BACKDOOR.BOT


BACKDOOR.BOT

Post by karenor on 16th October 2009, 10:50 pm

Hello:

Well, the Backdoor.Bot is back. It stayed away for about one week. I ran a Mbam and the scan showed it was back last night. I am posting that scan along with the Hijack This scan.
Can someone help me get rid of this once and for all? It really slows down my computer.
I am running Windows XP with service pack #3. All items are up to date including the most recent items from Microsoft just released on 10/13/09. I also have Mbam, Spy Bot, Advanced Disk Cleaner, CCleaner, Spy Blaster, Malicious Removal, Windows Defender, AVG, Super Anti Spyware, Baseline Security Analyzer and Advanced System Care.

Thanks,
Karen

-------Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:51 PM, on 10/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - .DEFAULT User Startup: desktop(2).ini (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 6140 bytes
----------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3

10/16/2009 2:37:02 PM
mbam-log-2009-10-16 (14-37-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165435
Time elapsed: 3 hour(s), 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

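The two scans above line up on one entry: HijackThis lists `O4 - HKCU\..\Run: [Microsoft Update] navmgrd.exe` (a bare file name with no path, under a Microsoft-sounding label) and Malwarebytes later quarantines that same `HKCU\...\Run\Microsoft Update` value as Backdoor.Bot; the process list also shows `winlogon.scr` running from the user's Desktop. The script below, added here as a triage example and not code from the thread, HijackThis or Malwarebytes, parses the "Running processes" and O4 sections of a HijackThis 2.0.2 log and flags exactly those patterns. The sample input is a constructed excerpt of the log posted above; the heuristics (bare file name, system-binary name outside the Windows directory or with a non-.exe extension, vendor-sounding label on a file outside Windows/Program Files, trusted-directory list) are this example's assumptions, not HijackThis's own rules.

```python
"""Triage a HijackThis 2.0.2 log for autorun entries and processes worth a closer look.

Added example, not from the forum thread or the HijackThis project. The heuristics
are the editor's assumptions; SAMPLE_LOG is a constructed excerpt of the posted log.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\winlogon.scr

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Update] navmgrd.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

# Core Windows binary names that malware likes to borrow (illustrative list, an assumption).
SYSTEM_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "explorer", "ctfmon", "spoolsv"}

# "[label] command" O4 entries and "name.lnk = path" startup-folder entries.
O4_RUN = re.compile(r"^O4 - (?P<where>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK = re.compile(r"^O4 - (?P<where>.+?): (?P<label>.+?\.lnk) = (?P<cmd>.+)$")
# Executable at the front of a command line, quoted or not, with or without arguments.
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|cmd|pif|dll))"?(?=\s|$)',
                      re.IGNORECASE)
# Directories we treat as expected homes for autorun targets (assumption).
TRUSTED_DIR = re.compile(r"^[a-z]:\\(windows(\\|$)|program files|progra~1)", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows(\\|$)", re.IGNORECASE)


def executable_of(cmd: str) -> Optional[str]:
    """Return the executable path at the front of a Run command line, or None."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def check_path(path: str) -> List[str]:
    """Heuristics applied to one executable path from either section of the log."""
    reasons = []
    directory = ntpath.dirname(path)
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if not directory:
        # A bare name is resolved through the search path at logon, so the log
        # alone does not say which file actually runs.
        reasons.append("bare file name with no directory")
    elif not TRUSTED_DIR.match(directory):
        reasons.append("runs from a non-standard location: " + directory)
    if stem.lower() in SYSTEM_NAMES:
        if ext.lower() != ".exe":
            reasons.append("system binary name with unexpected extension " + ext)
        elif not WINDOWS_DIR.match(directory):
            reasons.append("system binary name outside the Windows directory")
    return reasons


def suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line (verbatim) to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            reasons = check_path(line)
        else:
            m = O4_RUN.match(line) or O4_LNK.match(line)
            if not m:
                continue
            path = executable_of(m.group("cmd"))
            if path is None:
                continue
            reasons = check_path(path)
            label = m.group("label").lower()
            if any(w in label for w in ("microsoft", "windows")) \
                    and not TRUSTED_DIR.match(ntpath.dirname(path)):
                reasons.append("vendor-sounding label on a file outside Windows/Program Files")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for subject, why in suspicious(SAMPLE_LOG).items():
        print(subject)
        for reason in why:
            print("   -", reason)
```

Run against the excerpt, the script flags only the `navmgrd.exe` Run value and the Desktop `winlogon.scr`; the AVG, Spybot, ctfmon and Windows Search entries pass. A flag is a reason to look at the file (hash, signer, on-disk location), not a verdict, which is why the output carries the reason text rather than a score.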

Re: BACKDOOR.BOT

Post by Dr Jay on 17th October 2009, 5:09 am

It appears to be the second time you returned about this backdoor bot.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.

Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

==

With that said, if you do not have the resources to do this operation, or would like to clean the computer, please do the following:

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 17th October 2009, 6:36 pm

Hello Dragon Master Jay:

I do not use the computer for banking and such so I have decided to try to clean it. I did try to start up in SAFE mode and that makes my computer weird. I am able to get to safe mode and then the computer asks if I want to start Windows XP. I click enter and off the computer goes. A bunch of stuff happens and then I end up in a sign on area where instead of my name and my son's name it now says: Administrator and Karen. I have tried to choose Karen and Administrator. I am the administrator. When choosing either Karen or administrator I have limited items on my desktop and very little movement of my cursor and my mouse. I have tried to go to RUN and enter: C:\SDFix. The computer will not let me do this. In fact I can not type in the area at all.

What do you suggest? Am I missing one of the steps? Much of this is foreign to me. Perhaps you need to break it down to the primary level for me. I am sorry to be so dumb about this.

I appreciate your help. Please answer back so that I can open in Safe Mode and get the SDFix to run the bat so I can get that report and the Hijack this new report to you.

Thanks
Karen


Re: BACKDOOR.BOT

Post by Dr Jay on 17th October 2009, 8:28 pm

It is fine to do it in Safe Mode, just go to the folder C:\SDFix - and double-click on RunThis.bat.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 17th October 2009, 10:34 pm

Hi Dragon Master Jay:

I can get to SAFE mode and then I can get Windows XP to boot up in SAFE mode. After that I am given two choices: Karen or Administrator. Which should I choose? I have administrator privileges.

Thanks,
Karen


Re: BACKDOOR.BOT

Post by karenor on 17th October 2009, 11:02 pm

Hi Dragon Master Jay:

I forgot to add that no matter what I choose: Karen or Administrator, I am not able to get to the SDFix. I am not able to open the file because it is not on the desktop of either Administrator or Karen. When in either Karen or Administrator I try to use the RUN and paste in C:\SDFix. I am not even able to type in the letter "C" in the area. The computer will not let me do anything. I must be missing a step. Please help me to do this.

Thanks,
Karen


Re: BACKDOOR.BOT

Post by Dr Jay on 17th October 2009, 11:11 pm

Let's take a different route, and we may return to SDFIX later.

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 18th October 2009, 2:00 am

Hi Dragon Slayer:

OK. I think I have everything that you asked for. So here goes.

Thanks again,
Karen

------------------------------------------------------------------------------------------------
ComboFix 09-10-16.09 - Owner 10/17/2009 18:18.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1567 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-776561741-448539723-725345543-1018
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\Installer\162c05a.msi
c:\windows\Installer\1cd2da5.msi
c:\windows\Installer\1e30eb8.msp
c:\windows\Installer\2133100.msi
c:\windows\Installer\24d0650.msi
c:\windows\Installer\250cc4c.msi
c:\windows\Installer\267b4ba.msp
c:\windows\Installer\64d57.msi
c:\windows\Installer\b75da.msi
c:\windows\system32\axaltocm.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\iniasd.txt

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-17 18:02 . 2009-10-17 18:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-17 17:38 . 2008-11-06 09:03 -------- dc----w- C:\SDFix
2009-10-13 22:58 . 2009-10-13 22:58 9092032 ----a-w- c:\program files\windows-kb890830-v3.0.exe
2009-10-02 17:36 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 03:28 . 2009-10-02 05:39 -------- d-----w- c:\program files\Trend Micro
2009-09-30 20:22 . 2009-10-15 04:00 -------- d-----w- c:\windows\BDOSCAN8
2009-09-30 03:16 . 2009-09-30 03:16 3309072 ----a-w- c:\program files\ccsetup224.exe
2009-09-27 07:42 . 2009-09-27 07:42 -------- d-----w- c:\program files\Microsoft
2009-09-27 07:42 . 2009-09-27 07:42 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-20 19:39 . 2009-09-20 19:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-20 19:38 . 2009-09-20 19:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-20 19:38 . 2009-09-20 19:38 7174176 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-09-20 19:17 . 2009-09-20 19:17 502168 ----a-w- c:\program files\SpyHunter-Installer.exe
2009-09-19 07:37 . 2003-07-16 20:24 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-19 07:37 . 2003-07-16 20:24 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 07:00 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 07:00 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 06:56 . 2009-09-19 06:56 4045528 ----a-w- c:\program files\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 00:58 . 2008-06-10 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-17 22:29 . 2004-12-04 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 19:40 . 2008-03-04 02:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-17 19:40 . 2008-06-18 19:24 -------- d-----w- c:\program files\SpywareBlaster
2009-09-28 22:17 . 2004-05-28 21:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 07:35 . 2008-09-19 06:15 1146184 ----a-w- c:\program files\wlsetup-web.exe
2009-09-25 03:59 . 2009-09-12 05:31 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-09-20 19:39 . 2008-04-22 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-09-19 07:44 . 2009-04-27 23:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 05:46 . 2009-04-27 23:11 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-09-19 05:27 . 2008-05-19 21:31 5154304 -c--a-w- c:\program files\WindowsDefender.msi
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 01:27 . 2009-08-30 01:26 3293088 ----a-w- c:\program files\ccsetup223.exe
2009-08-29 08:08 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:47 . 2008-06-10 04:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 16:47 . 2008-06-10 04:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 16:47 . 2008-06-10 04:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-15 20:08 . 2009-08-15 20:08 8798656 ----a-w- c:\program files\windows-kb890830-v2.13.exe
2009-08-07 02:24 . 2004-08-14 17:01 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-14 17:01 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-08-14 17:01 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-05-28 20:01 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-14 17:01 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2006-10-23 00:56 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2006-10-23 00:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2004-05-28 20:01 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2003-07-16 20:39 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-30 23:54 . 2009-07-30 23:54 3278552 ----a-w- c:\program files\ccsetup222.exe
2009-07-25 18:24 . 2009-07-25 18:23 2052104 ----a-w- c:\program files\advisor belarc.exe
2009-07-15 07:12 . 2009-07-15 07:12 498544 ----a-w- c:\program files\windowsxp-kb973346-x86-enu_44c821d5d40db5542fbf81d0d8f17e95de465e27.exe
2009-07-15 05:58 . 2009-07-15 05:57 1044856 ----a-w- c:\program files\windowsxp-kb971633-x86-enu_53c185a01195b208ebbefa903f703dc668698bbb.exe
2009-07-15 05:55 . 2009-07-15 05:55 569208 ----a-w- c:\program files\windowsxp-kb961371-x86-enu_a1f2c9e0b5b50808a9b87b855277401d0da99203.exe
2009-07-15 05:53 . 2009-07-15 05:53 1017280 ----a-w- c:\program files\windows-kb890830-v2.12-delta_9f511a3dc68bb5afdd38d500fce489be4c2ecf28.exe
2009-07-04 05:07 . 2009-07-04 05:06 3252640 ----a-w- c:\program files\ccsetup221.exe
2009-07-02 18:28 . 2009-05-20 05:47 7885928 ----a-w- c:\program files\asc-setup.exe
2009-06-10 21:30 . 2009-06-10 21:30 3247736 -c--a-w- c:\program files\ccsetup220.exe
2009-06-05 04:01 . 2009-06-05 01:19 9234289 ----a-w- c:\program files\7100.exe
2009-06-04 21:16 . 2009-06-04 21:15 14243328 -c--a-w- c:\program files\DM510.32.4071221.EN.msi
2009-05-19 05:53 . 2009-05-19 05:38 3227248 ----a-w- c:\program files\ccsetup219.exe
2009-05-15 13:56 . 2008-06-09 02:21 1079272 ----a-w- c:\program files\revosetup.exe
2009-05-04 20:08 . 2009-05-04 20:08 1146368 -c--a-w- c:\program files\advanced_disk_cleaner.msi
2009-04-28 21:56 . 2009-04-28 21:55 16883056 ----a-w- c:\program files\ie8-windowsxp-x86-enu_e489483e5001f95da04e1ebf3c664173baef3e26.exe
2009-04-10 17:44 . 2009-04-10 17:44 3012768 -c--a-w- c:\program files\spywareblastersetup42.exe
2009-04-06 18:13 . 2009-03-14 18:20 10246088 ----a-w- c:\program files\windows-kb890830-v2.8.exe
2009-04-01 03:21 . 2009-03-31 23:14 5046 -c--a-w- c:\program files\ReadMe.txt
2009-04-01 03:21 . 2001-08-24 03:00 33792 ----a-w- c:\program files\regini.exe
2009-04-01 03:21 . 2009-03-10 16:45 224 -c--a-w- c:\program files\fix.bat
2009-04-01 03:21 . 2006-04-19 23:49 2289 -c--a-w- c:\program files\Damage Fix Tool disclaimer.txt
2009-03-29 04:26 . 2009-03-29 04:24 3190688 ----a-w- c:\program files\ccsetup218.exe
2009-03-15 03:35 . 2009-03-15 03:35 3184816 ----a-w- c:\program files\ccsetup217.exe
2009-03-11 19:39 . 2009-03-11 19:39 1466768 ----a-w- c:\program files\windowsxp-kb958690-x86-enu_e9dc6debddb3759a736f653cd6c4fe482d9ff141.exe
2009-03-11 19:35 . 2009-03-11 19:35 569712 ----a-w- c:\program files\windowsxp-kb960225-x86-enu_bae2bc04b963c312a47f36bdea4a8236f7003d71.exe
2009-03-11 19:32 . 2009-03-11 19:31 10246088 ----a-w- c:\program files\windows-kb890830-v2.8_92b3edda5109d46a5976767e6d6d27ff92f2af2a.exe
2009-03-01 21:50 . 2009-02-10 23:44 9448904 ----a-w- c:\program files\windows-kb890830-v2.7.exe
2009-02-10 23:38 . 2009-02-10 23:38 9450440 ----a-w- c:\program files\windows-kb890830-v2.7_0bb2e9cf3b593bb676838baea7b6a26261214c20.exe
2009-02-10 23:33 . 2009-02-10 23:33 498032 ----a-w- c:\program files\windowsxp-kb960715-x86-enu_9680c60833b2798361ab182afdd5abd7beef3d06.exe
2009-02-10 23:19 . 2009-02-10 23:19 9006448 ----a-w- c:\program files\ie7-windowsxp-kb961260-x86-enu_eda7c493b6032ebc849d9ca49db3b92a147e9b87.exe
2009-01-29 00:06 . 2009-01-28 23:48 242743296 ----a-w- c:\program files\dotnetfx35_3dce66bae0dd71284ac7a971baed07030a186918.exe
2009-01-15 05:49 . 2009-01-15 05:49 9237440 ----a-w- c:\program files\windows-kb890830-v2.6.exe
2009-01-15 05:31 . 2009-01-15 05:31 658288 ----a-w- c:\program files\WindowsXP-KB958687-x86-ENU.exe
2009-01-04 07:38 . 2009-01-04 07:38 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320.zip
2009-01-02 22:57 . 2009-01-02 22:57 1945096 -c--a-w- c:\program files\BELARC advisor.exe
2009-01-01 20:54 . 2008-12-11 22:11 7771584 ----a-w- c:\program files\windows-kb890830-v2.5.exe
2008-12-30 21:08 . 2008-12-30 21:08 3165824 ----a-w- c:\program files\ccsetup215.exe
2008-12-17 22:04 . 2008-12-17 22:04 2552176 -c--a-w- c:\program files\IE7-WindowsXP-KB960714-x86-ENU.exe
2008-12-17 22:01 . 2008-12-17 22:01 1861488 -c--a-w- c:\program files\WindowsXP-KB960714-x86-ENU.exe
2008-12-11 22:50 . 2008-12-11 22:50 9005936 ----a-w- c:\program files\IE7-WindowsXP-KB958215-x86-ENU.exe
2008-12-11 22:42 . 2008-12-11 22:42 639856 ----a-w- c:\program files\WindowsXP-KB956802-x86-ENU.exe
2008-12-11 22:40 . 2008-12-11 22:40 6483344 ----a-w- c:\program files\WindowsXP-WindowsMedia-KB952069-x86-ENU.exe
2008-12-11 22:35 . 2008-12-11 22:35 606064 ----a-w- c:\program files\WindowsXP-KB954600-x86-ENU.exe
2008-12-11 22:29 . 2008-12-11 22:29 523120 ----a-w- c:\program files\WindowsXP-KB955839-x86-ENU.exe
2008-11-12 04:03 . 2008-11-12 04:03 725360 ----a-w- c:\program files\WindowsXP-KB957097-x86-ENU.exe
2008-11-12 03:58 . 2008-11-12 03:58 1248808 ----a-w- c:\program files\WindowsXP-KB954459-x86-ENU.exe
2008-11-12 03:54 . 2008-11-12 03:54 952840 ----a-w- c:\program files\msxml6-KB954459-enu-x86.exe
2008-11-12 03:42 . 2008-11-12 03:41 5687304 ----a-w- c:\program files\msxml4-KB954430-enu.exe
2008-11-12 03:31 . 2008-11-12 03:31 926760 ----a-w- c:\program files\WindowsXP-KB955069-x86-ENU.exe
2008-11-12 03:16 . 2008-11-12 03:16 7645120 ----a-w- c:\program files\windows-kb890830-v2.4_b86ded5d8c14a2fd381f2193dcd5954de8a0748e.exe
2008-10-20 06:21 . 2008-10-18 18:59 7478208 ----a-w- c:\program files\windows-kb890830-v2.3.exe
2008-10-17 17:04 . 2008-10-17 16:57 2934168 ----a-w- c:\program files\ccsetup212.exe
2008-10-14 17:48 . 2008-10-14 17:48 19153264 ----a-w- c:\program files\aaw2008.exe
2008-10-04 19:17 . 2008-09-13 18:22 7281784 ----a-w- c:\program files\windows-kb890830-v2.2.exe
2008-09-02 21:07 . 2008-08-16 19:48 7182968 ----a-w- c:\program files\windows-kb890830-v2.1.exe
2008-06-30 18:11 . 2008-06-30 18:11 1579008 -c--a-w- c:\program files\MBSASetup-x86-EN.msi
2008-06-23 17:11 . 2008-06-23 17:11 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-06-18 19:22 . 2008-06-18 19:21 2869536 ----a-w- c:\program files\spywareblastersetup41.exe
2008-05-19 21:26 . 2008-05-19 21:26 5154304 -c--a-w- c:\program files\WindowsDefender may 19 2008.msi
2008-05-19 21:20 . 2008-05-19 21:20 8502904 ----a-w- c:\program files\Windows-KB890830-V1.41.exe
2008-05-15 20:20 . 2008-05-15 20:19 8502904 ----a-w- c:\program files\windows-kb890830-v1.41_9602589c6ae9e584f496000ad818c3932589866e.exe
2008-05-08 05:54 . 2008-05-08 05:52 331805736 ----a-w- c:\program files\windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe
2008-05-02 18:26 . 2008-05-02 18:26 21031280 ----a-w- c:\program files\aaw2007 new version 050208.exe
2008-04-25 08:11 . 2008-04-25 08:11 1667 -c--a-w- c:\program files\ez trust.txt
2008-04-25 08:04 . 2008-04-25 08:04 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320 april 08.zip
2008-04-15 05:21 . 2008-04-15 05:21 2751368 ----a-w- c:\program files\CCLEANER 041408.exe
2008-04-06 02:45 . 2008-04-06 02:44 19871600 ----a-w- c:\program files\aaw2007 update 040508.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\JEFF\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-12-2 1757]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 16:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PPWebCap"=c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe"
"BearShareInstall"=c:\docume~1\Owner\LOCALS~1\Temp\BearShareInstallLauncher.exe /Launch='"c:\docume~1\Owner\LOCALS~1\Temp\NSR122~1.EXE" /N'
"ShareazaInstall"=c:\docume~1\Owner\LOCALS~1\Temp\ShareazaInstallLauncher.exe /Launch='"c:\docume~1\Owner\LOCALS~1\Temp\NSY1B1~1.EXE" /N'
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"OneTouch Monitor"=c:\program files\Visioneer OneTouch\OneTouchMon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"BearShare"="c:\program files\BearShare\BearShare.exe" /pause
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/9/2008 9:23 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/9/2008 9:23 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys --> c:\windows\system32\SVKP.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E}
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-aawservice



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-17 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-18 18:32
ComboFix-quarantined-files.txt 2009-10-18 01:32

Pre-Run: 17,632,034,816 bytes free
Post-Run: 17,610,907,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

252 --- E O F --- 2009-10-15 17:36
--------------------------------------------------------------------------------------------
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe® Photoshop® Album Starter Edition 3.2
Advanced Disk Cleaner
Advanced SystemCare 3
BCM V.92 56K Modem
Broadcom 440x 10/100 Integrated Controller
Canon CanoScan LiDE 100 User Registration
Canon MP Navigator EX 2.0
Canon S450
Canon Utilities Solution Menu
CanoScan LiDE 100 Scanner Driver
CCleaner (remove only)
Dell ResourceCD
Form Fill (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Intel(R) Extreme Graphics Driver
Junk Mail filter update
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
MathPlayer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 2.1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Location Finder
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
OneCare Advisor (Windows Live Toolbar)
OneTouch Version 3.0
PaperPort 7.02
Portable Media Center
RealPlayer
Revo Uninstaller 1.83
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SoundMAX
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WD Diagnostics
WebFldrs XP
WildBlue Optimizer Ver 2007-07-01
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Messenger 5.1
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
Windows XP Service Pack 3
WordPerfect Office 11
XML Paper Specification Shared Components Pack 1.0
XVID Codec Installation
***********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:41 PM, on 10/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - .DEFAULT User Startup: desktop(2).ini (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

--
End of file - 5733 bytes


Re: BACKDOOR.BOT

Post by Dr Jay on 18th October 2009, 3:31 am

Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\program files\SpyHunter-Installer.exe
    c:\program files\regini.exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


NEXT

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


NEXT

Please download RootRepeal from [You must be registered and logged in to see this link.].

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

==

Please include the following logs in your next reply:
-ComboFix log
-SpiderKill log
-RootRepeal log

You may have to use 2-3 posts to get all the information in.


Dr. Jay (DJ)




Re: BACKDOOR.BOT

Post by karenor on 18th October 2009, 4:40 am

Hi:

OK. Here is the data collected.

Thanks again,
Karen
----------------------------------------------------------------------------------------------------
ComboFix 09-10-16.09 - Owner 10/17/2009 21:03.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1556 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
Command switches used :: c:\documents and settings\Owner\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\regini.exe"
"c:\program files\SpyHunter-Installer.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\regini.exe
c:\program files\SpyHunter-Installer.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 03:10 . 2009-10-18 03:10 -------- dc----w- C:\$AVG
2009-10-18 03:09 . 2009-10-18 03:09 -------- d-----w- c:\program files\AVG
2009-10-18 03:09 . 2009-10-18 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-18 02:19 . 2009-10-18 02:19 889800 -c--a-w- c:\program files\avg_free_stb_en_9_37.exe
2009-10-17 18:02 . 2009-10-17 18:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-13 22:58 . 2009-10-13 22:58 9092032 ----a-w- c:\program files\windows-kb890830-v3.0.exe
2009-10-02 17:36 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 03:28 . 2009-10-02 05:39 -------- d-----w- c:\program files\Trend Micro
2009-09-30 20:22 . 2009-10-15 04:00 -------- d-----w- c:\windows\BDOSCAN8
2009-09-30 03:16 . 2009-09-30 03:16 3309072 ----a-w- c:\program files\ccsetup224.exe
2009-09-27 07:42 . 2009-09-27 07:42 -------- d-----w- c:\program files\Microsoft
2009-09-27 07:42 . 2009-09-27 07:42 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-20 19:39 . 2009-09-20 19:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-20 19:38 . 2009-09-20 19:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-20 19:38 . 2009-09-20 19:38 7174176 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-09-19 07:37 . 2003-07-16 20:24 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-19 07:37 . 2003-07-16 20:24 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 07:00 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 07:00 . 2009-09-19 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 07:00 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 06:56 . 2009-09-19 06:56 4045528 ----a-w- c:\program files\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 03:10 . 2008-06-10 04:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 03:10 . 2008-06-10 04:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 03:10 . 2008-06-10 04:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 03:10 . 2008-06-10 04:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 02:31 . 2004-12-04 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 19:40 . 2008-03-04 02:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-17 19:40 . 2008-06-18 19:24 -------- d-----w- c:\program files\SpywareBlaster
2009-09-28 22:17 . 2004-05-28 21:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 07:35 . 2008-09-19 06:15 1146184 ----a-w- c:\program files\wlsetup-web.exe
2009-09-25 03:59 . 2009-09-12 05:31 9008576 ----a-w- c:\program files\windows-kb890830-v2.14.exe
2009-09-20 19:39 . 2008-04-22 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-09-19 07:44 . 2009-04-27 23:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 05:46 . 2009-04-27 23:11 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-09-19 05:27 . 2008-05-19 21:31 5154304 -c--a-w- c:\program files\WindowsDefender.msi
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 01:27 . 2009-08-30 01:26 3293088 ----a-w- c:\program files\ccsetup223.exe
2009-08-29 08:08 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 20:08 . 2009-08-15 20:08 8798656 ----a-w- c:\program files\windows-kb890830-v2.13.exe
2009-08-07 02:24 . 2004-08-14 17:01 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-14 17:01 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-08-14 17:01 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-05-28 20:01 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-14 17:01 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2006-10-23 00:56 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2006-10-23 00:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2004-05-28 20:01 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2003-07-16 20:39 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-30 23:54 . 2009-07-30 23:54 3278552 ----a-w- c:\program files\ccsetup222.exe
2009-07-25 18:24 . 2009-07-25 18:23 2052104 ----a-w- c:\program files\advisor belarc.exe
2009-07-15 07:12 . 2009-07-15 07:12 498544 ----a-w- c:\program files\windowsxp-kb973346-x86-enu_44c821d5d40db5542fbf81d0d8f17e95de465e27.exe
2009-07-15 05:58 . 2009-07-15 05:57 1044856 ----a-w- c:\program files\windowsxp-kb971633-x86-enu_53c185a01195b208ebbefa903f703dc668698bbb.exe
2009-07-15 05:55 . 2009-07-15 05:55 569208 ----a-w- c:\program files\windowsxp-kb961371-x86-enu_a1f2c9e0b5b50808a9b87b855277401d0da99203.exe
2009-07-15 05:53 . 2009-07-15 05:53 1017280 ----a-w- c:\program files\windows-kb890830-v2.12-delta_9f511a3dc68bb5afdd38d500fce489be4c2ecf28.exe
2009-07-04 05:07 . 2009-07-04 05:06 3252640 ----a-w- c:\program files\ccsetup221.exe
2009-07-02 18:28 . 2009-05-20 05:47 7885928 ----a-w- c:\program files\asc-setup.exe
2009-06-10 21:30 . 2009-06-10 21:30 3247736 -c--a-w- c:\program files\ccsetup220.exe
2009-06-05 04:01 . 2009-06-05 01:19 9234289 ----a-w- c:\program files\7100.exe
2009-06-04 21:16 . 2009-06-04 21:15 14243328 -c--a-w- c:\program files\DM510.32.4071221.EN.msi
2009-05-19 05:53 . 2009-05-19 05:38 3227248 ----a-w- c:\program files\ccsetup219.exe
2009-05-15 13:56 . 2008-06-09 02:21 1079272 ----a-w- c:\program files\revosetup.exe
2009-05-04 20:08 . 2009-05-04 20:08 1146368 -c--a-w- c:\program files\advanced_disk_cleaner.msi
2009-04-28 21:56 . 2009-04-28 21:55 16883056 ----a-w- c:\program files\ie8-windowsxp-x86-enu_e489483e5001f95da04e1ebf3c664173baef3e26.exe
2009-04-10 17:44 . 2009-04-10 17:44 3012768 -c--a-w- c:\program files\spywareblastersetup42.exe
2009-04-06 18:13 . 2009-03-14 18:20 10246088 ----a-w- c:\program files\windows-kb890830-v2.8.exe
2009-04-01 03:21 . 2009-03-31 23:14 5046 -c--a-w- c:\program files\ReadMe.txt
2009-04-01 03:21 . 2009-03-10 16:45 224 -c--a-w- c:\program files\fix.bat
2009-04-01 03:21 . 2006-04-19 23:49 2289 -c--a-w- c:\program files\Damage Fix Tool disclaimer.txt
2009-03-29 04:26 . 2009-03-29 04:24 3190688 ----a-w- c:\program files\ccsetup218.exe
2009-03-15 03:35 . 2009-03-15 03:35 3184816 ----a-w- c:\program files\ccsetup217.exe
2009-03-11 19:39 . 2009-03-11 19:39 1466768 ----a-w- c:\program files\windowsxp-kb958690-x86-enu_e9dc6debddb3759a736f653cd6c4fe482d9ff141.exe
2009-03-11 19:35 . 2009-03-11 19:35 569712 ----a-w- c:\program files\windowsxp-kb960225-x86-enu_bae2bc04b963c312a47f36bdea4a8236f7003d71.exe
2009-03-11 19:32 . 2009-03-11 19:31 10246088 ----a-w- c:\program files\windows-kb890830-v2.8_92b3edda5109d46a5976767e6d6d27ff92f2af2a.exe
2009-03-01 21:50 . 2009-02-10 23:44 9448904 ----a-w- c:\program files\windows-kb890830-v2.7.exe
2009-02-10 23:38 . 2009-02-10 23:38 9450440 ----a-w- c:\program files\windows-kb890830-v2.7_0bb2e9cf3b593bb676838baea7b6a26261214c20.exe
2009-02-10 23:33 . 2009-02-10 23:33 498032 ----a-w- c:\program files\windowsxp-kb960715-x86-enu_9680c60833b2798361ab182afdd5abd7beef3d06.exe
2009-02-10 23:19 . 2009-02-10 23:19 9006448 ----a-w- c:\program files\ie7-windowsxp-kb961260-x86-enu_eda7c493b6032ebc849d9ca49db3b92a147e9b87.exe
2009-01-29 00:06 . 2009-01-28 23:48 242743296 ----a-w- c:\program files\dotnetfx35_3dce66bae0dd71284ac7a971baed07030a186918.exe
2009-01-15 05:49 . 2009-01-15 05:49 9237440 ----a-w- c:\program files\windows-kb890830-v2.6.exe
2009-01-15 05:31 . 2009-01-15 05:31 658288 ----a-w- c:\program files\WindowsXP-KB958687-x86-ENU.exe
2009-01-04 07:38 . 2009-01-04 07:38 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320.zip
2009-01-02 22:57 . 2009-01-02 22:57 1945096 -c--a-w- c:\program files\BELARC advisor.exe
2009-01-01 20:54 . 2008-12-11 22:11 7771584 ----a-w- c:\program files\windows-kb890830-v2.5.exe
2008-12-30 21:08 . 2008-12-30 21:08 3165824 ----a-w- c:\program files\ccsetup215.exe
2008-12-17 22:04 . 2008-12-17 22:04 2552176 -c--a-w- c:\program files\IE7-WindowsXP-KB960714-x86-ENU.exe
2008-12-17 22:01 . 2008-12-17 22:01 1861488 -c--a-w- c:\program files\WindowsXP-KB960714-x86-ENU.exe
2008-12-11 22:50 . 2008-12-11 22:50 9005936 ----a-w- c:\program files\IE7-WindowsXP-KB958215-x86-ENU.exe
2008-12-11 22:42 . 2008-12-11 22:42 639856 ----a-w- c:\program files\WindowsXP-KB956802-x86-ENU.exe
2008-12-11 22:40 . 2008-12-11 22:40 6483344 ----a-w- c:\program files\WindowsXP-WindowsMedia-KB952069-x86-ENU.exe
2008-12-11 22:35 . 2008-12-11 22:35 606064 ----a-w- c:\program files\WindowsXP-KB954600-x86-ENU.exe
2008-12-11 22:29 . 2008-12-11 22:29 523120 ----a-w- c:\program files\WindowsXP-KB955839-x86-ENU.exe
2008-11-12 04:03 . 2008-11-12 04:03 725360 ----a-w- c:\program files\WindowsXP-KB957097-x86-ENU.exe
2008-11-12 03:58 . 2008-11-12 03:58 1248808 ----a-w- c:\program files\WindowsXP-KB954459-x86-ENU.exe
2008-11-12 03:54 . 2008-11-12 03:54 952840 ----a-w- c:\program files\msxml6-KB954459-enu-x86.exe
2008-11-12 03:42 . 2008-11-12 03:41 5687304 ----a-w- c:\program files\msxml4-KB954430-enu.exe
2008-11-12 03:31 . 2008-11-12 03:31 926760 ----a-w- c:\program files\WindowsXP-KB955069-x86-ENU.exe
2008-11-12 03:16 . 2008-11-12 03:16 7645120 ----a-w- c:\program files\windows-kb890830-v2.4_b86ded5d8c14a2fd381f2193dcd5954de8a0748e.exe
2008-10-20 06:21 . 2008-10-18 18:59 7478208 ----a-w- c:\program files\windows-kb890830-v2.3.exe
2008-10-17 17:04 . 2008-10-17 16:57 2934168 ----a-w- c:\program files\ccsetup212.exe
2008-10-14 17:48 . 2008-10-14 17:48 19153264 ----a-w- c:\program files\aaw2008.exe
2008-10-04 19:17 . 2008-09-13 18:22 7281784 ----a-w- c:\program files\windows-kb890830-v2.2.exe
2008-09-02 21:07 . 2008-08-16 19:48 7182968 ----a-w- c:\program files\windows-kb890830-v2.1.exe
2008-06-30 18:11 . 2008-06-30 18:11 1579008 -c--a-w- c:\program files\MBSASetup-x86-EN.msi
2008-06-23 17:11 . 2008-06-23 17:11 2400784 ----a-w- c:\program files\WLinstaller.exe
2008-06-18 19:22 . 2008-06-18 19:21 2869536 ----a-w- c:\program files\spywareblastersetup41.exe
2008-05-19 21:26 . 2008-05-19 21:26 5154304 -c--a-w- c:\program files\WindowsDefender may 19 2008.msi
2008-05-19 21:20 . 2008-05-19 21:20 8502904 ----a-w- c:\program files\Windows-KB890830-V1.41.exe
2008-05-15 20:20 . 2008-05-15 20:19 8502904 ----a-w- c:\program files\windows-kb890830-v1.41_9602589c6ae9e584f496000ad818c3932589866e.exe
2008-05-08 05:54 . 2008-05-08 05:52 331805736 ----a-w- c:\program files\windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe
2008-05-02 18:26 . 2008-05-02 18:26 21031280 ----a-w- c:\program files\aaw2007 new version 050208.exe
2008-04-25 08:11 . 2008-04-25 08:11 1667 -c--a-w- c:\program files\ez trust.txt
2008-04-25 08:04 . 2008-04-25 08:04 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320 april 08.zip
2008-04-15 05:21 . 2008-04-15 05:21 2751368 ----a-w- c:\program files\CCLEANER 041408.exe
2008-04-06 02:45 . 2008-04-06 02:44 19871600 ----a-w- c:\program files\aaw2007 update 040508.exe
2008-01-14 20:32 . 2008-04-25 07:31 6957056 -c--a-w- c:\program files\PhotoLibrary.msp
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 03:54 . 2009-07-12 03:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 08:07 . 2009-07-12 08:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 08:19 . 2009-07-12 08:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 08:12 . 2009-07-12 08:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 08:09 . 2009-07-12 08:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 08:08 . 2009-07-12 08:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-10-18 03:09 . 2009-10-18 03:09 424448 c:\windows\Installer\72464d.msi
+ 2009-07-12 03:46 . 2009-07-12 03:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 03:46 . 2009-07-12 03:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-18 2010904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\JEFF\Start Menu\Programs\Startup\
desktop(2).ini [2004-5-28 84]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-12-2 1757]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 03:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PPWebCap"=c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe"
"BearShareInstall"=c:\docume~1\Owner\LOCALS~1\Temp\BearShareInstallLauncher.exe /Launch='"c:\docume~1\Owner\LOCALS~1\Temp\NSR122~1.EXE" /N'
"ShareazaInstall"=c:\docume~1\Owner\LOCALS~1\Temp\ShareazaInstallLauncher.exe /Launch='"c:\docume~1\Owner\LOCALS~1\Temp\NSY1B1~1.EXE" /N'
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"OneTouch Monitor"=c:\program files\Visioneer OneTouch\OneTouchMon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"BearShare"="c:\program files\BearShare\BearShare.exe" /pause
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/9/2008 9:23 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/9/2008 9:23 PM 333192]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/17/2009 8:09 PM 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/17/2009 8:09 PM 285392]
S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys --> c:\windows\system32\SVKP.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-17 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-18 21:17
ComboFix-quarantined-files.txt 2009-10-18 04:16
ComboFix2.txt 2009-10-18 03:49
ComboFix3.txt 2009-10-18 01:32

Pre-Run: 17,459,040,256 bytes free
Post-Run: 17,456,816,128 bytes free

262 --- E O F --- 2009-10-15 17:36
--------------------------------------------------------------------------------
SpiderKill by DragonMaster Jay ( Oct 2009 )


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C has no label.
Volume Serial Number is 781A-ED93

Directory of C:\Windows\System32\Drivers

10/17/2009 09:08 PM .
10/17/2009 09:08 PM ..
04/15/2003 10:39 AM 11,319 a302.sys
04/15/2003 10:39 AM 29,239 a303.sys
04/15/2003 10:40 AM 46,647 a304.sys
04/15/2003 10:40 AM 11,831 a305.sys
04/15/2003 10:40 AM 16,439 a306.sys
04/15/2003 10:40 AM 21,559 a307.sys
04/15/2003 10:40 AM 10,807 a308.sys
04/15/2003 10:40 AM 25,655 a309.sys
04/15/2003 10:40 AM 33,335 a310.sys
04/15/2003 10:40 AM 32,823 a311.sys
04/15/2003 10:41 AM 37,431 a313.sys
04/15/2003 10:41 AM 10,807 a314.sys
08/03/2004 11:07 PM 187,776 acpi(2).sys
04/14/2008 12:06 AM 187,776 acpi.sys
07/16/2003 01:23 PM 11,648 acpiec.sys
04/14/2008 05:41 AM 4,255 adv01nt5.dll
04/14/2008 05:41 AM 3,967 adv02nt5.dll
04/14/2008 05:41 AM 3,615 adv05nt5.dll
04/14/2008 05:41 AM 3,647 adv07nt5.dll
04/14/2008 05:41 AM 3,135 adv08nt5.dll
04/14/2008 05:41 AM 3,711 adv09nt5.dll
04/14/2008 05:41 AM 3,775 adv11nt5.dll
04/01/2002 01:15 PM 4,816 aeaudio(2).sys
04/01/2002 01:15 PM 4,816 aeaudio.sys
08/03/2004 10:39 PM 142,464 aec(2).sys
04/13/2008 10:09 PM 142,592 aec.sys
02/23/2005 02:58 PM 11,776 afc.sys
08/03/2004 11:14 PM 138,496 afd(2).sys
08/14/2008 03:04 AM 138,496 afd.sys
04/14/2008 12:06 AM 42,368 agp440.sys
04/14/2008 12:06 AM 44,928 agpcpq.sys
04/14/2008 12:06 AM 42,752 alim1541.sys
04/14/2008 12:06 AM 43,008 amdagp.sys
04/14/2008 12:01 AM 37,376 amdk6.sys
04/14/2008 12:01 AM 37,760 amdk7.sys
04/14/2008 12:21 AM 60,800 arp1394.sys
08/03/2004 11:05 PM 14,336 asyncmac(2).sys
04/14/2008 12:27 AM 14,336 asyncmac.sys
08/03/2004 10:59 PM 95,360 atapi(2).sys
04/14/2008 12:10 AM 96,512 atapi.sys
08/03/2004 10:29 PM 56,623 ati1btxx.sys
08/03/2004 10:29 PM 11,615 ati1mdxx.sys
08/03/2004 10:29 PM 12,047 ati1pdxx.sys
08/03/2004 10:29 PM 30,671 ati1raxx.sys
08/03/2004 10:29 PM 63,663 ati1rvxx.sys
08/03/2004 10:29 PM 26,367 ati1snxx.sys
08/03/2004 10:29 PM 21,343 ati1ttxx.sys
08/03/2004 10:29 PM 36,463 ati1tuxx.sys
08/03/2004 10:29 PM 29,455 ati1xbxx.sys
08/03/2004 10:29 PM 34,735 ati1xsxx.sys
08/03/2004 10:29 PM 327,040 ati2mtaa.sys
08/03/2004 10:29 PM 701,440 ati2mtag.sys
08/03/2004 10:29 PM 57,856 atinbtxx.sys
08/03/2004 10:29 PM 13,824 atinmdxx.sys
08/03/2004 10:29 PM 14,336 atinpdxx.sys
08/03/2004 10:29 PM 52,224 atinraxx.sys
08/03/2004 10:29 PM 104,960 atinrvxx.sys
08/03/2004 10:29 PM 28,672 atinsnxx.sys
08/03/2004 10:29 PM 13,824 atinttxx.sys
08/03/2004 10:29 PM 73,216 atintuxx.sys
08/03/2004 10:29 PM 31,744 atinxbxx.sys
08/03/2004 10:29 PM 63,488 atinxsxx.sys
07/17/2004 11:36 AM 64,352 ativmc20.cod
08/03/2004 10:58 PM 59,904 atmarpc(2).sys
04/14/2008 12:21 AM 59,904 atmarpc.sys
07/16/2003 01:24 PM 31,360 atmepvc.sys
04/14/2008 12:21 AM 55,808 atmlane.sys
07/16/2003 01:24 PM 352,256 atmuni.sys
04/14/2008 05:41 AM 21,183 atv01nt5.dll
04/14/2008 05:41 AM 11,359 atv02nt5.dll
04/14/2008 05:41 AM 25,471 atv04nt5.dll
04/14/2008 05:41 AM 14,143 atv06nt5.dll
04/14/2008 05:41 AM 17,279 atv10nt5.dll
08/17/2001 06:59 AM 3,072 audstub(2).sys
08/17/2001 06:59 AM 3,072 audstub.sys
10/17/2009 08:10 PM Avg
10/17/2009 08:10 PM 333,192 avgldx86.sys
10/17/2009 08:10 PM 28,424 avgmfx86.sys
10/17/2009 08:10 PM 360,584 avgtdix.sys
03/06/2008 11:51 AM 3,840 BANTExt.sys
06/30/2003 06:11 PM 43,136 bcm4sbxp.sys
08/17/2001 06:28 AM 871,388 BCMDM.sys
08/29/2003 04:59 AM 1,101,696 BCMSM(2).sys
08/29/2003 04:59 AM 1,101,696 BCMSM.sys
07/16/2003 01:24 PM 4,224 beep(2).sys
07/16/2003 01:24 PM 4,224 beep.sys
04/14/2008 12:23 AM 71,552 bridge.sys
04/14/2008 12:16 AM 17,024 bthenum.sys
04/14/2008 12:16 AM 37,888 bthmodem.sys
04/14/2008 12:21 AM 101,120 bthpan.sys
06/13/2008 04:05 AM 272,128 bthport.sys
04/14/2008 12:16 AM 36,480 bthprint.sys
04/14/2008 12:16 AM 18,944 bthusb.sys
08/28/2003 04:58 PM 4,272 bvrp_pci.sys
07/16/2003 01:25 PM 13,952 cbidf2k.sys
04/14/2008 12:16 AM 17,024 CCDECODE.sys
07/16/2003 01:27 PM 18,688 cdaudio(2).sys
07/16/2003 01:27 PM 18,688 cdaudio.sys
08/03/2004 11:14 PM 63,744 cdfs(2).sys
04/14/2008 12:44 AM 63,744 cdfs.sys
08/03/2004 10:59 PM 49,536 cdrom(2).sys
04/14/2008 12:10 AM 62,976 cdrom.sys
04/14/2008 05:41 AM 15,423 ch7xxnt5.dll
07/16/2003 01:27 PM 262,528 cinemst2.sys
04/14/2008 12:46 AM 49,536 classpnp.sys
01/22/2004 12:41 PM 46,944 CoachUsb.sys
07/16/2003 01:27 PM 11,776 cpqdap01.sys
04/14/2008 12:01 AM 36,736 crusoe.sys
07/17/2004 10:55 PM 129,045 cxthsfs2.cty
05/28/2004 05:48 AM disdn
04/14/2008 12:10 AM 36,352 disk.sys
04/14/2008 12:10 AM 14,208 diskdump.sys
08/03/2004 11:07 PM 799,744 dmboot(2).sys
04/14/2008 12:14 AM 799,744 dmboot.sys
08/03/2004 11:07 PM 153,344 dmio(2).sys
04/14/2008 12:14 AM 153,344 dmio.sys
07/16/2003 01:27 PM 5,888 dmload(2).sys
07/16/2003 01:27 PM 5,888 dmload.sys
08/03/2004 11:07 PM 52,864 dmusic(2).sys
04/14/2008 12:15 AM 52,864 dmusic.sys
08/03/2004 11:07 PM 60,288 drmk(2).sys
04/14/2008 12:15 AM 60,160 drmk.sys
08/03/2004 11:07 PM 2,944 drmkaud(2).sys
04/14/2008 12:15 AM 2,944 drmkaud.sys
07/16/2003 01:27 PM 10,496 dxapi(2).sys
07/16/2003 01:27 PM 10,496 dxapi.sys
08/03/2004 11:00 PM 71,040 dxg(2).sys
08/03/2004 11:00 PM 71,040 dxg(3)(2).sys
04/14/2008 12:08 AM 71,168 dxg.sys
07/16/2003 01:27 PM 3,328 dxgthk(2).sys
07/16/2003 01:27 PM 3,328 dxgthk.sys
10/14/2009 09:22 AM etc
08/03/2004 11:14 PM 143,360 fastfat(2).sys
04/14/2008 12:44 AM 143,744 fastfat.sys
08/03/2004 10:59 PM 27,392 fdc(2).sys
04/14/2008 12:10 AM 27,392 fdc.sys
07/16/2003 01:28 PM 34,944 fips(2).sys
04/14/2008 12:03 AM 44,544 fips.sys
08/03/2004 10:59 PM 20,480 flpydisk(2).sys
04/14/2008 12:10 AM 20,480 flpydisk.sys
08/03/2004 11:01 PM 124,800 fltmgr(2).sys
04/14/2008 12:03 AM 129,792 fltmgr.sys
07/16/2003 01:27 PM 12,160 fsvga.sys
07/16/2003 01:28 PM 7,936 fs_rec(2).sys
07/16/2003 01:28 PM 7,936 fs_rec.sys
07/16/2003 01:28 PM 125,056 ftdisk(2).sys
07/16/2003 01:28 PM 125,056 ftdisk.sys
04/14/2008 12:06 AM 46,464 gagp30kx.sys
07/16/2003 01:28 PM 3,440,660 gm.dls
04/13/2008 10:06 PM 144,384 hdaudbus.sys
04/14/2008 12:16 AM 25,600 hidbth.sys
04/14/2008 12:15 AM 36,864 hidclass.sys
04/14/2008 12:15 AM 19,200 hidir.sys
04/14/2008 12:15 AM 24,960 hidparse.sys
08/03/2004 10:41 PM 220,032 hsfbs2s2.sys
08/03/2004 10:41 PM 685,056 hsfcxts2.sys
08/03/2004 10:41 PM 1,041,536 hsfdpsp2.sys
04/14/2008 12:23 AM 264,832 http.sys
08/03/2004 11:14 PM 52,736 i8042prt(2).sys
04/14/2008 12:48 AM 52,480 i8042prt.sys
04/15/2003 10:40 AM 78,752 ialmkchw(2).sys
04/15/2003 10:40 AM 78,752 ialmkchw.sys
04/15/2003 10:39 AM 90,907 ialmnt5(2).sys
10/19/2005 08:59 AM 807,998 ialmnt5.sys
04/15/2003 10:40 AM 113,504 ialmsbw(2).sys
04/15/2003 10:40 AM 113,504 ialmsbw.sys
08/03/2004 11:00 PM 41,856 imapi(2).sys
04/14/2008 12:11 AM 42,112 imapi.sys
08/03/2004 10:59 PM 5,504 intelide(2).sys
04/14/2008 12:10 AM 5,504 intelide.sys
08/03/2004 10:59 PM 36,096 intelppm(2).sys
04/14/2008 12:01 AM 36,352 intelppm.sys
08/03/2004 11:00 PM 29,056 ip6fw(2).sys
04/14/2008 12:23 AM 36,608 ip6fw.sys
07/16/2003 01:30 PM 32,896 ipfltdrv(2).sys
07/16/2003 01:30 PM 32,896 ipfltdrv.sys
08/03/2004 11:04 PM 20,992 ipinip(2).sys
04/14/2008 12:27 AM 20,864 ipinip.sys
04/14/2008 12:27 AM 152,832 ipnat.sys
08/03/2004 11:14 PM 74,752 ipsec(2).sys
04/14/2008 12:49 AM 75,264 ipsec.sys
08/03/2004 11:00 PM 11,264 irenum(2).sys
04/14/2008 12:24 AM 11,264 irenum.sys
07/16/2003 01:30 PM 35,840 isapnp(2).sys
04/14/2008 12:06 AM 37,248 isapnp.sys
08/03/2004 10:58 PM 24,576 kbdclass(2).sys
04/14/2008 12:09 AM 24,576 kbdclass.sys
08/03/2004 11:07 PM 171,776 kmixer(2).sys
04/14/2008 12:15 AM 172,416 kmixer.sys
08/03/2004 11:15 PM 140,928 ks(2).sys
04/14/2008 12:46 AM 141,056 ks.sys
06/24/2009 04:18 AM 92,928 ksecdd.sys
09/10/2009 02:53 PM 19,160 mbam.sys
09/10/2009 02:54 PM 38,224 mbamswissarmy.sys
07/16/2003 01:32 PM 7,680 mcd.sys
08/03/2004 10:41 PM 11,868 mdmxsdk.sys
04/14/2008 12:06 AM 63,744 mf.sys
07/16/2003 01:33 PM 4,224 mnmdd(2).sys
07/16/2003 01:33 PM 4,224 mnmdd.sys
08/03/2004 11:08 PM 30,080 modem(2).sys
04/14/2008 12:30 AM 30,080 modem.sys
08/17/2001 06:57 AM 16,128 MODEMCSA(2).sys
08/17/2001 06:57 AM 16,128 MODEMCSA.sys
08/03/2004 10:58 PM 23,040 mouclass(2).sys
04/14/2008 12:09 AM 23,040 mouclass.sys
04/14/2008 12:09 AM 42,368 mountmgr.sys
08/03/2004 11:00 PM 181,248 mrxdav(2).sys
04/14/2008 12:02 AM 180,608 mrxdav.sys
10/24/2008 04:21 AM 455,296 mrxsmb.sys
08/03/2004 11:00 PM 19,072 msfs(2).sys
04/14/2008 12:02 AM 19,072 msfs.sys
08/03/2004 11:04 PM 35,072 msgpc(2).sys
04/14/2008 12:26 AM 35,072 msgpc.sys
08/03/2004 10:58 PM 7,552 mskssrv(2).sys
04/14/2008 12:09 AM 7,552 mskssrv.sys
08/03/2004 10:58 PM 5,376 mspclock(2).sys
04/14/2008 12:09 AM 5,376 mspclock.sys
08/03/2004 10:58 PM 4,992 mspqm(2).sys
04/14/2008 12:09 AM 4,992 mspqm.sys
08/03/2004 11:07 PM 15,488 mssmbios(2).sys
04/14/2008 12:06 AM 15,488 mssmbios.sys
04/14/2008 12:09 AM 5,504 MSTEE.sys
08/03/2004 10:41 PM 126,686 mtlmnt5.sys
08/03/2004 10:41 PM 1,309,184 mtlstrm.sys
08/03/2004 10:29 PM 452,736 mtxparhm.sys
04/14/2008 12:47 AM 105,344 mup.sys
04/14/2008 12:13 AM 12,672 mutohpen.sys
04/14/2008 12:16 AM 85,248 NABTSFEC.sys
04/14/2008 12:50 AM 182,656 ndis.sys
04/14/2008 12:16 AM 10,880 NdisIP.sys
07/16/2003 01:37 PM 9,600 ndistapi(2).sys
04/14/2008 12:27 AM 10,112 ndistapi.sys
08/03/2004 11:03 PM 12,928 ndisuio(2).sys
04/14/2008 12:26 AM 14,592 ndisuio.sys
08/03/2004 11:14 PM 91,776 ndiswan(2).sys
04/14/2008 12:50 AM 91,520 ndiswan.sys
07/16/2003 01:37 PM 38,016 ndproxy(2).sys
04/14/2008 12:27 AM 40,576 ndproxy.sys
08/03/2004 11:03 PM 34,560 netbios(2).sys
04/14/2008 12:26 AM 34,688 netbios.sys
08/03/2004 11:14 PM 162,816 netbt(2).sys
04/14/2008 12:51 AM 162,816 netbt.sys
04/15/2002 09:11 PM 67,866 netwlan5.img
04/14/2008 12:21 AM 61,824 nic1394.sys
07/16/2003 01:27 PM 12,032 nikedrv.sys
04/14/2008 12:23 AM 40,320 nmnt.sys
08/03/2004 11:00 PM 30,848 npfs(2).sys
04/14/2008 12:02 AM 30,848 npfs.sys
04/14/2008 12:45 AM 574,976 ntfs.sys
08/03/2004 10:41 PM 180,360 ntmtlfax.sys
07/16/2003 01:40 PM 2,944 null(2).sys
07/16/2003 01:40 PM 2,944 null.sys
08/03/2004 10:29 PM 1,897,408 nv4_mini.sys
07/16/2003 01:40 PM 12,416 nwlnkflt(2).sys
07/16/2003 01:40 PM 12,416 nwlnkflt.sys
07/16/2003 01:40 PM 32,512 nwlnkfwd(2).sys
07/16/2003 01:40 PM 32,512 nwlnkfwd.sys
04/14/2008 12:26 AM 88,320 nwlnkipx.sys
07/16/2003 01:40 PM 63,232 nwlnknb.sys
07/16/2003 01:40 PM 55,936 nwlnkspx.sys
08/22/2001 08:42 AM 13,632 omci(2).sys
08/22/2001 08:42 AM 13,632 omci.sys
07/16/2003 01:40 PM 3,456 oprghdlr.sys
04/14/2008 12:01 AM 42,752 p3.sys
08/03/2004 10:59 PM 80,128 parport(2).sys
04/14/2008 12:10 AM 80,128 parport.sys
04/14/2008 12:10 AM 19,712 partmgr.sys
07/16/2003 01:41 PM 6,784 parvdm(2).sys
07/16/2003 01:41 PM 6,784 parvdm.sys
08/03/2004 11:07 PM 68,224 pci(2).sys
04/14/2008 12:06 AM 68,224 pci.sys
07/16/2003 01:41 PM 3,328 pciide.sys
04/14/2008 12:10 AM 24,960 pciidex.sys
04/14/2008 12:06 AM 120,192 pcmcia.sys
08/03/2004 11:15 PM 145,792 portcls(2).sys
04/14/2008 12:49 AM 146,048 portcls.sys
08/03/2004 10:59 PM 35,328 processr(2).sys
04/14/2008 12:01 AM 35,840 processr.sys
08/03/2004 11:04 PM 69,120 psched(2).sys
04/14/2008 12:26 AM 69,120 psched.sys
07/16/2003 01:42 PM 17,792 ptilink(2).sys
07/16/2003 01:42 PM 17,792 ptilink.sys
07/16/2003 01:42 PM 8,832 rasacd(2).sys
07/16/2003 01:42 PM 8,832 rasacd.sys
08/03/2004 11:14 PM 51,328 rasl2tp(2).sys
04/14/2008 12:49 AM 51,328 rasl2tp.sys
08/03/2004 11:05 PM 41,472 raspppoe(2).sys
04/14/2008 12:27 AM 41,472 raspppoe.sys
08/03/2004 11:14 PM 48,384 raspptp(2).sys
04/14/2008 12:49 AM 48,384 raspptp.sys
07/16/2003 01:42 PM 16,512 raspti(2).sys
07/16/2003 01:42 PM 16,512 raspti.sys
07/16/2003 01:42 PM 34,432 rawwan.sys
04/14/2008 12:58 AM 175,744 rdbss.sys
07/16/2003 01:42 PM 4,224 rdpcdd(2).sys
07/16/2003 01:42 PM 4,224 rdpcdd.sys
04/14/2008 12:02 AM 196,224 rdpdr.sys
04/14/2008 05:43 AM 139,656 rdpwd.sys
08/03/2004 10:41 PM 13,776 recagent.sys
08/03/2004 10:59 PM 57,472 redbook(2).sys
04/14/2008 12:10 AM 57,600 redbook.sys
04/14/2008 12:16 AM 59,136 rfcomm.sys
07/16/2003 01:27 PM 12,032 rio8drv.sys
07/16/2003 01:27 PM 12,032 riodrv.sys
05/08/2008 07:02 AM 203,136 rmcast.sys
04/14/2008 12:26 AM 30,592 rndismp.sys
04/14/2008 12:26 AM 30,592 rndismpx.sys
07/16/2003 01:43 PM 5,888 rootmdm.sys
08/03/2004 10:29 PM 166,912 s3gnbm.sys
08/03/2004 10:59 PM 96,256 scsiport(2).sys
04/14/2008 12:10 AM 96,384 scsiport.sys
04/14/2008 12:06 AM 79,232 sdbus.sys
07/16/2003 01:44 PM 27,440 secdrv(2).sys
11/13/2007 03:25 AM 20,480 secdrv.sys
04/14/2008 12:10 AM 15,744 serenum.sys
08/03/2004 11:15 PM 64,896 serial(2).sys
04/14/2008 12:45 AM 64,512 serial.sys
04/14/2008 12:10 AM 11,904 sffdisk.sys
04/14/2008 12:10 AM 10,240 sffp_mmc.sys
04/14/2008 12:10 AM 11,008 sffp_sd.sys
08/03/2004 10:59 PM 11,392 sfloppy(2).sys
04/14/2008 12:10 AM 11,392 sfloppy.sys
04/14/2008 05:42 AM 3,901 siint5.dll
01/28/2004 04:03 PM 21,456 SilvrLnk.sys
04/14/2008 12:06 AM 40,960 sisagp.sys
04/14/2008 12:16 AM 11,136 SLIP.sys
08/03/2004 10:41 PM 129,535 slnt7554.sys
08/03/2004 10:41 PM 404,990 slntamr.sys
08/03/2004 10:41 PM 95,424 slnthal.sys
08/03/2004 10:41 PM 13,240 slwdmsup.sys
04/14/2008 12:06 AM 5,888 smbali.sys
07/16/2003 01:45 PM 14,592 smclib.sys
10/28/2002 11:26 AM 3,744 smsens.sys
02/28/2003 09:17 AM 545,024 smwdm(2).sys
02/28/2003 09:17 AM 545,024 smwdm.sys
04/14/2008 12:16 AM 25,344 sonydcam.sys
08/03/2004 11:07 PM 6,400 splitter(2).sys
04/14/2008 12:15 AM 6,272 splitter.sys
08/03/2004 11:06 PM 73,472 sr(2).sys
04/14/2008 12:06 AM 73,472 sr.sys
08/03/2004 11:14 PM 336,256 srv(2).sys
12/11/2008 03:57 AM 333,952 srv.sys
04/14/2008 12:15 AM 49,408 stream.sys
04/14/2008 12:16 AM 15,232 StreamIP.sys
08/03/2004 10:58 PM 4,352 swenum(2).sys
04/14/2008 12:09 AM 4,352 swenum.sys
08/17/2001 02:00 PM 54,272 swmidi(2).sys
04/14/2008 12:15 AM 56,576 swmidi.sys
08/03/2004 11:15 PM 60,800 sysaudio(2).sys
04/14/2008 12:45 AM 60,800 sysaudio.sys
04/14/2008 12:10 AM 14,976 tape.sys
06/20/2008 04:51 AM 361,600 tcpip.sys
06/20/2008 04:08 AM 225,856 tcpip6.sys
08/03/2004 11:07 PM 18,560 tdi(2).sys
04/14/2008 12:30 AM 19,072 tdi.sys
04/14/2008 05:43 AM 12,040 tdpipe.sys
04/14/2008 05:43 AM 21,896 tdtcp.sys
08/04/2004 01:01 AM 40,840 termdd(2).sys
04/14/2008 05:43 AM 40,840 termdd.sys
04/22/2008 09:49 PM 102,664 tmcomm.sys
07/16/2003 01:27 PM 51,712 tosdvd.sys
07/16/2003 01:27 PM 21,376 tsbvcap.sys
04/14/2008 12:26 AM 12,288 tunmp.sys
04/14/2008 12:06 AM 44,672 uagp35.sys
04/14/2008 12:02 AM 66,048 udfs.sys
11/03/2006 11:32 AM UMDF
04/14/2008 12:09 AM 384,768 update.sys
04/14/2008 12:26 AM 12,800 usb8023.sys
04/14/2008 12:26 AM 12,800 usb8023x.sys
04/14/2008 12:15 AM 25,600 usbcamd.sys
04/14/2008 12:15 AM 25,728 usbcamd2.sys
07/16/2003 01:49 PM 4,736 usbd(2).sys
07/16/2003 01:49 PM 4,736 usbd.sys
08/03/2004 11:08 PM 26,624 usbehci(2).sys
04/14/2008 12:15 AM 30,208 usbehci.sys
08/03/2004 11:08 PM 57,600 usbhub(2).sys
04/14/2008 12:15 AM 59,520 usbhub.sys
04/14/2008 12:15 AM 15,872 usbintel.sys
08/03/2004 11:08 PM 142,976 usbport(2).sys
04/14/2008 12:15 AM 143,872 usbport.sys
08/03/2004 11:58 PM 15,104 usbscan(2).sys
04/14/2008 12:15 AM 15,104 usbscan.sys
08/04/2004 12:08 AM 26,496 USBSTOR(2).SYS
04/14/2008 12:15 AM 26,368 usbstor.sys
08/03/2004 11:08 PM 20,480 usbuhci(2).sys
04/14/2008 12:15 AM 20,608 usbuhci.sys
04/14/2008 12:16 AM 121,984 usbvideo.sys
04/15/2003 10:40 AM 20,533 vch.sys
04/14/2008 05:42 AM 11,325 vchnt5.dll
07/16/2003 01:27 PM 58,112 vdmindvd.sys
04/19/2004 04:34 PM 21,604 Vet-Filt(2).sys
04/19/2004 04:34 PM 15,667 Vet-Rec(2).sys
04/19/2004 04:34 PM 108,228 VetFDDNT(2).sys
04/19/2004 04:34 PM 537,908 VetMonNT(2).sys
08/03/2004 11:07 PM 20,992 vga(2).sys
04/14/2008 12:14 AM 20,992 vga.sys
04/14/2008 12:06 AM 42,240 viaagp.sys
08/03/2004 11:07 PM 79,744 videoprt(2).sys
04/14/2008 12:14 AM 81,664 videoprt.sys
04/14/2008 12:11 AM 52,352 volsnap.sys
04/15/2003 10:39 AM 33,335 wa301a.sys
04/15/2003 10:39 AM 33,335 wa301b.sys
04/14/2008 12:13 AM 14,208 wacompen.sys
08/03/2004 10:29 PM 11,807 wadv07nt.sys
08/03/2004 10:29 PM 11,295 wadv08nt.sys
08/03/2004 10:29 PM 11,871 wadv09nt.sys
08/03/2004 10:29 PM 11,935 wadv11nt.sys
08/03/2004 11:04 PM 34,560 wanarp(2).sys
04/14/2008 12:27 AM 34,560 wanarp.sys
08/03/2004 10:29 PM 22,271 watv06nt.sys
08/03/2004 10:29 PM 25,471 watv10nt.sys
08/03/2004 11:15 PM 82,944 wdmaud(2).sys
04/14/2008 12:47 AM 83,072 wdmaud.sys
07/16/2003 01:52 PM 4,352 wmilib(2).sys
07/16/2003 01:52 PM 4,352 wmilib.sys
08/11/2004 01:45 AM 18,944 wpdusb(2).sys
10/18/2006 10:00 PM 38,528 wpdusb.sys
07/16/2003 01:53 PM 12,032 ws2ifsl.sys
04/14/2008 12:16 AM 19,200 WSTCODEC.SYS
09/28/2006 07:55 PM 77,568 WudfPf.sys
09/28/2006 08:00 PM 82,944 WudfRd.sys
417 File(s) 39,540,818 bytes

Directory of C:\Windows\System32\Drivers\Avg

10/17/2009 08:10 PM .
10/17/2009 08:10 PM ..
06/09/2008 09:29 PM 6,061,540 avi7.avg
10/17/2009 08:10 PM 1,292 commonpriv.log
10/17/2009 06:02 PM 0 commonpriv.log.lock
10/17/2009 08:10 PM 113,461 iavichjw.avm
10/17/2009 08:10 PM 43,179,769 incavi.avm
10/17/2009 08:10 PM 33,037 microavi.avg
09/30/2009 05:21 PM 492,629 miniavi.avg
7 File(s) 49,881,728 bytes

Directory of C:\Windows\System32\Drivers\disdn

05/28/2004 05:48 AM .
05/28/2004 05:48 AM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

10/14/2009 09:22 AM .
10/14/2009 09:22 AM ..
10/14/2009 09:22 AM 356,063 hosts
05/01/2005 02:44 PM 717 hosts.20080510-164849.backup
05/10/2008 04:48 PM 238,928 hosts.20080510-165925.backup
05/10/2008 04:59 PM 238,928 hosts.20080510-165939.backup
05/10/2008 04:59 PM 238,928 hosts.20080810-222157.backup
08/10/2008 10:21 PM 257,856 hosts.20081117-162359.backup
11/17/2008 05:23 PM 288,596 hosts.20081121-204714.backup
11/21/2008 09:47 PM 288,674 hosts.20081121-204759.backup
11/21/2008 09:47 PM 288,674 hosts.20081122-235309.backup
11/23/2008 12:53 AM 288,674 hosts.20081128-122749.backup
11/28/2008 01:27 PM 289,158 hosts.20081203-094628.backup
12/03/2008 10:46 AM 290,316 hosts.20081203-094740.backup
12/03/2008 10:47 AM 290,316 hosts.20081218-101612.backup
12/18/2008 11:16 AM 290,918 hosts.20081218-101652.backup
12/18/2008 11:16 AM 290,918 hosts.20081228-151102.backup
12/28/2008 04:11 PM 291,382 hosts.20081230-104319.backup
12/30/2008 11:43 AM 291,434 hosts.20090109-123057.backup
01/09/2009 01:30 PM 291,413 hosts.20090114-175138.backup
01/14/2009 06:51 PM 291,863 hosts.20090128-112346.backup
01/28/2009 12:23 PM 292,637 hosts.20090128-112425.backup
01/28/2009 12:24 PM 292,637 hosts.20090211-141748.backup
02/11/2009 03:17 PM 292,694 hosts.20090211-141830.backup
02/11/2009 03:18 PM 292,694 hosts.20090211-143307.backup
02/11/2009 03:33 PM 292,694 hosts.20090211-170453.backup
02/11/2009 06:04 PM 292,694 hosts.20090211-170828.backup
02/11/2009 06:08 PM 292,694 hosts.20090211-173156.backup
02/11/2009 06:31 PM 292,694 hosts.20090211-173302.backup
02/11/2009 06:33 PM 292,694 hosts.20090219-102255.backup
02/19/2009 11:22 AM 297,891 hosts.20090219-102406.backup
02/19/2009 11:24 AM 297,891 hosts.20090228-111037.backup
02/28/2009 12:10 PM 303,109 hosts.20090228-111122.backup
02/28/2009 12:11 PM 303,109 hosts.20090228-111207.backup
02/28/2009 12:12 PM 303,109 hosts.20090311-120934.backup
03/11/2009 12:09 PM 303,431 hosts.20090311-121042.backup
03/11/2009 12:10 PM 303,431 hosts.20090318-061510.backup
03/18/2009 06:15 AM 303,683 hosts.20090318-061627.backup
03/18/2009 06:16 AM 303,683 hosts.20090325-113322.backup
03/25/2009 11:33 AM 304,485 hosts.20090401-155411.backup
04/01/2009 03:54 PM 304,873 hosts.20090401-155626.backup
04/01/2009 03:56 PM 304,873 hosts.20090401-155813.backup
04/01/2009 03:58 PM 304,873 hosts.20090401-160013.backup
04/01/2009 04:00 PM 304,873 hosts.20090401-160300.backup
04/01/2009 04:03 PM 304,873 hosts.20090401-160441.backup
04/01/2009 04:04 PM 304,873 hosts.20090401-160521.backup
04/01/2009 04:05 PM 304,873 hosts.20090408-143258.backup
04/08/2009 02:32 PM 312,873 hosts.20090408-143355.backup
04/08/2009 02:33 PM 312,873 hosts.20090415-124143.backup
04/15/2009 12:41 PM 305,814 hosts.20090422-104110.backup
04/22/2009 10:41 AM 306,333 hosts.20090426-114223.backup
04/26/2009 11:42 AM 306,333 hosts.20090427-140722.backup
04/27/2009 02:07 PM 306,333 hosts.20090427-140804.backup
04/27/2009 02:08 PM 306,333 hosts.20090427-162217.backup
04/27/2009 04:22 PM 306,333 hosts.20090507-105437.backup
05/07/2009 10:54 AM 306,589 hosts.20090513-104058.backup
05/13/2009 10:40 AM 306,713 hosts.20090513-104242.backup
05/13/2009 10:42 AM 306,713 hosts.20090520-095531.backup
05/20/2009 09:55 AM 307,072 hosts.20090520-095624.backup
05/20/2009 09:56 AM 307,072 hosts.20090527-141821.backup
05/27/2009 02:18 PM 307,350 hosts.20090527-141905.backup
05/27/2009 02:19 PM 307,350 hosts.20090603-104500.backup
06/03/2009 10:45 AM 307,760 hosts.20090603-110710.backup
06/03/2009 11:07 AM 307,760 hosts.20090610-103651.backup
06/10/2009 10:36 AM 307,774 hosts.20090617-120408.backup
06/17/2009 12:04 PM 307,789 hosts.20090701-090234.backup
07/01/2009 09:02 AM 317,336 hosts.20090708-101213.backup
07/08/2009 10:12 AM 317,666 hosts.20090708-101521.backup
07/08/2009 10:15 AM 317,666 hosts.20090715-121000.backup
07/15/2009 12:10 PM 318,242 hosts.20090722-114750.backup
07/22/2009 11:47 AM 318,542 hosts.20090729-080801.backup
07/29/2009 08:08 AM 319,050 hosts.20090806-113135.backup
08/06/2009 11:31 AM 319,776 hosts.20090812-065118.backup
08/12/2009 06:51 AM 322,112 hosts.20090820-113546.backup
08/20/2009 11:35 AM 324,854 hosts.20090826-082136.backup
08/26/2009 08:21 AM 326,538 hosts.20090902-102719.backup
09/02/2009 10:27 AM 328,310 hosts.20090909-075724.backup
09/09/2009 07:57 AM 330,500 hosts.20090916-151513.backup
09/20/2009 12:21 PM 343,165 hosts.20090923-212932.backup
09/23/2009 09:29 PM 347,225 hosts.20090930-183546.backup
09/30/2009 06:35 PM 350,137 hosts.20091007-144245.backup
10/07/2009 02:42 PM 355,689 hosts.20091014-092215.backup
07/16/2003 01:32 PM 3,683 lmhosts.sam
07/16/2003 01:38 PM 407 networks
07/16/2003 01:42 PM 799 protocol
07/16/2003 01:44 PM 7,116 services
84 File(s) 24,007,801 bytes

Directory of C:\Windows\System32\Drivers\UMDF

11/03/2006 11:32 AM .
11/03/2006 11:32 AM ..
10/18/2006 11:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
509 File(s) 114,101,579 bytes
14 Dir(s) 17,469,911,040 bytes free


***********************Hidden Drivers********************
Volume in drive C has no label.
Volume Serial Number is 781A-ED93

Directory of C:\Windows\System32\Drivers


Re: BACKDOOR.BOT

Post by karenor on 18th October 2009, 4:41 am

*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 548 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 612 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 636 High C:\WINDOWS\system32\winlogon.exe
services.exe 680 Normal C:\WINDOWS\system32\services.exe
lsass.exe 692 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 848 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 928 Normal C:\WINDOWS\system32\svchost.exe
MsMpEng.exe 1020 Normal C:\Program Files\Windows Defender\MsMpEng.exe
svchost.exe 1064 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1124 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1276 Normal C:\WINDOWS\System32\svchost.exe
spoolsv.exe 1420 Normal C:\WINDOWS\system32\spoolsv.exe
svchost.exe 2016 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 432 Normal C:\WINDOWS\System32\svchost.exe
SearchIndexer.exe 540 Normal C:\WINDOWS\system32\SearchIndexer.exe
ctfmon.exe 1664 Normal C:\WINDOWS\system32\ctfmon.exe
alg.exe 1920 Normal C:\WINDOWS\System32\alg.exe
MSASCui.exe 3348 Normal C:\Program Files\Windows Defender\MSASCui.exe
notepad.exe 1776 Normal C:\WINDOWS\system32\notepad.exe
imapi.exe 3572 Normal C:\WINDOWS\system32\imapi.exe
explorer.exe 1900 Normal C:\WINDOWS\explorer.exe
IEXPLORE.EXE 4024 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE 2492 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
SearchProtocolHost.exe 888 Below Normal C:\WINDOWS\system32\SearchProtocolHost.exe
SearchFilterHost.exe 1312 Below Normal C:\WINDOWS\system32\SearchFilterHost.exe
explorer.exe 492 High C:\WINDOWS\explorer.exe
cmd.exe 1588 Normal C:\WINDOWS\system32\cmd.exe
processes.exe 2544 Normal C:\Documents and Settings\Owner\Desktop\SpiderKill\SpiderKill\processes.exe


Module information for 'explorer.exe'(1900)
MODULE BASE SIZE PATH
explorer.exe 1000000 1044480 C:\WINDOWS\explorer.exe 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1253376 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
xpsp2res.dll 1770000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Internet Explorer
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
webcheck.dll 2440000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5727 (xpsp_sp3_gdr.081215-1359) Windows HTTP Services
mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
PDFShell.dll 10000000 114688 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 PDF Shell Extension
zipfldr.dll 73380000 356352 C:\WINDOWS\System32\zipfldr.dll 6.00.2900.5512 (xpsp.080413-2105) Compressed (zipped) Folders
MSNLNamespaceMgr.dll 3730000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
MpShHook.dll 5f800000 90112 C:\PROGRA~1\WINDOW~4\MpShHook.dll 1.1.1593.0 Shell Execution Monitor
MSVCR80.dll 3780000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
MSVCP80.dll 7c420000 552960 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll 8.00.50727.4053 Microsoft® C++ Runtime Library
SASSEH.DLL 2db0000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
shdoclc.dll 71800000 557056 C:\WINDOWS\system32\shdoclc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
MpOAv.dll 2d20000 86016 C:\PROGRA~1\WINDOW~4\MpOAv.dll 1.1.1593.0 IOfficeAntiVirus Module
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.5512 (xpsp.080413-2105) Process Status Helper
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
Module information for 'explorer.exe'(492)
MODULE BASE SIZE PATH
explorer.exe 1000000 1044480 C:\WINDOWS\explorer.exe 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1253376 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18828 (longhorn_ie8_gdr.090826-1700) Internet Explorer
xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
ws2_32.dll 71ab0000 94208 C:\WINDOWS\system32\ws2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
PDFShell.dll 10000000 114688 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 PDF Shell Extension
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
MSNLNamespaceMgr.dll 1900000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
MpShHook.dll 5f800000 90112 C:\PROGRA~1\WINDOW~4\MpShHook.dll 1.1.1593.0 Shell Execution Monitor
MSVCR80.dll 2130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
MSVCP80.dll 7c420000 552960 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll 8.00.50727.4053 Microsoft® C++ Runtime Library
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
SASSEH.DLL 1680000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook



******************************************
EOF
--------------------------------------------------------


Re: BACKDOOR.BOT

Post by karenor on 18th October 2009, 4:47 am

Hi:

Finally, here is the Root Repeal log.

Thanks again for helping me,
Karen
---------------------------------------------------------
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 21:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
Address: 0xB1EBD000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7999000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1632000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\owner\cookies\owner@[You must be registered and logged in to see this link.]
Status: Size mismatch (API: 255, Raw: 253)

Path: c:\documents and settings\owner\local settings\temp\~df433b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==


Re: BACKDOOR.BOT

Post by Dr Jay on 18th October 2009, 9:20 am

Please try SDBot again. Those logs appear clean, but it is good to make sure the bot is gone for good.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 19th October 2009, 12:55 am

Hi Dragon Master Jay:

I did a Spy Bot Search and Destroy, Mbam, Super Anti Spyware and an AVG scan. All came up clean. I am posting the Mbam results here. I think you were able to get rid of this thing. I hope it is gone for good.

Many thanks,
Karen

Malwarebytes' Anti-Malware 1.41
Database version: 2981
Windows 5.1.2600 Service Pack 3

10/18/2009 12:56:12 PM
mbam-log-2009-10-18 (12-56-12).txt

Scan type: Quick Scan
Objects scanned: 117949
Time elapsed: 32 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: BACKDOOR.BOT

Post by Dr Jay on 19th October 2009, 1:20 am

You did not try SDBot?


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 19th October 2009, 2:18 am

Hi Dragon Master Jay:

Do you have a link for SD Bot? I am sorry, I thought that was your abbreviation for Spy Bot Search and Destroy! LOL

If you can send me a message and a link for SD Bot I will certainly run it. I want very much to be rid of this pest once and for all.

I appreciate all your help,
Karen


Re: BACKDOOR.BOT

Post by Dr Jay on 19th October 2009, 4:16 am

Ooops...I meant SDFix. Ahahaha

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 19th October 2009, 10:37 pm

Hi Dragon Master Jay:

Well, the SDFix was the one that I tried to do before. It did not work for me in Safe Mode. I tried it again just now. I can get all the way to the place where you are supposed to type in "Y". Unfortunately the item is pulsating, and when I try to type in "Y" the machine freezes and does not permit anything. I cannot type in "Y". I cannot move the mouse anymore. I cannot do anything at all except turn off the computer. I tried to do this four times with the same results. No go for me.

I am attaching the Hijack this log.

Thanks again,
Karen
-----------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:29 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - .DEFAULT User Startup: desktop(2).ini (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

--
End of file - 6290 bytes


Re: BACKDOOR.BOT

Post by Dr Jay on 19th October 2009, 11:14 pm

Ok. Time to kill it. The backdoor bot is deciding to disable SDFix, which is causing it not to run. It seems the computer has been completely compromised... so it is time to take control.

STEP 1
Please navigate to this webpage: [You must be registered and logged in to see this link.] and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

STEP 2
Please download [You must be registered and logged in to see this link.] to your desktop

  • Double click the program to run it. It will only take a few seconds to run.
  • You will be prompted to press any key at the end to close it
  • Once it is finished, it will remove itself. If not, delete it yourself


STEP 3
Please download the Kaspersky AVP Tool from [You must be registered and logged in to see this link.].
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan, make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other (removable) drives that you may have

After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected virus/malware from the report (it will be at the very top, under Detected) in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

STEP 4
Try SDFix again.


==

When you have finished attempting to kill it, lol, reply back here with results from Kaspersky AVP (if possible), and SDFix log (if possible).


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 20th October 2009, 8:49 am

Hi Dragon Master Jay:

Here is the Kas report.

Thanks,
Karen

Scan
----
Scanned: 366401
Detected: 1
Untreated: 0
Start time: 10/19/2009 10:24:58 PM
Duration: 03:18:59
Finish time: 10/20/2009 1:43:57 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.WMA.Wimad.m File: C:\My Downloads\SAVE 051107\hush by master p.wm


Events
------
Time Name Status Reason
---- ---- ------ ------
10/19/2009 10:25:12 PM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----


Re: BACKDOOR.BOT

Post by karenor on 20th October 2009, 9:17 am

Hi Dragon Master Jay:

Still not able to do the SDFix. Also, when doing the RBFA, it kept saying that RBFA needed to debug. Every time I would ask the computer to debug the program, the program would shut down. So I had to skip the RBFA.
I was able to do a MBAM and Hijack This.

Thanks,
Karen
-------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:31 AM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - .DEFAULT User Startup: desktop(2).ini (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

--
End of file - 6295 bytes
----------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2981
Windows 5.1.2600 Service Pack 3

10/20/2009 2:12:32 AM
mbam-log-2009-10-20 (02-12-32).txt

Scan type: Quick Scan
Objects scanned: 119311
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: BACKDOOR.BOT

Post by Dr Jay on 20th October 2009, 2:45 pm

Please download Dial-A-Fix from [You must be registered and logged in to see this link.].

Save it to your Desktop.

Right-click on the Zip and select Extract all. Save the extracted files to the Desktop.

Open Dial-a-fix.exe

Click the green checkmark at the bottom of the window; this should select all options.

Now, click GO.

Allow it to run (the status will be displayed at the bottom), and follow any prompts you receive.

Please let me know how your computer is running and if you are satisfied with the way it runs.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 20th October 2009, 7:49 pm

Hi Dragon Master Jay:

Well, the Dial-A-Fix ran. In the IE Explorer area I got an error #127 several times. The scan moved on and completed itself. I am pasting the results below.

I wonder why my computer would not do the SDFix in Safe Mode. Is this thing gone now?

Thanks,
Karen

12:32:28 PM | Dial-a-fix was unable to determine your version of Internet Explorer
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
[You must be registered and logged in to see this link.] and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 3
IE version: 8.0.6001.18702
MPC: 55277-OEM
CPU: Intel(R) Celeron(R) CPU 2.40GHz (~2390MHz)
BIOS: 12/2/2003
Memory (approx): 2046MB
Uptime: 2 hour(s)
Current directory: C:\Documents and Settings\Owner\Desktop\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24
---

10/20/2009 12:32:28 PM -- Dial-a-fix : [v0.60.0.24] -- started
12:32:28 PM | Policy scan started
12:32:28 PM | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
12:33:25 PM | Deleting C:\Documents and Settings\Owner\Local Settings\temp...
12:33:28 PM | C:\Documents and Settings\Owner\Local Settings\temp could not be completely emptied, please reboot and try again
12:33:28 PM | Deleting C:\WINDOWS\temp...
12:33:28 PM | C:\WINDOWS\temp has been re-created
12:33:28 PM | Deleting C:\DOCUME~1\Owner\LOCALS~1\Temp...
12:33:28 PM | C:\DOCUME~1\Owner\LOCALS~1\Temp could not be completely emptied, please reboot and try again
--- MSI ---
12:33:43 PM | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
12:33:55 PM | Unregistered: C:\WINDOWS\system32\msxml.dll
12:33:55 PM | Registered: C:\WINDOWS\system32\msxml.dll
12:33:55 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll
12:33:56 PM | Registered: C:\WINDOWS\system32\msxml2.dll
12:33:57 PM | Unregistered: C:\WINDOWS\system32\msxml3.dll
12:33:58 PM | Registered: C:\WINDOWS\system32\msxml3.dll
12:33:59 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
12:33:59 PM | Registered: C:\WINDOWS\system32\msxml4.dll
12:33:59 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll
12:33:59 PM | Registered: C:\WINDOWS\system32\qmgr.dll
12:33:59 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
12:33:59 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
12:33:59 PM | Unregistered: C:\WINDOWS\system32\muweb.dll
12:33:59 PM | Registered: C:\WINDOWS\system32\muweb.dll
12:33:59 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
12:33:59 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:34:00 PM | Registered: C:\WINDOWS\system32\wuapi.dll
12:34:00 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wuaueng.dll
12:34:02 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll
12:34:02 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wucltui.dll
12:34:02 PM | Unregistered: C:\WINDOWS\system32\wups.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wups.dll
12:34:02 PM | Unregistered: C:\WINDOWS\system32\wups2.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wups2.dll
12:34:02 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\wuweb.dll
12:34:02 PM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
12:34:13 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
12:34:17 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
12:34:17 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
12:34:17 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
12:34:17 PM | Registered: C:\WINDOWS\system32\cryptui.dll
12:34:17 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
12:34:18 PM | Registered: C:\WINDOWS\system32\cryptext.dll
12:34:18 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
12:34:18 PM | Registered: C:\WINDOWS\system32\dssenh.dll
12:34:18 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
12:34:18 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
12:34:18 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
12:35:32 PM | Registered: C:\WINDOWS\system32\initpki.dll
12:35:33 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
12:35:33 PM | Registered: C:\WINDOWS\system32\licdll.dll
12:35:33 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
12:35:33 PM | Registered: C:\WINDOWS\system32\mssign32.dll
12:35:33 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
12:35:33 PM | Registered: C:\WINDOWS\system32\mssip32.dll
12:35:33 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
12:35:34 PM | Registered: C:\WINDOWS\system32\scardssp.dll
12:35:34 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
12:35:34 PM | Registered: C:\WINDOWS\system32\sccbase.dll
12:35:34 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
12:35:34 PM | Registered: C:\WINDOWS\system32\scecli.dll
12:35:34 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
12:35:34 PM | Registered: C:\WINDOWS\system32\softpub.dll
12:35:34 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
12:35:35 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
12:35:35 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
12:35:35 PM | Registered: C:\WINDOWS\system32\regwizc.dll
12:35:35 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
12:35:35 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
12:35:35 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
12:35:35 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:35:35 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
12:35:35 PM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
12:35:36 PM | Registered: C:\WINDOWS\system32\acelpdec.ax
12:35:36 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
12:35:36 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
12:35:37 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
12:35:37 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
12:35:37 PM | Registered: C:\WINDOWS\system32\l3codecx.ax
12:35:37 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
12:35:37 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
12:35:40 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
12:35:40 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
12:35:40 PM | Registered: C:\WINDOWS\system32\tdc.ocx
12:35:40 PM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
12:35:40 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
12:35:41 PM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
12:35:41 PM | Registered: C:\WINDOWS\system32\appwiz.cpl
12:35:41 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
12:35:41 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
12:35:41 PM | Registered: C:\WINDOWS\system32\quartz.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\danim.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\dmscript.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
12:35:43 PM | Registered: C:\WINDOWS\system32\atl.dll
12:35:43 PM | Registered: C:\WINDOWS\system32\corpol.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\jscript.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\dispex.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\scrrun.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\scrobj.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\vbscript.dll
12:35:44 PM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
12:35:44 PM | Registered: C:\WINDOWS\system32\activeds.dll
12:35:45 PM | Registered: C:\WINDOWS\system32\audiodev.dll
12:35:46 PM | DllInstalled: C:\WINDOWS\system32\browseui.dll
12:35:46 PM | Registered: C:\WINDOWS\system32\browseui.dll
12:35:46 PM | Registered: C:\WINDOWS\system32\browsewm.dll
12:35:46 PM | Registered: C:\WINDOWS\system32\cabview.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\cdfview.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\comcat.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\cscui.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\credui.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\datime.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\devmgr.dll
12:35:47 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dmloader.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dmocx.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dmview.ocx
12:35:48 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
12:35:48 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dsquery.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
12:35:48 PM | Registered: C:\WINDOWS\system32\els.dll
12:35:49 PM | Registered: C:\WINDOWS\system32\es.dll
12:35:49 PM | Registered: C:\WINDOWS\system32\fontext.dll
12:35:49 PM | Registered: C:\WINDOWS\system32\hlink.dll
12:35:50 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
12:35:50 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
12:35:50 PM | Registered: C:\WINDOWS\system32\iepeers.dll
12:35:50 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:36:23 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:36:35 PM | Registered: C:\WINDOWS\system32\ils.dll
12:36:35 PM | Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:36:37 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
12:36:37 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
12:36:38 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:36:42 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:36:43 PM | Registered: C:\WINDOWS\system32\laprxy.dll
12:36:44 PM | Registered: C:\WINDOWS\system32\lmrt.dll
12:36:44 PM | Registered: C:\WINDOWS\system32\mlang.dll
12:36:45 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
12:36:46 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
12:36:46 PM | Registered: C:\WINDOWS\system32\mscoree.dll
12:36:46 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
12:36:50 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
12:36:53 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
12:36:54 PM | Registered: C:\WINDOWS\system32\msieftp.dll
12:36:54 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
12:36:54 PM | Registered: C:\WINDOWS\system32\msr2c.dll
12:36:54 PM | Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:36:57 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
12:36:57 PM | Registered: C:\WINDOWS\system32\mydocs.dll
12:36:57 PM | Registered: C:\WINDOWS\system32\mstime.dll
12:36:57 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
12:36:57 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
12:36:57 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
12:36:58 PM | Registered: C:\WINDOWS\system32\netman.dll
12:36:58 PM | Registered: C:\WINDOWS\system32\netshell.dll
12:36:58 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
12:36:58 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
12:36:58 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
12:36:58 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
12:36:58 PM | Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
12:37:00 PM | Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
12:37:03 PM | Registered: C:\WINDOWS\system32\ole32.dll
12:37:03 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
12:37:03 PM | Registered: C:\WINDOWS\system32\oleacc.dll
12:37:03 PM | Registered: C:\WINDOWS\system32\olepro32.dll
12:37:03 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
12:37:03 PM | Registered: C:\WINDOWS\system32\photowiz.dll
12:37:03 PM | Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:37:04 PM | Registered: C:\WINDOWS\system32\remotepg.dll
12:37:04 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
12:37:04 PM | Registered: C:\WINDOWS\system32\rshx32.dll
12:37:05 PM | Registered: C:\WINDOWS\system32\sendmail.dll
12:37:05 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
12:37:08 PM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
12:37:08 PM | Registered: C:\WINDOWS\system32\shdocvw.dll
12:37:08 PM | Registered: C:\WINDOWS\system32\shell32.dll
12:37:14 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
12:37:14 PM | Registered: C:\WINDOWS\system32\shmedia.dll
12:37:15 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
12:37:15 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
12:37:16 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
12:37:17 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
12:37:17 PM | Registered: C:\WINDOWS\system32\srclient.dll
12:37:17 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
12:37:17 PM | Registered: C:\WINDOWS\system32\stobject.dll
12:37:18 PM | DllInstalled: C:\WINDOWS\system32\themeui.dll
12:37:18 PM | Registered: C:\WINDOWS\system32\themeui.dll
12:37:18 PM | Registered: C:\WINDOWS\system32\twext.dll
12:37:21 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
12:37:21 PM | Registered: C:\WINDOWS\system32\urlmon.dll
12:37:21 PM | Registered: C:\WINDOWS\system32\userenv.dll
12:37:21 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:37:23 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:37:25 PM | Registered: C:\WINDOWS\system32\webvw.dll
12:37:25 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:37:25 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
12:37:26 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
12:37:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
12:37:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
12:37:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
12:37:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
12:37:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
12:37:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
12:37:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
12:37:29 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
12:37:29 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
12:37:29 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
12:37:29 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
--- Emptying temp folders ---
12:38:01 PM | Deleting C:\Documents and Settings\Owner\Local Settings\temp...
12:38:01 PM | C:\Documents and Settings\Owner\Local Settings\temp could not be completely emptied, please reboot and try again
12:38:01 PM | Deleting C:\WINDOWS\temp...
12:38:02 PM | C:\WINDOWS\temp has been re-created
12:38:02 PM | Deleting C:\DOCUME~1\Owner\LOCALS~1\Temp...
12:38:02 PM | C:\DOCUME~1\Owner\LOCALS~1\Temp could not be completely emptied, please reboot and try again
--- MSI ---
12:38:12 PM | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
12:38:24 PM | Unregistered: C:\WINDOWS\system32\msxml.dll
12:38:24 PM | Registered: C:\WINDOWS\system32\msxml.dll
12:38:24 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll
12:38:25 PM | Registered: C:\WINDOWS\system32\msxml2.dll
12:38:27 PM | Unregistered: C:\WINDOWS\system32\msxml3.dll
12:38:29 PM | Registered: C:\WINDOWS\system32\msxml3.dll
12:38:30 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
12:38:30 PM | Registered: C:\WINDOWS\system32\msxml4.dll
12:38:30 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll
12:38:30 PM | Registered: C:\WINDOWS\system32\qmgr.dll
12:38:30 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
12:38:30 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
12:38:30 PM | Unregistered: C:\WINDOWS\system32\muweb.dll
12:38:31 PM | Registered: C:\WINDOWS\system32\muweb.dll
12:38:31 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
12:38:31 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:38:31 PM | Registered: C:\WINDOWS\system32\wuapi.dll
12:38:31 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
12:38:34 PM | Registered: C:\WINDOWS\system32\wuaueng.dll
12:38:34 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
12:38:34 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll
12:38:34 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll
12:38:34 PM | Registered: C:\WINDOWS\system32\wucltui.dll
12:38:34 PM | Unregistered: C:\WINDOWS\system32\wups.dll
12:38:35 PM | Registered: C:\WINDOWS\system32\wups.dll
12:38:35 PM | Unregistered: C:\WINDOWS\system32\wups2.dll
12:38:35 PM | Registered: C:\WINDOWS\system32\wups2.dll
12:38:35 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll
12:38:35 PM | Registered: C:\WINDOWS\system32\wuweb.dll
12:38:35 PM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
12:38:48 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
12:38:52 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
12:38:53 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
12:38:53 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
12:38:53 PM | Registered: C:\WINDOWS\system32\cryptui.dll
12:38:53 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
12:38:54 PM | Registered: C:\WINDOWS\system32\cryptext.dll
12:38:54 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
12:38:54 PM | Registered: C:\WINDOWS\system32\dssenh.dll
12:38:54 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
12:38:54 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
12:38:54 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
12:38:56 PM | Registered: C:\WINDOWS\system32\initpki.dll
12:38:57 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
12:38:57 PM | Registered: C:\WINDOWS\system32\licdll.dll
12:38:57 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
12:38:57 PM | Registered: C:\WINDOWS\system32\mssign32.dll
12:38:57 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
12:38:57 PM | Registered: C:\WINDOWS\system32\mssip32.dll
12:38:58 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
12:38:58 PM | Registered: C:\WINDOWS\system32\scardssp.dll
12:38:58 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
12:38:58 PM | Registered: C:\WINDOWS\system32\sccbase.dll
12:38:58 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
12:38:58 PM | Registered: C:\WINDOWS\system32\scecli.dll
12:38:58 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
12:38:58 PM | Registered: C:\WINDOWS\system32\softpub.dll
12:38:58 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
12:38:59 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
12:38:59 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
12:38:59 PM | Registered: C:\WINDOWS\system32\regwizc.dll
12:38:59 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
12:38:59 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
12:38:59 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
12:38:59 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:38:59 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
12:39:00 PM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
12:39:02 PM | Registered: C:\WINDOWS\system32\acelpdec.ax
12:39:02 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
12:39:02 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
12:39:03 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
12:39:03 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
12:39:03 PM | Registered: C:\WINDOWS\system32\l3codecx.ax
12:39:03 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
12:39:03 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
12:39:06 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
12:39:06 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
12:39:06 PM | Registered: C:\WINDOWS\system32\tdc.ocx
12:39:06 PM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
12:39:06 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
12:39:06 PM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
12:39:06 PM | Registered: C:\WINDOWS\system32\appwiz.cpl
12:39:06 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
12:39:07 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
12:39:07 PM | Registered: C:\WINDOWS\system32\quartz.dll
12:39:07 PM | Registered: C:\WINDOWS\system32\danim.dll
12:39:07 PM | Registered: C:\WINDOWS\system32\dmscript.dll
12:39:07 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
12:39:08 PM | Registered: C:\WINDOWS\system32\atl.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\corpol.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\jscript.dll
12:39:08 PM | Registered: C:\WINDOWS\system32\dispex.dll
12:39:09 PM | Registered: C:\WINDOWS\system32\scrrun.dll
12:39:09 PM | Registered: C:\WINDOWS\system32\scrobj.dll
12:39:09 PM | Registered: C:\WINDOWS\system32\vbscript.dll
12:39:09 PM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
12:39:09 PM | Registered: C:\WINDOWS\system32\activeds.dll
12:39:09 PM | Registered: C:\WINDOWS\system32\audiodev.dll
12:39:10 PM | DllInstalled: C:\WINDOWS\system32\browseui.dll
12:39:10 PM | Registered: C:\WINDOWS\system32\browseui.dll
12:39:10 PM | Registered: C:\WINDOWS\system32\browsewm.dll
12:39:10 PM | Registered: C:\WINDOWS\system32\cabview.dll
12:39:10 PM | Registered: C:\WINDOWS\system32\cdfview.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\comcat.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\cscui.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\credui.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\datime.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\devmgr.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
12:39:11 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dmloader.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dmocx.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dmview.ocx
12:39:12 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
12:39:12 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dsquery.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
12:39:12 PM | Registered: C:\WINDOWS\system32\els.dll
12:39:13 PM | Registered: C:\WINDOWS\system32\es.dll
12:39:13 PM | Registered: C:\WINDOWS\system32\fontext.dll
12:39:13 PM | Registered: C:\WINDOWS\system32\hlink.dll
12:39:14 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
12:39:14 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
12:39:14 PM | Registered: C:\WINDOWS\system32\iepeers.dll
12:39:14 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:39:20 PM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:39:21 PM | Registered: C:\WINDOWS\system32\ils.dll
12:39:21 PM | Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:39:22 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
12:39:22 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
12:39:22 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:39:23 PM | Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:39:34 PM | Registered: C:\WINDOWS\system32\laprxy.dll
12:39:36 PM | Registered: C:\WINDOWS\system32\lmrt.dll
12:39:36 PM | Registered: C:\WINDOWS\system32\mlang.dll
12:39:37 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
12:39:37 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
12:39:37 PM | Registered: C:\WINDOWS\system32\mscoree.dll
12:39:37 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
12:39:39 PM | Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
12:39:39 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
12:39:39 PM | Registered: C:\WINDOWS\system32\msieftp.dll
12:39:40 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
12:39:40 PM | Registered: C:\WINDOWS\system32\msr2c.dll
12:39:40 PM | Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:39:41 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
12:39:41 PM | Registered: C:\WINDOWS\system32\mydocs.dll
12:39:41 PM | Registered: C:\WINDOWS\system32\mstime.dll
12:39:42 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
12:39:42 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
12:39:42 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
12:39:42 PM | Registered: C:\WINDOWS\system32\netman.dll
12:39:43 PM | Registered: C:\WINDOWS\system32\netshell.dll
12:39:43 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
12:39:43 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
12:39:44 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
12:39:44 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
12:39:44 PM | Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
12:39:46 PM | Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
12:39:47 PM | Registered: C:\WINDOWS\system32\ole32.dll
12:39:47 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
12:39:47 PM | Registered: C:\WINDOWS\system32\oleacc.dll
12:39:47 PM | Registered: C:\WINDOWS\system32\olepro32.dll
12:39:47 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
12:39:48 PM | Registered: C:\WINDOWS\system32\photowiz.dll
12:39:48 PM | Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:39:49 PM | Registered: C:\WINDOWS\system32\remotepg.dll
12:39:49 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
12:39:49 PM | Registered: C:\WINDOWS\system32\rshx32.dll
12:39:50 PM | Registered: C:\WINDOWS\system32\sendmail.dll
12:39:50 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
12:39:51 PM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
12:39:51 PM | Registered: C:\WINDOWS\system32\shdocvw.dll
12:39:51 PM | Registered: C:\WINDOWS\system32\shell32.dll
12:40:03 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
12:40:03 PM | Registered: C:\WINDOWS\system32\shmedia.dll
12:40:03 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
12:40:05 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
12:40:05 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
12:40:05 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
12:40:05 PM | Registered: C:\WINDOWS\system32\srclient.dll
12:40:05 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
12:40:05 PM | Registered: C:\WINDOWS\system32\stobject.dll
12:40:05 PM | DllInstalled: C:\WINDOWS\system32\themeui.dll
12:40:06 PM | Registered: C:\WINDOWS\system32\themeui.dll
12:40:06 PM | Registered: C:\WINDOWS\system32\twext.dll
12:40:06 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
12:40:06 PM | Registered: C:\WINDOWS\system32\urlmon.dll
12:40:06 PM | Registered: C:\WINDOWS\system32\userenv.dll
12:40:06 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
12:40:09 PM | Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
12:40:11 PM | Registered: C:\WINDOWS\system32\webvw.dll
12:40:11 PM | Registered: C:\WINDOWS\system32\winhttp.dll
12:40:11 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
12:40:11 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
12:40:11 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
12:40:11 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
12:40:11 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
12:40:11 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
12:40:12 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
12:40:13 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
12:40:13 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
12:40:13 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
12:40:13 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll


Re: BACKDOOR.BOT

Post by Dr Jay on 20th October 2009, 8:03 pm

Internet Explorer 8 is corrupted. Please uninstall it via Control Panel > Add or Remove Programs. Then, please reinstall it from Microsoft.com.

NEXT

This will be to fix System files:
Go to Start and then to Run,
Type in: sfc /scannow
Click OK.
Have your Windows CD/DVD handy.
If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD.
If sfc does not find any errors in Windows XP, it will simply quit, without any message.

If you don't have Windows CD....

Go to Start and then Run,
Type in regedit and click OK.


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

On the right hand side, find: SourcePath

It probably has an entry pointing to your CD-ROM drive, usually D:, and that is why it is asking for the XP CD.
All we need to do is change it to: C:
Now, double click the SourcePath setting and a new box will pop up.
Change the drive letter from your CD drive to your root drive, usually C:
Close Registry Editor.

Now restart your computer and try sfc /scannow again!

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.


NEXT


Please try SDFix again. Re-download, and retry. Let me know in your next reply if you had any trouble doing any of the above.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 20th October 2009, 8:27 pm

Hi:

I am getting ready to do what you asked. I am printing up your list right now. Is the Windows CD you want me to have at the ready the cd that says Microsoft Windows XP Home Edition?

Thanks,
Karen


Re: BACKDOOR.BOT

Post by Dr Jay on 20th October 2009, 9:53 pm

That would be it. Smile


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 20th October 2009, 11:23 pm

Hi Dragon Master Jay:

Well I was able to complete the SFC/scannow. No problem doing that. I was not asked for the cd.

I removed the SDFix and downloaded again. Still cannot go into safe mode and do anything with it. I get all the way to the "Y" and when I attempt to type in "Y" the machine does nothing anymore. I have to turn the machine off to get the cursor or the mouse to even move again.

I am in the process of doing the "Catch Me" part of the SDFix. That scan is going right now. I can post those results if that would help.

Thanks,
Karen


Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 12:02 am

Hi Dragon Master Jay:

Well the Catch Me sat there and spun its wheels for over one hour with no report and no results. I went to the SDFix page run by Andy Manchestra located here: [You must be registered and logged in to see this link.]

I tried all of the items he suggested to correct the SDFix. In my case I got readings back that said I was set up correctly to run SDFix.

Sadly, no matter what I do I cannot run SDFix in Safe Mode. I have tried so many times. What else can I do? Why can I not run this?

Thanks,
Karen


Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 12:07 am

Hi:

I forgot to add that I ran a Mbam and Super Anti Spyware. Here is the log from Mbam.

Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 3

9/19/2009 12:26:39 AM
mbam-log-2009-09-19 (00-26-39).txt

Scan type: Quick Scan
Objects scanned: 107918
Time elapsed: 23 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{30000273-8230-4dd4-be4f-6889d1e74167} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5d60ff48-95be-4956-b4c6-6bb168a70310} (Trojan.KeenValue) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\hwdgqmcw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\vhlyrkv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kri746.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\kri746.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.


Thanks,
Karen

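As an added example (not from anyone in this thread and not part of Malwarebytes): a small Python script that parses the entry lines of an MBAM log like the one posted above and pulls out what a helper actually needs to act on. The sample log is constructed from entries in that log; the grouping rules (Run-key persistence, Security Center tampering, deletions still pending a reboot) are my own and not an MBAM feature.

```python
"""Triage a Malwarebytes' Anti-Malware (1.41-era) scan log.

Added example for this thread, not MBAM code and not from any post here.
Entry lines have the shape  "<location> (<Threat.Family>) -> <action>".
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of an MBAM 1.41 log. The detail entries are
# copied from the log posted in this thread; the header is abbreviated.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Registry Values Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Detail-section header ("Files Infected:"); the summary lines that carry a
# count ("Files Infected: 8") deliberately do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
# One detection line. The location is taken non-greedily so that the
# "Bad: (1) Good: (0)" part of a data item stays in the action field.
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Auto-start locations: anything under a Run*/Winlogon key re-executes at logon.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\|\\Winlogon\\", re.I)
# MBAM's notation for a registry value it had to flip back to its safe setting.
TAMPER_RE = re.compile(r"Bad: \(1\) Good: \(0\)")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files", "Registry Values"
    location: str  # file path or registry path
    threat: str    # MBAM family name, e.g. Backdoor.Bot
    action: str    # what MBAM did, or still has to do after a reboot


def parse_mbam_log(text):
    """Return the Detection entries found under the per-section detail lists."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            found.append(Detection(section, entry["location"], entry["threat"], entry["action"]))
    return found


def triage(detections):
    """Group detections by what they mean for cleanup, not just by MBAM section."""
    report = {
        # A Run-key value means the bot was set to start at every logon; if it
        # comes back after removal, something still on disk re-creates it.
        "persistence": [d for d in detections if AUTOSTART_RE.search(d.location)],
        # *DisableNotify = 1 silences the Security Center warnings about AV,
        # firewall and updates being off, which is why the user saw nothing.
        "security_tampering": [d for d in detections
                               if d.threat.startswith("Disabled.") or TAMPER_RE.search(d.action)],
        # "Delete on reboot" means the file was locked and is still present
        # until the machine restarts; a rescan before that will find it again.
        "pending_reboot": [d for d in detections if d.action.startswith("Delete on reboot")],
        "families": sorted({d.threat for d in detections}),
    }
    report["needs_followup"] = bool(report["persistence"] or report["pending_reboot"])
    return report


def main():
    detections = parse_mbam_log(SAMPLE_LOG)
    report = triage(detections)
    print(f"{len(detections)} detections, families: {', '.join(report['families'])}")
    for key in ("persistence", "security_tampering", "pending_reboot"):
        for d in report[key]:
            print(f"[{key}] {d.section}: {d.location} ({d.threat}) -> {d.action}")
    if report["needs_followup"]:
        print("Follow-up: reboot, rescan, and find out what re-creates the Run entry.")


if __name__ == "__main__":
    main()
```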

Re: BACKDOOR.BOT

Post by Dr Jay on 21st October 2009, 12:07 am

Ok. Here is an alternate that will help:

Please download Trojan Remover from one of the following links:



Save the download to your Desktop. Then double-click on the trjsetup file to install it. When installing, make sure to checkmark the box Create Desktop icon. Then, at the end of the setup, please make sure the following checkboxes have a check in them: Check for Updates? and Run Trojan Remover after setup is completed.

Once in the program, an update prompt will appear. Click the Update button at the bottom, let it finish, then click Close. The next popup that appears will tell you to enter a license key. Just click the Continue button.

Now you see the main window. Click the Scan button. If you have an antivirus or other security software running, you may get a prompt.
See here to learn how to disable security software temporarily: [You must be registered and logged in to see this link.]
If yours is not on the list, then continue with the program.

When done disabling protection, click the Yes button.

Once done scanning (usually quick), it will provide the following:
A. If infected, it will give more information.
B. No active malicious files were found and no changes were made.

Please let me know of any results in your next reply. If your computer is found to be clean, then it truly has to be.


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 1:17 am

Hi Dragon Master Jay:

Well here is the log. I am assuming this is a clean bill of health for my poor computer. I really appreciate all that you have done for me.

Thanks again,
Karen
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2591. For information, email [You must be registered and logged in to see this link.]
[Unregistered version]
Scan started at: 5:47:41 PM 20 Oct 2009
Using Database v7411
Operating System: Windows XP Home Edition (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\Owner\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
5:47:41 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
5:47:44 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/16/2003 1:28 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/16/2003 1:49 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/16/2003 1:32 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Windows Defender
Value Data: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
C:\Program Files\Windows Defender\MSASCui.exe
866584 bytes
Created: 11/3/2006 7:20 PM
Modified: 11/3/2006 7:20 PM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 10/20/2009 5:33 PM
Modified: 10/17/2009 8:35 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/16/2003 1:26 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty

************************************************************
5:47:46 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------
ValueName: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}
Value: Microsoft AntiMalware ShellExecuteHook
File: C:\PROGRA~1\WINDOW~4\MpShHook.dll
C:\PROGRA~1\WINDOW~4\MpShHook.dll
83224 bytes
Created: 11/3/2006 7:20 PM
Modified: 11/3/2006 7:20 PM
Company: Microsoft Corporation
----------

************************************************************
5:47:46 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No hidden File-loading Registry Entries found
----------

************************************************************
5:47:47 PM: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
5:47:47 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
5:47:47 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: NwSapAgent
Path: %SystemRoot%\System32\ipxsap.dll
C:\WINDOWS\System32\ipxsap.dll
66560 bytes
Created: 7/16/2003 1:30 PM
Modified: 7/16/2003 1:30 PM
Company: Microsoft Corporation
--------------------
Key: srservice
Path: %SystemRoot%\system32\srsvc.dll
C:\WINDOWS\system32\srsvc.dll
171008 bytes
Created: 5/28/2004 1:03 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------

************************************************************
5:47:48 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: avg9emc
ImagePath: "C:\Program Files\AVG\AVG9\avgemc.exe"
C:\Program Files\AVG\AVG9\avgemc.exe
906520 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: avg9wd
ImagePath: "C:\Program Files\AVG\AVG9\avgwdsvc.exe"
C:\Program Files\AVG\AVG9\avgwdsvc.exe
285392 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgTdiX
ImagePath: \SystemRoot\System32\Drivers\avgtdix.sys
C:\WINDOWS\System32\Drivers\avgtdix.sys
360584 bytes
Created: 6/9/2008 9:23 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: BANTExt
ImagePath: \SystemRoot\System32\Drivers\BANTExt.sys
C:\WINDOWS\System32\Drivers\BANTExt.sys
3840 bytes
Created: 1/2/2009 4:01 PM
Modified: 3/6/2008 11:51 AM
Company: [no info]
----------
Key: catchme
ImagePath: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys - this file is globally excluded
----------
Key: CoachUsb
ImagePath: system32\DRIVERS\CoachUsb.sys
C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
46944 bytes
Created: 7/26/2008 2:06 PM
Modified: 1/22/2004 12:41 PM
Company: FotoNation Ltd.
----------
Key: CoachVc
ImagePath: system32\DRIVERS\CoachVc.sys
C:\WINDOWS\system32\DRIVERS\CoachVc.sys - [file not found to scan]
----------
Key: ImapiService
ImagePath: %systemroot%\system32\imapi.exe
C:\WINDOWS\system32\imapi.exe
150528 bytes
Created: 7/16/2003 1:30 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
Key: MREMPR5
ImagePath: \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
19345 bytes
Created: 9/25/2006 4:33 AM
Modified: 3/11/2007 2:37 PM
Company: Motive, Inc.
----------
Key: MRENDIS5
ImagePath: \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
18003 bytes
Created: 9/25/2006 4:33 AM
Modified: 3/11/2007 2:37 PM
Company: Motive, Inc.
----------
Key: NwlnkIpx
ImagePath: system32\DRIVERS\nwlnkipx.sys
C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
88320 bytes
Created: 7/16/2003 1:40 PM
Modified: 4/14/2008 12:26 AM
Company: Microsoft Corporation
----------
Key: NwlnkNb
ImagePath: system32\DRIVERS\nwlnknb.sys
C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
63232 bytes
Created: 7/16/2003 1:40 PM
Modified: 7/16/2003 1:40 PM
Company: Microsoft Corporation
----------
Key: NwlnkSpx
ImagePath: system32\DRIVERS\nwlnkspx.sys
C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
55936 bytes
Created: 7/16/2003 1:40 PM
Modified: 7/16/2003 1:40 PM
Company: Microsoft Corporation
----------
Key: SABProcEnum
ImagePath: \??\C:\Program Files\Internet Explorer\SABProcEnum.sys
C:\Program Files\Internet Explorer\SABProcEnum.sys - [file not found to scan]
----------
Key: SASENUM
ImagePath: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
-R- 7408 bytes
Created: 9/15/2009 11:42 AM
Modified: 9/15/2009 11:42 AM
Company: SUPERAdBlocker.com and SUPERAntiSpyware.com
----------
Key: SVKP
ImagePath: \??\C:\WINDOWS\system32\SVKP.sys
C:\WINDOWS\system32\SVKP.sys - [file not found to scan]
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{D755A93D-E25D-4DDE-9969-30EC6DFA8F7A}
C:\WINDOWS\System32\dllhost.exe
5120 bytes
Created: 7/16/2003 1:27 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
Key: vsdatant
ImagePath: \??\C:\WINDOWS\System32\vsdatant.sys
C:\WINDOWS\System32\vsdatant.sys
228344 bytes
Created: 6/3/2004 5:23 PM
Modified: 2/17/2004 4:52 PM
Company: Zone Labs Inc.
----------
Key: WinDefend
ImagePath: "C:\Program Files\Windows Defender\MsMpEng.exe"
C:\Program Files\Windows Defender\MsMpEng.exe
13592 bytes
Created: 11/3/2006 7:19 PM
Modified: 11/3/2006 7:19 PM
Company: Microsoft Corporation
----------
Key: WpdUsb
ImagePath: System32\Drivers\wpdusb.sys
C:\WINDOWS\System32\Drivers\wpdusb.sys
38528 bytes
Created: 8/11/2004 1:45 AM
Modified: 10/18/2006 10:00 PM
Company: Microsoft Corporation
----------
Key: zntport
ImagePath: \??\C:\WINDOWS\system32\zntport.sys
C:\WINDOWS\system32\zntport.sys - [file not found to scan]
----------

************************************************************
5:47:53 PM: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
C:\WINDOWS\system32\JAVASUP.VXD
7315 bytes
Created: 5/31/2004 6:27 PM
Modified: 2/28/2003 4:54 PM
Company: [no info]
VxD Key = JAVASUP
----------
----------

************************************************************
5:47:54 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key : igfxcui
DLLName: igfxsrvc.dll
C:\WINDOWS\system32\igfxsrvc.dll
348160 bytes
Created: 5/28/2004 3:18 PM
Modified: 10/19/2005 8:59 AM
Company: Intel Corporation
----------

************************************************************
5:47:54 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: AVG9 Shell Extension
CLSID: {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
Path: C:\Program Files\AVG\AVG9\avgse.dll
C:\Program Files\AVG\AVG9\avgse.dll
109336 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: ShellExtension
CLSID: [empty]
----------
Key: {CA8ACAFA-5FBB-467B-B348-90DD488DE003}
Path: C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
61440 bytes
Created: 2/27/2007 12:39 PM
Modified: 2/27/2007 12:39 PM
Company: SUPERAntiSpyware.com
----------

************************************************************
5:47:55 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
5:47:55 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
BHO: C:\Program Files\AVG\AVG9\avgssie.dll
C:\Program Files\AVG\AVG9\avgssie.dll
1471768 bytes
Created: 10/17/2009 8:10 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
----------

************************************************************
5:47:55 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
5:47:55 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
5:47:55 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
5:47:55 PM: Scanning ----- APPINIT_DLLS -----
No APPINIT_DLLS value found to check

************************************************************
5:47:56 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
5:47:56 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
1757 bytes
Created: 12/2/2008 2:33 PM
Modified: 12/2/2008 2:33 PM
Company: [no info]
--------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 5/28/2004 5:53 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
--------------------
Windows Search.lnk - links to C:\PROGRA~1\WI459E~1\WINDOW~1.EXE
C:\PROGRA~1\WI459E~1\WINDOW~1.EXE
123904 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/26/2008 10:19 PM
Company: Microsoft Corporation
--------------------

************************************************************
5:47:57 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop(2).ini
-HS- 84 bytes
Created: 10/17/2009 11:01 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop(2).ini - no action taken on this file
----------
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/17/2009 11:01 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: Guest
[C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP]
The Startup Group for Guest attempts to load the following file(s):
C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 9/6/2004 10:03 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: JEFF
[C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP]
The Startup Group for JEFF attempts to load the following file(s):
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop(2).ini
-HS- 84 bytes
Created: 6/23/2008 9:51 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop(2).ini - no action taken on this file
----------
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 6/23/2008 9:51 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: Owner
[C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP]
The Startup Group for Owner attempts to load the following file(s):
C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 5/28/2004 1:13 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------

************************************************************
5:47:59 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

************************************************************
5:47:59 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
5:47:59 PM: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: msacm.iac2
File: iac25_32.ax
C:\WINDOWS\system32\iac25_32.ax
199680 bytes
Created: 11/14/2002 12:58 PM
Modified: 4/14/2008 5:42 AM
Company: Intel Corporation
----------

************************************************************
5:47:59 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\WINDOWS\wallpaper.bmp
C:\WINDOWS\wallpaper.bmp
2359350 bytes
Created: 12/12/2006 7:04 PM
Modified: 10/14/2009 9:38 PM
Company: [no info]
----------
Web Desktop Wallpaper: %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
231677766 bytes
Created: 6/23/2009 8:49 AM
Modified: 10/14/2009 9:35 PM
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
5:48:00 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 7/16/2003 1:45 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 7/16/2003 1:26 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
507904 bytes
Created: 7/16/2003 1:51 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
110592 bytes
Created: 7/16/2003 1:44 PM
Modified: 2/6/2009 4:11 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 7/16/2003 1:32 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 7/16/2003 1:47 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgchsvx.exe
1055000 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\Program Files\AVG\AVG9\avgrsx.exe
502040 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\Program Files\AVG\AVG9\avgcsrvx.exe
702744 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 7/16/2003 1:46 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgwdsvc.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgemc.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgnsx.exe
600344 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\WINDOWS\system32\SearchIndexer.exe
439808 bytes
Created: 5/26/2008 10:18 PM
Modified: 5/26/2008 10:18 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\wuauclt.exe
53472 bytes
Created: 5/28/2004 1:01 PM
Modified: 8/6/2009 7:24 PM
Company: Microsoft Corporation
--------------------
C:\Program Files\AVG\AVG9\avgcsrvx.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 7/16/2003 1:24 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\wscntfy.exe
13824 bytes
Created: 8/4/2004 12:56 AM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
--------------------
C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\cnr2.exe
FileSize: 3101560
[This is a Trojan Remover component]
--------------------

************************************************************
5:48:06 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
[You must be registered and logged in to see this link.]
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
[You must be registered and logged in to see this link.]
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
[You must be registered and logged in to see this link.]

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 5:48:07 PM 20 Oct 2009
Total Scan time: 00:00:25
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.1.2591. For information, email [You must be registered and logged in to see this link.]
[Unregistered version]
Scan started at: 5:35:07 PM 20 Oct 2009
Using Database v7411
Operating System: Windows XP Home Edition (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\Owner\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
5:35:07 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
5:35:11 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 7/16/2003 1:28 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 7/16/2003 1:49 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 7/16/2003 1:32 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Windows Defender
Value Data: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
C:\Program Files\Windows Defender\MSASCui.exe
866584 bytes
Created: 11/3/2006 7:20 PM
Modified: 11/3/2006 7:20 PM
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1070984 bytes
Created: 10/20/2009 5:33 PM
Modified: 10/17/2009 8:35 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 7/16/2003 1:26 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty

************************************************************
5:35:13 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File: C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/24/2009 10:41 PM
Company: Microsoft Corporation
----------
ValueName: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}
Value: Microsoft AntiMalware ShellExecuteHook
File: C:\PROGRA~1\WINDOW~4\MpShHook.dll
C:\PROGRA~1\WINDOW~4\MpShHook.dll
83224 bytes
Created: 11/3/2006 7:20 PM
Modified: 11/3/2006 7:20 PM
Company: Microsoft Corporation
----------

************************************************************
5:35:13 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No hidden File-loading Registry Entries found
----------

************************************************************
5:35:14 PM: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.

************************************************************
5:35:14 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
5:35:14 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: NwSapAgent
Path: %SystemRoot%\System32\ipxsap.dll
C:\WINDOWS\System32\ipxsap.dll
66560 bytes
Created: 7/16/2003 1:30 PM
Modified: 7/16/2003 1:30 PM
Company: Microsoft Corporation
--------------------
Key: srservice
Path: %SystemRoot%\system32\srsvc.dll
C:\WINDOWS\system32\srsvc.dll
171008 bytes
Created: 5/28/2004 1:03 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------

************************************************************
5:35:17 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: avg9emc
ImagePath: "C:\Program Files\AVG\AVG9\avgemc.exe"
C:\Program Files\AVG\AVG9\avgemc.exe
906520 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: avg9wd
ImagePath: "C:\Program Files\AVG\AVG9\avgwdsvc.exe"
C:\Program Files\AVG\AVG9\avgwdsvc.exe
285392 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgTdiX
ImagePath: \SystemRoot\System32\Drivers\avgtdix.sys
C:\WINDOWS\System32\Drivers\avgtdix.sys
360584 bytes
Created: 6/9/2008 9:23 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: BANTExt
ImagePath: \SystemRoot\System32\Drivers\BANTExt.sys
C:\WINDOWS\System32\Drivers\BANTExt.sys
3840 bytes
Created: 1/2/2009 4:01 PM
Modified: 3/6/2008 11:51 AM
Company: [no info]
----------
Key: catchme
ImagePath: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys - this file is globally excluded
----------
Key: CoachUsb
ImagePath: system32\DRIVERS\CoachUsb.sys
C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
46944 bytes
Created: 7/26/2008 2:06 PM
Modified: 1/22/2004 12:41 PM
Company: FotoNation Ltd.
----------
Key: CoachVc
ImagePath: system32\DRIVERS\CoachVc.sys
C:\WINDOWS\system32\DRIVERS\CoachVc.sys - [file not found to scan]
----------
Key: ImapiService
ImagePath: %systemroot%\system32\imapi.exe
C:\WINDOWS\system32\imapi.exe
150528 bytes
Created: 7/16/2003 1:30 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
Key: MREMPR5
ImagePath: \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
19345 bytes
Created: 9/25/2006 4:33 AM
Modified: 3/11/2007 2:37 PM
Company: Motive, Inc.
----------
Key: MRENDIS5
ImagePath: \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
18003 bytes
Created: 9/25/2006 4:33 AM
Modified: 3/11/2007 2:37 PM
Company: Motive, Inc.
----------
Key: NwlnkIpx
ImagePath: system32\DRIVERS\nwlnkipx.sys
C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
88320 bytes
Created: 7/16/2003 1:40 PM
Modified: 4/14/2008 12:26 AM
Company: Microsoft Corporation
----------
Key: NwlnkNb
ImagePath: system32\DRIVERS\nwlnknb.sys
C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
63232 bytes
Created: 7/16/2003 1:40 PM
Modified: 7/16/2003 1:40 PM
Company: Microsoft Corporation
----------
Key: NwlnkSpx
ImagePath: system32\DRIVERS\nwlnkspx.sys
C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
55936 bytes
Created: 7/16/2003 1:40 PM
Modified: 7/16/2003 1:40 PM
Company: Microsoft Corporation
----------
Key: SABProcEnum
ImagePath: \??\C:\Program Files\Internet Explorer\SABProcEnum.sys
C:\Program Files\Internet Explorer\SABProcEnum.sys - [file not found to scan]
----------
Key: SASENUM
ImagePath: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
-R- 7408 bytes
Created: 9/15/2009 11:42 AM
Modified: 9/15/2009 11:42 AM
Company: SUPERAdBlocker.com and SUPERAntiSpyware.com
----------
Key: SVKP
ImagePath: \??\C:\WINDOWS\system32\SVKP.sys
C:\WINDOWS\system32\SVKP.sys - [file not found to scan]
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{D755A93D-E25D-4DDE-9969-30EC6DFA8F7A}
C:\WINDOWS\System32\dllhost.exe
5120 bytes
Created: 7/16/2003 1:27 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
----------
Key: vsdatant
ImagePath: \??\C:\WINDOWS\System32\vsdatant.sys
C:\WINDOWS\System32\vsdatant.sys
228344 bytes
Created: 6/3/2004 5:23 PM
Modified: 2/17/2004 4:52 PM
Company: Zone Labs Inc.
----------
Key: WinDefend
ImagePath: "C:\Program Files\Windows Defender\MsMpEng.exe"
C:\Program Files\Windows Defender\MsMpEng.exe
13592 bytes
Created: 11/3/2006 7:19 PM
Modified: 11/3/2006 7:19 PM
Company: Microsoft Corporation
----------
Key: WpdUsb
ImagePath: System32\Drivers\wpdusb.sys
C:\WINDOWS\System32\Drivers\wpdusb.sys
38528 bytes
Created: 8/11/2004 1:45 AM
Modified: 10/18/2006 10:00 PM
Company: Microsoft Corporation
----------
Key: zntport
ImagePath: \??\C:\WINDOWS\system32\zntport.sys
C:\WINDOWS\system32\zntport.sys - [file not found to scan]
----------

************************************************************
5:35:22 PM: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
C:\WINDOWS\system32\JAVASUP.VXD
7315 bytes
Created: 5/31/2004 6:27 PM
Modified: 2/28/2003 4:54 PM
Company: [no info]
VxD Key = JAVASUP
----------
----------

************************************************************
5:35:23 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key : igfxcui
DLLName: igfxsrvc.dll
C:\WINDOWS\system32\igfxsrvc.dll
348160 bytes
Created: 5/28/2004 3:18 PM
Modified: 10/19/2005 8:59 AM
Company: Intel Corporation
----------

************************************************************
5:35:23 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: AVG9 Shell Extension
CLSID: {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
Path: C:\Program Files\AVG\AVG9\avgse.dll
C:\Program Files\AVG\AVG9\avgse.dll
109336 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
----------
Key: ShellExtension
CLSID: [empty]
----------
Key: {CA8ACAFA-5FBB-467B-B348-90DD488DE003}
Path: C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
61440 bytes
Created: 2/27/2007 12:39 PM
Modified: 2/27/2007 12:39 PM
Company: SUPERAntiSpyware.com
----------

************************************************************
5:35:24 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
5:35:24 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
BHO: C:\Program Files\AVG\AVG9\avgssie.dll
C:\Program Files\AVG\AVG9\avgssie.dll
1471768 bytes
Created: 10/17/2009 8:10 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
----------

************************************************************
5:35:24 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
5:35:24 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
5:35:24 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
5:35:24 PM: Scanning ----- APPINIT_DLLS -----
No APPINIT_DLLS value found to check

************************************************************
5:35:25 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
5:35:25 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
1757 bytes
Created: 12/2/2008 2:33 PM
Modified: 12/2/2008 2:33 PM
Company: [no info]
--------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 5/28/2004 5:53 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
--------------------
Windows Search.lnk - links to C:\PROGRA~1\WI459E~1\WINDOW~1.EXE
C:\PROGRA~1\WI459E~1\WINDOW~1.EXE
123904 bytes
Created: 5/26/2008 10:19 PM
Modified: 5/26/2008 10:19 PM
Company: Microsoft Corporation
--------------------

************************************************************
5:35:26 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop(2).ini
-HS- 84 bytes
Created: 10/17/2009 11:01 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop(2).ini - no action taken on this file
----------
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/17/2009 11:01 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: Guest
[C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP]
The Startup Group for Guest attempts to load the following file(s):
C:\Documents and Settings\Guest\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 9/6/2004 10:03 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: JEFF
[C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP]
The Startup Group for JEFF attempts to load the following file(s):
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop(2).ini
-HS- 84 bytes
Created: 6/23/2008 9:51 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop(2).ini - no action taken on this file
----------
C:\Documents and Settings\JEFF\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 6/23/2008 9:51 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
--------------------
Checking Startup Group for: Owner
[C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP]
The Startup Group for Owner attempts to load the following file(s):
C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 5/28/2004 1:13 PM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------

************************************************************
5:35:28 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

************************************************************
5:35:28 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
5:35:28 PM: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: msacm.iac2
File: iac25_32.ax
C:\WINDOWS\system32\iac25_32.ax
199680 bytes
Created: 11/14/2002 12:58 PM
Modified: 4/14/2008 5:42 AM
Company: Intel Corporation
----------

************************************************************
5:35:29 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
==============================
Restrictive Windows Explorer Policies found in force on this computer:
HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures - default policy reset
RunInvalidSignatures - default policy reset
All Policy Values listed have been removed or reset
==============================
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\WINDOWS\wallpaper.bmp
C:\WINDOWS\wallpaper.bmp
2359350 bytes
Created: 12/12/2006 7:04 PM
Modified: 10/14/2009 9:38 PM
Company: [no info]
----------
Web Desktop Wallpaper: %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
231677766 bytes
Created: 6/23/2009 8:49 AM
Modified: 10/14/2009 9:35 PM
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
5:37:35 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 7/16/2003 1:45 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 7/16/2003 1:26 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
507904 bytes
Created: 7/16/2003 1:51 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
110592 bytes
Created: 7/16/2003 1:44 PM
Modified: 2/6/2009 4:11 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 7/16/2003 1:32 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 7/16/2003 1:47 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgchsvx.exe
1055000 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:10 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\Program Files\AVG\AVG9\avgrsx.exe
502040 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgcsrvx.exe
702744 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 7/16/2003 1:46 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgwdsvc.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\SearchIndexer.exe
439808 bytes
Created: 5/26/2008 10:18 PM
Modified: 5/26/2008 10:18 PM
Company: Microsoft Corporation
--------------------
C:\Program Files\AVG\AVG9\avgemc.exe - file already scanned
--------------------
C:\Program Files\AVG\AVG9\avgnsx.exe
600344 bytes
Created: 10/17/2009 8:09 PM
Modified: 10/17/2009 8:09 PM
Company: AVG Technologies CZ, s.r.o.
--------------------
C:\Program Files\AVG\AVG9\avgcsrvx.exe - file already scanned
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 7/16/2003 1:24 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
--------------------
C:\Program Files\Internet Explorer\IEXPLORE.EXE
638816 bytes
Created: 5/28/2004 1:03 PM
Modified: 3/8/2009 2:09 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\wscntfy.exe
13824 bytes
Created: 8/4/2004 12:56 AM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Internet Explorer\IEXPLORE.EXE - file already scanned
--------------------
C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\kux80.exe
FileSize: 3101560
[This is a Trojan Remover component]
--------------------

************************************************************
5:37:41 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
[You must be registered and logged in to see this link.]
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
[You must be registered and logged in to see this link.]
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
[You must be registered and logged in to see this link.]
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
[You must be registered and logged in to see this link.]

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 5:37:41 PM 20 Oct 2009
Total Scan time: 00:02:34
************************************************************

karenor
Intermediate

Posts: 185
Joined: 2009-09-19
OS: xp
Points: 28652
Likes: 0

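An added example, not part of the thread and not code from the scanner that produced the log above: a small Python triage script for logs in that layout. It parses each per-file block (path, size, Created/Modified, Company), flags executables running from user-writable locations or carrying no publisher information, notes files whose creation time is later than their modification time (NTFS keeps the source file's modification time on copy, so this pattern means the file was copied in; dropped payloads look like this, but so do files placed by legitimate installers), and pulls out the Internet Explorer download-policy values the scanner reported resetting. Those two values, CheckExeSignatures and RunInvalidSignatures under HKCU\Software\Microsoft\Internet Explorer\Download, control whether IE warns on downloaded programs whose Authenticode signature is missing or invalid, which is why a scanner treats a non-default setting as a policy imposed on the user. The sample log embedded in the script is constructed in the same format; the Temp\svchost.exe entry in it is hypothetical and is not a file from this thread.

```python
import re
from datetime import datetime

# File extensions that run code when loaded, and path fragments an ordinary XP user can write to.
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".ax", ".com", ".bat", ".pif", ".cpl")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")
TS_FMT = "%m/%d/%Y %I:%M %p"  # the scanner's "10/17/2009 8:09 PM" timestamp style

PATH_RE = re.compile(r"^[A-Za-z]:\\")
NOTE_RE = re.compile(r"^(.*?)(?: - (file already scanned|no action taken on this file))?$")
SIZE_RE = re.compile(r"^(?:-[A-Z-]+-\s+)?(\d+) bytes$|^FileSize: (\d+)$")
TS_RE = re.compile(r"^(Created|Modified): (.+)$")

# Constructed sample in the scanner's layout (hypothetical entries, not copied from the thread).
SAMPLE_LOG = r"""
5:35:26 PM: Scanning ------ USER STARTUP GROUPS ------
C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/17/2009 11:01 AM
Modified: 5/28/2004 1:06 PM
Company: [no info]
----------
5:37:35 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 7/16/2003 1:45 PM
Modified: 4/14/2008 5:42 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
57344 bytes
Created: 10/16/2009 9:02 PM
Modified: 10/16/2009 9:02 PM
Company: [no info]
--------------------
==============================
Restrictive Windows Explorer Policies found in force on this computer:
HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures - default policy reset
RunInvalidSignatures - default policy reset
All Policy Values listed have been removed or reset
==============================
"""


def parse_entries(log_text):
    """Turn the scanner's per-file blocks into dicts (path, note, size, created, modified, company)."""
    entries, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            # a path line opens a record; a trailing "- file already scanned" style note is split off
            path, note = NOTE_RE.match(line).groups()
            cur = {"path": path, "note": note, "size": None,
                   "created": None, "modified": None, "company": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := SIZE_RE.match(line)):
            cur["size"] = int(m.group(1) or m.group(2))
        elif (m := TS_RE.match(line)):
            field, stamp = m.groups()
            cur[field.lower()] = datetime.strptime(stamp, TS_FMT)
        elif line.startswith("Company:"):
            cur["company"] = line[len("Company:"):].strip()
        elif line.startswith("-----") or line.startswith("*****"):
            cur = None  # separator: this record's metadata is complete
    return entries


def triage(entries):
    """(path, reason) pairs worth a responder's attention, in log order."""
    findings = []
    for e in entries:
        if e["created"] is None:
            continue  # "already scanned" and note-only lines carry no metadata to judge
        low = e["path"].lower()
        if low.endswith(EXEC_EXT):
            if any(frag in low for frag in USER_WRITABLE):
                findings.append((e["path"], "executable running from a user-writable location"))
            if e["company"] in (None, "[no info]"):
                findings.append((e["path"], "executable with no publisher information"))
        if e["modified"] is not None and e["created"] > e["modified"]:
            # ctime newer than mtime: the file was copied onto this system (often, not always, bad)
            findings.append((e["path"], "created after last modified (copied onto the system)"))
    return findings


def reset_policies(log_text):
    """Names of the policy values listed under the scanner's 'Restrictive ... Policies' header."""
    names, inside = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Restrictive Windows Explorer Policies"):
            inside = True
        elif inside and line.startswith("====="):
            break
        elif inside and " - " in line and not line.startswith("All Policy"):
            names.append(line.split(" - ", 1)[0])
    return names


if __name__ == "__main__":
    for path, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
    print("policy values the scanner reset:", reset_policies(SAMPLE_LOG))
```

Run it against a saved copy of a real log by reading the file into `parse_entries` instead of `SAMPLE_LOG`. The "copied onto the system" note fires for many benign files (the desktop.ini entries in startup folders, for instance), so treat it as a hint to look at the two surrounding timestamps, not as a verdict; the user-writable-location and missing-publisher findings are the ones to check first.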

Re: BACKDOOR.BOT

Post by Dr Jay on 21st October 2009, 1:39 am

I want to check something else:

Please copy the following in to Notepad:

@echo off
rem Delete the suspect file and log the result on the desktop. del reports "Could Not Find ..."
rem on stderr, so 2>&1 is needed or result.txt stays empty when the file is absent.
cd /d C:\windows\system32
del ~.exe >> "%USERPROFILE%\Desktop\result.txt" 2>&1
exit


then click File > Save as
For Save as Type: All Files
Filename: killthebeast.bat

Save to the desktop.

Then, double-click on the file to run it. It will produce a very small log on the desktop called result.txt. Please let me know what that says. It may not appear. No big deal.

==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Click Remove Selected, and post the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 13941
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302568
Likes: 10


Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 3:01 am

Hi Dragon Master Jay:

I did as you said. Twice. Both times the result.txt came up empty. Here is the Mbam results log.

Thanks,
Karen

---------------Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 5.1.2600 Service Pack 3

10/20/2009 7:47:51 PM
mbam-log-2009-10-20 (19-47-51).txt

Scan type: Quick Scan
Objects scanned: 116692
Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
---------------


Re: BACKDOOR.BOT

Post by Dr Jay on 21st October 2009, 7:30 am

Go to the following folder and see if this file is in there: ~.exe

C:\windows\system32


If not, then the backdoor bot must be gone!


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 6:52 pm

Hi Dragon Master Jay:

Well I pasted what you asked for in the Run area. A large file came up and I went over it twice. The folder was filled with items. Did I look in the right place? The item was not listed there at all. If I am supposed to look someplace else, please tell me how to get there. I want to be certain I am checking correctly and that this thing is gone.

Thanks,
Karen


Re: BACKDOOR.BOT

Post by Dr Jay on 21st October 2009, 9:52 pm

Ok. That was correct. The file was not found.

Would you like to know how to prevent malware in the future?


Dr. Jay (DJ)



Re: BACKDOOR.BOT

Post by karenor on 21st October 2009, 11:44 pm

Hi Dragon Master Jay:

You bet I would! This experience was just so horrible. I was so worried. I cannot thank you enough for being there to help me. Without you I would be in a horrible mess.

What tips can you share with me and others to prevent this from happening again? I thought I was taking care of things on my computer. I thought I had everything covered with all the crap I am running on here. I am currently running AVG, the Mbam, the Spy Bot, Spy Blaster, CCleaner, Baseline Analyzer, Windows Defender, Advanced Disk Cleaner, Advanced System Care, Super Anti Spyware and Microsoft Malicious Remover. Heck, I spend so much time running these programs I hardly have any time to have fun on the computer!

Please share your thoughts and tips. I am feeling better now and not afraid anymore.

Thanks,
Karen Hooray!


Re: BACKDOOR.BOT

Post by Dr Jay on 22nd October 2009, 12:18 am

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


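An added example to go with the HOSTS-file advice above; it is not from the thread and not code from the HOSTS-file project it links to. On Windows the file lives at %SystemRoot%\system32\drivers\etc\hosts and editing it needs an administrator account. A blocklist-style hosts file only ever maps names to a sinkhole address (127.0.0.1 as the post describes, or 0.0.0.0, which avoids a round trip to any web server that happens to be listening on loopback), so any mapping to some other address is a redirect, and redirecting a security vendor's update or download domain is the classic hosts-file hijack that the scanner's "Checking HOSTS file" step is looking for. The script below parses a hosts file, reports redirects (optionally marking domains you care about), and appends blocklist entries without duplicating ones already present. The sample file and the example.* domains in it are constructed for the demonstration.

```python
import ipaddress
import re

# Addresses a blocklist legitimately points names at: nothing answers there, so the request just fails.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

# Constructed sample (not a real machine's file): the usual localhost line, two blocklist entries,
# and one line of the kind malware writes to cut a machine off from its update servers.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org   # blocklist entry
192.0.2.10      update.example-av.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, ignoring comments and blank lines."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address/name line; leave it alone
        for host in parts[1:]:
            if HOST_RE.match(host):
                out.append((str(ip), host.lower(), n))
    return out


def suspicious_entries(text, watch_suffixes=()):
    """Mappings that send a name somewhere other than a sinkhole address.

    Anything not pointed at loopback/unspecified is a redirect; a redirect of a domain in
    watch_suffixes (e.g. your antivirus vendor's update domain) is flagged as such.
    """
    bad = []
    for ip, host, n in parse_hosts(text):
        if host == "localhost" or ip in SINKHOLES:
            continue
        reason = "redirected to " + ip
        if any(host == s or host.endswith("." + s) for s in watch_suffixes):
            reason += " (watched domain)"
        bad.append((n, host, reason))
    return bad


def add_blocklist(text, hostnames, sinkhole="127.0.0.1"):
    """Append sinkhole entries for names not already mapped, keeping every existing line intact."""
    present = {h for _, h, _ in parse_hosts(text)}
    new = [h.lower() for h in hostnames if HOST_RE.match(h) and h.lower() not in present]
    if not new:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{sinkhole}\t{h}\n" for h in new)


if __name__ == "__main__":
    for n, host, reason in suspicious_entries(SAMPLE_HOSTS, watch_suffixes=("example-av.com",)):
        print(f"line {n}: {host} {reason}")
    print(add_blocklist(SAMPLE_HOSTS, ["banner.example.com"]), end="")
```

To check a real machine, read the hosts file into `suspicious_entries` and pass the update domains of whatever antivirus it runs as `watch_suffixes`; a large blocklist will produce thousands of sinkhole lines, which this code deliberately ignores, so the output stays limited to the handful of lines that actually warrant a look.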

Re: BACKDOOR.BOT

Post by karenor on 22nd October 2009, 1:30 am

Hi Dragon Master Jay:

Those are all wonderful ideas. I can take some of those ideas and improve my situation for sure.

Thank you so much for your assistance. This was very upsetting to me and I am glad that you were available to help me.

Thanks again and take care,
Karen

