SystemDir.explorer and SystemDir.regedit infected?


Solved SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Tue Jan 06, 2009 8:05 am

I think I have a keylogger.

I just got banned from one of my online games and I think it's from a keylogger.
If you could read over this and help me I'd love you forever! It's a new computer so I'm very worried. By the way, I have Windows Vista.

I have scanned with Kaspersky (I haven't scanned in safe mode) and have WinPatrol and COMODO BOclean running.
I also scanned with Spybot Search & Destroy, but none of these programs could find anything,
but when I scanned with Bazooka spyware scanner I get these two results:
"SystemDir.explorer"
and
"SystemDir.regedit"

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

I have read both of these removal guides and they say it could be a
keylogger. When I look for my explorer.exe and regedit.exe they are in the
default location under "C:/Windows",
but I don't know if it's a false positive or not, or if that's not even where the keylogger is...

I'll do anything to figure this out. Please help me: if a professional
could look over my computer and see if it's clean or not I'd appreciate
it a lot! This has got me really stressed out.

swedstoner
Novice

Posts : 14
Joined : 2009-01-06
OS : Windows Vista 64-bit


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Doctor Inferno on Tue Jan 06, 2009 10:29 am

Hey there, welcome to GeekPolice.

Please read this topic and post a HijackThis log here.

[You must be registered and logged in to see this link.]



Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Tue Jan 06, 2009 2:02 pm

Hello.
No, not a false positive.
You are correct about the file locations; the legit explorer/regedit are in Windows, not System32.

Read Doc's post and post your logs.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Tue Jan 06, 2009 10:49 pm

Thanks for the fast reply; here are my logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:43 PM, on 1/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Comodo\CBOClean\BOC427.EXE
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] c:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~2\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKCU\..\Run: [BTBFirstRun] C:\Program Files (x86)\Hewlett-Packard\SDP\hprun.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files (x86)\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files (x86)\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files (x86)\Comodo\CBOClean\BOCORE.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 10841 bytes


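An added example (not code from the thread, from GeekPolice or from HijackThis) showing how a reader can triage a log like the one above programmatically instead of eyeballing 80 lines. It assumes the HijackThis 2.0.x line layout seen in the post; the sample lines are copied from this log, and every hint is a prompt for manual review, not a verdict. The "wow64" hint rests on the fact that HijackThis 2.0.2 is a 32-bit program: on 64-bit Windows the file-system redirector shows it SysWOW64 in place of System32, so 64-bit-only binaries such as lsass.exe are reported as "(file missing)" even though they are present.

```python
"""Review hints for a HijackThis 2.0.x log (added example; not from the thread,
GeekPolice or HijackThis).  Parses the R/O entries, pulls out the file each
entry points at and attaches hints saying which lines deserve a manual look."""
import re
from typing import Dict, List, Optional

# Constructed sample: the platform line plus nine entries copied from the
# HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Platform: Windows Vista SP1 (WinNT 6.00.1905)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^HK\w+(?:\\S-[\d-]+)?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def is_x64_log(text: str) -> bool:
    """HijackThis does not print the OS bitness, but 'Program Files (x86)'
    paths only exist on 64-bit Windows."""
    return "Program Files (x86)" in text


def parse_entry(line: str) -> Optional[Dict]:
    """Turn one R*/O* line into a dict; header lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "body": body, "path": None, "owner": None,
             "missing": False, "hints": []}
    if code == "O23":
        s = SERVICE_RE.match(body)
        if s:
            entry.update(path=s.group("path"), owner=s.group("owner"),
                         missing=s.group("missing") is not None)
    elif code == "O4":
        r = RUN_RE.match(body)
        if r:
            entry["path"] = r.group("cmd")
    elif body.endswith("(no file)"):
        entry["missing"] = True
    else:
        # "BHO: name - {CLSID} - path" and "AppInit_DLLs: path" both end in the path
        entry["path"] = body.split(": ", 1)[-1].rsplit(" - ", 1)[-1]
    return entry


def add_hints(entry: Dict, x64: bool) -> None:
    """Attach review prompts; nothing here is a verdict."""
    code, path = entry["code"], (entry["path"] or "").lower()
    if entry["body"].endswith("(no file)"):
        entry["hints"].append("orphan: registration left behind by an uninstall; "
                              "clean-up candidate, not evidence of infection")
    if code == "O23" and entry["missing"]:
        if x64 and "\\system32\\" in path:
            entry["hints"].append("wow64: 32-bit HijackThis sees SysWOW64 in place of "
                                  "System32, so 64-bit-only binaries show as missing; "
                                  "confirm from a 64-bit shell before acting")
        else:
            entry["hints"].append("missing: service binary is absent; review")
    if code == "O23" and entry["owner"] == "Unknown owner" and not entry["missing"]:
        entry["hints"].append("unknown-owner: existing service binary carries no "
                              "company name; check its signature and vendor")
    if code == "O20":
        entry["hints"].append("injection-point: AppInit_DLLs / Winlogon Notify DLLs "
                              "load into many processes; verify the vendor")
    if code == "O4" and path.startswith("rundll32"):
        entry["hints"].append("rundll32: autorun through rundll32; check the DLL "
                              "and the export it names")


def triage(log_text: str) -> List[Dict]:
    """Parse every entry of a log and attach hints."""
    x64 = is_x64_log(log_text)
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            add_hints(entry, x64)
            entries.append(entry)
    return entries


def flagged(entries: List[Dict]) -> List[Dict]:
    """Only the entries that picked up at least one hint."""
    return [e for e in entries if e["hints"]]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(e["code"], e["path"] or "-", "|", "; ".join(e["hints"]))
```

Run against the full log from the post, the script leaves the vendor-signed autoruns and services alone and concentrates the reader's attention on the two orphaned BHO/toolbar entries, the AppInit_DLLs hook (Kaspersky's, in this case), the rundll32 autoruns and the services reported as missing under System32, which on this Vista x64 host are exactly the redirection artefact the lead-in describes.
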
Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Tue Jan 06, 2009 11:05 pm

Please download and run this tool.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Tue Jan 06, 2009 11:32 pm

Please take note that this is my log from yesterday; it found 2 results and I have removed them. I have stopped TeaTimer and scanned again just now and found no results, so I'll just post the results from yesterday. If you need the new results I'll post them too. Thanks for the fast replies.


Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 6.0.6001 Service Pack 1

1/5/2009 7:19:44 PM
mbam-log-2009-01-05 (19-19-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 369225
Time elapsed: 6 hour(s), 18 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


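Belahzur's point that the genuine explorer.exe and regedit.exe live directly under C:\Windows, and the Broken.OpenCommand line in the MBAM log above, both come down to comparing what is on the host with a known-good default. The following is an added example, not code from the thread nor from Bazooka or Malwarebytes. Function names, the constructed sample paths and the x64 handling (a 32-bit copy of each file under SysWOW64 is normal on 64-bit Windows) are my assumptions. In the log, the only visible difference between the "Bad" and "Good" values is the quoting around regedit.exe, which the checker reports as cosmetic rather than as a redirection to another program.

```python
"""Host-side checks behind two items in this thread (added example; not
code from the thread, Bazooka or Malwarebytes):
  * the genuine explorer.exe / regedit.exe sit directly under %SystemRoot%,
    so a same-named file under System32 (or Temp, or a user profile) is an
    impostor candidate, which is what a SystemDir.* detection points at;
  * the .reg file handler defaults to   regedit.exe "%1"   and MBAM's
    Broken.OpenCommand fires on any deviation, so the checker separates a
    cosmetic difference (quoting) from a redirection to another program.
Assumptions: a 32-bit copy under SysWOW64 is normal on 64-bit Windows;
the sample paths in the tests are constructed."""
import ntpath
import os
import sys
from typing import Dict, List, Tuple

PROTECTED = ("explorer.exe", "regedit.exe")
DEFAULT_REGFILE_CMD = 'regedit.exe "%1"'


def classify_copies(name: str, paths: List[str],
                    system_root: str = r"C:\Windows", x64: bool = True) -> Dict[str, str]:
    """Label each path holding `name` as expected, store (WinSxS component
    store, never launched directly) or suspicious.  ntpath keeps the
    comparison Windows-style on any platform."""
    root, name = ntpath.normcase(system_root), name.lower()
    expected = {ntpath.join(root, name)}
    if x64:
        expected.add(ntpath.join(root, "syswow64", name))
    store = ntpath.join(root, "winsxs") + "\\"
    result = {}
    for p in paths:
        n = ntpath.normcase(p)
        if n in expected:
            result[p] = "expected"
        elif n.startswith(store):
            result[p] = "store"
        else:
            result[p] = "suspicious"
    return result


def find_copies(name: str) -> List[str]:
    """Look in the usual places on the live host; only meaningful on Windows."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    dirs = [root, ntpath.join(root, "System32"), ntpath.join(root, "SysWOW64"),
            os.environ.get("TEMP", ""), os.environ.get("APPDATA", "")]
    return [ntpath.join(d, name) for d in dirs if d and os.path.isfile(ntpath.join(d, name))]


def split_cmd(value: str) -> List[str]:
    """Minimal Windows command-line tokenizer: spaces split, double quotes group."""
    tokens, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def check_regfile_command(value: str, x64: bool = True) -> Tuple[str, str]:
    r"""Verdict for the default value of HKCR\regfile\shell\open\command."""
    tokens, expected = split_cmd(value), split_cmd(DEFAULT_REGFILE_CMD)
    if not tokens:
        return "bad", "empty handler"
    exe = tokens[0]
    if ntpath.basename(exe).lower() != "regedit.exe":
        return "hijacked", "handler runs %s instead of regedit.exe" % exe
    if ntpath.dirname(exe) and classify_copies("regedit.exe", [exe], x64=x64)[exe] != "expected":
        return "hijacked", "regedit.exe launched from an unexpected location: " + ntpath.dirname(exe)
    if tokens[1:] != expected[1:]:
        return "odd", "unexpected arguments: " + " ".join(tokens[1:])
    if value == DEFAULT_REGFILE_CMD:
        return "default", "matches the Windows default"
    return "cosmetic", "same program and argument; only quoting or path spelling differs"


def live_host_report() -> Dict:
    """Run both checks on this machine (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    x64 = bool(os.environ.get("PROCESSOR_ARCHITEW6432")) or \
        os.environ.get("PROCESSOR_ARCHITECTURE") == "AMD64"
    report = {name: classify_copies(name, find_copies(name), os.environ["SystemRoot"], x64)
              for name in PROTECTED}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"regfile\shell\open\command") as key:
        report["regfile"] = check_regfile_command(winreg.QueryValueEx(key, "")[0], x64)
    return report


if __name__ == "__main__":
    # The 'Bad' value from the MBAM log above, then the Windows default.
    print(check_regfile_command('"regedit.exe" "%1"'))
    print(check_regfile_command(DEFAULT_REGFILE_CMD))
    print(live_host_report())
```

The two pure functions run anywhere, which is what the tests exercise; `live_host_report()` is the Windows-only wrapper that reads the registry value and looks for real copies. The verdict scale is deliberately graded: a handler that still runs the real regedit.exe with the same single argument is "cosmetic" (the case in the log), a different executable or a regedit.exe copy outside the expected directories is "hijacked", and extra arguments are "odd" and worth a look.
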
Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Tue Jan 06, 2009 11:35 pm

Okay, let's take a look around.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:09 am

[You must be registered and logged in to see this link.] wrote: Okay, let's take a look around.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

I tried to run the file but it says "This tool does not support your Operating System".
I have Vista 64-bit.


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Wed Jan 07, 2009 12:18 am

Darn it.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum





Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:51 am

OK, I got the logs; here they are in separate posts.

OTViewIt logfile created on: 1/6/2009 7:24:07 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Users\Ryan\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.37 Gb Available Physical Memory | 59.36% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 688.90 Gb Total Space | 504.46 Gb Free Space | 73.23% Space Free | Partition Type: NTFS
Drive D: | 9.74 Gb Total Space | 0.89 Gb Free Space | 9.11% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RYAN-PC
Current User Name: Ryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/08/30 16:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
[2007/04/18 10:01:34 | 00,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
[2008/02/08 20:36:14 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
[2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
[2008/07/14 05:09:26 | 00,351,480 | ---- | M] (COMODO) -- C:\Program Files (x86)\Comodo\CBOClean\BOC427.EXE
[2008/10/09 10:52:54 | 00,333,120 | ---- | M] (BillP Studios) -- C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
[2008/02/08 20:36:14 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
[2007/11/19 17:54:04 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
[2008/11/28 23:54:03 | 00,066,872 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
[2008/01/28 13:43:32 | 00,810,320 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
[2007/08/23 01:35:00 | 00,243,064 | ---- | M] (Symantec Corporation) -- c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
[2009/01/06 19:23:02 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/08/23 01:35:00 | 00,243,064 | ---- | M] (Symantec Corporation) -- c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
[2008/02/08 20:36:14 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe -- (AVP [Auto | Running])
[2008/07/14 05:09:29 | 00,081,144 | ---- | M] (COMODO) -- C:\Program Files (x86)\Comodo\CBOClean\BOCore.exe -- (BOCore [Auto | Running])
File not found -- -- (CertPropSvc [Unknown | Stopped])
[2008/01/20 21:50:58 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/01/20 21:50:38 | 00,093,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
File not found -- -- (DcomLaunch [Unknown | Running])
File not found -- -- (DPS [Unknown | Running])
[2008/01/20 21:51:36 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr [On_Demand | Stopped])
[2008/01/20 21:51:36 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
[2008/01/20 21:51:57 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2007/07/23 18:33:06 | 00,181,800 | ---- | M] (WildTangent, Inc.) -- C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe -- (GameConsoleService [On_Demand | Stopped])
File not found -- -- (gpsvc [Unknown | Running])
[2007/09/19 20:30:52 | 00,065,536 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe -- (HP Health Check Service [Auto | Running])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2006/11/02 04:46:05 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\keyiso.dll -- (KeyIso [On_Demand | Running])
[2007/11/19 17:54:04 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2007/08/23 01:35:00 | 03,192,184 | ---- | M] (Symantec Corporation) -- c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate [On_Demand | Stopped])
[2006/11/02 08:34:14 | 00,000,000 | ---D | M] -- C:\Windows\System32\Msdtc -- (MSDTC [Unknown | Stopped])
[2008/01/20 21:48:28 | 00,592,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
[2008/01/20 21:51:53 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
File not found -- -- (nvsvc [Auto | Running])
[2008/01/20 21:51:00 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\perfhost.exe -- (PerfHost [On_Demand | Stopped])
[2008/11/28 23:54:03 | 00,066,872 | ---- | M] () -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
File not found -- -- (RpcSs [Unknown | Running])
[2008/01/28 13:43:32 | 00,810,320 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService [Auto | Running])
[2008/01/20 21:49:11 | 00,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SCardSvr.dll -- (SCardSvr [Unknown | Stopped])
File not found -- -- (Schedule [Unknown | Running])
File not found -- -- (SCPolicySvc [Unknown | Stopped])
[2008/11/21 21:09:32 | 00,104,944 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2006/11/02 01:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\System32\wbem\vds.mof -- (vds [On_Demand | Stopped])
[2006/11/02 01:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\System32\wbem\vss.mof -- (VSS [On_Demand | Stopped])
File not found -- -- (WdiServiceHost [Unknown | Stopped])
File not found -- -- (WdiSystemHost [Unknown | Running])
[2007/10/25 17:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2008/01/20 21:52:15 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])
[2008/05/27 00:18:43 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe -- (WSearch [Auto | Running])
File not found -- -- (XAudioService [Auto | Running])


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:51 am

========== Driver Services ==========

[2008/01/20 21:46:53 | 00,486,456 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adp94xx.inf_31bf3856ad364e35_6.0.6001.18000_none_5e0fcb9b69814f7b\adp94xx.sys -- (adp94xx [Disabled | Stopped])
[2008/01/20 21:46:54 | 00,342,584 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpahci.inf_31bf3856ad364e35_6.0.6001.18000_none_c05c13aa3dfbc961\adpahci.sys -- (adpahci [Disabled | Stopped])
[2008/01/20 21:46:54 | 00,126,520 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpu160m.inf_31bf3856ad364e35_6.0.6001.18000_none_f2feed0b63bf261d\adpu160m.sys -- (adpu160m [Disabled | Stopped])
[2008/01/20 21:47:27 | 00,185,912 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpu320.inf_31bf3856ad364e35_6.0.6001.18000_none_f4cbbad1148c6b4a\adpu320.sys -- (adpu320 [Disabled | Stopped])
[2008/01/20 21:46:50 | 00,015,976 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\aliide.sys -- (aliide [Disabled | Stopped])
[2008/01/20 21:46:52 | 00,090,680 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_arc.inf_31bf3856ad364e35_6.0.6001.18000_none_7bfed8c7803713cf\arc.sys -- (arc [Disabled | Stopped])
[2008/01/20 21:47:00 | 00,091,192 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_arcsas.inf_31bf3856ad364e35_6.0.6001.18000_none_771684264153c2d4\arcsas.sys -- (arcsas [Disabled | Stopped])
File not found -- -- (atksgt [Auto | Running])
[2007/04/17 15:19:58 | 00,011,504 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\Program Files (x86)\Comodo\CBOClean\BOCDRIVE.SYS -- (BOCDRIVE [On_Demand | Running])
[2008/01/20 21:46:56 | 00,018,432 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\WinSxS\amd64_brmfcsto.inf_31bf3856ad364e35_6.0.6001.18000_none_800ff95700142785\BrFiltLo.sys -- (BrFiltLo [On_Demand | Stopped])
[2008/01/20 21:46:56 | 00,008,704 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\WinSxS\amd64_brmfcsto.inf_31bf3856ad364e35_6.0.6001.18000_none_800ff95700142785\BrFiltUp.sys -- (BrFiltUp [On_Demand | Stopped])
File not found -- -- (CAXHWBS2 [On_Demand | Running])
[2008/01/20 21:46:50 | 00,018,024 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\cmdide.sys -- (cmdide [Disabled | Stopped])
[2008/01/20 21:46:56 | 00,146,176 | ---- | M] (Intel Corporation) -- C:\Windows\WinSxS\amd64_nete1g3e.inf_31bf3856ad364e35_6.0.6001.18000_none_04b0c96be9c034d3\E1G6032E.sys -- (E1G60 [On_Demand | Stopped])
[2008/01/20 21:46:59 | 00,397,368 | ---- | M] (Emulex) -- C:\Windows\WinSxS\amd64_elxstor.inf_31bf3856ad364e35_6.0.6001.18000_none_08ac13ff69b034ee\elxstor.sys -- (elxstor [Disabled | Stopped])
[2008/01/20 21:46:59 | 00,047,672 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\WinSxS\amd64_hpcisss.inf_31bf3856ad364e35_6.0.6001.18000_none_d59c6600292b9522\HpCISSs.sys -- (HpCISSs [Disabled | Stopped])
File not found -- -- (HSF_DP [On_Demand | Running])
File not found -- -- (iaStor [Boot | Running])
[2008/01/20 21:46:59 | 00,290,872 | ---- | M] (Intel Corporation) -- C:\Windows\WinSxS\amd64_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_0b2fedfc40256bc5\iaStorV.sys -- (iaStorV [Disabled | Stopped])
File not found -- -- (IntcAzAudAddService [On_Demand | Running])
File not found -- -- (kl1 [System | Running])
File not found -- -- (KLIF [System | Running])
File not found -- -- (KLIM6 [System | Running])
File not found -- -- (lirsgt [Auto | Running])
[2008/01/20 21:46:51 | 00,113,720 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_fc.inf_31bf3856ad364e35_6.0.6001.18000_none_c59b4ac1fa719137\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
[2008/01/20 21:46:56 | 00,105,016 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_sas.inf_31bf3856ad364e35_6.0.6001.18000_none_5b86b7f9e8ff0dc5\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
[2008/01/20 21:47:01 | 00,113,720 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_scsi.inf_31bf3856ad364e35_6.0.6001.18000_none_f883c787da42af0c\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
[2006/06/19 05:26:50 | 00,094,208 | ---- | M] (Conexant) -- C:\Windows\System32\mdmxsdk.dll -- (mdmxsdk [Auto | Running])
[2008/01/20 21:46:59 | 00,035,896 | ---- | M] (LSI Corporation) -- C:\Windows\WinSxS\amd64_megasas.inf_31bf3856ad364e35_6.0.6001.18000_none_8c5ef0c0070fb814\megasas.sys -- (megasas [Disabled | Stopped])
[2008/01/20 21:46:56 | 00,438,328 | ---- | M] (LSI Corporation, Inc.) -- C:\Windows\WinSxS\amd64_megasr.inf_31bf3856ad364e35_6.0.6001.18000_none_44b889fdb37f3d14\MegaSR.sys -- (MegaSR [Disabled | Stopped])
[2006/09/18 16:35:23 | 00,001,088 | ---- | M] () -- C:\Windows\System32\wbem\mpsdrv.mof -- (mpsdrv [On_Demand | Running])
[2005/01/01 04:43:08 | 00,004,682 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Windows\System32\npptNT2.sys -- (NPPTNT2 [On_Demand | Stopped])
[2008/01/20 21:47:26 | 05,942,912 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nv_lh.inf_31bf3856ad364e35_6.0.6001.18000_none_4a8627558332bbba\nvlddmkm.sys -- (nvlddmkm [On_Demand | Running])
[2008/01/20 21:46:54 | 00,128,056 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_95f95eab775c159d\nvraid.sys -- (nvraid [Disabled | Stopped])
[2008/01/20 21:46:54 | 00,054,328 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_95f95eab775c159d\nvstor.sys -- (nvstor [Disabled | Stopped])
[2008/01/20 21:46:52 | 01,221,176 | ---- | M] (QLogic Corporation) -- C:\Windows\WinSxS\amd64_ql2300.inf_31bf3856ad364e35_6.0.6001.18000_none_90b29e0f5eb4b0a1\ql2300.sys -- (ql2300 [Disabled | Stopped])
[2008/11/27 07:32:55 | 00,024,448 | ---- | M] () -- C:\Windows\System32\drivers\rkhdrv40.sys -- (rkhdrv40 [On_Demand | Stopped])
File not found -- -- (RTL8169 [On_Demand | Running])
[2008/11/17 15:11:06 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files (x86)\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Stopped])
[2008/11/17 15:11:08 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[2008/11/17 15:11:04 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Stopped])
[2006/09/29 18:51:44 | 00,023,040 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\WinSxS\amd64_macrovision-protection-safedisc_31bf3856ad364e35_6.0.6000.16386_none_b794b0d578b7ec2e\secdrv.sys -- (secdrv [Auto | Running])
[2008/01/20 21:47:26 | 00,078,392 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\WinSxS\amd64_sisraid4.inf_31bf3856ad364e35_6.0.6001.18000_none_8460e59f708bb476\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
[2006/09/18 16:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\System32\wbem\tcpip.mof -- (Tcpip [Boot | Running])
[2008/01/20 21:46:56 | 00,284,728 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\WinSxS\amd64_uliahci.inf_31bf3856ad364e35_6.0.6001.18000_none_a21b1cbb80e47096\uliahci.sys -- (uliahci [Disabled | Stopped])
[2008/01/20 21:46:52 | 00,174,696 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\WinSxS\amd64_ulsata2.inf_31bf3856ad364e35_6.0.6001.18000_none_9ce1027f4768b389\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
[2008/01/20 21:46:50 | 00,018,024 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\viaide.sys -- (viaide [Disabled | Stopped])
[2008/01/20 21:47:25 | 00,149,048 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\WinSxS\amd64_vsmraid.inf_31bf3856ad364e35_6.0.6001.18000_none_508698a452d25e17\vsmraid.sys -- (vsmraid [Disabled | Stopped])
[2008/01/20 21:46:53 | 00,392,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\WinSxS\amd64_mdmcxpv6.inf_31bf3856ad364e35_6.0.6001.18000_none_1f6618d91f404c66\VSTBS26.SYS -- (VST64HWBS2 [On_Demand | Stopped])
[2008/01/20 21:46:57 | 01,523,712 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\WinSxS\amd64_mdmcxhv6.inf_31bf3856ad364e35_6.0.6001.18000_none_0673f8918ab7629e\VSTDPV6.SYS -- (VST64_DPV [On_Demand | Stopped])
File not found -- -- (winachsf [On_Demand | Running])
File not found -- -- (XAudio [Auto | Running])
File not found -- -- (xcbdaNtsc [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
"Local Page"=C:\Windows\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com/
"StartPageCache"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:51 am

========== (O1) Hosts File ==========

HOSTS File = (893572 bytes) - C:\Windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 [You must be registered and logged in to see this link.] #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 t.abnad.net
127.0.0.1 z.abnad.net
127.0.0.1 banners.absolpublisher.com
127.0.0.1 tracking.absolstats.com
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 gtb5.acecounter.com
127.0.0.1 gtb19.acecounter.com
25889 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (HKLM) -- C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (HKLM) -- C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files (x86)\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""= File not found
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AVP"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" (Kaspersky Lab)
"BOC-427"=C:\PROGRA~2\Comodo\CBOClean\BOC427.exe (COMODO)
"HP Software Update"=C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
"hpsysdrv"=c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
"OsdMaestro"=c:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe (OsdMaestro)
"SunJavaUpdateSched"="C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"WinPatrol"="C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot (BillP Studios)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"=C:\Program Files (x86)\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
"BTBFirstRun"=C:\Program Files (x86)\Hewlett-Packard\SDP\hprun.exe (Hewlett-Packard Company)
"ehTray.exe"=C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
"msnmsgr"="C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (Microsoft Corporation)
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter File not found
"Yahoo! Pager"="C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:52 am

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel\HomePage]
""=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktop"=1
"ForceActiveDesktopOn"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"ConsentPromptBehaviorAdmin"=2
"ConsentPromptBehaviorUser"=1
"EnableInstallerDetection"=1
"EnableLUA"=1
"EnableSecureUIAPaths"=1
"EnableVirtualization"=1
"PromptOnSecureDesktop"=1
"ValidateAdminCodeSignatures"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"FilterAdministratorToken"=0
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\dontdisplaylastusername]
""=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=1
"CF_BITMAP"=2
"CF_OEMTEXT"=7
"CF_DIB"=8
"CF_PALETTE"=9
"CF_UNICODETEXT"=13
"CF_DIBV5"=17

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools]
""=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools\ShowInfoTip]
""=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&Windows Live Search: C:\Program Files (x86)\Windows Live Toolbar\msntb.dll [2007/10/19 13:20:48 | 00,546,320 | ---- | M] (Microsoft Corporation)
Add to Windows &Live Favorites: File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}: Button: Web Anti-Virus statistics -- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll [2008/02/08 20:37:52 | 00,223,760 | ---- | M] (Kaspersky Lab)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}: Button: Yahoo! Services -- %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [2007/12/12 17:09:42 | 00,222,448 | ---- | M] (Yahoo! Inc.)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
48 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
55 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{02ECD07A-22D0-4AF0-BA0A-3F6B06086D08}: [You must be registered and logged in to see this link.] -- GamesCampus Control
{17492023-C23A-453E-A040-C7C580BBF700}: [You must be registered and logged in to see this link.] -- Windows Genuine Advantage Validation Tool
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll -- Installation Support
{67DABFBF-D0AB-41FA-9C46-CC0F21721616}: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
{7C5D062A-7A1E-4A46-A02B-A928084CBD66}: [You must be registered and logged in to see this link.] -- MLauncherNew Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
{AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}: [You must be registered and logged in to see this link.] -- NeffyLauncherCtl Class
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
vzTCPConfig: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:52 am

========== (O17) DNS Name Servers ==========

{1E6C176C-A2FA-4ED1-9311-0C4F2F822321} (Servers: | Description: Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0))
{91D95F1B-7719-4933-84DA-BEAA18F26D43} (Servers: | Description: USB Wireless 802.11 b/g Adaptor)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
>[2008/02/08 20:37:52 | 00,072,208 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\r3hook.dll

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"VMApplet"=rundll32 shell32,Control_RunDLL "sysdm.cpl"
>File not found --


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL -- C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
klogon: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"={E6FB5E20-DE35-11CF-9C87-00AA005127ED} (HKLM) -- C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=credssp.dll
>File not found --

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,tspkg,
>[2008/01/20 21:50:00 | 00,062,464 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TSpkg.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:52 am

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Files/Folders - Created Within 30 Days ==========

[2009/01/06 19:23:01 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTViewIt.exe
[2009/01/06 19:08:31 | 00,368,781 | ---- | C] () -- C:\Users\Ryan\Desktop\dds(2).pif
[2009/01/06 19:07:34 | 00,368,781 | ---- | C] () -- C:\Users\Ryan\Desktop\dds.scr
[2009/01/06 19:06:24 | 00,368,784 | ---- | C] () -- C:\Users\Ryan\Desktop\dds.com
[2009/01/06 07:07:37 | 00,099,743 | ---- | C] () -- C:\Users\Ryan\Desktop\DxDiag.xml
[2009/01/06 04:08:02 | 00,001,930 | ---- | C] () -- C:\Users\Ryan\Desktop\HijackThis.lnk
[2009/01/06 04:08:01 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2009/01/05 04:28:54 | 00,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Malwarebytes
[2009/01/05 04:28:52 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/01/05 04:28:50 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/01/05 04:28:49 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/01/05 04:28:49 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/01/05 04:20:12 | 00,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\WinPatrol
[2009/01/05 04:20:07 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\BillP Studios
[2009/01/05 04:07:11 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsock32.dlb
[2009/01/05 04:07:04 | 00,205,560 | ---- | C] (COMODO) -- C:\Windows\UNBOC.EXE
[2009/01/05 04:07:03 | 00,212,728 | ---- | C] (COMODO) -- C:\Windows\CMDLIC.DLL
[2009/01/05 04:06:53 | 00,000,000 | ---D | C] -- C:\ProgramData\BOC427
[2009/01/05 04:06:48 | 00,000,410 | ---- | C] () -- C:\Windows\BOC427.INI
[2009/01/05 04:06:45 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Comodo
[2009/01/05 04:02:41 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/01/05 03:16:49 | 00,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSSTDFMT.DLL
[2009/01/05 03:16:48 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2009/01/05 02:57:05 | 00,000,000 | ---D | C] -- C:\ProgramData\PrevxCSI
[2009/01/03 16:37:54 | 00,000,268 | ---- | C] () -- C:\sqmdata00.sqm
[2009/01/03 04:44:14 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\CoEmu
[2009/01/02 20:33:47 | 00,018,689 | ---- | C] () -- C:\Users\Ryan\Documents\me 025.png
[2009/01/02 20:32:08 | 00,012,628 | ---- | C] () -- C:\Users\Ryan\Documents\me 420.jpg
[2009/01/02 19:10:47 | 00,427,482 | ---- | C] () -- C:\Users\Ryan\Desktop\stronglifts-5x5.pdf
[2008/12/31 02:19:16 | 00,002,223 | ---- | C] () -- C:\Users\Ryan\Desktop\Rakion.lnk
[2008/12/31 02:18:18 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Softnyx
[2008/12/26 17:58:12 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Pharoahe_Monch_-_Internal_Affairs_
[2008/12/26 17:57:37 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Illadelph Halflife
[2008/12/26 17:57:11 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Busta_Rhymes_-_When_Disaster_Strikes
[2008/12/26 17:56:14 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Black Moon - Enta Da Stage
[2008/12/26 17:53:35 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\AZ_-_Doe_Or_Die_1995_192kb
[2008/12/26 17:52:28 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Scarface_-_The_Fix
[2008/12/26 17:52:21 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\The_Pharcyde_-_Bizarre_Ride_II
[2008/12/26 17:51:50 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\UGK_-_Ridin_Dirty
[2008/12/26 17:30:57 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\00-MF_Doom_-_Operation_Doomsday-1999-_HHFN_
[2008/12/25 20:20:09 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Artifacts-Between_A_Rock_And_A_Hard_Place-1994-NHH_INT
[2008/12/24 17:24:33 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\BG_Knocc_Out___Dresta_-_Real_Brothas_-_1995
[2008/12/24 16:54:49 | 00,026,831 | ---- | C] () -- C:\Users\Ryan\Documents\user40903_pic2213_1226558916.jpg
[2008/12/24 16:54:40 | 00,049,626 | ---- | C] () -- C:\Users\Ryan\Documents\user40903_pic1031_1217032325.jpg
[2008/12/24 16:54:26 | 00,010,695 | ---- | C] () -- C:\Users\Ryan\Documents\user40903_pic2440_1228178266.jpg
[2008/12/24 16:54:17 | 00,039,560 | ---- | C] () -- C:\Users\Ryan\Documents\user40903_pic2664_1229789391.jpg
[2008/12/20 19:36:42 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Armor2net
[2008/12/20 19:27:23 | 00,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2008/12/20 19:27:20 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Security Task Manager
[2008/12/19 03:18:23 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Documents\Runes of Magic
[2008/12/19 03:13:16 | 00,001,854 | ---- | C] () -- C:\Users\Ryan\Desktop\Runes of Magic.lnk
[2008/12/19 03:01:28 | 03,578,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2008/12/19 03:01:12 | 00,000,000 | ---D | C] -- C:\CrashReport
[2008/12/19 02:52:13 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Runes of Magic
[2008/12/18 18:53:10 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\SystemRequirementsLab
[2008/12/18 18:53:09 | 00,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SystemRequirementsLab
[2008/12/18 03:37:25 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\Wax__26_EOM_-_Liquid_Courage
[2008/12/18 03:33:55 | 04,669,466 | ---- | C] () -- C:\Users\Ryan\Documents\Wax & EOM - Music And Liquor.mp3
[2008/12/17 16:22:11 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\The Roots - Things Fall Apart
[2008/12/14 23:54:26 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\KidRock - Hist
[2008/12/14 23:27:02 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\AC Tool
[2008/12/14 23:25:19 | 00,001,614 | ---- | C] () -- C:\Users\Public\Desktop\KnightOnline.lnk
[2008/12/14 23:19:52 | 00,000,000 | ---D | C] -- C:\GamersFirst
[2008/12/11 18:44:49 | 00,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Ventrilo
[2008/12/11 18:43:34 | 00,000,754 | ---- | C] () -- C:\Users\Ryan\Desktop\Ventrilo.lnk
[2008/12/11 03:03:00 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2008/12/11 00:50:06 | 00,201,216 | ---- | C] (Microsoft Corporation) -- C:\Users\Ryan\Documents\dinput8.dll
[2008/12/10 19:14:59 | 02,868,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mf.dll
[2008/12/10 19:14:57 | 02,386,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMVCORE.DLL
[2008/12/10 19:14:57 | 00,996,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMNetMgr.dll
[2008/12/10 19:14:57 | 00,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\logagent.exe
[2008/12/10 19:14:17 | 11,580,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\shell32.dll
[2008/12/10 19:14:07 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2008/12/10 19:14:06 | 06,068,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2008/12/10 19:14:05 | 00,827,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2008/12/10 19:14:05 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2008/12/10 19:14:04 | 00,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2008/12/10 19:14:03 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2008/12/10 19:13:21 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2008/12/10 19:13:20 | 04,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2008/12/10 19:11:55 | 00,303,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gdi32.dll
[2008/12/10 19:11:50 | 03,080,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2008/12/10 19:11:50 | 02,927,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\explorer.exe
[2008/12/08 23:02:24 | 00,004,352 | ---- | C] () -- C:\Users\Ryan\Documents\cc_20081208_230216 new.reg
[2008/12/08 21:51:04 | 09,658,970 | ---- | C] () -- C:\Users\Ryan\Desktop\Big Sloan & Ta Smallz Interview By JeremyMT - 12-5-08.WMA
[2008/12/08 16:36:05 | 00,056,388 | ---- | C] () -- C:\Users\Ryan\Desktop\waxeom.jpg

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 12:53 am

========== Files - Modified Within 30 Days ==========

[3 C:\Windows\*.tmp files]
[2009/01/06 19:23:02 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTViewIt.exe
[2009/01/06 19:08:31 | 00,368,781 | ---- | M] () -- C:\Users\Ryan\Desktop\dds(2).pif
[2009/01/06 19:07:34 | 00,368,781 | ---- | M] () -- C:\Users\Ryan\Desktop\dds.scr
[2009/01/06 19:06:26 | 00,368,784 | ---- | M] () -- C:\Users\Ryan\Desktop\dds.com
[2009/01/06 17:10:47 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/01/06 17:10:45 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/01/06 07:07:37 | 00,099,743 | ---- | M] () -- C:\Users\Ryan\Desktop\DxDiag.xml
[2009/01/06 04:08:02 | 00,001,930 | ---- | M] () -- C:\Users\Ryan\Desktop\HijackThis.lnk
[2009/01/06 03:10:24 | 00,074,120 | ---- | M] () -- C:\Users\Ryan\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/01/05 04:10:51 | 00,000,410 | ---- | M] () -- C:\Windows\BOC427.INI
[2009/01/05 03:59:33 | 00,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2009/01/04 18:41:50 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/01/04 18:41:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/01/03 16:37:54 | 00,000,268 | ---- | M] () -- C:\sqmdata00.sqm
[2009/01/02 20:33:47 | 00,018,689 | ---- | M] () -- C:\Users\Ryan\Documents\me 025.png
[2009/01/02 20:32:08 | 00,012,628 | ---- | M] () -- C:\Users\Ryan\Documents\me 420.jpg
[2009/01/02 19:10:48 | 00,427,482 | ---- | M] () -- C:\Users\Ryan\Desktop\stronglifts-5x5.pdf
[2009/01/01 23:02:56 | 00,019,456 | ---- | M] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/31 02:19:16 | 00,002,223 | ---- | M] () -- C:\Users\Ryan\Desktop\Rakion.lnk
[2008/12/30 02:26:37 | 00,001,854 | ---- | M] () -- C:\Users\Ryan\Desktop\Runes of Magic.lnk
[2008/12/24 16:54:49 | 00,026,831 | ---- | M] () -- C:\Users\Ryan\Documents\user40903_pic2213_1226558916.jpg
[2008/12/24 16:54:42 | 00,049,626 | ---- | M] () -- C:\Users\Ryan\Documents\user40903_pic1031_1217032325.jpg
[2008/12/24 16:54:26 | 00,010,695 | ---- | M] () -- C:\Users\Ryan\Documents\user40903_pic2440_1228178266.jpg
[2008/12/24 16:54:17 | 00,039,560 | ---- | M] () -- C:\Users\Ryan\Documents\user40903_pic2664_1229789391.jpg
[2008/12/18 03:34:26 | 04,669,466 | ---- | M] () -- C:\Users\Ryan\Documents\Wax & EOM - Music And Liquor.mp3
[2008/12/14 23:25:19 | 00,001,614 | ---- | M] () -- C:\Users\Public\Desktop\KnightOnline.lnk
[2008/12/12 00:52:52 | 03,578,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2008/12/11 18:43:34 | 00,000,754 | ---- | M] () -- C:\Users\Ryan\Desktop\Ventrilo.lnk
[2008/12/08 23:02:27 | 00,004,352 | ---- | M] () -- C:\Users\Ryan\Documents\cc_20081208_230216 new.reg
[2008/12/08 21:51:04 | 09,658,970 | ---- | M] () -- C:\Users\Ryan\Desktop\Big Sloan & Ta Smallz Interview By JeremyMT - 12-5-08.WMA
[2008/12/08 16:36:06 | 00,056,388 | ---- | M] () -- C:\Users\Ryan\Desktop\waxeom.jpg
< End of report >

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Wed Jan 07, 2009 1:03 am

Hello. I don't see any traces of what this malware does according to the links in your first post; there's no run value for it.
Although, I do want to look at this file.

Please upload this file in bold:
C:\Windows\System32\explorer.exe
To this site below for a scan.
[You must be registered and logged in to see this link.]
Copy and paste the results back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
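
The check Belahzur asks for above, done locally instead of by upload, as an added example that is not part of the thread: this PowerShell script (assumed to be run from an elevated prompt on the Vista x64 machine in question) hashes every explorer.exe and regedit.exe copy under C:\Windows, C:\Windows\System32 and C:\Windows\SysWOW64, prints size and modification time for comparison against the log posted above, reads the Authenticode signature, and runs sfc /verifyfile against the protected-file store. SysWOW64 is included because on 64-bit Windows a 32-bit process (a 32-bit browser's upload dialog, for instance) is silently redirected from System32 to SysWOW64, so "the explorer.exe in System32" is not the same file for every program that looks at it. The Get-Md5Hex helper and the $dirs list are this example's own assumptions. Windows system binaries are usually catalog-signed rather than carrying an embedded signature, so on Vista-era PowerShell the Authenticode status can read NotSigned even for a genuine file; that is why sfc, which checks the file against the component store, is the authoritative result here.

```powershell
# Added example (not from the thread): hash and verify the explorer.exe / regedit.exe
# copies in every directory where 64-bit Windows keeps them.
# Assumes an elevated PowerShell prompt; $dirs and Get-Md5Hex are this example's own.

$names = 'explorer.exe', 'regedit.exe'
$dirs  = @("$env:windir", "$env:windir\System32", "$env:windir\SysWOW64")

# MD5 via .NET so this also runs on PowerShell 1.0/2.0 (Get-FileHash needs PowerShell 4).
function Get-Md5Hex([string]$path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (-not (Test-Path $path)) { continue }

        $file = Get-Item $path
        $sig  = Get-AuthenticodeSignature $path

        # Size and timestamp are directly comparable with the OTViewIt log lines above;
        # the MD5 is comparable with what Jotti reports for an uploaded copy.
        "{0}`n  size {1,10} bytes  modified {2:yyyy-MM-dd HH:mm:ss}`n  md5 {3}`n  authenticode {4} ({5})" -f `
            $path, $file.Length, $file.LastWriteTime, (Get-Md5Hex $path), `
            $sig.Status, $sig.SignerCertificate.Subject

        # Catalog-signed system files often show NotSigned above; sfc checks the file
        # against the component store and is the authoritative verdict (Vista and later).
        sfc "/verifyfile=$path" | Out-String
    }
}
```

A copy that sfc reports as not matching, or whose size and timestamp differ from the log entries for the same path, is the one worth uploading for a multi-engine scan; a copy that sfc accepts and whose MD5 matches the uploaded file's hash is the same bytes the scanners already cleared.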

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 1:14 am

[You must be registered and logged in to see this link.] wrote:Hello. I don't see any traces of what this malware does according to the links in your first post; there's no run value for it.
Although, I do want to look at this file.

Please upload this file in bold:
C:\Windows\System32\explorer.exe
To this site below for a scan.
[You must be registered and logged in to see this link.]
Copy and paste the results back here.

hi i scanned it heres the results. one more thing.. the default location is in "C:/windows"
not "C:/windows/system32"? does that mean i should remove the explorer.exe and the regedit.exe in the system32 since theres the legit one in C:/windows? i cant see the file when i look for it in system32 but when i use virusjotti its there in my system32



File: explorer.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 4f554999d7d5f05daaebba7b5ba1089d
Packers detected: -
Scanner results

Scan taken on 07 Jan 2009 01:10:43 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Last edited by swedstoner on Wed Jan 07, 2009 1:17 am; edited 1 time in total


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Wed Jan 07, 2009 1:17 am

Hello.
No, don't do that.

The other ones, if clean, can be used as backups.

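The question in this exchange, whether a second explorer.exe or regedit.exe under a different directory means infection, is best answered by inventorying the copies and checking each one's hash and signature rather than deleting anything. The PowerShell script below is an added example, not code from the thread or from GeekPolice. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt so every directory is readable, and that the paths listed in $expected are the normal homes of these two binaries; WinSxS component-store copies are reported separately because they are legitimate. One caveat a practitioner would want: Windows system binaries are usually catalog-signed rather than carrying an embedded signature, so on older Windows versions Get-AuthenticodeSignature can report NotSigned for a perfectly good file; cross-check such a result with `sfc /verifyfile=<path>` or Sysinternals sigcheck, which understand catalogs. A likely (though unconfirmed by the thread) explanation for a file that an upload dialog "sees" in System32 but Explorer does not: on 64-bit Windows a 32-bit process asking for C:\Windows\System32 is redirected to C:\Windows\SysWOW64, which ships its own 32-bit explorer.exe.

```powershell
# Added example (not from the thread): inventory every explorer.exe / regedit.exe
# under the Windows directory, record hash and Authenticode state, and flag copies
# that live outside the expected locations or whose signature does not validate.
# Assumptions: PowerShell 4+ (Get-FileHash); run elevated so all directories are
# readable. $expected lists the well-known homes; SysWOW64 holds the 32-bit
# copies on 64-bit Windows, and WinSxS holds component-store copies.
$windir  = $env:SystemRoot
$targets = 'explorer.exe', 'regedit.exe'

$expected = @(
    (Join-Path $windir 'explorer.exe'),
    (Join-Path $windir 'regedit.exe'),
    (Join-Path $windir 'SysWOW64\explorer.exe'),
    (Join-Path $windir 'SysWOW64\regedit.exe')
)

$report = Get-ChildItem -Path $windir -Recurse -Include $targets -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
            # MD5 is kept only because multi-engine scanners (as in the thread) report it;
            # SHA256 is the value to compare against a known-good copy.
            MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus = $sig.Status
            Location  = if ($expected -contains $_.FullName) { 'expected' }
                        elseif ($_.FullName -like "$windir\WinSxS\*") { 'winsxs' }
                        else { 'UNEXPECTED' }
        }
    }

# Full inventory, grouped so the unexpected copies stand out.
$report | Sort-Object Location, Path |
    Format-Table Location, Path, SizeBytes, Modified, SigStatus, SHA256 -AutoSize

# Candidates for closer review: a copy in a non-standard directory, or one whose
# signature does not validate. Do not delete; submit the file to a multi-engine
# scanner and compare its hash with a known-good copy from install media first.
# Remember that catalog-signed OS files may show NotSigned on older Windows;
# confirm with:  sfc /verifyfile=<path>
$report | Where-Object { $_.Location -eq 'UNEXPECTED' -or $_.SigStatus -ne 'Valid' }
```

Run it from an elevated PowerShell prompt. The key design point is the same one Belahzur makes in the reply above: a duplicate that hashes and validates as the real binary is a backup, not a threat, so the script ranks copies by location and signature state instead of treating every extra file as suspect.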

Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 1:19 am

Belahzur wrote: Hello.
No, don't do that.

The other ones, if clean, can be used as backups.

So I'm clean? Did you notice anything else in my logs? Thanks for all this help.


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Belahzur on Wed Jan 07, 2009 1:25 am

No, nothing of suspicion.



Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by swedstoner on Wed Jan 07, 2009 1:28 am

Belahzur wrote: No, nothing of suspicion.

OK, that makes me feel a lot better! Thank you very much, you are great! All this help was very much appreciated, and you guys here at GeekPolice, thumbs up!
Thanks again, you saved my day. Hooray! Thank you!


Solved Re: SystemDir.explorer and SystemDir.regedit infected?

Post by Doctor Inferno on Mon Mar 02, 2009 9:49 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


