Hell opened its gates!

Post by simeseko » February 22nd, 2008, 5:14 am

Hi. I've already had one log and you told me to make a new one if I still have a problem. My net connection started falling apart. I have updated NOD32 and it was reporting to me that I have a virus, but no matter how many times I delete it, it keeps coming back any time I start the comp. I downloaded the a-squared removing tool (only scanner) and it reported to me that I have:
email-worm.win32.runounce.b
trojan dropper.win32.mudrop.do
backdoor.win32.shark.hz
trojan.win32.obfuscated.fk
I deleted them with a-squared, then restarted the comp and scanned again, each time with deep scan, and nothing came out. I thought I was safe because they say that a-squared is the best for it, but then my Spyware Terminator started reporting a blocked object on startup, so I did a scan with it too and it found two more trojans:
dns.changer.rb
clicker.vb.vv
It all happened in one hour without any downloading. It seems that this a-squared is not so perfect after all. I've deleted these last two trojans with Spyware Terminator and cleaned the system with CCleaner and TuneUp Utilities 2008.
I've restarted the comp and again the same thing; Spyware Terminator is blocking something!
I don't know what to think; I'm disappointed with all of them: NOD, a-squared :monkey: and Spyware Terminator.
They are all normally updated and they still can't help me!
I have a lot of data on the comp that I use for work, so formatting and reinstalling Windows is not an option. Please help me if you can, or at least recommend me some good complete trojan removing tool. I will be grateful for any help I can get.

My HijackThis log is listed below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:09, on 22.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\routing.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\DNA\btdna.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatche ... p=aus&qkw=%s&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)

--
End of file - 8370 bytes
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm
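What a helper looks for first in a log like the one above, as an added example that is not from this thread or from HijackThis itself: a small Python triage script run over a few lines copied from the log. It flags an F2 Shell= value that launches anything besides Explorer.exe, and a core Windows process name (csrss.exe, smss.exe, ...) running from a directory other than system32; the expected-location table and the sample selection are this example's own assumptions.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread).

Two checks a helper applies early when reading a log like the one above:

  * an F2 "Shell=" value that launches anything besides Explorer.exe, and
  * a core Windows process name running from a directory other than
    %WINDIR%\\system32 (or %WINDIR% for explorer.exe).

The expected-location rules are this example's own assumption.
"""
import re
from typing import List, Optional, Tuple

# Binaries that Windows XP ships in system32. The same file name anywhere
# else is a classic impersonation trick and is worth a close look.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed sample: a handful of lines taken from the HijackThis log in
# the post above, including some clean ones for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\Explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatche
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
"""

# "R1 - ...", "F2 - ...", "O23 - ..." tagged entries, and bare process paths.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into (running process paths, tagged entries)."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or section header
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def expected_dir(exe_name: str) -> str:
    """Directory where a core Windows binary of this name belongs (lower-case)."""
    return r"c:\windows" if exe_name == "explorer.exe" else r"c:\windows\system32"


def check_process_path(path: str) -> Optional[str]:
    """Flag a core Windows binary name running from an unexpected directory."""
    directory, _, name = path.lower().rpartition("\\")
    if name in CORE_SYSTEM32 or name == "explorer.exe":
        if directory != expected_dir(name):
            return f"{name} running from {directory} (expected {expected_dir(name)})"
    return None


def check_shell(body: str) -> Optional[str]:
    """An F2 Shell= value should be exactly Explorer.exe; anything appended
    to it is started at every logon alongside the desktop."""
    m = re.search(r"Shell=(.*)$", body)
    if not m:
        return None
    value = m.group(1).strip()
    if value.lower() == "explorer.exe":
        return None
    return f"Shell= is '{value}', expected 'Explorer.exe'"


def triage(text: str) -> List[str]:
    """Run both checks over a log and return human-readable findings."""
    processes, entries = parse_log(text)
    findings: List[str] = []
    for path in processes:
        hit = check_process_path(path)
        if hit:
            findings.append("process: " + hit)
    for kind, body in entries:
        if kind == "F2":
            hit = check_shell(body)
            if hit:
                findings.append("F2: " + hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample it reports the csrss.exe copy under C:\WINDOWS\Config twice, once as a running process and once via the Shell= value; the O23 and O4 lines are parsed but need other checks (signer, file age, hash lookup) that the log alone cannot settle.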

Re: Hell opened its gates!

Post by Simon V. » February 22nd, 2008, 4:47 pm

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.
_______________________________________

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Post by simeseko » February 24th, 2008, 6:16 am

Thanks for the help and instructions. I did what you told me and here are the logs:

CCleaner:

µTorrent
1500
1500_Help
1500Trb
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Advanced WindowsCare Personal 2.6.0
AiO_Scan
AiOSoftware
Antivírusový systém NOD32
Arcade Race - Crash 1.0
a-squared Free 3.1
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AusLogics Disk Defrag
Autoplay Repair 2.1.0
Babylon
Babylon Toolbar
BitTorrent
BufferChm
Call of Duty(R) 2
CCleaner (remove only)
CodeStuff Starter
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crawler Toolbar with Web Security Guard
CueTour
CustomerResearchQFolder
Darwin the Monkey Demo
DC++ 0.699
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DNA
DocProc
DocumentViewer
DocumentViewerQFolder
Dracula Twins
DVD Shrink 3.2
eSupportQFolder
FastStone Image Viewer 3.2
Fax
FullDPAppQFolder
Gadwin PrintScreen
Google Earth
Google Toolbar for Internet Explorer
GTA San Andreas
GTAIII
HijackThis 2.0.2
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Cheatbook Database 2008
Imagelys Picture Styles 2
Indeo® Software
Instafinder
InstantShareDevices
Java(TM) 6 Update 3
Java(TM) 6 Update 4
K-Lite Mega Codec Pack 1.27
Kruptos 2
LimeWire PRO 4.17.4
Macromedia Flash Player 8
Mario Forever 4.0
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
neroxml
Neverwinter Nights
NewCopy
NOD32 FiX v2.1
Nokia Connectivity Cable Driver
Nokia Multimedia Factory
Nokia PC Suite
Notepad++
NVIDIA Drivers
NvMixer
OLYMPUS Master 2
OneStopSoft Youtube Video File Downloader 1.0.0.7
OpenAL
Ore Explorer 1.1
PanoStandAlone
PhotoFiltre
PhotoGallery
Picasa 2
Powertoys For Windows XP
ProductContext
QuickTime
RandMap
Readme
Realtek AC'97 Audio
RESIDENT EVIL2
ResidentEvil3
ROUTE 66 RouteBundle
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Scan
ScannerCopy
SHReK the THiRD(TM) Demo
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
Spyware Terminator
Status
Supercow
The Tuttles
TrayApp
TuneUp Utilities 2008
Tweak UI
Unload
VCRedistSetup
WebFldrs XP
WebReg
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
winLAME prerelease4
WinRAR archiver
WinZip
XviD MPEG4 Video Codec (remove only)

ComboFix:

ComboFix 08-02-24.4 - Veronika 2008-02-24 11:00:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.172 [GMT 1:00]
Running from: C:\Documents and Settings\Veronika\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-02-23 16:12 . 2008-02-23 16:13 <DIR> d-------- C:\Program Files\Babylon
2008-02-23 16:12 . 2008-02-23 17:28 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Babylon
2008-02-23 16:12 . 2008-02-24 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Babylon
2008-02-22 18:55 . 2008-02-22 18:55 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-02-22 18:55 . 2008-02-22 18:55 42,934 --a------ C:\WINDOWS\system32\tmp2_391779322402.bk
2008-02-22 18:55 . 2008-02-22 18:55 40,030 --a------ C:\WINDOWS\system32\tmp3_206889346973.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,374 --a------ C:\WINDOWS\system32\tmp4_147694747792.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,355 --a------ C:\WINDOWS\system32\tmp1_238729110624.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,350 --a------ C:\WINDOWS\system32\tmp3_12624285292.bk
2008-02-22 18:54 . 2008-02-22 18:54 22,774 --a------ C:\WINDOWS\system32\tmp0_377718344486.bk
2008-02-22 18:53 . 2008-02-22 18:53 37,174 --a------ C:\WINDOWS\system32\tmp2_538623607110.bk
2008-02-22 18:53 . 2008-02-22 18:53 35,715 --a------ C:\WINDOWS\system32\tmp1_732898353811.bk
2008-02-22 18:52 . 2008-02-22 18:53 44,374 --a------ C:\WINDOWS\system32\tmp0_887540299780.bk
2008-02-22 13:58 . 2008-02-22 13:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-22 13:42 . 2008-02-22 13:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-22 13:39 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 13:38 . 2008-02-22 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-22 08:56 . 2008-02-22 08:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 20:03 . 2008-02-22 11:41 <DIR> d-------- C:\Program Files\Instafinder
2008-02-21 20:02 . 2008-02-22 08:38 <DIR> d-------- C:\WINDOWS\cdmxtras
2008-02-21 12:10 . 2008-02-23 22:03 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-21 07:58 . 2008-02-21 07:58 32,256 --a------ C:\WINDOWS\system32\routing.exe
2008-02-21 07:57 . 2008-02-21 07:57 265,728 --a------ C:\WINDOWS\system32\andt.sys
2008-02-21 07:57 . 2008-02-21 07:58 29,974 --a------ C:\WINDOWS\system32\tmp0_518482845118.bk
2008-02-21 07:57 . 2008-02-21 07:57 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-20 12:18 . 2008-02-20 12:18 <DIR> d-------- C:\NV39763980.TMP
2008-02-20 12:17 . 2008-02-20 12:17 <DIR> d-------- C:\NV26722676.TMP
2008-02-20 12:11 . 2008-02-20 12:11 <DIR> d-------- C:\NV30243728.TMP
2008-02-20 10:48 . 2008-02-20 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-20 09:48 . 2008-02-20 09:48 359,040 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-20 09:48 . 2008-02-22 15:49 359,040 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 18:07 . 2008-02-19 18:07 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-02-19 14:29 . 2008-02-19 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 12:39 . 2008-02-18 12:39 <DIR> d-------- C:\Documents and Settings\Veronika\.DownloadManager
2008-02-18 12:37 . 2008-02-18 12:37 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 09:28 . 2008-02-18 09:28 <DIR> d-------- C:\Program Files\uTorrent
2008-02-18 08:37 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 08:30 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-02-17 13:45 . 2008-02-17 13:45 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-17 13:29 . 2008-02-17 13:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-02-16 18:05 . 2008-02-16 18:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\MSN6
2008-02-16 11:25 . 2008-02-24 11:02 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\uTorrent
2008-02-15 11:30 . 2008-02-15 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-02-15 11:16 . 2008-02-15 11:19 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Super-Cow
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-02-15 09:33 . 2008-02-15 09:33 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-15 09:33 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 14:10 . 2008-02-10 14:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Auslogics
2008-02-05 12:57 . 2008-02-05 12:57 <DIR> d-------- C:\Program Files\Crawler
2008-02-05 11:52 . 2008-02-13 19:16 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-04 11:12 . 2008-02-17 13:29 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\BitTorrent
2008-02-03 17:40 . 2008-02-03 17:40 <DIR> d-------- C:\Program Files\Ligos
2008-02-03 17:36 . 2008-02-04 16:06 196 --a------ C:\WINDOWS\disneysy.ini
2008-02-03 17:36 . 2008-02-05 11:56 173 --a------ C:\WINDOWS\disney.ini
2008-02-02 11:17 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-01 14:47 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-02-01 11:24 . 2008-02-20 09:20 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\LimeWire
2008-02-01 11:23 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-01 11:22 . 2008-02-04 13:38 <DIR> d-------- C:\Program Files\Java
2008-02-01 11:21 . 2008-02-01 11:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 16:32 . 2008-02-01 12:36 <DIR> d-------- C:\Resident Evil 2
2008-01-31 16:29 . 1999-01-21 23:40 180,224 --------- C:\WINDOWS\Res2_uninst.exe
2008-01-31 12:31 . 2008-01-31 12:31 502,272 --a------ C:\WINDOWS\system32\Winlogon.bak.bak
2008-01-31 11:35 . 2008-01-31 12:31 225,280 --ahs---- C:\WINDOWS\system32\Msip32.dll
2008-01-31 11:35 . 2008-01-31 12:31 6,144 --ahs---- C:\WINDOWS\system32\FaxMessage.dll
2008-01-30 14:52 . 2008-01-30 14:52 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SpinTop
2008-01-30 12:04 . 2008-01-30 12:04 <DIR> d-------- C:\ATI
2008-01-29 13:54 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-01-29 13:54 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-01-29 13:54 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-01-29 13:54 . 2008-02-19 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-29 13:54 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-29 13:54 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\SysTray.ocx
2008-01-29 10:13 . 2008-01-29 10:13 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-01-29 10:12 . 2007-03-04 13:55 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-01-29 10:12 . 2007-03-04 13:55 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-01-29 10:06 . 2008-01-29 10:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\GetRightToGo
2008-01-29 10:05 . 2008-01-29 10:05 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-01-28 12:14 . 2007-01-29 13:56 451,072 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-01-28 12:13 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys
2008-01-28 12:13 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-01-28 12:13 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-01-28 12:13 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys
2008-01-28 12:13 . 2004-03-23 16:38 28,672 --a------ C:\WINDOWS\system32\InsDrvZD.dll
2008-01-28 12:13 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
2008-01-28 12:13 . 2005-06-08 18:44 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-01-28 12:13 . 2004-10-25 13:40 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-01-28 12:13 . 2004-01-14 11:30 17,151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS
2008-01-28 12:13 . 2005-07-12 14:44 15,872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL
2008-01-27 20:50 . 2008-01-27 20:50 <DIR> d-------- C:\Program Files\DNA
2008-01-27 20:50 . 2008-02-24 10:57 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\DNA
2008-01-27 18:04 . 2008-01-27 18:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-27 18:00 . 2008-02-23 11:00 <DIR> d-------- C:\Program Files\Spyware Terminator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 10:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 14:49 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-22 11:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 11:39 --------- d-----w C:\Program Files\CyberLink
2008-02-22 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-20 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 06:56 397,926 ----a-w C:\WINDOWS\Help\SETUP.EXE
2008-02-19 14:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-15 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-15 08:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-02-14 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-08 16:58 --------- d-----w C:\Program Files\Google
2008-01-18 12:26 --------- d-----w C:\Program Files\winLAME
2008-01-12 15:13 --------- d-----w C:\Documents and Settings\Veronika\Application Data\The Longest Journey Demo
2008-01-10 19:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\iWin
2008-01-09 15:48 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Movie Label
2008-01-09 10:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\SecondLife
2008-01-09 10:39 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nero
2008-01-09 10:30 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Apple Computer
2008-01-08 12:57 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-01-08 12:36 2,320,640 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-01-08 12:06 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{6FAAE54C-8147-4998-934C-6744E67FD415}
2008-01-08 11:18 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Lavasoft
2008-01-04 10:40 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Secretmaker
2007-12-24 20:57 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Leadertech
2007-12-10 15:40 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 13:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-12-03 11:36 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-03 11:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

------- Sigcheck -------

27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\tcpip.sys
-c----w 332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
----a-w 359,040 2004-08-03 22:14:42 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
-c--a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
{965B54B0-71E0-4611-8DE7-F73FA0B20E26}

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll [2007-12-18 14:42 267488]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-12 10:34 287040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-04 17:33 68856]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-02-18 09:28 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-27 17:23 847872]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-01-27 18:02 2834432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-17 01:20 91432]
"BackgroundSwitcher"="C:\WINDOWS\system32\bgswitch.exe" [2001-10-19 12:14 19520]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2001-10-19 12:14 45632]
"FastUser"="C:\WINDOWS\system32\fast.exe" [2001-10-19 12:14 49216]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2007-12-18 14:42 3116768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\Activision\\SHReK the THiRD Demo\\SHReK the THiRD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-27 18:04]
R2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2001-08-23 11:00]
R2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2008-02-21 07:58]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys []
S3 athrusb;802.11g Wireless USB2.0 Adapter driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2007-01-29 13:56]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-15 09:33]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 16:40:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 11:05:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\Config\csrss.exe [1.00.0000.0000]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-24 11:06:46

New Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:36, on 24.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\routing.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fast.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\system32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F095ED02-C1BB-4548-A5A3-ABEF8A029A77}: NameServer = 192.168.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)

--
End of file - 8846 bytes

I'm at your mercy, help any way you can, please! :roll:
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 24th, 2008, 7:14 am

Hi :)

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 25th, 2008, 10:47 am

I installed ZoneAlarm and some motherfucker wants to get in. After it blocks him he restarts the server. I can barely post a reply! I downloaded this WindowsXP-KB310994-SP2-Pro-BootDisk-ENU and integrated it in ComboFix, but in the log it still says I don't have the Recovery Console. I had a hundred trojans in the morning. I've scanned with Advanced WindowsCare and Spyware Terminator. Before them NOD and a2 didn't find anything. I'm really disappointed with those two. Here are fresh logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32:14, on 25.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\routing.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F095ED02-C1BB-4548-A5A3-ABEF8A029A77}: NameServer = 192.168.1.1
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8277 bytes

µTorrent
1500
1500_Help
1500Trb
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Advanced WindowsCare Personal 2.6.0
AiO_Scan
AiOSoftware
Antivírusový systém NOD32
Arcade Race - Crash 1.0
a-squared Free 3.1
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AusLogics Disk Defrag
Autoplay Repair 2.1.0
BufferChm
CCleaner (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crawler Toolbar with Web Security Guard
CueTour
CustomerResearchQFolder
Darwin the Monkey Demo
DC++ 0.699
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DNA
DocProc
DocumentViewer
DocumentViewerQFolder
Dracula Twins
DVD Shrink 3.2
eSupportQFolder
FastStone Image Viewer 3.2
Fax
FullDPAppQFolder
Gadwin PrintScreen
Google Earth
Google Toolbar for Internet Explorer
GTA San Andreas
GTAIII
HijackThis 2.0.2
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Cheatbook Database 2008
Imagelys Picture Styles 2
Indeo® Software
InstantShareDevices
Java(TM) 6 Update 3
Java(TM) 6 Update 4
K-Lite Mega Codec Pack 1.27
Kruptos 2
LimeWire PRO 4.17.4
Macromedia Flash Player 8
Magic ISO Maker v5.4 (build 0255)
Mario Forever 4.0
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
neroxml
Neverwinter Nights
NewCopy
NOD32 FiX v2.1
Nokia Connectivity Cable Driver
Nokia Multimedia Factory
Nokia PC Suite
Notepad++
NVIDIA Drivers
NvMixer
OLYMPUS Master 2
OneStopSoft Youtube Video File Downloader 1.0.0.7
OpenAL
Ore Explorer 1.1
PanoStandAlone
PhotoFiltre
PhotoGallery
Picasa 2
Powertoys For Windows XP
ProductContext
QuickTime
RandMap
Readme
Realtek AC'97 Audio
RESIDENT EVIL2
ResidentEvil3
ROUTE 66 RouteBundle
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Scan
ScannerCopy
SHReK the THiRD(TM) Demo
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
Spyware Terminator
Status
Supercow
The Tuttles
TrayApp
TuneUp Utilities 2008
Tweak UI
Unload
VCRedistSetup
WebFldrs XP
WebReg
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
winLAME prerelease4
WinRAR archiver
WinZip
XviD MPEG4 Video Codec (remove only)
ZoneAlarm
ZoneAlarm Spy Blocker

ComboFix 08-02-25.3 - Veronika 2008-02-25 14:59:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT 1:00]
Running from: C:\Documents and Settings\Veronika\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 14:32 . 2008-02-25 14:36 <DIR> d-------- C:\ComboFix(2)
2008-02-25 13:24 . 2008-02-25 15:14 282,656 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-25 13:24 . 2008-02-25 14:25 4,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-25 13:23 . 2008-02-25 13:23 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-25 13:22 . 2008-02-25 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-25 12:29 . 2008-02-25 13:23 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-25 12:28 . 2008-02-25 12:28 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-25 11:25 . 2008-02-25 15:16 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-24 20:54 . 2008-02-25 12:13 663 --a------ C:\log.html
2008-02-24 20:53 . 2006-10-09 13:28 835,584 --a------ C:\WINDOWS\system32\WINCTL4.OCX
2008-02-24 20:53 . 2006-10-09 14:06 495,616 --a------ C:\WINDOWS\system32\WINUTIL5.DLL
2008-02-24 20:53 . 2006-05-17 09:40 393,216 --a------ C:\WINDOWS\system32\WINLCTL5.DLL
2008-02-24 11:33 . 2008-02-24 11:44 <DIR> d-------- C:\Program Files\MagicISO
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-02-22 18:55 . 2008-02-22 18:55 42,934 --a------ C:\WINDOWS\system32\tmp2_391779322402.bk
2008-02-22 18:55 . 2008-02-22 18:55 40,030 --a------ C:\WINDOWS\system32\tmp3_206889346973.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,374 --a------ C:\WINDOWS\system32\tmp4_147694747792.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,355 --a------ C:\WINDOWS\system32\tmp1_238729110624.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,350 --a------ C:\WINDOWS\system32\tmp3_12624285292.bk
2008-02-22 18:54 . 2008-02-22 18:54 22,774 --a------ C:\WINDOWS\system32\tmp0_377718344486.bk
2008-02-22 18:53 . 2008-02-22 18:53 37,174 --a------ C:\WINDOWS\system32\tmp2_538623607110.bk
2008-02-22 18:53 . 2008-02-22 18:53 35,715 --a------ C:\WINDOWS\system32\tmp1_732898353811.bk
2008-02-22 18:52 . 2008-02-22 18:53 44,374 --a------ C:\WINDOWS\system32\tmp0_887540299780.bk
2008-02-22 13:58 . 2008-02-22 13:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-22 13:42 . 2008-02-22 13:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-22 13:39 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 13:38 . 2008-02-22 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-22 08:56 . 2008-02-22 08:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 20:02 . 2008-02-22 08:38 <DIR> d-------- C:\WINDOWS\cdmxtras
2008-02-21 12:10 . 2008-02-25 08:42 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-21 07:58 . 2008-02-21 07:58 32,256 --a------ C:\WINDOWS\system32\routing.exe
2008-02-21 07:57 . 2008-02-21 07:57 265,728 --a------ C:\WINDOWS\system32\andt.sys
2008-02-21 07:57 . 2008-02-21 07:58 29,974 --a------ C:\WINDOWS\system32\tmp0_518482845118.bk
2008-02-21 07:57 . 2008-02-21 07:57 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-20 12:18 . 2008-02-20 12:18 <DIR> d-------- C:\NV39763980.TMP
2008-02-20 12:17 . 2008-02-20 12:17 <DIR> d-------- C:\NV26722676.TMP
2008-02-20 12:11 . 2008-02-20 12:11 <DIR> d-------- C:\NV30243728.TMP
2008-02-20 10:48 . 2008-02-20 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-20 09:48 . 2008-02-20 09:48 359,040 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-20 09:48 . 2008-02-22 15:49 359,040 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 18:07 . 2008-02-19 18:07 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-02-19 14:29 . 2008-02-19 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 12:39 . 2008-02-18 12:39 <DIR> d-------- C:\Documents and Settings\Veronika\.DownloadManager
2008-02-18 12:37 . 2008-02-18 12:37 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 09:28 . 2008-02-18 09:28 <DIR> d-------- C:\Program Files\uTorrent
2008-02-18 08:37 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 08:30 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-02-17 13:45 . 2008-02-17 13:45 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-17 13:29 . 2008-02-17 13:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-02-16 18:05 . 2008-02-16 18:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\MSN6
2008-02-16 11:25 . 2008-02-25 14:25 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\uTorrent
2008-02-15 11:30 . 2008-02-15 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-02-15 11:16 . 2008-02-15 11:19 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Super-Cow
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-02-15 09:33 . 2008-02-15 09:33 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-15 09:33 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 14:10 . 2008-02-10 14:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Auslogics
2008-02-05 12:57 . 2008-02-05 12:57 <DIR> d-------- C:\Program Files\Crawler
2008-02-05 11:52 . 2008-02-13 19:16 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-03 17:40 . 2008-02-03 17:40 <DIR> d-------- C:\Program Files\Ligos
2008-02-03 17:36 . 2008-02-04 16:06 196 --a------ C:\WINDOWS\disneysy.ini
2008-02-03 17:36 . 2008-02-05 11:56 173 --a------ C:\WINDOWS\disney.ini
2008-02-02 11:17 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-01 14:47 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-02-01 11:24 . 2008-02-20 09:20 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\LimeWire
2008-02-01 11:23 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-01 11:22 . 2008-02-04 13:38 <DIR> d-------- C:\Program Files\Java
2008-02-01 11:21 . 2008-02-01 11:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 16:32 . 2008-02-01 12:36 <DIR> d-------- C:\Resident Evil 2
2008-01-31 16:29 . 1999-01-21 23:40 180,224 --------- C:\WINDOWS\Res2_uninst.exe
2008-01-31 12:31 . 2008-01-31 12:31 502,272 --a------ C:\WINDOWS\system32\Winlogon.bak.bak
2008-01-31 11:35 . 2008-01-31 12:31 225,280 --ahs---- C:\WINDOWS\system32\Msip32.dll
2008-01-31 11:35 . 2008-01-31 12:31 6,144 --ahs---- C:\WINDOWS\system32\FaxMessage.dll
2008-01-30 14:52 . 2008-01-30 14:52 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SpinTop
2008-01-30 12:04 . 2008-01-30 12:04 <DIR> d-------- C:\ATI
2008-01-29 13:54 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-01-29 13:54 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-01-29 13:54 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-01-29 13:54 . 2008-02-19 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-29 13:54 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-29 13:54 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\SysTray.ocx
2008-01-29 10:13 . 2008-01-29 10:13 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-01-29 10:12 . 2007-03-04 13:55 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-01-29 10:12 . 2007-03-04 13:55 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-01-29 10:06 . 2008-01-29 10:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\GetRightToGo
2008-01-29 10:05 . 2008-01-29 10:05 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-01-28 12:14 . 2007-01-29 13:56 451,072 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-01-28 12:13 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys
2008-01-28 12:13 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-01-28 12:13 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-01-28 12:13 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 20:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 13:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 14:49 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-22 11:39 --------- d-----w C:\Program Files\CyberLink
2008-02-22 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-20 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 06:56 397,926 ----a-w C:\WINDOWS\Help\SETUP.EXE
2008-02-19 14:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-15 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-15 08:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-02-14 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-08 16:58 --------- d-----w C:\Program Files\Google
2008-01-24 09:42 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nokia Multimedia Player
2008-01-18 12:26 --------- d-----w C:\Program Files\winLAME
2008-01-12 15:13 --------- d-----w C:\Documents and Settings\Veronika\Application Data\The Longest Journey Demo
2008-01-10 19:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\iWin
2008-01-09 15:48 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Movie Label
2008-01-09 10:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\SecondLife
2008-01-09 10:39 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nero
2008-01-09 10:30 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Apple Computer
2008-01-08 12:57 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-01-08 12:36 2,320,640 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-01-08 12:06 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{6FAAE54C-8147-4998-934C-6744E67FD415}
2008-01-08 11:18 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Lavasoft
2008-01-04 10:40 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Secretmaker
2007-12-10 15:40 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 13:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-12-03 11:36 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-03 11:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

------- Sigcheck -------

27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\tcpip.sys
-c----w 332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
----a-w 359,040 2004-08-03 22:14:42 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
-c--a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-25 13:23 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-25 13:23 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-04 17:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-27 17:23 847872]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-01-27 18:02 2834432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\Activision\\SHReK the THiRD Demo\\SHReK the THiRD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-27 18:04]
R2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2001-08-23 11:00]
R2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2008-02-21 07:58]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys []
S3 athrusb;802.11g Wireless USB2.0 Adapter driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2007-01-29 13:56]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-15 09:33]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0f3d511-e2b5-11dc-ac45-00142a942c31}]
\Shell\AutoRun\command - H:\USBNB.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 16:40:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 15:17:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-25 15:19:17

HELP!!!
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 25th, 2008, 12:47 pm

Hi :)

I hadn't instructed you to run Combofix again or install ZoneAlarm; please don't do anything unless I tell you to. Your computer isn't completely clean, but I first want the Recovery Console installed. Did you get any error messages when trying to drag the file into Combofix.exe?
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 25th, 2008, 1:32 pm

No, everything worked fine. Sorry, I've installed ZoneAlarm, I didn't know what to do. I had a hundred trojans in the morning and my net connection was falling apart. I had to configure it again just now from the beginning just to post this reply! Sorry, please :oops:
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 25th, 2008, 1:52 pm

Please check whether this folder exists - C:\CMDCONS\
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 25th, 2008, 2:01 pm

Yes.

P.S. I hacked net.max_halfopen to 50 last month to get better speeds when downloading torrents. I hope it isn't responsible for my latest troubles, oops! :oops:
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 25th, 2008, 3:36 pm

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

µTorrent
LimeWire PRO 4.17.4


Also remove the following program -

Java(TM) 6 Update 3
______________________

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code:
KillAll::

File::

C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\perfs.exe

Folder::

C:\WINDOWS\cdmxtras

Driver::

perfmons
Routing


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.
______________________

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.
______________________

Close all programs before continuing, and try not to run anything during the scan.

Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
______________________

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • the Kaspersky Online Scan report
  • a new HijackThis log
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
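The Kaspersky WebScanner report that this procedure produces is a flat text table of "path, verdict, last action" lines, and when it is pasted into a reply the forum wraps long entries mid-path (as in the report posted next). The helper below is an added example, not code from the thread or from Kaspersky: it re-joins the wrapped entries and sorts the hits by whether they sit in quarantine, in a System Restore snapshot, inside an archive, or as a live file; the embedded report is a constructed excerpt modelled on entries from this thread.

```python
"""Triage a Kaspersky Online Scanner report pasted into a forum reply.
Added example, not code from the thread or from Kaspersky: re-joins entries
the forum wrapped across lines, drops "Object is locked" noise and sorts each
"Infected:" hit by where it sits (quarantine and System Restore copies are
inert, archive members matter once extracted, the rest is live on disk).
"""
import re
from collections import defaultdict

LAST_ACTION = "skipped"  # this scanner only reports, so every entry ends here

# Locations whose hits are dormant copies rather than code that can run.
INERT_LOCATIONS = (
    ("eset_quarantine", r"^[A-Z]:\\Program Files\\Eset\\infected\\"),
    ("combofix_quarantine", r"^[A-Z]:\\QooBox\\Quarantine\\"),
    ("system_restore", r"^[A-Z]:\\System Volume Information\\_restore"),
)

# <path> then "Object is locked" | "Infected: <name>" | "<Type>: infected - <n>"
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)"
    r"|(?P<container>[\w-]+): infected - (?P<count>\d+)) " + LAST_ACTION + "$"
)


def rejoin_entries(report_text):
    """Return one string per logical entry of the results table."""
    entries, buf, in_table = [], [], False
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines inserted by the forum
        if line.startswith("Infected Object Name"):
            in_table = True  # column header: results start on the next line
            continue
        if line == "Scan process completed.":
            break
        if not in_table:
            continue  # scan settings and statistics above the table
        buf.append(line)
        if line.split()[-1] == LAST_ACTION:
            entries.append(" ".join(buf))  # wraps fell at spaces, so a space restores them
            buf = []
    return entries


def classify(path, container=None):
    """Label where a hit lives so it can be prioritised for removal."""
    for label, pattern in INERT_LOCATIONS:
        if re.match(pattern, path, re.IGNORECASE):
            return label
    if container:
        return "infected_container"  # archive or installer on disk with bad members
    if "/" in path:
        return "archive_member"  # Kaspersky uses '/' to descend into archives
    return "live_file"


def triage(report_text):
    """Return ({category: [(path, detection), ...]}, locked_object_count)."""
    findings, locked = defaultdict(list), 0
    for entry in rejoin_entries(report_text):
        m = ENTRY_RE.match(entry)
        if not m:
            findings["unparsed"].append((entry, None))
            continue
        if m.group("locked"):
            locked += 1
            continue
        path, container = m.group("path"), m.group("container")
        detection = m.group("name") or "%s container, %s infected member(s)" % (
            container, m.group("count"))
        findings[classify(path, container)].append((path, detection))
    return dict(findings), locked


# Constructed excerpt in the pasted report's format, forum wraps included.
SAMPLE_REPORT = r"""
Number of viruses found 21
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked

skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected:

Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume

Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\A0007174.sys Infected:

Trojan-Downloader.Win32.Delf.evt skipped
C:\WINDOWS\Config\csrss.exe Infected: Backdoor.Win32.Agobot.aqs skipped
C:\WINDOWS\system32\Winlogon.bak.bak Infected: Trojan.Win32.Patched.bm skipped
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE

Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Downloads\Limewire PRO 4.17.0.zip ZIP: infected - 3 skipped
Scan process completed.
"""
```

Running `triage(SAMPLE_REPORT)` puts the two files under C:\WINDOWS in `live_file`, the quarantine and restore-point copies in their own inert buckets, and the LimeWire download in `archive_member` and `infected_container`.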

Re: Hell opened its gates! Taken over by a backdoor!!

Unread postby simeseko » February 26th, 2008, 6:14 am

I'm sorry for the late reply, my girlfriend was screaming at me that I'm all day on the comp so I couldn't continue last night. I gave up alcohol, drugs and even rock n roll because of her! Cigs are forbidden too. This has to be love, right? Please, accept my apologies.

I did the scans as you instructed me and I think I'm FUBAR!!

Tuesday, February 26, 2008 10:48:40 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 581531
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 81402
Number of viruses found 21
Number of infected objects 51
Number of suspicious objects 0
Duration of the scan process 01:09:34

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\om214.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\~DF18FB.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\infected\5JSWNFCA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\KRKKMJAA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\PE1FADCA.NQF Infected: Trojan-Downloader.Win32.Agent.dzm skipped
C:\Program Files\Eset\infected\YGFYOKAA.NQF Infected: Trojan-Clicker.Win32.VB.ael skipped
C:\Program Files\Eset\infected\YZ1RF5DA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006013.sys Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006016.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006018.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006019.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006041.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006042.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\A0007174.sys Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\change.log Object is locked skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP7\A0003049.sys Infected: Trojan-Clicker.Win32.VB.ael skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003116.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003117.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003118.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003119.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003120.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003122.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003123.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003124.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003125.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP8\A0003128.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP9\A0003156.sys Infected: Trojan-Clicker.Win32.VB.ael skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP9\A0003157.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP9\A0003158.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP9\A0003159.exe Infected: not-a-virus:AdWare.Win32.TopSearch.a skipped
C:\WINDOWS\Config\csrss.exe Infected: Backdoor.Win32.Agobot.aqs skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Help\SETUP.EXE Infected: Backdoor.Win32.VB.cds skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\VERONIKA-36JOG3.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tmp0_377718344486.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp0_887540299780.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp1_238729110624.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp1_732898353811.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp2_391779322402.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp2_538623607110.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp3_12624285292.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp3_206889346973.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\tmp4_147694747792.bk Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\Winlogon.bak.bak Infected: Trojan.Win32.Patched.bm skipped
C:\WINDOWS\TEMP\ZLT0735c.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT07360.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Downloads\Limewire PRO 4.17.0.zip ZIP: infected - 3 skipped
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-02-26.08-45-20.log Object is locked skipped
D:\Program Files\Kazaa\kazaa.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\Program Files\Kazaa\kazaa.exe CAB: infected - 1 skipped
D:\Program Files\Kazaa\kazaa.exe Execryptor: infected - 1 skipped
D:\RECYCLER\S-1-5-21-1993962763-776561741-839522115-500\De22.doc Object is locked skipped
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE Rsrc-Package: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0005975.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\change.log Object is locked skipped
Scan process completed.


ComboFix 08-02-25.3 - Veronika 2008-02-26 8:48:48.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.100 [GMT 1:00]
Running from: C:\Documents and Settings\Veronika\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 21:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 16:45 . 2008-02-25 16:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 16:45 . 2008-02-25 16:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\TransRender
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Temporary
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\ConvertTemp
2008-02-25 16:13 . 2007-11-27 14:22 2,521,600 --a------ C:\WINDOWS\3D Realistic Fireplace 3.scr
2008-02-25 16:13 . 2007-05-24 14:41 118,784 --a------ C:\WINDOWS\dx7ogl32.dll
2008-02-25 14:32 . 2008-02-25 14:36 <DIR> d-------- C:\ComboFix(2)
2008-02-25 13:24 . 2008-02-26 08:53 395,296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-25 13:24 . 2008-02-26 00:26 6,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-25 13:23 . 2008-02-25 13:23 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-25 13:22 . 2008-02-25 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-25 12:29 . 2008-02-25 18:22 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-25 12:28 . 2008-02-25 12:28 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-25 11:25 . 2008-02-26 00:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-24 20:54 . 2008-02-25 12:13 663 --a------ C:\log.html
2008-02-24 20:53 . 2006-10-09 13:28 835,584 --a------ C:\WINDOWS\system32\WINCTL4.OCX
2008-02-24 20:53 . 2006-10-09 14:06 495,616 --a------ C:\WINDOWS\system32\WINUTIL5.DLL
2008-02-24 20:53 . 2006-05-17 09:40 393,216 --a------ C:\WINDOWS\system32\WINLCTL5.DLL
2008-02-24 11:33 . 2008-02-24 11:44 <DIR> d-------- C:\Program Files\MagicISO
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-02-22 18:55 . 2008-02-22 18:55 42,934 --a------ C:\WINDOWS\system32\tmp2_391779322402.bk
2008-02-22 18:55 . 2008-02-22 18:55 40,030 --a------ C:\WINDOWS\system32\tmp3_206889346973.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,374 --a------ C:\WINDOWS\system32\tmp4_147694747792.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,355 --a------ C:\WINDOWS\system32\tmp1_238729110624.bk
2008-02-22 18:54 . 2008-02-22 18:54 44,350 --a------ C:\WINDOWS\system32\tmp3_12624285292.bk
2008-02-22 18:54 . 2008-02-22 18:54 22,774 --a------ C:\WINDOWS\system32\tmp0_377718344486.bk
2008-02-22 18:53 . 2008-02-22 18:53 37,174 --a------ C:\WINDOWS\system32\tmp2_538623607110.bk
2008-02-22 18:53 . 2008-02-22 18:53 35,715 --a------ C:\WINDOWS\system32\tmp1_732898353811.bk
2008-02-22 18:52 . 2008-02-22 18:53 44,374 --a------ C:\WINDOWS\system32\tmp0_887540299780.bk
2008-02-22 13:58 . 2008-02-22 13:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-22 13:42 . 2008-02-22 13:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-22 13:39 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 13:38 . 2008-02-22 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-22 08:56 . 2008-02-22 08:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 12:10 . 2008-02-25 08:42 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-21 07:57 . 2008-02-21 07:58 29,974 --a------ C:\WINDOWS\system32\tmp0_518482845118.bk
2008-02-20 12:18 . 2008-02-20 12:18 <DIR> d-------- C:\NV39763980.TMP
2008-02-20 12:17 . 2008-02-20 12:17 <DIR> d-------- C:\NV26722676.TMP
2008-02-20 12:11 . 2008-02-20 12:11 <DIR> d-------- C:\NV30243728.TMP
2008-02-20 10:48 . 2008-02-20 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-20 09:48 . 2008-02-20 09:48 359,040 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-20 09:48 . 2008-02-22 15:49 359,040 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 18:07 . 2008-02-19 18:07 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-02-19 14:29 . 2008-02-19 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 12:39 . 2008-02-18 12:39 <DIR> d-------- C:\Documents and Settings\Veronika\.DownloadManager
2008-02-18 12:37 . 2008-02-18 12:37 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 09:28 . 2008-02-18 09:28 <DIR> d-------- C:\Program Files\uTorrent
2008-02-18 08:37 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 08:30 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-02-17 13:45 . 2008-02-17 13:45 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-17 13:29 . 2008-02-17 13:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-02-16 18:05 . 2008-02-16 18:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\MSN6
2008-02-16 11:25 . 2008-02-26 00:25 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\uTorrent
2008-02-15 11:30 . 2008-02-15 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-02-15 11:16 . 2008-02-15 11:19 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Super-Cow
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-02-15 09:33 . 2008-02-15 09:33 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-15 09:33 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 14:10 . 2008-02-10 14:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Auslogics
2008-02-05 12:57 . 2008-02-05 12:57 <DIR> d-------- C:\Program Files\Crawler
2008-02-05 11:52 . 2008-02-13 19:16 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-03 17:40 . 2008-02-03 17:40 <DIR> d-------- C:\Program Files\Ligos
2008-02-03 17:36 . 2008-02-04 16:06 196 --a------ C:\WINDOWS\disneysy.ini
2008-02-03 17:36 . 2008-02-05 11:56 173 --a------ C:\WINDOWS\disney.ini
2008-02-02 11:17 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-01 14:47 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-02-01 11:24 . 2008-02-20 09:20 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\LimeWire
2008-02-01 11:22 . 2008-02-25 21:20 <DIR> d-------- C:\Program Files\Java
2008-02-01 11:21 . 2008-02-01 11:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 16:32 . 2008-02-01 12:36 <DIR> d-------- C:\Resident Evil 2
2008-01-31 16:29 . 1999-01-21 23:40 180,224 --------- C:\WINDOWS\Res2_uninst.exe
2008-01-31 12:31 . 2008-01-31 12:31 502,272 --a------ C:\WINDOWS\system32\Winlogon.bak.bak
2008-01-31 11:35 . 2008-01-31 12:31 225,280 --ahs---- C:\WINDOWS\system32\Msip32.dll
2008-01-31 11:35 . 2008-01-31 12:31 6,144 --ahs---- C:\WINDOWS\system32\FaxMessage.dll
2008-01-30 14:52 . 2008-01-30 14:52 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SpinTop
2008-01-30 12:04 . 2008-01-30 12:04 <DIR> d-------- C:\ATI
2008-01-29 13:54 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-01-29 13:54 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-01-29 13:54 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-01-29 13:54 . 2008-02-19 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-29 13:54 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-29 13:54 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\SysTray.ocx
2008-01-29 10:13 . 2008-01-29 10:13 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-01-29 10:12 . 2007-03-04 13:55 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-01-29 10:12 . 2007-03-04 13:55 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-01-29 10:06 . 2008-01-29 10:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\GetRightToGo
2008-01-29 10:05 . 2008-01-29 10:05 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-01-28 12:14 . 2007-01-29 13:56 451,072 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-01-28 12:13 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 20:32 123,392 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-25 20:32 1,394,176 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-25 16:49 2,803,712 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-25 16:49 1,374,208 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-24 20:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 13:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 14:49 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-22 11:39 --------- d-----w C:\Program Files\CyberLink
2008-02-22 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-20 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 06:56 397,926 ----a-w C:\WINDOWS\Help\SETUP.EXE
2008-02-19 14:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-15 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-15 08:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-02-14 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-08 16:58 --------- d-----w C:\Program Files\Google
2008-01-24 09:42 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nokia Multimedia Player
2008-01-18 12:26 --------- d-----w C:\Program Files\winLAME
2008-01-12 15:13 --------- d-----w C:\Documents and Settings\Veronika\Application Data\The Longest Journey Demo
2008-01-10 19:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\iWin
2008-01-09 15:48 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Movie Label
2008-01-09 10:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\SecondLife
2008-01-09 10:39 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nero
2008-01-09 10:30 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Apple Computer
2008-01-08 12:57 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-01-08 12:36 2,320,640 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-01-08 12:06 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{6FAAE54C-8147-4998-934C-6744E67FD415}
2008-01-08 11:18 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Lavasoft
2008-01-04 10:40 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Secretmaker
2007-12-10 15:40 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 13:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-12-03 11:36 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-03 11:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

------- Sigcheck -------

27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\tcpip.sys
-c----w 332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
----a-w 359,040 2004-08-03 22:14:42 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
-c--a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-25 13:23 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-25 13:23 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-04 17:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-27 17:23 847872]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-01-27 18:02 2834432]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\Activision\\SHReK the THiRD Demo\\SHReK the THiRD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-27 18:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys []
S3 athrusb;802.11g Wireless USB2.0 Adapter driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2007-01-29 13:56]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-15 09:33]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0f3d511-e2b5-11dc-ac45-00142a942c31}]
\Shell\AutoRun\command - H:\USBNB.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 16:40:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 08:52:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-26 8:54:19
ComboFix-quarantined-files.txt 2008-02-26 07:54:12
ComboFix2.txt 2008-02-25 20:37:28
ComboFix3.txt 2008-02-25 14:19:19


Malwarebytes' Anti-Malware 1.05
Database version: 406

Scan type: Quick Scan
Objects scanned: 26803
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4c53f186-5376-913e-6bb7-1002d734c888} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{085de4b8-c8fe-4017-86df-103fe31c39ab} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{42693d23-6964-45f4-ad8e-1077ce972d8d} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager (Adware.ISTBar) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\Msip32.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\FaxMessage.dll (Backdoor.RCServ) -> No action taken.
C:\WINDOWS\Config\csrss.exe (Trojan.Downloader) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:22, on 26.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F095ED02-C1BB-4548-A5A3-ABEF8A029A77}: NameServer = 192.168.1.1
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8034 bytes


P.S. Is it possible that even at this moment, trojans are spreading to more files?
If so, then hurry - help!!
P.S. The Autoplay function when I insert a DVD doesn't work either, although in tweaks it is normally turned on.
Another P.S. My gf's sister is using our router through wifi; can I get infected from her laptop too?
Yet another P.S. I see a lot of people on this forum have some Security updates for Windows. Should I install them? If yes, please show me how :|
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 26th, 2008, 12:05 pm

C:\WINDOWS\Config\csrss.exe --> Backdoor.Win32.Agobot.aqs
C:\WINDOWS\Help\SETUP.EXE --> Backdoor.Win32.VB.cds
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE --> Backdoor.Win32.Agobot.aqs
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE/data0000.cab --> Backdoor.Win32.Agobot.aqs
D:\Downloads\Limewire PRO 4.17.0.zip/Limewire PRO 4.17.0.EXE --> Backdoor.Win32.Agobot.aqs
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE --> Backdoor.Win32.Agobot.aqs
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE/data0000.cab --> Backdoor.Win32.Agobot.aqs

That doesn't look good, I'm afraid.

You have been infected by a backdoor trojan. This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CDs or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
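The backup rule in the list above (copy data, never executables) is easy to get wrong by hand when a file is called something like Photo.JPG.EXE, or when the extension is uppercase, as with the SETUP.EXE and WINCTL4.OCX hits in this thread. The Python below is an example added here; it is not from the thread or from MalwareRemoval.com. It sorts candidate paths into "back up" and "skip" by looking only at the final extension, case-insensitively, and it extends the post's list with .ocx, .com, .pif, .cpl and .drv (the same class of Windows code files). The sample paths are constructed.

```python
"""Split backup candidates into data files and executable files.

Added example (not from the MalwareRemoval.com thread). Decision rule:
only the file's LAST extension counts, compared case-insensitively, so
'report.pdf.exe' is treated as executable and 'SETUP.EXE' is caught
just like 'setup.exe'.
"""
from __future__ import annotations

import os
from typing import Iterable

# Extensions the post says not to back up (.dll .exe .scr .bat .cmd .vbs .sys),
# extended by the editor with .ocx .com .pif .cpl .drv, which Windows also
# loads or runs as code.
EXECUTABLE_EXTENSIONS = frozenset({
    ".dll", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".sys",
    ".ocx", ".com", ".pif", ".cpl", ".drv",
})


def is_executable(path: str) -> bool:
    """True if the path's final extension marks executable content."""
    # Accept both Windows and POSIX separators so the check works on either host.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    _, ext = os.path.splitext(name)
    return ext.lower() in EXECUTABLE_EXTENSIONS


def partition_backup(paths: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (keep, skip): data files to copy, executables to leave behind."""
    keep: list[str] = []
    skip: list[str] = []
    for p in paths:
        (skip if is_executable(p) else keep).append(p)
    return keep, skip


def scan_directory(root: str) -> tuple[list[str], list[str]]:
    """Walk a real directory tree and partition every file found in it."""
    found = [os.path.join(d, f) for d, _dirs, files in os.walk(root) for f in files]
    return partition_backup(found)


# Constructed sample: ordinary documents mixed with names of the kind seen
# in the thread's detections.
SAMPLE_PATHS = [
    r"D:\work\budget.xls",
    r"D:\work\notes.txt",
    r"D:\work\Photo.JPG.EXE",                     # double extension: executable
    r"C:\WINDOWS\Help\SETUP.EXE",                 # uppercase extension
    r"C:\WINDOWS\system32\WINCTL4.OCX",
    r"C:\WINDOWS\3D Realistic Fireplace 3.scr",   # screensavers are executables
    r"D:\work\archive.zip",
]

if __name__ == "__main__":
    keep, skip = partition_backup(SAMPLE_PATHS)
    print("back up:", *keep, sep="\n  ")
    print("skip:", *skip, sep="\n  ")
```

Run it against a real folder with scan_directory(r"D:\work") before copying anything to the backup medium; whatever lands in the skip list gets reinstalled from original media later, as the post advises.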

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

In your next reply, let me know how you want to proceed.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Hell opened its gates!

Unread postby simeseko » February 26th, 2008, 2:15 pm

I was afraid you would say that, man. First I would like to try and clean it. Tell me what I need to do. And tell me why this so famous Nod doesn't work.
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm

Re: Hell opened its gates!

Unread postby Simon V. » February 26th, 2008, 2:58 pm

Hi :)

P.S. The Autoplay function when I insert a DVD doesn't work either, although in tweaks it is turned on normally.

Remind me when your computer is clean, and we'll enable it again.

Another P.S. My gf's sister is using our router through wifi; can I get infected from her laptop too?

Yes. You'd be better off to disconnect this PC from the internet as much as possible.

Yet another P.S. I see a lot of people on this forum have some security updates for Windows. Should I install them? If yes, please show me how :|

http://v4.windowsupdate.microsoft.com/nl/default.asp

Please wait with updating until your computer is clean. Let's continue...

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

http://malwareremoval.com/forum/viewtopic.php?f=11&t=28120&p=269365#p269365

Suspect::[1]

C:\WINDOWS\3D Realistic Fireplace 3.scr
C:\WINDOWS\dx7ogl32.dll
C:\WINDOWS\diagwrn.xml
C:\WINDOWS\diagerr.xml
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\disneysy.ini
C:\WINDOWS\disney.ini
C:\WINDOWS\Res2_uninst.exe
C:\WINDOWS\system32\drivers\tcpip.sys

File::

C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\Help\SETUP.EXE
C:\WINDOWS\system32\tmp2_391779322402.bk
C:\WINDOWS\system32\tmp3_206889346973.bk
C:\WINDOWS\system32\tmp4_147694747792.bk
C:\WINDOWS\system32\tmp1_238729110624.bk
C:\WINDOWS\system32\tmp3_12624285292.bk
C:\WINDOWS\system32\tmp0_377718344486.bk
C:\WINDOWS\system32\tmp2_538623607110.bk
C:\WINDOWS\system32\tmp1_732898353811.bk
C:\WINDOWS\system32\tmp0_887540299780.bk
C:\WINDOWS\system32\tmp0_518482845118.bk
C:\WINDOWS\system32\Winlogon.bak.bak
D:\Downloads\Limewire PRO 4.17.0.zip
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE
C:\WINDOWS\system32\WINCTL4.OCX
C:\WINDOWS\system32\WINUTIL5.DLL
C:\WINDOWS\system32\WINLCTL5.DLL
C:\NV39763980.TMP
C:\NV26722676.TMP
C:\NV30243728.TMP
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\Msip32.dll
C:\WINDOWS\system32\FaxMessage.dll
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\system32\TUKernel.exe

Folder::

D:\Program Files\Kazaa

DirLook::

C:\Documents and Settings\Veronika\Application Data\TransRender
C:\Documents and Settings\Veronika\Application Data\Temporary
C:\Documents and Settings\Veronika\Application Data\ConvertTemp


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

[Image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
When your computer has restarted, a webpage will pop up. Please follow the instructions and upload the file asked for.

It will create a log. Post its contents back here.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
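A CFScript like the one above asks ComboFix to delete specific paths (File::, Folder::), and the log it produces reports under "Other Deletions" what was actually removed. Checking one against the other is how a helper confirms the run did what was requested instead of assuming it did. The Python below is an example added here, not from the thread or from ComboFix. It parses the "Name::" sections of a CFScript and the "(((( Title ))))" banners of a ComboFix log, then reports each requested path as confirmed or unconfirmed; the sample script and log are constructed excerpts modelled on this thread, and the thread URL in the sample is a placeholder.

```python
"""Reconcile a ComboFix CFScript with the log ComboFix produced.

Added example (not from the thread, not ComboFix's own code).
- CFScript: a 'Name::' line (optionally 'Name::[n]') opens a section;
  following non-blank lines are its paths.
- Log: a line of the form '((((... Title ...))))' opens a section; lines
  below it (except blanks and lone '.') belong to it.
Path comparison is case-insensitive because Windows paths are.
"""
from __future__ import annotations

import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::(\[\d+\])?\s*$")
LOG_BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Return {directive: [paths]} for every 'Name::' section of a CFScript."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:          # lines before the first section are ignored
            sections[current].append(line)
    return sections


def parse_log_sections(text: str) -> dict[str, list[str]]:
    """Return {banner title: [lines]} for the banner-delimited blocks of a ComboFix log."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def _norm(path: str) -> str:
    return path.strip().lower().rstrip("\\")


def reconcile(cfscript: str, log: str) -> dict[str, list[str]]:
    """Classify each File::/Folder:: request as confirmed or unconfirmed by the log."""
    requested = parse_cfscript(cfscript)
    deleted = {_norm(p) for p in parse_log_sections(log).get("Other Deletions", [])}
    confirmed: list[str] = []
    unconfirmed: list[str] = []
    for path in requested.get("File", []):
        (confirmed if _norm(path) in deleted else unconfirmed).append(path)
    for folder in requested.get("Folder", []):
        prefix = _norm(folder)
        # A folder counts as removed if the log names it or anything beneath it.
        hit = any(d == prefix or d.startswith(prefix + "\\") for d in deleted)
        (confirmed if hit else unconfirmed).append(folder)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


# Constructed excerpt of a CFScript; the URL is a placeholder, not the real thread link.
SAMPLE_CFSCRIPT = r"""
http://example.invalid/thread-link

File::

C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\Help\SETUP.EXE
C:\NV39763980.TMP
C:\WINDOWS\system32\TUKernel.exe

Folder::

D:\Program Files\Kazaa
"""

# Constructed excerpt of a ComboFix log in the same layout as the one in this thread.
SAMPLE_LOG = r"""
ComboFix 08-02-25.3 - Veronika 2008-02-26 20:10:25.7 - NTFSx86
Command switches used :: C:\Documents and Settings\Veronika\Desktop\CFScript.txt

FILE ::
C:\NV39763980.TMP
C:\WINDOWS\Config\csrss.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\Help\SETUP.EXE
C:\WINDOWS\system32\TUKernel.exe
D:\Program Files\Kazaa
D:\Program Files\Kazaa\kazaa.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-20 12:18 . 2008-02-20 12:18 <DIR> d-------- C:\NV39763980.TMP
"""

if __name__ == "__main__":
    for status, paths in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(status, *paths, sep="\n  ")
```

In the sample, C:\NV39763980.TMP comes back unconfirmed: the log echoes it under FILE :: but never lists it under Other Deletions, and the Files Created section shows why (it is a <DIR>, not a file). The real log posted later in this thread shows the same pattern for all three C:\NV*.TMP entries, which is exactly the kind of leftover this check is meant to surface so the helper can follow up with a Folder:: directive.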

Re: Hell opened its gates!

Unread postby simeseko » February 26th, 2008, 3:28 pm

Thanks, man.
I did everything and uploaded the file, and they just told me to inform you they've got it.
Here is the new Combo log:

ComboFix 08-02-25.3 - Veronika 2008-02-26 20:10:25.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.95 [GMT 1:00]
Running from: C:\Documents and Settings\Veronika\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Veronika\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\NV26722676.TMP
C:\NV30243728.TMP
C:\NV39763980.TMP
C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\Help\SETUP.EXE
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\FaxMessage.dll
C:\WINDOWS\system32\Msip32.dll
C:\WINDOWS\system32\tmp0_377718344486.bk
C:\WINDOWS\system32\tmp0_518482845118.bk
C:\WINDOWS\system32\tmp0_887540299780.bk
C:\WINDOWS\system32\tmp1_238729110624.bk
C:\WINDOWS\system32\tmp1_732898353811.bk
C:\WINDOWS\system32\tmp2_391779322402.bk
C:\WINDOWS\system32\tmp2_538623607110.bk
C:\WINDOWS\system32\tmp3_12624285292.bk
C:\WINDOWS\system32\tmp3_206889346973.bk
C:\WINDOWS\system32\tmp4_147694747792.bk
C:\WINDOWS\system32\TUKernel.exe
C:\WINDOWS\system32\WINCTL4.OCX
C:\WINDOWS\system32\WINLCTL5.DLL
C:\WINDOWS\system32\Winlogon.bak.bak
C:\WINDOWS\system32\WINUTIL5.DLL
D:\Downloads\Limewire PRO 4.17.0.zip
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\Help\SETUP.EXE
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\FaxMessage.dll
C:\WINDOWS\system32\Msip32.dll
C:\WINDOWS\system32\tmp0_377718344486.bk
C:\WINDOWS\system32\tmp0_518482845118.bk
C:\WINDOWS\system32\tmp0_887540299780.bk
C:\WINDOWS\system32\tmp1_238729110624.bk
C:\WINDOWS\system32\tmp1_732898353811.bk
C:\WINDOWS\system32\tmp2_391779322402.bk
C:\WINDOWS\system32\tmp2_538623607110.bk
C:\WINDOWS\system32\tmp3_12624285292.bk
C:\WINDOWS\system32\tmp3_206889346973.bk
C:\WINDOWS\system32\tmp4_147694747792.bk
C:\WINDOWS\system32\TUKernel.exe
C:\WINDOWS\system32\WINCTL4.OCX
C:\WINDOWS\system32\WINLCTL5.DLL
C:\WINDOWS\system32\Winlogon.bak.bak
C:\WINDOWS\system32\WINUTIL5.DLL
D:\Downloads\Limewire PRO 4.17.0.zip
D:\Program Files\Kazaa
D:\Program Files\Kazaa\ammp3.dll
D:\Program Files\Kazaa\bdupd.dll
D:\Program Files\Kazaa\BGP2P\bdcore.dll
D:\Program Files\Kazaa\BGP2P\bdupd.dll
D:\Program Files\Kazaa\BGP2P\libfn.dll
D:\Program Files\Kazaa\BGP2P\plugins.htm
D:\Program Files\Kazaa\BGP2P\plugins\7zip.xmd
D:\Program Files\Kazaa\BGP2P\plugins\ace.xmd
D:\Program Files\Kazaa\BGP2P\plugins\adsntfs.xmd
D:\Program Files\Kazaa\BGP2P\plugins\alz.xmd
D:\Program Files\Kazaa\BGP2P\plugins\arc.xmd
D:\Program Files\Kazaa\BGP2P\plugins\arj.xmd
D:\Program Files\Kazaa\BGP2P\plugins\bach.xmd
D:\Program Files\Kazaa\BGP2P\plugins\boot.xmd
D:\Program Files\Kazaa\BGP2P\plugins\bzip2.xmd
D:\Program Files\Kazaa\BGP2P\plugins\cab.xmd
D:\Program Files\Kazaa\BGP2P\plugins\ceva_dll.cvd
D:\Program Files\Kazaa\BGP2P\plugins\ceva_emu.cvd
D:\Program Files\Kazaa\BGP2P\plugins\ceva_vfs.cvd
D:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.cvd
D:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.ivd
D:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.rvd
D:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.xmd
D:\Program Files\Kazaa\BGP2P\plugins\cpio.xmd
D:\Program Files\Kazaa\BGP2P\plugins\cran.cvd
D:\Program Files\Kazaa\BGP2P\plugins\cran.ivd
D:\Program Files\Kazaa\BGP2P\plugins\cran.xmd
D:\Program Files\Kazaa\BGP2P\plugins\dbx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\docfile.xmd
D:\Program Files\Kazaa\BGP2P\plugins\e_spyw.ivd
D:\Program Files\Kazaa\BGP2P\plugins\emalware.cvd
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i01
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i02
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i03
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i04
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i05
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i06
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i07
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i08
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i09
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i10
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i11
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i12
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i13
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i14
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i15
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i16
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i17
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i18
D:\Program Files\Kazaa\BGP2P\plugins\emalware.i19
D:\Program Files\Kazaa\BGP2P\plugins\emalware.ivd
D:\Program Files\Kazaa\BGP2P\plugins\emalware.xmd
D:\Program Files\Kazaa\BGP2P\plugins\epoc.xmd
D:\Program Files\Kazaa\BGP2P\plugins\gzip.xmd
D:\Program Files\Kazaa\BGP2P\plugins\ha.xmd
D:\Program Files\Kazaa\BGP2P\plugins\hlp.xmd
D:\Program Files\Kazaa\BGP2P\plugins\hpe.cvd
D:\Program Files\Kazaa\BGP2P\plugins\hpe.xmd
D:\Program Files\Kazaa\BGP2P\plugins\hqx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\html.xmd
D:\Program Files\Kazaa\BGP2P\plugins\chm.xmd
D:\Program Files\Kazaa\BGP2P\plugins\imp.xmd
D:\Program Files\Kazaa\BGP2P\plugins\inno.xmd
D:\Program Files\Kazaa\BGP2P\plugins\instyler.xmd
D:\Program Files\Kazaa\BGP2P\plugins\iso.xmd
D:\Program Files\Kazaa\BGP2P\plugins\java.cvd
D:\Program Files\Kazaa\BGP2P\plugins\java.xmd
D:\Program Files\Kazaa\BGP2P\plugins\jpeg.xmd
D:\Program Files\Kazaa\BGP2P\plugins\lha.xmd
D:\Program Files\Kazaa\BGP2P\plugins\lnk.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mbox.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mbx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mdx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mdx_97.cvd
D:\Program Files\Kazaa\BGP2P\plugins\mdx_97.ivd
D:\Program Files\Kazaa\BGP2P\plugins\mdx_w95.cvd
D:\Program Files\Kazaa\BGP2P\plugins\mdx_x95.cvd
D:\Program Files\Kazaa\BGP2P\plugins\mdx_xf.cvd
D:\Program Files\Kazaa\BGP2P\plugins\mime.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mobmalware.cvd
D:\Program Files\Kazaa\BGP2P\plugins\mobmalware.xmd
D:\Program Files\Kazaa\BGP2P\plugins\mso.xmd
D:\Program Files\Kazaa\BGP2P\plugins\na.cvd
D:\Program Files\Kazaa\BGP2P\plugins\na.xmd
D:\Program Files\Kazaa\BGP2P\plugins\nelf.cvd
D:\Program Files\Kazaa\BGP2P\plugins\nelf.xmd
D:\Program Files\Kazaa\BGP2P\plugins\nsis.xmd
D:\Program Files\Kazaa\BGP2P\plugins\objd.xmd
D:\Program Files\Kazaa\BGP2P\plugins\pdf.xmd
D:\Program Files\Kazaa\BGP2P\plugins\pst.xmd
D:\Program Files\Kazaa\BGP2P\plugins\rar.xmd
D:\Program Files\Kazaa\BGP2P\plugins\regscan.cvd
D:\Program Files\Kazaa\BGP2P\plugins\rpm.xmd
D:\Program Files\Kazaa\BGP2P\plugins\rtf.xmd
D:\Program Files\Kazaa\BGP2P\plugins\rup.cvd
D:\Program Files\Kazaa\BGP2P\plugins\rup.xmd
D:\Program Files\Kazaa\BGP2P\plugins\sdx.cvd
D:\Program Files\Kazaa\BGP2P\plugins\sdx.ivd
D:\Program Files\Kazaa\BGP2P\plugins\sdx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\sfx.xmd
D:\Program Files\Kazaa\BGP2P\plugins\swf.xmd
D:\Program Files\Kazaa\BGP2P\plugins\tar.xmd
D:\Program Files\Kazaa\BGP2P\plugins\td0.xmd
D:\Program Files\Kazaa\BGP2P\plugins\thebat.xmd
D:\Program Files\Kazaa\BGP2P\plugins\tnef.xmd
D:\Program Files\Kazaa\BGP2P\plugins\unpack.cvd
D:\Program Files\Kazaa\BGP2P\plugins\unpack.ivd
D:\Program Files\Kazaa\BGP2P\plugins\unpack.xmd
D:\Program Files\Kazaa\BGP2P\plugins\update.txt
D:\Program Files\Kazaa\BGP2P\plugins\uudecode.xmd
D:\Program Files\Kazaa\BGP2P\plugins\ve.cvd
D:\Program Files\Kazaa\BGP2P\plugins\ve.ivd
D:\Program Files\Kazaa\BGP2P\plugins\ve.xmd
D:\Program Files\Kazaa\BGP2P\plugins\vedata.cvd
D:\Program Files\Kazaa\BGP2P\plugins\viza.xmd
D:\Program Files\Kazaa\BGP2P\plugins\wise.xmd
D:\Program Files\Kazaa\BGP2P\plugins\xishield.xmd
D:\Program Files\Kazaa\BGP2P\plugins\z.xmd
D:\Program Files\Kazaa\BGP2P\plugins\zip.xmd
D:\Program Files\Kazaa\BGP2P\plugins\zoo.xmd
D:\Program Files\Kazaa\BGP2P\versions.dat
D:\Program Files\Kazaa\CKGFRs.dll
D:\Program Files\Kazaa\Db\config.cab
D:\Program Files\Kazaa\Db\d01.cab
D:\Program Files\Kazaa\Db\d02.cab
D:\Program Files\Kazaa\Db\data1024.dbb
D:\Program Files\Kazaa\Db\data256.dbb
D:\Program Files\Kazaa\Db\k7tqkgkk_tssv125.dat
D:\Program Files\Kazaa\Db\np.tmp
D:\Program Files\Kazaa\Help\arrow.gif
D:\Program Files\Kazaa\Help\arrow_sml.gif
D:\Program Files\Kazaa\Help\background.gif
D:\Program Files\Kazaa\Help\h_mykazaa.gif
D:\Program Files\Kazaa\Help\h_myMedia.gif
D:\Program Files\Kazaa\Help\h_myplaylists.gif
D:\Program Files\Kazaa\Help\icon_gold_kap.gif
D:\Program Files\Kazaa\Help\myKapsules.gif
D:\Program Files\Kazaa\Help\mykapsules.htm
D:\Program Files\Kazaa\Help\mykazaa.css
D:\Program Files\Kazaa\Help\mykazaa.htm
D:\Program Files\Kazaa\Help\mymedia.htm
D:\Program Files\Kazaa\Help\myplaylists.htm
D:\Program Files\Kazaa\Help\spacer.gif
D:\Program Files\Kazaa\kazaa.exe
D:\Program Files\Kazaa\Kazaa.url
D:\Program Files\Kazaa\kzscan.dll
D:\Program Files\Kazaa\libcurl.dll
D:\Program Files\Kazaa\libeay32.dll
D:\Program Files\Kazaa\libssl32.dll
D:\Program Files\Kazaa\My Channels\Bin\crazyplaygames.kcd
D:\Program Files\Kazaa\My Channels\Bin\dating.kcd
D:\Program Files\Kazaa\My Channels\Bin\emerging_artists.kcd
D:\Program Files\Kazaa\My Channels\Bin\g_spot.kcd
D:\Program Files\Kazaa\My Channels\Bin\onelove_browse.kcd
D:\Program Files\Kazaa\My Channels\Bin\ringtonechannel.kcd
D:\Program Files\Kazaa\My Channels\Bin\rshiphop.kcd
D:\Program Files\Kazaa\My Channels\Bin\skilledgames.kcd
D:\Program Files\Kazaa\My Channels\Images\crazyplaygames.bmp
D:\Program Files\Kazaa\My Channels\Images\dating.bmp
D:\Program Files\Kazaa\My Channels\Images\emerging_artists.bmp
D:\Program Files\Kazaa\My Channels\Images\g_spot.bmp
D:\Program Files\Kazaa\My Channels\Images\onelove_browse.bmp
D:\Program Files\Kazaa\My Channels\Images\ringtonechannel.bmp
D:\Program Files\Kazaa\My Channels\Images\rshiphop_browse.bmp
D:\Program Files\Kazaa\My Channels\Images\skilledgames.bmp
D:\Program Files\Kazaa\My Shared Folder\Audio - Alternative Rock.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Barrington Levy.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Electronica.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Fine Arts Militia Album.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Folk.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Funk.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Hip Hop.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Jazz.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Pop Rock.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Public Enemy Revolverlution Album.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - R&B.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - Reggae.kpl
D:\Program Files\Kazaa\My Shared Folder\Audio - The Honey Palace Album.kpl
D:\Program Files\Kazaa\myshare.ico
D:\Program Files\Kazaa\Skins\Black Glass\License.txt
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_mykazaa.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_mykazaa_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_mykazaa_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_mykazaa_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_peer.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_peer_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_peer_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_peer_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_search.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_search_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_search_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_search_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_shop.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_shop_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_shop_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_shop_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_start.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_start_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_start_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_start_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_tell.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_tell_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_tell_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_tell_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_theatre.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_theatre_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_theatre_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_theatre_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_traffic.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_traffic_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_traffic_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mainbar_traffic_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_addtoplay.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_addtoplay_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_addtoplay_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_addtoplay_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_next.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_next_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_next_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_next_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_pause.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_pause_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_pause_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_pause_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_play.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_play_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_play_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_play_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_prev.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_prev_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_prev_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_prev_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_slider.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_sliderThumb.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_sliderThumb_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_stop.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_stop_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_stop_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_stop_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_volume.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_volume_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_volume_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mediabar_volume_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_delete.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_delete_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_delete_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_delete_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_folders.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_folders_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_folders_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_folders_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_moreinfo.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_moreinfo_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_moreinfo_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_moreinfo_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_share.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_share_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_share_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\mykazaabar_share_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_closetabs.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_closetabs_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_closetabs_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_closetabs_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_download.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_download_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_download_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_download_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_messageuser.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_messageuser_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_messageuser_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_messageuser_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_newsearch.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_newsearch_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_newsearch_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_newsearch_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_searchuser.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_searchuser_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_searchuser_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_searchuser_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_showsearch.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_showsearch_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_showsearch_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\searchbar_showsearch_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\skin.xml
D:\Program Files\Kazaa\Skins\Black Glass\startbar_back.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_back_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_back_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_back_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_fwd.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_fwd_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_fwd_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_fwd_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_home.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_home_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_home_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_home_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_refresh.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_refresh_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_refresh_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_refresh_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_stop.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_stop_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_stop_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\startbar_stop_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\theatrebar_fullscreen.bmp
D:\Program Files\Kazaa\Skins\Black Glass\theatrebar_fullscreen_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\theatrebar_fullscreen_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\theatrebar_fullscreen_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_cancel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_cancel_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_cancel_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_cancel_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_pause.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_pause_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_pause_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_pause_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_resume.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_resume_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_resume_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\trafficbar_resume_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_btm.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_btmLeft.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_btmright.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_left.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_right.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_top.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_topleft.bmp
D:\Program Files\Kazaa\Skins\Black Glass\window_topright.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_close.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_close_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_close_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_close_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_maximise.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_maximise_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_maximise_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_maximise_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_minimise.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_minimise_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_minimise_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_minimise_sel.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_restore.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_restore_dis.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_restore_over.bmp
D:\Program Files\Kazaa\Skins\Black Glass\windowbar_restore_sel.bmp
D:\Program Files\Kazaa\ssleay32.dll
D:\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 09:19 . 2008-02-26 09:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 09:19 . 2008-02-26 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 09:06 . 2008-02-26 09:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-26 09:06 . 2008-02-26 09:06 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Malwarebytes
2008-02-26 09:06 . 2008-02-26 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-25 21:19 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 16:45 . 2008-02-25 16:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 16:45 . 2008-02-25 16:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\TransRender
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Temporary
2008-02-25 16:35 . 2008-02-25 16:35 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\ConvertTemp
2008-02-25 16:13 . 2007-11-27 14:22 2,521,600 --a------ C:\WINDOWS\3D Realistic Fireplace 3.scr
2008-02-25 16:13 . 2007-05-24 14:41 118,784 --a------ C:\WINDOWS\dx7ogl32.dll
2008-02-25 14:32 . 2008-02-25 14:36 <DIR> d-------- C:\ComboFix(2)
2008-02-25 13:24 . 2008-02-26 20:17 1,665,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-25 13:24 . 2008-02-26 16:07 20,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-25 13:23 . 2008-02-25 13:23 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-25 13:22 . 2008-02-25 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-02-25 13:09 . 2008-02-25 13:09 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-02-25 12:29 . 2008-02-25 18:22 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-25 12:28 . 2008-02-25 12:28 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-25 11:25 . 2008-02-26 20:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-24 11:33 . 2008-02-24 11:44 <DIR> d-------- C:\Program Files\MagicISO
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagwrn.xml
2008-02-24 09:52 . 2008-02-24 10:31 1,905 --a------ C:\WINDOWS\diagerr.xml
2008-02-22 13:58 . 2008-02-22 13:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-22 13:42 . 2008-02-22 13:42 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-22 13:39 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-22 13:38 . 2008-02-22 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-22 08:56 . 2008-02-22 08:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 12:10 . 2008-02-25 08:42 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-20 12:18 . 2008-02-20 12:18 <DIR> d-------- C:\NV39763980.TMP
2008-02-20 12:17 . 2008-02-20 12:17 <DIR> d-------- C:\NV26722676.TMP
2008-02-20 12:11 . 2008-02-20 12:11 <DIR> d-------- C:\NV30243728.TMP
2008-02-20 10:48 . 2008-02-20 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-20 09:48 . 2008-02-20 09:48 359,040 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-20 09:48 . 2008-02-22 15:49 359,040 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-19 18:07 . 2008-02-19 18:07 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-02-19 14:29 . 2008-02-19 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 12:39 . 2008-02-18 12:39 <DIR> d-------- C:\Documents and Settings\Veronika\.DownloadManager
2008-02-18 12:37 . 2008-02-18 12:37 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 09:28 . 2008-02-18 09:28 <DIR> d-------- C:\Program Files\uTorrent
2008-02-18 08:37 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 08:30 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-02-17 13:45 . 2008-02-17 13:45 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-17 13:29 . 2008-02-17 13:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-02-16 18:05 . 2008-02-16 18:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\MSN6
2008-02-16 11:25 . 2008-02-26 00:25 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\uTorrent
2008-02-15 11:30 . 2008-02-15 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-02-15 11:16 . 2008-02-15 11:19 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Super-Cow
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-02-15 10:34 . 2008-02-15 10:34 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-02-15 09:33 . 2008-02-15 09:33 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-15 09:33 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 14:10 . 2008-02-10 14:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Auslogics
2008-02-05 12:57 . 2008-02-05 12:57 <DIR> d-------- C:\Program Files\Crawler
2008-02-05 11:52 . 2008-02-13 19:16 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-05 11:52 . 2008-02-05 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-03 17:40 . 2008-02-03 17:40 <DIR> d-------- C:\Program Files\Ligos
2008-02-03 17:36 . 2008-02-04 16:06 196 --a------ C:\WINDOWS\disneysy.ini
2008-02-03 17:36 . 2008-02-05 11:56 173 --a------ C:\WINDOWS\disney.ini
2008-02-02 11:17 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-01 11:24 . 2008-02-20 09:20 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\LimeWire
2008-02-01 11:22 . 2008-02-25 21:20 <DIR> d-------- C:\Program Files\Java
2008-02-01 11:21 . 2008-02-01 11:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 16:32 . 2008-02-01 12:36 <DIR> d-------- C:\Resident Evil 2
2008-01-31 16:29 . 1999-01-21 23:40 180,224 --------- C:\WINDOWS\Res2_uninst.exe
2008-01-30 14:52 . 2008-01-30 14:52 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\SpinTop
2008-01-30 12:04 . 2008-01-30 12:04 <DIR> d-------- C:\ATI
2008-01-29 13:54 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-01-29 13:54 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-01-29 13:54 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-01-29 13:54 . 2008-02-19 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-01-29 13:54 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-29 13:54 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\SysTray.ocx
2008-01-29 10:13 . 2008-01-29 10:13 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-01-29 10:12 . 2007-03-04 13:55 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2008-01-29 10:12 . 2007-03-04 13:55 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-01-29 10:06 . 2008-01-29 10:10 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\GetRightToGo
2008-01-29 10:05 . 2008-01-29 10:05 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-01-28 12:14 . 2007-01-29 13:56 451,072 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-01-28 12:13 . 2006-08-24 13:44 477,696 --a------ C:\WINDOWS\system32\drivers\ZD1211BU.sys
2008-01-28 12:13 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-01-28 12:13 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-01-28 12:13 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys
2008-01-28 12:13 . 2004-03-23 16:38 28,672 --a------ C:\WINDOWS\system32\InsDrvZD.dll
2008-01-28 12:13 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
2008-01-28 12:13 . 2005-06-08 18:44 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-01-28 12:13 . 2004-10-25 13:40 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-01-28 12:13 . 2004-01-14 11:30 17,151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS
2008-01-28 12:13 . 2005-07-12 14:44 15,872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL
2008-01-27 20:50 . 2008-02-25 12:56 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\DNA
2008-01-27 18:04 . 2008-01-27 18:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-27 18:00 . 2008-02-25 12:16 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-27 18:00 . 2008-02-26 11:01 <DIR> d-------- C:\Documents and Settings\Veronika\Application Data\Spyware Terminator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 18:03 831,248 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-26 15:06 71,168 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-26 15:06 1,400,832 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-24 20:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 13:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 14:49 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-22 11:39 --------- d-----w C:\Program Files\CyberLink
2008-02-22 11:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-20 11:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-19 14:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-15 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-15 08:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-02-14 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-08 16:58 --------- d-----w C:\Program Files\Google
2008-01-24 09:42 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nokia Multimedia Player
2008-01-18 12:26 --------- d-----w C:\Program Files\winLAME
2008-01-12 15:13 --------- d-----w C:\Documents and Settings\Veronika\Application Data\The Longest Journey Demo
2008-01-10 19:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\iWin
2008-01-09 15:48 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Movie Label
2008-01-09 10:40 --------- d-----w C:\Documents and Settings\Veronika\Application Data\SecondLife
2008-01-09 10:39 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Nero
2008-01-09 10:30 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Apple Computer
2008-01-08 12:57 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-01-08 12:06 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{6FAAE54C-8147-4998-934C-6744E67FD415}
2008-01-08 11:18 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Lavasoft
2008-01-04 10:40 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-03 13:56 --------- d-----w C:\Documents and Settings\Veronika\Application Data\Secretmaker
2007-12-10 15:40 43,698 ----a-w C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 13:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-12-03 11:36 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-03 11:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Veronika\Application Data\ConvertTemp ----


---- Directory of C:\Documents and Settings\Veronika\Application Data\Temporary ----


---- Directory of C:\Documents and Settings\Veronika\Application Data\TransRender ----



------- Sigcheck -------

27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\tcpip.sys
-c----w 332,928 2002-08-29 01:58:12 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
----a-w 359,040 2004-08-03 22:14:42 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
-c--a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2008-02-22 14:49:04 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-25 13:23 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-25 13:23 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-04 17:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-27 17:23 847872]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-27 18:02 2834432]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\Activision\\SHReK the THiRD Demo\\SHReK the THiRD.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-27 18:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys []
S3 athrusb;802.11g Wireless USB2.0 Adapter driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2007-01-29 13:56]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-15 09:33]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 13:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0f3d511-e2b5-11dc-ac45-00142a942c31}]
\Shell\AutoRun\command - H:\USBNB.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 16:40:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 20:17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-26 20:18:32
ComboFix-quarantined-files.txt 2008-02-26 19:18:27
ComboFix2.txt 2008-02-26 07:54:20
ComboFix3.txt 2008-02-25 20:37:28
ComboFix4.txt 2008-02-25 14:19:19

Why did Nod32 fail to inform me of anything, not even about stupid clickers and downloaders?
simeseko
Regular Member
 
Posts: 15
Joined: February 13th, 2008, 1:25 pm