[Fixed] Hijackthis! Logs - annoying virus prevent hijackthis? (PC Help Forum » Security & Safety)
#8, 04-06-2009 - faraz_k86 (Gold Member, Join Date: Jan 2006, Posts: 300, PC Experience: Experienced)
Re: annoying virus prevent hijackthis?

Thx for the help, chiaz.

Here are the required logs.

ComboFix:

ComboFix 09-04-04.01 - Faraz Ahmed 2009-04-06 19:49:33.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1668 [GMT 5:00]
Running from: c:\documents and settings\Faraz Ahmed\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\csrcs.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\x64

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-03 02:08 . 2009-04-03 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-04-03 02:01 . 2007-02-26 11:33 172,032 --a------ c:\windows\system32\igfxres.dll
2009-04-03 01:56 . 2004-08-04 03:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\WindowsShell.Manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-04-03 01:43 . 2004-08-04 04:57 1,086,058 -ra------ c:\windows\SET67.tmp
2009-04-03 01:43 . 2004-08-04 05:03 1,042,903 -ra------ c:\windows\SET64.tmp
2009-04-03 00:33 . 2009-04-03 00:33 <DIR> d-------- C:\dellme
2009-04-02 23:20 . 112,238 c:\windows\system32\drivers\673bbea7.sys
2009-04-02 23:20 . 2009-04-02 23:20 104,597 --a------ C:\cgngclad.exe
2009-04-02 23:20 . 2009-04-02 23:20 46,080 --a------ C:\patq.exe
2009-04-02 23:20 . 2009-04-02 23:20 29,696 --a------ C:\hfusxvb.exe
2009-04-02 23:20 . 2009-04-02 23:20 2 --a------ C:\1236637251
2009-04-02 23:19 . 2009-04-02 23:19 9,216 --a------ c:\windows\system32\ubb.exe
2009-04-02 22:46 . 2009-04-02 22:46 1,195 -rahs---- c:\windows\system32\autorun.i
2009-04-02 22:46 . 2009-04-02 22:46 1,033 -rahs---- c:\windows\system32\autorun.in
2009-04-02 22:46 . 2009-04-02 22:46 0 -rahs---- C:\kht
2009-04-02 22:38 . 2009-04-02 22:38 <DIR> d--hs---- c:\windows\ftpcache
2009-03-31 12:31 . 2009-03-31 12:31 <DIR> d-------- c:\program files\Opera
2009-03-31 12:26 . 2009-03-31 12:26 <DIR> d---s---- c:\documents and settings\Faraz Ahmed\UserData
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\TransRender
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Temporary
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Samsung
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\ConvertTemp
2009-03-30 15:35 . 2009-03-30 15:35 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-03-30 15:35 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-03-30 15:35 . 2006-07-24 16:05 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-03-30 15:35 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-03-30 15:34 . 2009-03-30 15:34 <DIR> d-------- c:\program files\Samsung
2009-03-30 15:33 . 2009-03-30 15:33 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-28 12:27 . 2009-03-28 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-03-28 12:26 . 2009-03-09 15:27 4,178,264 --a------ c:\windows\system32\D3DX9_41.dll
2009-03-28 12:26 . 2009-03-09 15:27 1,846,632 --a------ c:\windows\system32\D3DCompiler_41.dll
2009-03-28 12:26 . 2009-03-16 14:18 517,448 --a------ c:\windows\system32\XAudio2_4.dll
2009-03-28 12:26 . 2009-03-09 15:27 453,456 --a------ c:\windows\system32\d3dx10_41.dll
2009-03-28 12:26 . 2009-03-16 14:18 235,352 --a------ c:\windows\system32\xactengine3_4.dll
2009-03-28 12:26 . 2009-03-16 14:18 69,448 --a------ c:\windows\system32\XAPOFX1_3.dll
2009-03-28 12:26 . 2009-03-16 14:18 22,360 --a------ c:\windows\system32\X3DAudio1_6.dll
2009-03-27 12:13 . 2009-04-02 23:22 85,249 --a------ c:\windows\setupapi.old
2009-03-27 12:12 . 2009-03-10 02:39 2,793,784 --a------ c:\windows\system32\GameMon.des
2009-03-27 12:07 . 2003-07-21 08:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-03-27 12:07 . 2005-01-04 23:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-03-27 12:06 . 2009-03-27 12:06 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-03-26 01:25 . 2009-03-26 01:25 <DIR> d-------- C:\ISO Shrink
2009-03-26 00:57 . 2009-03-26 00:57 <DIR> d-------- c:\program files\danny_kay1710
2009-03-26 00:40 . 2009-03-26 00:40 <DIR> d-------- c:\program files\Winnydows
2009-03-25 22:12 . 2009-03-25 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy
2009-03-25 12:30 . 2009-03-25 12:30 <DIR> d-------- c:\program files\CCleaner
2009-03-25 12:28 . 2009-03-25 12:28 <DIR> d-------- c:\program files\PaRaMeter
2009-03-25 12:28 . 2009-03-25 12:28 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\PaRaMeter
2009-03-24 20:57 . 2009-03-24 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-03-24 20:55 . 2009-03-24 20:55 <DIR> d-------- c:\program files\Pando Networks
2009-03-22 16:14 . 2009-03-22 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-21 16:10 . 2009-03-21 16:10 <DIR> d--hs---- C:\FOUND.000
2009-03-21 15:31 . 2009-03-21 15:31 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Thunderbird
2009-03-19 23:16 . 2009-03-19 23:16 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Apple Computer
2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\program files\Bonjour
2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 23:14 . 2009-03-19 23:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-19 11:23 . 2009-03-19 11:23 <DIR> d-------- c:\program files\WordFlood 2.0
2009-03-16 18:03 . 2009-03-16 18:03 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\dvdcss
2009-03-15 23:33 . 2009-03-15 23:33 <DIR> d-------- c:\program files\AnswerAnalyst
2009-03-14 18:35 . 2009-03-14 18:35 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\ImgBurn
2009-03-14 03:41 . 2009-03-14 03:41 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Media Player Classic
2009-03-14 00:35 . 2009-03-14 00:35 <DIR> d-------- c:\program files\CSVed
2009-03-14 00:35 . 2009-03-14 00:35 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Sam Francke
2009-03-12 21:14 . 2009-03-12 21:14 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Red Alert 3
2009-03-12 17:49 . 2009-03-12 17:49 <DIR> d-------- c:\windows\Logs
2009-03-12 16:21 . 2009-03-12 16:21 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\FileZilla
2009-03-12 01:59 . 2009-03-12 01:59 <DIR> d-------- c:\program files\RMClock
2009-03-11 17:52 . 2007-02-24 14:42 39,936 --a------ c:\windows\system32\drivers\rimmptsk.sys
2009-03-11 16:42 . 2009-03-11 16:42 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\skypePM
2009-03-11 16:42 . 2009-03-11 16:42 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> dr------- c:\program files\Skype
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Skype
2009-03-11 11:17 . 2009-03-11 11:17 <DIR> d-------- c:\program files\CommentKahuna
2009-03-11 11:09 . 2009-03-11 11:09 58,368 --a------ C:\FreeBlogCommenter.exe
2009-03-10 16:40 . 2009-03-10 16:40 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\vlc
2009-03-10 16:13 . 2009-03-10 16:13 <DIR> d-------- c:\program files\Yahoo!
2009-03-10 16:13 . 2009-03-10 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-10 16:02 . 2009-03-10 16:02 <DIR> d-------- c:\program files\uTorrent
2009-03-10 16:02 . 2009-03-10 16:02 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\uTorrent
2009-03-10 15:17 . 2009-03-10 15:17 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Intel
2009-03-10 14:53 . 2009-03-10 14:53 <DIR> dr-h----- c:\documents and settings\Faraz Ahmed\Application Data\SecuROM
2009-03-10 14:53 . 2009-03-10 14:53 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Bioshock
2009-03-10 14:53 . 2009-03-10 14:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-10 14:47 . 2009-01-21 11:43 1,498,560 --a------ c:\windows\system32\igkrng400.bin
2009-03-10 14:47 . 2009-01-21 11:52 155,648 --a------ c:\windows\system32\igfxCoIn_v5029.dll
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\program files\Orbitdownloader
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Orbit
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\GrabPro
2009-03-10 12:29 . 2009-03-10 12:29 <DIR> d-------- c:\windows\Sun
2009-03-10 12:15 . 2009-03-10 12:15 <DIR> d-------- c:\program files\Java
2009-03-10 12:15 . 2009-03-10 12:15 410,976 --a------ c:\windows\system32\deploytk.dll
2009-03-10 12:15 . 2009-03-10 12:15 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 11:30 . 2009-03-10 11:30 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Command & Conquer 3 Kane's Wrath
2009-03-10 11:29 . 2007-10-12 15:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2009-03-10 11:29 . 2007-10-02 09:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2009-03-10 11:29 . 2007-10-22 03:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2009-03-10 11:29 . 2007-10-22 03:37 17,928 --a------ c:\windows\system32\X3DAudio1_2.dll
2009-03-10 11:28 . 2007-10-12 15:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2009-03-10 11:28 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-10 10:46 . 2009-03-10 10:47 0 --a------ c:\windows\nsreg.dat
2009-03-10 05:49 . 2009-03-10 05:49 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-03-10 05:49 . 2009-03-10 05:49 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2009-03-10 05:46 . 2004-08-03 23:07 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2009-03-10 05:46 . 2004-08-03 23:07 6,400 --a------ c:\windows\system32\drivers\splitter.sys
2009-03-10 05:46 . 2007-02-15 13:36 176 --a------ c:\windows\system32\drivers\RTHDAEQ0.dat
2009-03-10 05:45 . 2009-03-10 05:45 <DIR> d-------- c:\windows\system32\RTCOM
2009-03-10 05:45 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2009-03-10 05:45 . 2006-10-16 16:10 23,856 --a------ c:\windows\system32\spupdsvc.exe
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Synaptics
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Realtek
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-10 05:42 . 2009-03-10 05:42 <DIR> d-------- c:\windows\system32\Lang
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- c:\windows\system32\DRVSTORE
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- c:\program files\Intel
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- C:\Intel
2009-03-10 03:28 . 2009-03-10 03:28 <DIR> d-------- c:\program files\Lenovo Fingerprint Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 00:44 315,392 ----a-w c:\windows\HideWin.exe
2009-03-09 18:26 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-09 18:08 --------- d-----w c:\program files\microsoft frontpage
2009-02-12 03:27 993,816 ----a-w c:\windows\system32\igxpun.exe
.

------- Sigcheck -------

2004-08-03 22:56 1051136 bb45164e06588eaaa13d9ddffdf09e5b c:\windows\explorer.exe

2004-08-03 22:56 34304 a1075df3a55057de6c6f49186ee7c918 c:\windows\system32\ctfmon.exe

2004-08-03 22:56 76800 8a5f1e693df9c14085d2d92186aa6e1b c:\windows\system32\spoolsv.exe

2004-08-04 03:56 130048 eb43ed2c10cc29e53f951b0943bdd680 c:\windows\system32\wuauclt.exe

2004-08-03 22:56 43520 7494762415e0e91721b1a98c2f58c778 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [2008-02-29 80384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 794713]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 73728]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe" [2007-03-02 954368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 136600]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 52320]
"QuickTime Task"="c:\program files\QT Lite\QTTask.exe" [2009-01-05 434176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-23 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-23 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-23 138008]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\Faraz Ahmed\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 651264]
UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 200704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-03-10 1739976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-02-27 17:26 131072 c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 19:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56177:TCP"= 56177:TCP:Pando Media Booster
"56177:UDP"= 56177:UDP:Pando Media Booster

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-05-12 13480]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-01-19 81920]
R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [2008-03-14 54560]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53b8f62f-10bd-11de-ab9b-001dd9f920d1}]
\sheLL\AuTOplaY\cOmmANd - J:\xgat.pif
\sheLL\AutoRun\command - J:\xgat.pif
\sheLL\EXplOrE\CommaND - J:\xgat.pif
\sheLL\oPen\COmMAnD - J:\xgat.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa4677e-0d0b-11de-ab83-db9e9aceb849}]
\shell\autorun\command - G:\kobsgv.exe
\shell\explore\command - G:\kobsgv.exe
\shell\open\command - G:\kobsgv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8669b8c-16b7-11de-abab-001dd9f920d1}]
\shell\autorun\command - G:\wiqtdb.exe
\shell\explore\command - G:\wiqtdb.exe
\shell\open\command - G:\wiqtdb.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d726aa4e-19e7-11de-abb2-001dd9f920d1}]
\sheLL\AuTOplaY\cOmmANd - xgat.pif
\sheLL\AutoRun\command - xgat.pif
\sheLL\EXplOrE\CommaND - xgat.pif
\sheLL\oPen\COmMAnD - xgat.pif
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-csrcs - c:\windows\system32\csrcs.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {551BFCCC-FB16-4907-9B69-502355D36D6A} = 203.99.163.240,203.99.163.243
TCP: {E2F1BB3B-FEFA-484B-B7CB-59EE6202F1AF} = 203.99.163.240,203.99.163.243
FF - ProfilePath - c:\documents and settings\Faraz Ahmed\Application Data\Mozilla\Firefox\Profiles\h9yxczw6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 19:53:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\673bbea7]
"ImagePath"="\SystemRoot\System32\drivers\673bbea7.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-583907252-1897051121-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c3,da,5e,d4,f7,c7,3d,a9,a5,36,ed,12,76,61,c0,d6,19,d0,3e,39,d6,d8,4a,
95,30,89,e3,c6,93,24,74,47,36,43,2b,2c,e5,a1,8d,79,79,d9,91,61,f7,69,80,a4,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LENOVO\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\LENOVO\PM DRIVER\PMSVEH.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-06 19:54:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 14:54:36

Pre-Run: 365,297,664 bytes free
Post-Run: 423,723,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

309
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:56:25 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QT Lite\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{551BFCCC-FB16-4907-9B69-502355D36D6A}: NameServer = 203.99.163.240,203.99.163.243
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F1BB3B-FEFA-484B-B7CB-59EE6202F1AF}: NameServer = 203.99.163.240,203.99.163.243
O17 - HKLM\System\CS1\Services\Tcpip\..\{551BFCCC-FB16-4907-9B69-502355D36D6A}: NameServer = 203.99.163.240,203.99.163.243
O17 - HKLM\System\CS2\Services\Tcpip\..\{551BFCCC-FB16-4907-9B69-502355D36D6A}: NameServer = 203.99.163.240,203.99.163.243
O17 - HKLM\System\CS3\Services\Tcpip\..\{551BFCCC-FB16-4907-9B69-502355D36D6A}: NameServer = 203.99.163.240,203.99.163.243
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: tphotkey - C:\Program Files\Lenovo\HOTKEY\tphklock.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - %fystemroot%\system32\svchost.exe (file missing)
#9, 04-06-2009 - chiaz (Senior Security Analyst, Join Date: Jun 2006, Location: Singapore, Posts: 5,177, PC Experience: PC Guru)
Re: annoying virus prevent hijackthis?

Faraz, you have been infected by multiple flash drive infections. You may have to format some of your flash drives or else the infection will return when you plug them in.


Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the quotebox below into it:


Drivers::
673bbea7

Files::
c:\windows\system32\drivers\673bbea7.sys
C:\cgngclad.exe
C:\patq.exe
C:\hfusxvb.exe
c:\windows\system32\ubb.exe
c:\windows\system32\autorun.i
c:\windows\system32\autorun.in

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53b8f62f-10bd-11de-ab9b-001dd9f920d1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa4677e-0d0b-11de-ab83-db9e9aceb849}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8669b8c-16b7-11de-abab-001dd9f920d1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d726aa4e-19e7-11de-abb2-001dd9f920d1}]

Dirlook::
C:\dellme
C:\1236637251
C:\kht

Reboot::


(Note:
1) You should copy and paste all the way from File:: to Reboot::
2) There seems to be a formatting problem with the forum software, so please join up the "currentversion" word before saving the file and running it. Currently it is showing as "curre ntversion".)



Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your reply.

*Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Old 04-07-2009   #10
faraz_k86
Gold Member
Join Date: Jan 2006
Posts: 300
PC Experience: Experienced
Re: annoying virus prevent hijackthis?

Thx for the help chiaz. I had installed the NOD32 trial during this time and it was really giving problems with the process, but I finally figured out how to disable it. On every startup I get a barrage of messages that memory is infected, and wireless is infected, and then memory again... is this normal, or is NOD32 overrated?

ComboFix 09-04-04.01 - Faraz Ahmed 2009-04-07 6:28:34.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1613 [GMT 5:00]
Running from: c:\documents and settings\Faraz Ahmed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faraz Ahmed\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Faraz Ahmed\reader_s.exe
c:\windows\system32\8.tmp
c:\windows\system32\9.tmp
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\reader_s.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\w.exe

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_protect
-------\Service_protect
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 06:09 . 2009-04-06 21:01 36,864 --a------ c:\windows\system32\dpcxool64.sys
2009-04-07 00:32 . 2009-04-07 00:32 <DIR> d-------- c:\program files\ESET
2009-04-07 00:32 . 2009-04-07 00:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-04-07 00:22 . 2009-04-07 00:22 <DIR> d--hs---- C:\FOUND.002
2009-04-06 22:54 . 2009-04-06 22:54 <DIR> d--hs---- C:\FOUND.001
2009-04-06 22:38 . 2009-04-06 22:38 182,912 --a------ c:\windows\system32\dllcache\ndis.sys
2009-04-06 22:38 . 2009-04-06 22:39 64,512 --a------ c:\windows\system32\6.tmp
2009-04-06 22:38 . 2009-04-06 22:38 128 --a------ c:\windows\system32\4.tmp
2009-04-06 22:20 . 2009-04-06 22:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-03 02:08 . 2009-04-03 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-04-03 02:01 . 2007-02-26 11:33 172,032 --a------ c:\windows\system32\igfxres.dll
2009-04-03 01:56 . 2004-08-04 03:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\WindowsShell.Manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-04-03 01:55 . 2009-04-03 01:55 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-04-03 01:43 . 2004-08-04 04:57 1,086,058 -ra------ c:\windows\SET67.tmp
2009-04-03 01:43 . 2004-08-04 05:03 1,042,903 -ra------ c:\windows\SET64.tmp
2009-04-02 23:19 . 2009-04-02 23:19 9,216 --a------ c:\windows\system32\ubb.exe
2009-04-02 22:46 . 2009-04-02 22:46 1,195 -rahs---- c:\windows\system32\autorun.i
2009-04-02 22:46 . 2009-04-02 22:46 1,033 -rahs---- c:\windows\system32\autorun.in
2009-04-02 22:46 . 2009-04-02 22:46 0 -rahs---- C:\kht
2009-04-02 22:38 . 2009-04-02 22:38 <DIR> d--hs---- c:\windows\ftpcache
2009-03-31 12:31 . 2009-03-31 12:31 <DIR> d-------- c:\program files\Opera
2009-03-31 12:26 . 2009-03-31 12:26 <DIR> d---s---- c:\documents and settings\Faraz Ahmed\UserData
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\TransRender
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Temporary
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Samsung
2009-03-30 15:36 . 2009-03-30 15:37 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\ConvertTemp
2009-03-30 15:35 . 2009-03-30 15:35 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-03-30 15:35 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-03-30 15:35 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-03-30 15:34 . 2009-03-30 15:34 <DIR> d-------- c:\program files\Samsung
2009-03-30 15:33 . 2009-03-30 15:33 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-28 12:27 . 2009-03-28 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-03-28 12:26 . 2009-03-09 15:27 4,178,264 --a------ c:\windows\system32\D3DX9_41.dll
2009-03-28 12:26 . 2009-03-09 15:27 1,846,632 --a------ c:\windows\system32\D3DCompiler_41.dll
2009-03-28 12:26 . 2009-03-16 14:18 517,448 --a------ c:\windows\system32\XAudio2_4.dll
2009-03-28 12:26 . 2009-03-09 15:27 453,456 --a------ c:\windows\system32\d3dx10_41.dll
2009-03-28 12:26 . 2009-03-16 14:18 235,352 --a------ c:\windows\system32\xactengine3_4.dll
2009-03-28 12:26 . 2009-03-16 14:18 69,448 --a------ c:\windows\system32\XAPOFX1_3.dll
2009-03-28 12:26 . 2009-03-16 14:18 22,360 --a------ c:\windows\system32\X3DAudio1_6.dll
2009-03-27 12:13 . 2009-04-02 23:22 85,249 --a------ c:\windows\setupapi.old
2009-03-27 12:12 . 2009-03-10 02:39 2,793,784 --a------ c:\windows\system32\GameMon.des
2009-03-27 12:07 . 2003-07-21 08:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-03-27 12:07 . 2005-01-04 23:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-03-27 12:06 . 2009-03-27 12:06 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-03-26 01:25 . 2009-03-26 01:25 <DIR> d-------- C:\ISO Shrink
2009-03-26 00:57 . 2009-03-26 00:57 <DIR> d-------- c:\program files\danny_kay1710
2009-03-26 00:40 . 2009-03-26 00:40 <DIR> d-------- c:\program files\Winnydows
2009-03-25 22:12 . 2009-03-25 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy
2009-03-25 12:30 . 2009-03-25 12:30 <DIR> d-------- c:\program files\CCleaner
2009-03-25 12:28 . 2009-03-25 12:28 <DIR> d-------- c:\program files\PaRaMeter
2009-03-25 12:28 . 2009-03-25 12:28 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\PaRaMeter
2009-03-24 20:57 . 2009-03-24 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-03-24 20:55 . 2009-03-24 20:55 <DIR> d-------- c:\program files\Pando Networks
2009-03-22 16:14 . 2009-03-22 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-21 16:10 . 2009-03-21 16:10 <DIR> d--hs---- C:\FOUND.000
2009-03-21 15:31 . 2009-03-21 15:31 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Thunderbird
2009-03-19 23:16 . 2009-03-19 23:16 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Apple Computer
2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\program files\Bonjour
2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 23:14 . 2009-03-19 23:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-19 11:23 . 2009-03-19 11:23 <DIR> d-------- c:\program files\WordFlood 2.0
2009-03-16 18:03 . 2009-03-16 18:03 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\dvdcss
2009-03-15 23:33 . 2009-03-15 23:33 <DIR> d-------- c:\program files\AnswerAnalyst
2009-03-14 18:35 . 2009-03-14 18:35 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\ImgBurn
2009-03-14 03:41 . 2009-03-14 03:41 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Media Player Classic
2009-03-14 00:35 . 2009-03-14 00:35 <DIR> d-------- c:\program files\CSVed
2009-03-14 00:35 . 2009-03-14 00:35 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Sam Francke
2009-03-12 21:14 . 2009-03-12 21:14 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Red Alert 3
2009-03-12 17:49 . 2009-03-12 17:49 <DIR> d-------- c:\windows\Logs
2009-03-12 16:21 . 2009-03-12 16:21 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\FileZilla
2009-03-12 01:59 . 2009-03-12 01:59 <DIR> d-------- c:\program files\RMClock
2009-03-11 17:52 . 2007-02-24 14:42 39,936 --a------ c:\windows\system32\drivers\rimmptsk.sys
2009-03-11 16:42 . 2009-03-11 16:42 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\skypePM
2009-03-11 16:42 . 2009-03-11 16:42 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> dr------- c:\program files\Skype
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-11 16:40 . 2009-03-11 16:40 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Skype
2009-03-11 11:17 . 2009-03-11 11:17 <DIR> d-------- c:\program files\CommentKahuna
2009-03-10 16:40 . 2009-03-10 16:40 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\vlc
2009-03-10 16:13 . 2009-03-10 16:13 <DIR> d-------- c:\program files\Yahoo!
2009-03-10 16:13 . 2009-03-10 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-10 16:02 . 2009-03-10 16:02 <DIR> d-------- c:\program files\uTorrent
2009-03-10 16:02 . 2009-03-10 16:02 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\uTorrent
2009-03-10 15:17 . 2009-03-10 15:17 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Intel
2009-03-10 14:53 . 2009-03-10 14:53 <DIR> dr-h----- c:\documents and settings\Faraz Ahmed\Application Data\SecuROM
2009-03-10 14:53 . 2009-03-10 14:53 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Bioshock
2009-03-10 14:53 . 2009-03-10 14:53 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-10 14:47 . 2009-01-21 11:43 1,498,560 --a------ c:\windows\system32\igkrng400.bin
2009-03-10 14:47 . 2009-01-21 11:52 155,648 --a------ c:\windows\system32\igfxCoIn_v5029.dll
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\program files\Orbitdownloader
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Orbit
2009-03-10 14:44 . 2009-03-10 14:44 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\GrabPro
2009-03-10 12:29 . 2009-03-10 12:29 <DIR> d-------- c:\windows\Sun
2009-03-10 12:15 . 2009-03-10 12:15 <DIR> d-------- c:\program files\Java
2009-03-10 12:15 . 2009-03-10 12:15 410,976 --a------ c:\windows\system32\deploytk.dll
2009-03-10 12:15 . 2009-03-10 12:15 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 11:30 . 2009-03-10 11:30 <DIR> d-------- c:\documents and settings\Faraz Ahmed\Application Data\Command & Conquer 3 Kane's Wrath
2009-03-10 11:29 . 2007-10-12 15:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2009-03-10 11:29 . 2007-10-02 09:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2009-03-10 11:29 . 2007-10-22 03:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2009-03-10 11:29 . 2007-10-22 03:37 17,928 --a------ c:\windows\system32\X3DAudio1_2.dll
2009-03-10 11:28 . 2007-10-12 15:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2009-03-10 11:28 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-10 10:46 . 2009-03-10 10:47 0 --a------ c:\windows\nsreg.dat
2009-03-10 05:49 . 2009-03-10 05:49 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-03-10 05:49 . 2009-03-10 05:49 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2009-03-10 05:46 . 2004-08-03 23:07 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2009-03-10 05:46 . 2004-08-03 23:07 6,400 --a------ c:\windows\system32\drivers\splitter.sys
2009-03-10 05:46 . 2007-02-15 13:36 176 --a------ c:\windows\system32\drivers\RTHDAEQ0.dat
2009-03-10 05:45 . 2009-03-10 05:45 <DIR> d-------- c:\windows\system32\RTCOM
2009-03-10 05:45 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2009-03-10 05:45 . 2006-10-16 16:10 23,856 --a------ c:\windows\system32\spupdsvc.exe
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Synaptics
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Realtek
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-10 05:44 . 2009-03-10 05:44 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-10 05:42 . 2009-03-10 05:42 <DIR> d-------- c:\windows\system32\Lang
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- c:\windows\system32\DRVSTORE
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- c:\program files\Intel
2009-03-10 05:38 . 2009-03-10 05:38 <DIR> d-------- C:\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 17:38 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-10 00:44 315,392 ----a-w c:\windows\HideWin.exe
2009-03-09 18:26 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-09 18:08 --------- d-----w c:\program files\microsoft frontpage
2009-02-12 03:27 993,816 ----a-w c:\windows\system32\igxpun.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\1236637251 ----

c:\1236637251\

---- Directory of C:\dellme ----

c:\dellme\

---- Directory of C:\kht ----

c:\kht\


------- Sigcheck -------

2009-04-06 22:38 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2009-04-06 22:38 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys

2004-08-03 22:56 1032192 b1097c0e157502e58b2328f68f1c3c15 c:\windows\EXPLORER.EXE

2004-08-03 22:56 34304 a1075df3a55057de6c6f49186ee7c918 c:\windows\system32\ctfmon.exe

2004-08-03 22:56 76800 312d5d06594d8c7c92b4e6cfae747352 c:\windows\system32\spoolsv.exe

2004-08-04 03:56 130048 ca9ef237a32beb96b9227bc659e28690 c:\windows\system32\wuauclt.exe

2004-08-03 22:56 24576 332e0a31788ce01559b52da1e7a5ffac c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-06_19.53.50.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-03 17:56:50 1,032,192 ----a-w c:\windows\BricoPacks\SysFiles\14_explorer.exe
+ 2004-08-03 17:56:50 1,051,136 ----a-w c:\windows\BricoPacks\SysFiles\14_explorer.exe
- 2004-08-03 22:56:50 768,512 ----a-w c:\windows\BricoPacks\SysFiles\17_helpctr.exe
+ 2004-08-03 22:56:50 787,456 ----a-w c:\windows\BricoPacks\SysFiles\17_helpctr.exe
- 2004-08-03 17:56:48 98,304 ----a-w c:\windows\BricoPacks\SysFiles\2_ahui.exe
+ 2004-08-03 17:56:48 117,248 ----a-w c:\windows\BricoPacks\SysFiles\2_ahui.exe
- 2004-08-03 17:56:58 220,672 ----a-w c:\windows\BricoPacks\SysFiles\24_logon.scr
+ 2004-08-03 17:56:58 239,616 ----a-w c:\windows\BricoPacks\SysFiles\24_logon.scr
- 2004-08-03 17:56:52 240,128 ----a-w c:\windows\BricoPacks\SysFiles\26_migwiz.exe
+ 2004-08-03 17:56:52 259,072 ----a-w c:\windows\BricoPacks\SysFiles\26_migwiz.exe
- 2004-08-03 22:56:54 343,040 ----a-w c:\windows\BricoPacks\SysFiles\31_mspaint.exe
+ 2004-08-03 22:56:54 361,984 ----a-w c:\windows\BricoPacks\SysFiles\31_mspaint.exe
- 2004-08-03 17:56:56 53,760 ----a-w c:\windows\BricoPacks\SysFiles\35_narrator.exe
+ 2004-08-03 17:56:56 72,704 ----a-w c:\windows\BricoPacks\SysFiles\35_narrator.exe
- 2004-08-03 17:56:56 69,120 ----a-w c:\windows\BricoPacks\SysFiles\40_notepad.exe
+ 2004-08-03 17:56:56 88,064 ----a-w c:\windows\BricoPacks\SysFiles\40_notepad.exe
- 2004-08-03 17:56:56 69,120 ----a-w c:\windows\BricoPacks\SysFiles\41_notepad.exe
+ 2004-08-03 17:56:56 88,064 ----a-w c:\windows\BricoPacks\SysFiles\41_notepad.exe
- 2004-08-03 17:56:56 146,432 ----a-w c:\windows\BricoPacks\SysFiles\48_regedit.exe
+ 2004-08-03 17:56:56 165,376 ----a-w c:\windows\BricoPacks\SysFiles\48_regedit.exe
- 2004-08-03 22:56:58 131,584 ----a-w c:\windows\BricoPacks\SysFiles\54_sndrec32.exe
+ 2004-08-03 22:56:58 150,528 ----a-w c:\windows\BricoPacks\SysFiles\54_sndrec32.exe
- 2001-08-23 12:00:00 138,752 ----a-w c:\windows\BricoPacks\SysFiles\55_sndvol32.exe
+ 2001-08-23 12:00:00 157,696 ----a-w c:\windows\BricoPacks\SysFiles\55_sndvol32.exe
- 2004-08-03 17:56:58 105,984 ----a-w c:\windows\BricoPacks\SysFiles\58_sysocmgr.exe
+ 2004-08-03 17:56:58 124,928 ----a-w c:\windows\BricoPacks\SysFiles\58_sysocmgr.exe
- 2004-08-03 17:56:58 135,680 ----a-w c:\windows\BricoPacks\SysFiles\60_taskmgr.exe
+ 2004-08-03 17:56:58 154,624 ----a-w c:\windows\BricoPacks\SysFiles\60_taskmgr.exe
- 2004-08-03 17:56:58 433,664 ----a-w c:\windows\BricoPacks\SysFiles\67_wiaacmgr.exe
+ 2004-08-03 17:56:58 452,608 ----a-w c:\windows\BricoPacks\SysFiles\67_wiaacmgr.exe
- 2001-08-23 12:00:00 114,688 ----a-w c:\windows\BricoPacks\SysFiles\7_calc.exe
+ 2001-08-23 12:00:00 133,632 ----a-w c:\windows\BricoPacks\SysFiles\7_calc.exe
- 2004-08-03 22:56:58 111,104 ----a-w c:\windows\BricoPacks\SysFiles\73_wuauclt.exe
+ 2004-08-03 22:56:58 130,048 ----a-w c:\windows\BricoPacks\SysFiles\73_wuauclt.exe
- 2004-08-03 22:56:58 165,888 ----a-w c:\windows\BricoPacks\SysFiles\74_wuauclt1.exe
+ 2004-08-03 22:56:58 184,832 ----a-w c:\windows\BricoPacks\SysFiles\74_wuauclt1.exe
- 2004-08-03 17:56:52 514,560 ----a-w c:\windows\BricoPacks\SysFiles\78_logonui.exe
+ 2004-08-03 17:56:52 533,504 ----a-w c:\windows\BricoPacks\SysFiles\78_logonui.exe
- 2004-08-03 22:56:52 93,184 ----a-w c:\windows\BricoPacks\SysFiles\79_iexplore.exe
+ 2004-08-03 22:56:52 112,128 ----a-w c:\windows\BricoPacks\SysFiles\79_iexplore.exe
- 2004-08-03 17:56:48 64,000 ----a-w c:\windows\BricoPacks\SysFiles\8_cleanmgr.exe
+ 2004-08-03 17:56:48 82,944 ----a-w c:\windows\BricoPacks\SysFiles\8_cleanmgr.exe
- 2004-08-03 22:56:54 60,416 ----a-w c:\windows\BricoPacks\SysFiles\80_msimn.exe
+ 2004-08-03 22:56:54 79,360 ----a-w c:\windows\BricoPacks\SysFiles\80_msimn.exe
- 2004-08-03 22:56:54 3,555,328 ----a-w c:\windows\BricoPacks\SysFiles\82_moviemk.exe
+ 2004-08-03 22:56:54 3,574,272 ----a-w c:\windows\BricoPacks\SysFiles\82_moviemk.exe
- 2004-08-03 17:56:50 388,608 ----a-w c:\windows\BricoPacks\SysFiles\9_cmd.exe
+ 2004-08-03 17:56:50 407,552 ----a-w c:\windows\BricoPacks\SysFiles\9_cmd.exe
+ 2005-10-20 15:02:28 185,856 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2004-08-03 17:56:58 208,896 ----a-w c:\windows\inf\unregmp2.exe
+ 2004-08-03 17:56:58 229,376 ----a-w c:\windows\inf\UNREGMP2.EXE
- 2009-03-09 18:27:20 65,536 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-03-09 18:27:20 49,152 ----a-r c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-04-06 19:32:52 10,134 ----a-r c:\windows\Installer\{CDF97135-7FD2-4289-96B8-DD4505267ACD}\callmsi.exe
+ 2009-04-06 19:32:52 101,480 ----a-r c:\windows\Installer\{CDF97135-7FD2-4289-96B8-DD4505267ACD}\egui.exe
- 2006-10-29 22:33:58 761,856 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
+ 2006-10-29 22:33:58 741,376 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
- 2004-08-03 17:56:56 69,120 ----a-w c:\windows\notepad.exe
+ 2004-08-03 17:56:56 88,064 ----a-w c:\windows\notepad.exe
- 2004-08-03 22:56:50 768,512 ----a-w c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
+ 2004-08-03 22:56:50 787,456 ----a-w c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
- 2004-08-03 22:56:48 202,752 ----a-w c:\windows\system32\accwiz.exe
+ 2004-08-03 22:56:48 184,320 ----a-w c:\windows\system32\ACCWIZ.EXE
- 2004-08-03 17:56:48 98,304 ----a-w c:\windows\system32\ahui.exe
+ 2004-08-03 17:56:48 117,248 ----a-w c:\windows\system32\ahui.exe
- 2004-08-03 17:56:48 63,488 ----a-w c:\windows\system32\alg.exe
+ 2004-08-03 17:56:48 44,544 ----a-w c:\windows\system32\ALG.EXE
- 2004-08-03 17:56:48 5,632 ----a-w c:\windows\system32\cisvc.exe
+ 2004-08-03 17:56:48 23,552 ----a-w c:\windows\system32\cisvc.exe
- 2004-08-03 17:56:50 407,552 ----a-w c:\windows\system32\cmd.exe
+ 2004-08-03 17:56:50 388,608 ----a-w c:\windows\system32\CMD.EXE
- 2009-04-06 14:52:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-07 01:35:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-06 14:52:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-07 01:35:40 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-06 17:39:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009033020090406\index.dat
+ 2009-04-06 17:47:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040620090407\index.dat
- 2009-04-06 14:52:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-07 01:35:40 114,688 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2001-08-23 07:00:00 8,192 ----a-w c:\windows\system32\control.exe
+ 2001-08-23 07:00:00 27,136 ----a-w c:\windows\system32\control.exe
- 2004-08-03 17:56:50 118,784 ----a-w c:\windows\system32\cscript.exe
+ 2004-08-03 17:56:50 98,304 ----a-w c:\windows\system32\CSCRIPT.EXE
- 2004-08-03 17:56:48 98,304 ----a-w c:\windows\system32\dllcache\ahui.exe
+ 2004-08-03 17:56:48 119,808 ----a-w c:\windows\system32\dllcache\ahui.exe
- 2004-08-03 17:56:58 105,984 ----a-w c:\windows\system32\dllcache\sysocmgr.exe
+ 2004-08-03 17:56:58 201,216 ----a-w c:\windows\system32\dllcache\sysocmgr.exe
- 2004-08-03 17:56:48 37,888 ----a-w c:\windows\system32\dllcache\url.dll
+ 2004-08-03 17:56:48 59,392 ----a-w c:\windows\system32\dllcache\url.dll
- 2004-08-03 17:56:48 601,088 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 17:56:48 674,816 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2004-08-03 17:56:48 656,384 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2004-08-03 17:56:48 690,176 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-30 05:51:30 149,123 ----a-w c:\windows\system32\drivers\btwdndis.sys
+ 2006-10-30 05:51:30 182,912 ----a-w c:\windows\system32\drivers\btwdndis.sys
+ 2009-02-06 09:19:52 113,448 ----a-w c:\windows\system32\drivers\eamon.sys
+ 2009-02-06 09:23:18 106,208 ----a-w c:\windows\system32\drivers\ehdrv.sys
+ 2009-02-06 09:24:24 93,336 ----a-w c:\windows\system32\drivers\epfwtdir.sys
- 2001-08-23 07:00:00 45,568 ----a-w c:\windows\system32\drwtsn32.exe
+ 2001-08-23 07:00:00 64,512 ----a-w c:\windows\system32\drwtsn32.exe
- 2004-08-03 17:56:50 180,224 ----a-w c:\windows\system32\dwwin.exe
+ 2004-08-03 17:56:50 200,704 ----a-w c:\windows\system32\dwwin.exe
- 2004-08-03 17:56:50 50,176 ----a-w c:\windows\system32\eventcreate.exe
+ 2004-08-03 17:56:50 69,120 ----a-w c:\windows\system32\eventcreate.exe
- 2004-08-03 17:56:52 168,960 ----a-w c:\windows\system32\imapi.exe
+ 2004-08-03 17:56:52 150,016 ----a-w c:\windows\system32\imapi.exe
- 2004-08-03 17:56:52 75,264 ----a-w c:\windows\system32\locator.exe
+ 2004-08-03 17:56:52 75,776 ----a-w c:\windows\system32\locator.exe
- 2004-08-03 17:56:58 239,616 ----a-w c:\windows\system32\logon.scr
+ 2004-08-03 17:56:58 220,672 ----a-w c:\windows\system32\logon.scr
- 2004-08-03 17:56:52 533,504 ----a-w c:\windows\system32\logonui.exe
+ 2004-08-03 17:56:52 514,560 ----a-w c:\windows\system32\logonui.exe
- 2004-08-03 17:56:52 834,048 ----a-w c:\windows\system32\mmc.exe
+ 2004-08-03 17:56:52 815,616 ----a-w c:\windows\system32\mmc.exe
- 2004-08-03 22:56:52 32,768 ----a-w c:\windows\system32\mnmsrvc.exe
+ 2004-08-03 22:56:52 53,248 ----a-w c:\windows\system32\mnmsrvc.exe
- 2004-08-03 17:56:54 96,256 ----a-w c:\windows\system32\msiexec.exe
+ 2004-08-03 17:56:54 77,312 ----a-w c:\windows\system32\msiexec.exe
- 2004-08-03 17:56:56 88,064 ----a-w c:\windows\system32\notepad.exe
+ 2004-08-03 17:56:56 69,120 ----a-w c:\windows\system32\NOTEPAD.EXE
- 2004-08-03 17:56:56 1,219,072 ----a-w c:\windows\system32\ntbackup.exe
+ 2004-08-03 17:56:56 1,217,536 ----a-w c:\windows\system32\NTBACKUP.EXE
- 2004-08-03 17:56:56 419,840 ----a-w c:\windows\system32\ntvdm.exe
+ 2004-08-03 17:56:56 438,784 ----a-w c:\windows\system32\ntvdm.exe
- 2004-08-03 17:56:56 67,584 ----a-w c:\windows\system32\openfiles.exe
+ 2004-08-03 17:56:56 86,528 ----a-w c:\windows\system32\openfiles.exe
- 2009-04-06 14:49:38 66,778 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-07 01:29:14 66,778 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-06 14:49:38 428,160 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-07 01:29:14 428,160 ----a-w c:\windows\system32\perfh009.dat
- 2004-08-03 17:56:56 30,720 ----a-w c:\windows\system32\regsvr32.exe
+ 2004-08-03 17:56:56 12,288 ----a-w c:\windows\system32\regsvr32.exe
- 2001-08-23 07:00:00 132,608 ----a-w c:\windows\system32\rsvp.exe
+ 2001-08-23 07:00:00 150,016 ----a-w c:\windows\system32\rsvp.exe
- 2004-08-03 17:56:56 52,224 ----a-w c:\windows\system32\rundll32.exe
+ 2004-08-03 17:56:56 51,200 ----a-w c:\windows\system32\rundll32.exe
- 2004-08-03 17:56:56 33,280 ----a-w c:\windows\system32\runonce.exe
+ 2004-08-03 17:56:56 14,336 ----a-w c:\windows\system32\RUNONCE.EXE
- 2004-08-03 17:56:56 95,744 ----a-w c:\windows\system32\scardsvr.exe
+ 2004-08-03 17:56:56 113,152 ----a-w c:\windows\system32\SCardSvr.exe
- 2004-08-03 22:56:58 140,800 ----a-w c:\windows\system32\sessmgr.exe
+ 2004-08-03 22:56:58 158,208 ----a-w c:\windows\system32\sessmgr.exe
- 2001-08-23 07:00:00 9,728 ----a-w c:\windows\system32\sfc.exe
+ 2001-08-23 07:00:00 28,672 ----a-w c:\windows\system32\sfc.exe
- 2004-08-03 17:56:58 105,984 ----a-w c:\windows\system32\sysocmgr.exe
+ 2004-08-03 17:56:58 124,928 ----a-w c:\windows\system32\sysocmgr.exe
- 2004-08-03 17:56:58 154,624 ----a-w c:\windows\system32\taskmgr.exe
+ 2004-08-03 17:56:58 135,680 ----a-w c:\windows\system32\TASKMGR.EXE
- 2001-08-23 12:00:00 16,384 ----a-w c:\windows\system32\tskill.exe
+ 2001-08-23 12:00:00 35,328 ----a-w c:\windows\system32\tskill.exe
- 2004-08-03 22:56:58 215,552 ----a-w c:\windows\system32\wbem\wmiadap.exe
+ 2004-08-03 22:56:58 196,608 ----a-w c:\windows\system32\wbem\WMIADAP.EXE
- 2004-08-03 22:56:58 126,464 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
+ 2004-08-03 22:56:58 143,872 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
- 2004-08-03 22:56:58 237,056 ----a-w c:\windows\system32\wbem\wmiprvse.exe
+ 2004-08-03 22:56:58 218,112 ----a-w c:\windows\system32\wbem\wmiprvse.exe
- 2004-08-03 17:56:58 13,824 ----a-w c:\windows\system32\wscntfy.exe
+ 2004-08-03 17:56:58 14,336 ----a-w c:\windows\system32\WSCNTFY.EXE
- 2004-08-03 22:56:58 165,888 ----a-w c:\windows\system32\wuauclt1.exe
+ 2004-08-03 22:56:58 184,832 ----a-w c:\windows\system32\wuauclt1.exe
+ 2009-04-07 01:35:42 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2009-04-07 01:36:10 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_7d4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [2008-02-29 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\ORBITDM.EXE [2009-03-10 1736704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-02-27 17:26 131072 c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 19:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56177:TCP"= 56177:TCP:Pando Media Booster
"56177:UDP"= 56177:UDP:Pando Media Booster
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-15364 - c:\windows\system32\8.tmp.exe
HKU-Default-Run-reader_s - c:\documents and settings\Faraz Ahmed\reader_s.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {551BFCCC-FB16-4907-9B69-502355D36D6A} = 203.99.163.240,203.99.163.243
TCP: {E2F1BB3B-FEFA-484B-B7CB-59EE6202F1AF} = 203.99.163.240,203.99.163.243
FF - ProfilePath - c:\documents and settings\Faraz Ahmed\Application Data\Mozilla\Firefox\Profiles\h9yxczw6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LENOVO\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\ESET\ESET NOD32 ANTIVIRUS\EKRN.EXE
c:\windows\SYSTEM32\FPLOGONSERV.EXE
c:\program files\LENOVO\HOTKEY\FNF5SVC.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\LENOVO\PM DRIVER\PMSVEH.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\ORBITDOWNLOADER\ORBITNET.EXE
c:\windows\system32\wscntfy.exe
.
****************************************************************************
.
Completion time: 2009-04-07 6:37:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 01:37:26
ComboFix2.txt 2009-04-06 14:54:42

Pre-Run: 1,230,536,704 bytes free
Post-Run: 1,167,376,384 bytes free

04-07-2009 #11
faraz_k86 (Gold Member)
Join Date: Jan 2006
Posts: 300
PC Experience: Experienced
Re: annoying virus prevent hijackthis?

I'm also heavily infected by virut.nbm.

After a little googling I find that virut.nbm is a real pain to clean. Can ComboFix clean this, because NOD32 sure can't? The virus just keeps coming back.
04-07-2009 #12
chiaz (Senior Security Analyst)
Join Date: Jun 2006
Location: Singapore
Posts: 5,177
PC Experience: PC Guru
Re: annoying virus prevent hijackthis?

Yes, I'm afraid from your last ComboFix log I see signs of the Virut infection, which is not good news at all.

Virut is capable of infecting all the computer's (.exe) and (.scr) files. The main problem is that the virus has been badly coded, and as a result it leaves many of the files corrupted beyond repair.

Security experts suggest that a clean reformat is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software, .exe files) or screensavers (.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.
Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Let me know if you have questions or problems regarding this.
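As an added example (not from the thread or any of its posters), a Python script that applies the backup rule chiaz gives above: it walks a folder, sets aside .exe and .scr files, and refuses zip archives whose members include such files. Only .zip is inspected because the standard library cannot open .cab or .rar, so those are left behind as well; the sample files the demo creates are constructed.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# File types Virut appends itself to, per the thread: never copy these into a backup.
INFECTABLE_EXTS = {".exe", ".scr"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}  # only .zip can be inspected with the stdlib


def zip_has_infectable(path):
    """True if any zip member has an .exe/.scr name, or the zip cannot be read."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).suffix.lower() in INFECTABLE_EXTS for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than copy it blindly


def classify(path):
    """Return 'copy', 'skip-executable' or 'skip-archive' for one file."""
    ext = Path(path).suffix.lower()
    if ext in INFECTABLE_EXTS:
        return "skip-executable"
    if ext in ARCHIVE_EXTS:
        if ext == ".zip" and not zip_has_infectable(path):
            return "copy"
        return "skip-archive"  # .cab/.rar cannot be inspected here, so they stay behind
    return "copy"


def plan_backup(root):
    """Walk root and sort every file (as a relative path) into the three buckets."""
    root = Path(root)
    plan = {"copy": [], "skip-executable": [], "skip-archive": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            plan[classify(p)].append(str(p.relative_to(root)))
    return plan


def demo():
    """Build a constructed sample documents tree in a temp dir and plan its backup."""
    d = Path(tempfile.mkdtemp())
    (d / "thesis.doc").write_bytes(b"constructed document")
    (d / "setup.exe").write_bytes(b"MZ constructed")
    (d / "aquarium.scr").write_bytes(b"MZ constructed")
    with zipfile.ZipFile(d / "photos.zip", "w") as zf:
        zf.writestr("holiday.jpg", b"constructed")
    with zipfile.ZipFile(d / "tools.zip", "w") as zf:
        zf.writestr("bin/installer.exe", b"MZ constructed")
    return plan_backup(d)
```

Running `demo()` copies only `thesis.doc` and `photos.zip`; the two executables and the zip carrying an .exe are reported for manual review instead of being written to the backup.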
04-07-2009 #13
faraz_k86 (Gold Member)
Join Date: Jan 2006
Posts: 300
PC Experience: Experienced
Re: annoying virus prevent hijackthis?

So I guess the only way left is a format, something I seriously wanted to avoid.

Thx for your help, chiaz. But where did this Virut come from? Does it usually come from USBs or infected sites?

I had Avast Home installed. It should have picked it up. I guess the free version does lack in some areas.
04-07-2009 #14
chiaz (Senior Security Analyst)
Join Date: Jun 2006
Location: Singapore
Posts: 5,177
PC Experience: PC Guru
Re: annoying virus prevent hijackthis?

The Virut infection is being passed around rapidly now through many of the usual malware download methods, of which torrent downloading and the usage of cracks hold the dubious top position.

Personally I believe safe Internet habits are far more effective in preventing malware entry to a PC than any form of security software, be it anti-virus, anti-spyware, firewalls or other intrusion-prevention applications. I use Avast as well, by the way.

I'm not saying you torrent files/use cracks, but it has been observed that Virut is mainly spread by that.