vjmure
Members, 19 posts

Everything posted by vjmure

  1. Final question: the Defogger did not ask me to reboot (it didn't when I disabled it either). Should I reboot? Any concerns there?
  2. Thank you very much! A couple of questions: did I have a TDL3 rootkit? My understanding is it usually attaches to atapi.sys or print spool; I don't recall touching those (or did ComboFix go after that?). Also, one of the ComboFix script commands had what looked like files related to CA Antivirus; should I be concerned there? Again, thanks a ton. I'd like to make a donation, but I don't have PayPal; any other methods? Thanks, V
  3. ESET log....
     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # IEXPLORE.EXE=7.00.6000.17023 (vista_gdr.100222-0012)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=9ca1ae75e3c8bd47b978bc711879a4f6
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-05-15 04:33:32
     # local_time=2010-05-15 12:33:32 (-0500, Eastern Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=512 16777215 100 0 0 0 0 0
     # compatibility_mode=4866 16775141 100 100 0 76229105 0 0
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=135028
     # found=0
     # cleaned=0
     # scan_time=10853
  4. Other than the IP thing, they seem OK..... But I'm not doing much. Should I try other things? Does it look clean? Are we actually good?
  5. Something odd that I noticed; maybe nothing..... I launched IE; my home page is now "bing" (instead of Google). IE hung a moment and I saw at the bottom: waiting for connection 96.6.44.50. Did a search for that IP address and found nothing. Did a tracert from CMD; after a few bounces it landed on akamaitechnologies.com..... Not sure why IE would try to connect to it; seems like a legit company. Maybe there is some sort of subdomain of the bing.com page... Not sure; just figured I'd point that out.
  6. Thanks again. I ran ComboFix. I did disable Spyware Doctor for 30 min, but it wasn't enough time (my bad). It came up during the ComboFix run. There were a couple of popup errors, but it seemed to continue and run its course. Hopefully not a problem (?). Errors were:
     - Pev.exe application error: Instruction at "0x0050005c" referenced memory at "0x0050005c" which could not be read.
     - C:\Combo-fix\catchme.cfxxe is not a valid Win32 application
     - After reboot, ATTRIB {something}; this one went away while I was trying to write it down.
     But it did finish.....

     ComboFix 10-05-14.06 - vjmure 05/15/2010 6:44.5.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.441 [GMT -4:00]
     Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt
     AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
     .
     2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
     2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
     2010-05-09 02:17 . 2010-05-14 21:40 -------- d-----w- C:\RotInHell
     2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
     2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
     2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
     2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
     2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
     2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
     2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
     2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
     2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
     2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
     2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
     2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
     2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
     2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
     2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
     2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
     2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
     2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
     2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
     2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
     2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
     2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
     2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
     2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
     2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
     2010-04-29 00:42 . 2010-05-15 11:02 -------- d-----w- c:\program files\Spyware Doctor
     2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
     2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
     2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
     2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
     2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
     2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
     2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
     2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
     2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
     2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
     2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
     2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-15 11:04 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-15 10:44 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
     2010-05-15 10:44 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
     2010-05-15 10:44 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
     2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
     2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
     2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
     2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
     2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
     2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
     2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
     2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
     2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
     2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
     2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
     2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2009-11-28 271600]
     "cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-11 374000]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
     2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
     "c:\\WINDOWS\\system32\\dpnsvr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
     "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iWin Games\\iWinGames.exe"=
     "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
     R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
     R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
     R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
     R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
     R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
     R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
     R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
     S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
     S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
     S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
     S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
     S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - PCTSDInjDriver32

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-15 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.bing.com/
     mStart Page = hxxp://www.google.com
     uInternet Connection Wizard,ShellNext = iexplore
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
     LSP: c:\windows\system32\VetRedir.dll
     Trusted Zone: aetna.com\xtranet
     Trusted Zone: aetna.com\xtranet6
     Trusted Zone: aetna.com\xtranetx
     Trusted Zone: ameritrade.com\research
     Trusted Zone: ameritrade.com\wwws
     Trusted Zone: cnn.com\politicalticker.blogs
     Trusted Zone: cnn.com\sportsillustrated
     Trusted Zone: cnn.com\www
     Trusted Zone: equifax.com\www.econsumer
     Trusted Zone: facebook.com\apps
     Trusted Zone: facebook.com\www
     Trusted Zone: fannation.com\www
     Trusted Zone: garmin.com\www8
     Trusted Zone: nawsrc.org\www
     Trusted Zone: tdameritrade.com\www
     Trusted Zone: toysrus.com\www
     Trusted Zone: usana.com\www
     Trusted Zone: weather.com\www
     Trusted Zone: youtube.com\www
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-15 07:03
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

     [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
     "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1628)
     c:\windows\system32\UmxWnp.Dll

     - - - - - - - > 'lsass.exe'(1832)
     c:\windows\system32\VetRedir.dll
     c:\windows\system32\ISafeIf.dll

     - - - - - - - > 'explorer.exe'(3948)
     c:\windows\system32\WININET.dll
     c:\program files\Spyware Doctor\pctgmhk.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\program files\Microsoft LifeCam\MSCamS32.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Analog Devices\SoundMAX\SMAgent.exe
     c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
     c:\windows\system32\RUNDLL32.EXE
     c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
     .
     **************************************************************************
     .
     Completion time: 2010-05-15 07:10:30 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-05-15 11:10
     ComboFix2.txt 2010-05-14 21:35
     ComboFix3.txt 2010-05-13 10:25
     ComboFix4.txt 2010-05-08 13:39

     Pre-Run: 44,429,148,160 bytes free
     Post-Run: 44,577,538,048 bytes free

     - - End Of File - - 694E78CE25B4148CE8DFC3A9A17571A2
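A ComboFix log like the one in the post above is triaged by reading its file and service entries for a handful of tells. The script below is an added example (not part of the original post, and not ComboFix's own code) that parses those two entry layouts and applies three such checks to lines copied from the log: a file carrying the system+hidden attribute set inside system32 (oledlga.dll, attributes --sha-r-), a driver service whose image loads from a Temp directory or is no longer on disk (KillTheHooker, the TizerBruteForceEx.sys left behind by the TDL3 Razor tool the user ran from a Temp folder, and memchek), and a driver under system32\drivers whose creation time is far newer than its modification time (atapi.sys: created 2010-05-08 12:16, last modified 2004-10-06). That last pattern only says the file was copied into place recently; it is what a clean copy restored during cleanup looks like and also what a swapped-in copy looks like, so the check asks for a hash comparison rather than calling the file infected. The 30-day threshold and the check names are assumptions of this example.

```python
"""Triage checks over ComboFix-style log lines (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Union

# Sample input: lines copied from the ComboFix log above (file entries and service entries).
SAMPLE_LOG = r"""
2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-09 02:17 . 2010-05-14 21:40 -------- d-----w- C:\RotInHell
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
"""

# File entry layout: "<created> . <modified> <size or --------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Service entry layout: "<start type> <name>;<display name>;<image> [<date> <size>]",
# or "... --> <resolved image> [?]" when ComboFix could not find the image on disk.
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

REPLACED_AFTER_DAYS = 30  # assumption: created this long after its mtime means "copied in"


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]
    attrs: str   # 8 flags: d c s h a - w/r -  (dir, compressed, system, hidden, archive, read-only)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system_hidden(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


@dataclass
class ServiceEntry:
    start: str
    name: str
    image: str
    missing: bool  # True when the line ends in "[?]" (image file not on disk)


def parse_line(line: str) -> Union[FileEntry, ServiceEntry, None]:
    """Parse one log line into a FileEntry or ServiceEntry; None for any other line."""
    m = FILE_RE.match(line)
    if m:
        fmt = "%Y-%m-%d %H:%M"
        size = int(m["size"]) if m["size"].isdigit() else None
        return FileEntry(datetime.strptime(m["created"], fmt),
                         datetime.strptime(m["modified"], fmt),
                         size, m["attrs"], m["path"])
    m = SVC_RE.match(line)
    if m:
        rest = m["rest"].strip()
        missing = rest.endswith("[?]")
        image = rest.rsplit(" [", 1)[0]          # drop the trailing "[date size]" or "[?]"
        if " --> " in image:
            image = image.split(" --> ", 1)[1]   # keep the resolved path after the arrow
        return ServiceEntry(m["start"], m["name"], image, missing)
    return None


def triage(entry: Union[FileEntry, ServiceEntry]) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    if isinstance(entry, FileEntry):
        p = entry.path.lower()
        if not entry.is_dir and entry.system_hidden and "\\system32\\" in p:
            reasons.append("system+hidden file in system32")
        if (p.endswith(".sys") and "\\drivers\\" in p
                and (entry.created - entry.modified).days > REPLACED_AFTER_DAYS):
            reasons.append("driver copied into place long after its build date; verify its hash")
    else:
        if "\\temp\\" in entry.image.lower():
            reasons.append("service image loads from a Temp directory")
        if entry.missing:
            reasons.append("service registered but its image is not on disk")
    return reasons


def run_triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged file path or service name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            key = entry.path if isinstance(entry, FileEntry) else entry.name
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in run_triage(SAMPLE_LOG).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Run against the sample, it flags oledlga.dll, atapi.sys, KillTheHooker (two reasons) and memchek, and leaves KmxStart, deployJava1.dll and the RotInHell folder alone. The service check deliberately does not care who created the Temp-resident driver; attributing it to the user's own removal tool, as the path here allows, is the human step that follows.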
  7. OK, I am trying to C/P the results, but it keeps coming back with a 501 error. So I took screenshots (attached). I hope that works.....
  8. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

     Antivirus             Version          Last Update  Result
     a-squared             4.5.0.50         2010.05.10   -
     AhnLab-V3             2010.05.15.00    2010.05.14   -
     AntiVir               8.2.1.242        2010.05.14   -
     Antiy-AVL             2.0.3.7          2010.05.14   -
     Authentium            5.2.0.5          2010.05.14   -
     Avast                 4.8.1351.0       2010.05.14   -
     Avast5                5.0.332.0        2010.05.14   -
     AVG                   9.0.0.787        2010.05.14   -
     BitDefender           7.2              2010.05.14   -
     CAT-QuickHeal         10.00            2010.05.14   -
     ClamAV                0.96.0.3-git     2010.05.14   -
     Comodo                4841             2010.05.14   -
     DrWeb                 5.0.2.03300      2010.05.14   -
     eSafe                 7.0.17.0         2010.05.13   -
     eTrust-Vet            35.2.7488        2010.05.14   -
     F-Prot                4.5.1.85         2010.05.14   -
     F-Secure              9.0.15370.0      2010.05.14   -
     Fortinet              4.1.133.0        2010.05.14   -
     GData                 21               2010.05.14   -
     Ikarus                T3.1.1.84.0      2010.05.14   -
     Jiangmin              13.0.900         2010.05.14   -
     Kaspersky             7.0.0.125        2010.05.14   -
     McAfee                5.400.0.1158     2010.05.14   -
     McAfee-GW-Edition     2010.1           2010.05.14   -
     Microsoft             1.5703           2010.05.14   -
     NOD32                 5115             2010.05.14   -
     Norman                6.04.12          2010.05.14   -
     nProtect              2010-05-14.01    2010.05.14   -
     Panda                 10.0.2.7         2010.05.14   -
     PCTools               7.0.3.5          2010.05.14   Application.NirCmd
     Prevx                 3.0              2010.05.14   -
     Rising                22.47.04.03      2010.05.14   -
     Sophos                4.53.0           2010.05.14   -
     Sunbelt               6303             2010.05.14   -
     Symantec              20101.1.0.89     2010.05.14   -
     TheHacker             6.5.2.0.280      2010.05.14   -
     TrendMicro            9.120.0.1004     2010.05.14   -
     TrendMicro-HouseCall  9.120.0.1004     2010.05.14   -
     VBA32                 3.12.12.5        2010.05.14   -
     ViRobot               2010.5.14.2316   2010.05.14   -
     VirusBuster           5.0.27.0         2010.05.14   -
  9. Script results below. Also, I did have PC Tools "fix" its findings, as it has since found an .exe. Screenshot attached.

     ComboFix 10-05-14.06 - vjmure 05/14/2010 17:16:32.4.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.442 [GMT -4:00]
     Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\vjmure\Desktop\CFScript.txt
     AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

     file zipped: c:\windows\system32\oledlga.dll
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
     .
     2010-05-14 10:53 . 2010-05-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
     2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
     2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell
     2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
     2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
     2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
     2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
     2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
     2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
     2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
     2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
     2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
     2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
     2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
     2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
     2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
     2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
     2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
     2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
     2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
     2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
     2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
     2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
     2010-04-29 00:42 . 2010-05-14 21:08 -------- d-----w- c:\program files\Spyware Doctor
     2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
     2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
     2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
     2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
     2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
     2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
     2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
     2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
     2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
     2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
     2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
     2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-14 21:12 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
     2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
     2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
     2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
     2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
     2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
     2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
     2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
     2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
     2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
     2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
     2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
     2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
     2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
     2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
     2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
     2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
     2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
     2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
     2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
     .
     <pre>
     c:\program files\Analog Devices\SoundMAX\smax4 .exe
     c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
     c:\program files\CA\CA Internet Security Suite\casc .exe
     c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe
     c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe
     c:\program files\Microsoft LifeCam\lifeexp .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\Windows Defender\msascui .exe
     </pre>
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A]
     "cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
     "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
     2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
     "c:\\WINDOWS\\system32\\dpnsvr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
     "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iWin Games\\iWinGames.exe"=
     "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
     R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
     R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
     R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
     R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
     R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
     R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
     R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
     R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
     S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
     S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
     S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
     S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - PCTSDInjDriver32

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-14 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.bing.com/
     mStart Page = hxxp://www.google.com
     uInternet Connection Wizard,ShellNext = iexplore
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
     LSP: c:\windows\system32\VetRedir.dll
     Trusted Zone: aetna.com\xtranet
     Trusted Zone: aetna.com\xtranet6
     Trusted Zone: aetna.com\xtranetx
     Trusted Zone: ameritrade.com\research
     Trusted Zone: ameritrade.com\wwws
     Trusted Zone: cnn.com\politicalticker.blogs
     Trusted Zone: cnn.com\sportsillustrated
     Trusted Zone: cnn.com\www
     Trusted Zone: equifax.com\www.econsumer
     Trusted Zone: facebook.com\apps
     Trusted Zone: facebook.com\www
     Trusted Zone: fannation.com\www
     Trusted Zone: garmin.com\www8
     Trusted Zone: nawsrc.org\www
     Trusted Zone: tdameritrade.com\www
     Trusted Zone: toysrus.com\www
     Trusted Zone: usana.com\www
     Trusted Zone: weather.com\www
     Trusted Zone: youtube.com\www
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-14 17:26
     Windows 5.1.2600 Service Pack 3 NTFS

     detected NTDLL code modification:
     ZwClose

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

     [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
     "ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1748)
     c:\windows\system32\UmxWnp.Dll

     - - - - - - - > 'lsass.exe'(1952)
     c:\windows\system32\VetRedir.dll
     c:\windows\system32\ISafeIf.dll

     - - - - - - - > 'explorer.exe'(2792)
     c:\windows\system32\WININET.dll
     c:\program files\Spyware Doctor\pctgmhk.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\windows\system32\WS2_32.dll
     c:\windows\system32\WS2HELP.dll
     .
     Completion time: 2010-05-14 17:32:24
     ComboFix-quarantined-files.txt 2010-05-14 21:32
     ComboFix2.txt 2010-05-13 10:25
     ComboFix3.txt 2010-05-08 13:39

     Pre-Run: 44,604,461,056 bytes free
     Post-Run: 44,578,422,784 bytes free

     - - End Of File - - 2853959EEC6EAE0E148520CFF1F675D6
  10. FYI.... They all seem to be registry entries....
  11. From http://www.virustotal.com/ "0 bytes size received / Se ha recibido un archivo vacio " Also, my "Spyware Doctor" ran on its normal schedule and found some things; screen shot is attached. I took no action (the app is still up). Thanks, V
  12. BTW, I did re-enable the Antivirus / anti-malware as well. (I ran no scans though) Thanks, V
  13. Thanks again. Here is the result of the combo fix:

ComboFix 10-05-12.03 - vjmure 05/13/2010 6:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -4:00]
Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\SMRTDRIV.DLL
c:\windows\system32\ctfmon .exe
c:\windows\system32\nwiz .exe
c:\windows\system32\regsvr32 .exe
c:\windows\system32\rundll32 .exe
c:\windows\vvx3000 .exe
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.
2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell
2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-29 00:42 . 2010-05-13 03:26 -------- d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 10:03 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
.
<pre>
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\CA\CA Internet Security Suite\casc .exe
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe
c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 0a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 01000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = Microsoft Corporation
uInternet Connection Wizard,ShellNext = MICROSO
uInternet Connection Wizard,ShellNext = 6.0.2600.0000
uInternet Connection Wizard,ShellNext = no
uInternet Connection Wizard,ShellNext = \0
uInternet Connection Wizard,ShellNext = about:NoAdd-ons
uInternet Connection Wizard,ShellNext = about:SecurityRisk
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = yes
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 06:19
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\UmxWnp.Dll

- - - - - - - > 'lsass.exe'(1952)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2010-05-13 06:25:06
ComboFix-quarantined-files.txt 2010-05-13 10:25
ComboFix2.txt 2010-05-08 13:39

Pre-Run: 44,847,493,120 bytes free
Post-Run: 44,995,600,384 bytes free

- - End Of File - - 75BDE1F420D64B80D3957D265DA23B36
  14. Borislav, Thank you immensely for helping me out on this. I did the following:
1- Uninstalled Adobe Reader 9.1 (through ctl panel)
2- Updated, and ran, Malwarebytes. It found zero infections. Report below.
3- Ran DDS- log below.
Quick question; what should I do with my machine during this process? Should I leave it on? Shut it off? Could I check email, use internet etc? Thanks V

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/12/2010 5:22:13 PM
mbam-log-2010-05-12 (17-22-13).txt

Scan type: Quick scan
Objects scanned: 140875
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by vjmure at 17:23:41.10 on Wed 05/12/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.433 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\vjmure\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\etrust ez antivirus\CAVRID.exe"
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spyware doctor\pctsGui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148152187781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-9-11 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-9-11 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-9-11 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-9-11 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-9-11 161008]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-28 112592]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\etrust ez antivirus\isafe.exe [2007-1-7 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-9-11 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-28 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-28 1142224]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-4-1 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-6-15 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-4-1 207352]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\etrust ez antivirus\vetmsg.exe [2007-1-7 292080]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-9-11 133520]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2008-7-20 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-6-4 78104]

=============== Created Last 30 ================

2010-05-10 22:51:18 0 ----a-w- c:\documents and settings\vjmure\defogger_reenable
2010-05-09 04:05:24 0 d-----w- c:\program files\Trend Micro
2010-05-09 02:17:08 0 d-----w- C:\RotInHell
2010-05-08 13:57:41 0 d-----w- c:\program files\ESET
2010-05-08 13:53:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-08 13:53:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04:11 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04:11 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 12:30:32 0 d-sha-r- C:\cmdcons
2010-04-29 00:45:05 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-29 00:45:05 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-29 00:45:05 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45:04 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45:04 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45:04 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45:03 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45:03 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43:02 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-29 00:43:02 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42:57 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42:57 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-29 00:42:57 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-29 00:42:57 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-29 00:42:47 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42:32 0 d-----w- c:\program files\common files\PC Tools
2010-04-29 00:42:31 0 d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42:31 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-27 10:49:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49:00 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49:00 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46:25 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46:25 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43:23 93184 --sha-r- c:\windows\system32\oledlga.dll

==================== Find3M ====================

2010-05-08 12:16:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-06-07 23:47:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-11-09 04:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 17:24:44.85 ===============
  15. Last attachment ... (I would have added attachments to the original, but machine froze....) defogger_disable.log renamed defogger_disable.txt defogger_disable.txt
  16. Here are attachments.... ark.txt Attach.txt mbam_log_2010_05_11__01_09_49_.txt
  17. Ran Antivirus, Malwarebytes, PC Doctor; found a bunch of stuff, but did NOT fix the issue. Followed instructions on this page http://forums.malwarebytes.org/index.php?showtopic=9573 (I'm infected, what do I do now). Here are the logs. Side note: the "Defogger" did NOT ask me to reboot, but I did anyway????? Not sure if that is an issue. Here is the DDS.txt. Also attached are the "attach.txt", "ark.txt" and Malwarebytes log.... ANY HELP IS IMMENSELY APPRECIATED! Thanks - Vjmure

DDS (Ver_10-03-17.01) - NTFSx86
Run by vjmure at 18:57:01.28 on Mon 05/10/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.447 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\vjmure\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\etrust ez antivirus\CAVRID.exe"
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spyware doctor\pctsGui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148152187781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-9-11 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-9-11 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-9-11 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-9-11 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-9-11 161008]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-28 112592]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\etrust ez antivirus\isafe.exe [2007-1-7 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-9-11 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-28 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-28 1142224]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-4-1 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-6-15 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-4-1 207352]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\etrust ez antivirus\vetmsg.exe [2007-1-7 292080]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-9-11 133520]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2008-7-20 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-6-4 78104]

=============== Created Last 30 ================

2010-05-10 22:51:18 0 ----a-w- c:\documents and settings\vjmure\defogger_reenable
2010-05-09 04:05:24 0 d-----w- c:\program files\Trend Micro
2010-05-09 02:17:08 0 d-----w- C:\RotInHell
2010-05-08 13:57:41 0 d-----w- c:\program files\ESET
2010-05-08 13:53:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-08 13:53:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04:11 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04:11 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 12:30:32 0 d-sha-r- C:\cmdcons
2010-04-29 00:45:05 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-29 00:45:05 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-29 00:45:05 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45:04 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45:04 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45:04 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45:03 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45:03 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43:02 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-29 00:43:02 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42:57 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42:57 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-29 00:42:57 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-29 00:42:57 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-29 00:42:47 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42:32 0 d-----w- c:\program files\common files\PC Tools
2010-04-29 00:42:31 0 d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42:31 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-27 10:49:03 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49:03 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49:00 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49:00 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48:58 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46:25 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46:25 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43:23 93184 --sha-r- c:\windows\system32\oledlga.dll

==================== Find3M ====================

2010-05-08 12:16:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-06-07 23:47:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-11-09 04:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 18:58:10.64 ===============
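The SERVICES / DRIVERS section of a DDS log is where a helper looks first, and the entries worth a second look are the ones whose image lives under a user profile or temp directory and the ones written in the "raw path --> resolved path [?]" form. The following triage helper is an added example for this thread; it is not part of the original post and is not code from DDS, Malwarebytes or any other tool named here. Its assumptions: the "[?]" marker is read as "DDS could not find or read the image file"; the path markers in USER_AREA_MARKERS are the example's own choice of XP user-profile and temp locations (short and long forms); the function and class names are hypothetical; and the five sample lines are constructed from the log above rather than read from a file.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (added example).

Parses lines of the form
    <start> <name>;<display name>;<image path> [<date> <size>]
where <start> is R (running) or S (stopped) followed by the Windows service
start type (0 boot, 1 system, 2 automatic, 3 on demand, 4 disabled), and the
image path may appear as '<raw ImagePath> --> <resolved path>' with a trailing
'[?]' instead of '[date size]' (assumed to mean DDS could not read the file).
"""
import re
from dataclasses import dataclass, field

# Sample lines constructed from the log in the post above; not the full section.
SAMPLE_SERVICES = r"""
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\vjmure\locals~1\temp\temporary directory 1 for tdl3%20razor[1].zip\tdl3 razor\TizerBruteForceEx.sys [?]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-6-4 78104]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<image>.*?)"            # ImagePath, optionally ' --> resolved path'
    r"\s+\[(?P<info>[^\]]*)\]$"  # trailing [date size], or [?] (file not readable)
)

# Locations a driver or service image should not normally live in (assumption:
# 8.3 and long-name forms of the XP profile and temp directories).
USER_AREA_MARKERS = (
    "\\docume~1\\",
    "\\documents and settings\\",
    "\\locals~1\\temp\\",
    "\\local settings\\temp\\",
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str                 # resolved image path with the \??\ prefix stripped
    info: str                 # 'YYYY-M-D size' or '?'
    flags: list = field(default_factory=list)


def flag_entry(entry: ServiceEntry) -> list:
    """Heuristics a helper applies before deciding what to investigate further."""
    flags = []
    if entry.info == "?":
        flags.append("image file not found")
    lower = entry.path.lower()
    if any(marker in lower for marker in USER_AREA_MARKERS):
        flags.append("image under user profile/temp directory")
    return flags


def parse_service_line(line: str):
    """Return a ServiceEntry for one DDS service/driver line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw, _, resolved = m["image"].partition(" --> ")
    path = resolved or raw
    if path.startswith("\\??\\"):  # NT object-manager prefix seen in raw ImagePath values
        path = path[4:]
    entry = ServiceEntry(m["start"], m["name"], m["display"], path, m["info"])
    entry.flags = flag_entry(entry)
    return entry


def parse_services(text: str) -> list:
    """Parse every service/driver line in a block of DDS output; skip the rest."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def triage(text: str) -> dict:
    """Map each flagged service name to the reasons it was flagged."""
    return {e.name: e.flags for e in parse_services(text) if e.flags}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it on the sample and only KillTheHooker and memchek come back flagged; the CA, PC Tools and Windows Defender entries under system32 and Program Files pass through clean. A flag is a reason to look, not a verdict: an entry pointing into a temp directory can just as easily be a removal tool someone ran from a zip as something hostile, and the helper on the thread is the one who decides which.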