notime2either
new user
Reg'd: Thu
Posts: 8
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:51, on 13/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8912 bytes
Hi bricat (I hope). Feeling ridiculously pleased with meself for having managed to follow the instructions this far. The first scan of our new computer with Spyware Terminator revealed that we had GoldenKeylogger hidden away in System32\KBDSF.LL and neither Terminator, nor anything else I could find to throw at it, would drive it out. I note this is a legal program that can be bought by parents or employers to keep an eye on what kids or employees are up to. Could our computer have arrived with this pre-installed? Should I be worried about it being there? Either way, I don't want it and would like help to get rid of it please. PS, couldn't see it in the file above, gave me crossed eyes just looking at it. Regards, joe
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28258
Loc: belfast
Nothing showing there.
Try this -
Please download ComboFix from either of these two locations
- BleepingComputer ComboFix
- Geeks to Go ComboFix
And save it to your DESKTOP.
* Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post back with the log from ComboFix and a new HJT log please.
-------------------- MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
notime2either
new user
Reg'd: Thu
Posts: 8
After 3rd attempt, hope I got this right. Anything here? But as it says 0 hidden files at the end of ComboFix, guess not.
ComboFix 08-04-14.2 - Window on the world 2008-04-15 12:10:24.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1915 [GMT 1:00]
Running from: C:\Users\Window on the world\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.
2008-04-14 19:48 . 2008-04-14 19:48 <DIR> d-------- C:\Program Files\Bonjour
2008-04-14 19:47 . 2008-04-14 19:47 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-14 19:47 . 2008-04-14 19:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 19:47 . 2008-04-14 19:47 <DIR> d-------- C:\PROGRA~2\Apple Computer
2008-04-14 19:46 . 2008-04-14 19:46 <DIR> d-------- C:\Users\Window on the world\{42fb2db0-4436-484a-b634-6aa61d9629c7}
2008-04-14 19:46 . 2008-04-14 19:46 <DIR> d-------- C:\Users\All Users\Apple
2008-04-14 19:46 . 2008-04-14 19:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-14 19:46 . 2008-04-14 19:46 <DIR> d-------- C:\PROGRA~2\Apple
2008-04-14 19:35 . 2008-04-14 19:58 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\LimeWire
2008-04-14 19:34 . 2008-04-14 19:35 <DIR> d-------- C:\Program Files\LimeWire
2008-04-13 19:44 . 2008-04-13 19:44 <DIR> d-------- C:\epson
2008-04-13 18:08 . 2008-04-13 18:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-12 17:37 . 2008-04-12 17:39 <DIR> d-------- C:\Netgear
2008-04-11 19:14 . 2008-04-11 19:14 307 --a------ C:\Windows\game.ini
2008-04-11 18:55 . 2008-04-11 18:55 <DIR> d-------- C:\Program Files\Activision
2008-04-11 18:23 . 2008-04-11 18:23 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-11 18:23 . 2008-04-11 18:23 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-11 18:23 . 2008-04-11 18:23 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-11 18:23 . 2008-04-11 18:23 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-11 18:23 . 2008-04-11 18:23 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-11 18:23 . 2008-04-11 18:23 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-11 18:23 . 2008-04-11 18:23 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-11 18:23 . 2008-04-11 18:23 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-11 18:23 . 2008-04-11 18:23 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-11 18:23 . 2008-04-11 18:23 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-11 18:22 . 2008-04-11 18:22 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-11 18:20 . 2008-04-11 18:20 84,480 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-11 18:20 . 2008-04-11 18:20 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-11 17:57 . 2008-04-11 17:57 99,840 --a------ C:\Windows\System32\poqexec.exe
2008-04-06 14:41 . 2008-04-06 14:41 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-04-06 14:41 . 2008-04-06 14:41 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-04-06 14:39 . 2008-04-06 14:39 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-04-06 14:39 . 2008-04-06 14:39 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-04-06 14:39 . 2008-04-06 14:39 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-04-06 14:39 . 2008-04-06 14:39 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-04-06 14:39 . 2008-04-06 14:39 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-04-06 14:39 . 2008-04-06 14:39 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-04-06 14:39 . 2008-04-06 14:39 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-04-06 14:39 . 2008-04-06 14:39 2,048 --a------ C:\Windows\System32\asferror.dll
2008-04-06 14:37 . 2008-04-06 14:37 3,505,848 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-04-06 14:37 . 2008-04-06 14:37 3,472,056 --a------ C:\Windows\System32\ntoskrnl.exe
2008-04-06 14:37 . 2008-04-06 14:37 2,048 --a------ C:\Windows\System32\tzres.dll
2008-04-06 14:28 . 2008-04-06 14:28 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-04-06 14:28 . 2008-04-06 14:28 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-04-06 14:28 . 2008-04-06 14:28 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-04-06 14:28 . 2008-04-06 14:28 43,352 --a------ C:\Windows\System32\wups2.dll
2008-04-06 14:27 . 2008-04-06 14:27 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\Template
2008-04-06 14:27 . 2008-04-06 14:27 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-04-06 14:27 . 2008-04-06 14:27 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-04-06 14:27 . 2008-04-06 14:27 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-04-06 14:27 . 2008-04-06 14:27 33,624 --a------ C:\Windows\System32\wups.dll
2008-04-06 14:27 . 2008-04-06 14:27 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-04-06 14:27 . 2008-04-06 20:33 126 --a------ C:\Users\Window on the world\AppData\Roaming\wklnhst.dat
2008-04-04 12:56 . 2008-04-04 12:56 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\InstallShield
2008-04-04 10:01 . 2007-11-26 10:38 238,848 --a------ C:\Windows\UNBOC.EXE
2008-04-04 10:01 . 2007-05-08 17:01 208,896 --a------ C:\Windows\CMDLIC.DLL
2008-04-04 10:01 . 2006-11-02 10:46 14,848 --a------ C:\Windows\System32\wsock32.dlb
2008-04-04 10:00 . 2008-04-05 20:34 <DIR> d-------- C:\Program Files\Comodo
2008-04-03 10:30 . 2008-04-03 10:30 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\True Sword
2008-04-02 23:37 . 2008-04-02 23:37 0 --a------ C:\Windows\System32\SBRC.dat
2008-04-02 23:37 . 2008-04-02 23:37 0 --a------ C:\Windows\System32\SBFC.dat
2008-04-02 22:58 . 2008-04-02 22:58 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\Sunbelt Software
2008-04-02 22:29 . 2008-04-15 12:01 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\SiteAdvisor
2008-04-02 22:29 . 2008-04-02 22:29 <DIR> d-------- C:\Users\All Users\SiteAdvisor
2008-04-02 22:29 . 2008-04-02 22:29 <DIR> d-------- C:\Users\All Users\McAfee
2008-04-02 22:29 . 2008-04-02 22:29 <DIR> d-------- C:\PROGRA~2\SiteAdvisor
2008-04-02 22:29 . 2008-04-02 22:29 <DIR> d-------- C:\PROGRA~2\McAfee
2008-04-02 13:51 . 2008-04-03 00:53 <DIR> d-a------ C:\Users\All Users\TEMP
2008-04-02 13:51 . 2008-04-02 13:51 <DIR> d-------- C:\Users\All Users\Google
2008-04-02 13:51 . 2008-04-02 13:51 <DIR> d-------- C:\Program Files\Google
2008-04-02 13:51 . 2008-04-03 00:53 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-04-02 12:36 . 2008-04-02 12:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-02 12:17 . 2008-04-02 12:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 12:16 . 2008-04-02 12:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 18:42 . 2008-04-01 18:42 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-01 18:40 . 2008-04-01 18:40 <DIR> d-------- C:\Windows\PCHEALTH
2008-04-01 18:37 . 2008-04-01 18:37 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-04-01 18:37 . 2008-04-01 18:40 <DIR> d-------- C:\Program Files\Windows Live
2008-04-01 18:37 . 2008-04-01 18:40 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-01 18:37 . 2008-04-01 18:37 <DIR> d-------- C:\PROGRA~2\WLInstaller
2008-04-01 13:16 . 2008-04-01 13:16 <DIR> d-------- C:\Program Files\Crawler
2008-04-01 13:15 . 2008-04-15 11:56 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\Spyware Terminator
2008-04-01 13:15 . 2008-04-15 11:58 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-04-01 13:15 . 2008-04-15 11:58 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-01 13:15 . 2008-04-15 11:58 <DIR> d-------- C:\PROGRA~2\Spyware Terminator
2008-04-01 13:15 . 2008-04-01 13:15 138,752 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-04-01 13:08 . 2008-04-02 12:17 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-01 13:08 . 2008-04-02 12:17 <DIR> d-------- C:\PROGRA~2\Lavasoft
2008-04-01 12:26 . 2008-04-01 12:29 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-01 12:26 . 2008-04-01 12:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-01 12:26 . 2008-04-01 12:29 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2008-04-01 11:31 . 2008-04-15 11:56 <DIR> d-------- C:\Users\Window on the world\AppData\Roaming\AVG7
2008-04-01 11:30 . 2008-04-01 11:30 <DIR> d-------- C:\Users\All Users\Grisoft
2008-04-01 11:30 . 2008-04-01 11:33 <DIR> d-------- C:\Users\All Users\avg7
2008-04-01 11:30 . 2008-04-01 11:30 <DIR> d-------- C:\PROGRA~2\Grisoft
2008-04-01 11:30 . 2008-04-01 11:33 <DIR> d-------- C:\PROGRA~2\avg7
2008-04-01 11:30 . 2008-04-01 11:30 53,768 --a------ C:\Windows\System32\drivers\avgwfp.sys
2008-04-01 11:30 . 2008-04-01 11:30 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-01 10:49 . 2008-04-01 10:49 <DIR> d-------- C:\Program Files\VS Revo Group
2008-03-31 23:21 . 2008-03-31 23:21 0 --a------ C:\Windows\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 18:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 17:18 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-11 17:18 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-11 17:18 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-11 17:18 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-06 19:35 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-04 10:36 --------- d-----w C:\PROGRA~2\WildTangent
2008-04-01 11:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 10:29 --------- d-----w C:\PROGRA~2\Symantec
2008-03-30 22:39 --------- d-----w C:\PROGRA~2\Hewlett-Packard
2008-03-30 22:33 1,831 --sha-r C:\Windows\system32\drivers\103C_HP_CPC_KE545AA-ABU a6355.uk_YC_0Pavi_QCZH804_E81GBv3PrA4_49_INARRA3_SASUSTek Computer INC._V3.02_B5.05_T080104_WUH0_L409_M3070_J500_7AMD_8Phenom 9500 Quad-Core_92.2_#080330_N10DE03EF_Z_G10DE0421.MRK
2008-01-04 19:40 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-06 14:39 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:34 2159104 C:\Windows\System32\oobefldr.dll]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 03:02 1783136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-02 13:51 171448]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-04 20:17 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 16:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 17:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 12:59 118784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-08-27 19:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-08-27 19:59 8473120]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-08-27 19:59 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 14:52 4702208 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 11:56 54936]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 01:24 54840]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 11:58 579584]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-01 13:15 2957824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-01 11:30 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-01 11:30 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AC452B5A-0E30-4BAF-BBD8-DC23DCC970F3}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{FE586755-BA98-47C6-A1D3-9DDEC21D7C06}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{07E0AAF7-5BBD-4274-A749-53D402F47FD7}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{282BE039-F9D5-4E5D-940F-E2B9E3A4046A}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{997785A8-062D-430B-9E7D-E19FCE238E92}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{32E95D04-1E6D-4673-A318-8873BC986480}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Windows\system32\drivers\sp_rsdrv2.sys [2008-04-01 13:15]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-04-01 11:30]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-03-29 00:04]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 17:42:07 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-15 11:00:33 C:\Windows\Tasks\User_Feed_Synchronization-{100F61FD-9BE5-4D42-AC0B-E51A31386A94}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 12:12:52
Windows 6.0.6000 NTFS
scanning hidden processes ...
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-06 14:39 1232896] "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:34 2159104 C:\Windows\System32\oobefldr.dll] "HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 03:02 1783136] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-02 13:51 171448] "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-04 20:17 1006264] "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 16:01 65536] "KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 17:16 65536] "OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 12:59 118784] "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-08-27 19:59 86016] "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-08-27 19:59 8473120] "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-08-27 19:59 81920] "RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 14:52 4702208 C:\Windows\RtHDVCpl.exe] "SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 11:56 54936] "HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 01:24 54840] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 11:58 579584] "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-01 13:15 2957824] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-01 11:30 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf] avgwlntf.dll 2008-04-01 11:30 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{AC452B5A-0E30-4BAF-BBD8-DC23DCC970F3}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector "{FE586755-BA98-47C6-A1D3-9DDEC21D7C06}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone) "TCP Query User{07E0AAF7-5BBD-4274-A749-53D402F47FD7}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire "UDP Query User{282BE039-F9D5-4E5D-940F-E2B9E3A4046A}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire "{997785A8-062D-430B-9E7D-E19FCE238E92}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour "{32E95D04-1E6D-4673-A318-8873BC986480}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System] "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Windows\system32\drivers\sp_rsdrv2.sys [2008-04-01 13:15] R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43] R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-04-01 11:30] S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-03-29 00:04]
*Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-04-01 17:42:07 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-04-15 11:00:33 C:\Windows\Tasks\User_Feed_Synchronization-{100F61FD-9BE5-4D42-AC0B-E51A31386A94}.job" - C:\Windows\system32\msfeedssync.exe . **************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-15 12:12:52 Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
************************************************************************** . Completion time: 2008-04-15 12:13:35 ComboFix-quarantined-files.txt 2008-04-15 11:13:32
Pre-Run: 404,584,284,160 bytes free Post-Run: 404,779,753,472 bytes free . 2008-04-12 18:57:03 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:49:41, on 15/04/2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16643) Boot mode: Normal
Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\hp\support\hpsysdrv.exe C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe C:\Windows\System32\rundll32.exe C:\Windows\RtHDVCpl.exe C:\Windows\System32\rundll32.exe C:\Windows\system32\schtasks.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Grisoft\AVG7\avgcc.exe C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Windows\ehome\ehtray.exe C:\Windows\ehome\ehmsas.exe C:\Windows\System32\mobsync.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchFilterHost.exe C:\hp\kbd\kbd.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - 
C:\PROGRA~1\Crawler\Toolbar\ctbr.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 
'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Crawler Search - tbr:iemenu O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O13 - Gopher Prefix: O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
-- End of file - 8604 bytes
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28258
Loc: belfast
|
|
I don't see anything there at all.
Is it System32\KBDSF.DLL it is pointing to?
KBDSF.DLL is a legitimate file; it is associated with your KEYBOARD LAYOUT.
-------------------- MY HELP IS FREE, BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
A computer once beat me at chess, but it was no match for me at kick boxing.
|
notime2either
new user
Reg'd: Thu
Posts: 8
|
|
Thanks, yes, it's in system32/kbdsf.dll. So why does Spyware Terminator consider it a 3-star critical threat then?
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28258
Loc: belfast
|
|
It could be a false positive, we'll have to do a manual hunt for the files, if they are there.
hit CNTL + ALT + DEL to bring up TASKMANAGER.
Highlite wsg32.exe and click on END PROCESS if it is there.
click on START\RUN and type regsvr32 /u procshow.dll hit OK
do the same with regsvr32 /u procshow32.dll hit OK
follow the instructions HERE to show hidden files.
then boot up in SAFE MODE
Navigate to C:\WINDOWS\SYSTEM32
delete these files if they are there :- wsg32.exe procshow.dll procshow32.dll
then reboot normally.
Open up Control Panel, and type in "UAC" into the search box. You'll see a link for "Turn User Account Control (UAC) on or off":
On the next screen you should uncheck the box for "Use User Account Control (UAC)", and then click on the OK button.
You'll need to reboot your computer before the changes take effect
then :-
Open a blank notepad.
Copy the BOLD text below to the blank NOTEPAD.
call it FIX.REG --- (where it says FILE NAME)
save it to your desktop.----(at the top where it says SAVE IN, click the drop down menu and select DESKTOP)
save as "all files" ---- (where it says SAVE AS TYPE click the drop down menu and choose ALL FILES)
on your desktop double click on FIX.REG and allow it to merge with the registry when it asks.
REGEDIT4

; remove the keylogger's vendor key (backslashes restored; they were lost when the post was copied)
[-HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\GoldenKeylogger]

; remove only the wsg32 value from the Run key, not the Run key itself
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wsg32"=-

Reboot and run Spyware Terminator again to see if it still finds it. Let me know how you go.
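Added example, not code from the thread or from any of the tools it mentions: a read-only PowerShell check that performs the same hunt as the steps above, looking for the three files in System32 and the two registry locations named in FIX.REG, and judging the flagged KBDSF.DLL by its Authenticode signature rather than by a scanner's star rating. The key path KMiNT21\GoldenKeylogger is reconstructed from the FIX.REG text and is an assumption; the script reports and deletes nothing.

```powershell
# Read-only audit of the indicators bricat asked the user to hunt for by hand.
# Run from an elevated PowerShell prompt; nothing is modified or removed.
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Files the helper named (System32 only, as in the thread)
$suspectFiles = @('wsg32.exe', 'procshow.dll', 'procshow32.dll')
foreach ($name in $suspectFiles) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Output ("PRESENT  {0}  size={1}  modified={2}" -f $path, $item.Length, $item.LastWriteTime)
    } else {
        Write-Output ("absent   {0}" -f $path)
    }
}

# 2. The Run value FIX.REG removes: an autostart entry named wsg32
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'wsg32' -ErrorAction SilentlyContinue
if ($runValue) { Write-Output ("PRESENT  {0}\wsg32 = {1}" -f $runKey, $runValue.wsg32) }
else           { Write-Output ("absent   {0}\wsg32" -f $runKey) }

# 3. The vendor key FIX.REG removes (path split is an assumption, see lead-in)
$vendorKey = 'HKLM:\SOFTWARE\KMiNT21\GoldenKeylogger'
if (Test-Path -Path $vendorKey) { Write-Output ("PRESENT  {0}" -f $vendorKey) }
else                            { Write-Output ("absent   {0}" -f $vendorKey) }

# 4. The file the scanner flagged. A genuine keyboard-layout DLL in System32 is
#    Microsoft-signed. System DLLs are usually catalog-signed, and older PowerShell
#    reports those as NotSigned, so treat NotSigned as "check the catalog", not as
#    proof of tampering; a signature from an unexpected signer is the real warning.
$kbd = Join-Path $sys32 'KBDSF.DLL'
if (Test-Path -LiteralPath $kbd) {
    $sig = Get-AuthenticodeSignature -FilePath $kbd
    Write-Output ("{0}: status={1} signer={2}" -f $kbd, $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Output ("absent   {0}" -f $kbd)
}
```

If all three files and both registry entries report absent, the manual hunt has the same outcome the thread reached: the scanner's alert has nothing on disk behind it.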
notime2either
new user
Reg'd: Thu
Posts: 8
B**! hell bricat, you're asking a lot. But I intend to rise to the challenge, after I've carefully written the instructions down and recovered from my weekend away in Chester. PS, I don't have a PayPal account; any other way I can help?
notime2either
new user
Reg'd: Thu
Posts: 8
ONE HOUR LATER
Just tried to follow the instructions a little way, but problems, problems.
No wsg32.exe. -------------- regsvr32 /u procshow.dll failed to load, with the instruction: ------------------------ "Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependant .dll files"
"The specified module could not be found."
Think I may be getting in way over my head.
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28258
Loc: belfast
It's good that "regsvr32 /u procshow.dll failed to load", and there is no "wsg32.exe".
It means it isn't on your computer.
I'd say you are getting a false positive from Spyware Terminator.
You can either ignore the alert, try updating SWT, or get rid of Spyware Terminator and use another anti-spyware program.
P.S. You don't need to have a PayPal account to make a donation; you can use a credit card.
notime2either
new user
Reg'd: Thu
Posts: 8
YIPPEEEE, SUCCESS.
Did as you suggested, uninstalled and reinstalled Spyware Terminator.
First scan, just an affiliated cookie.
Second, full scan, NOTHING.
I'm a very happy boy; you were spot on, must've been a false positive. Then I noticed there's a button for reporting such things, but too late now, I don't have one anymore.
Have great respect for someone who understands the magical world of system configurations and the internal workings of this wonderful toy/tool called a computer. I'm much happier wielding a hammer 'n' chisel.
Keep up the good work and thanks for all your help and patience; hope I find you again, should I encounter any more problems that I can't find a solution to.
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28258
Loc: belfast
Glad you got it sorted.
And if you need me again, you know where I am.