ROOTKIT PROBLEM, HELP PLEASE

dziguru, New Member (joined Aug 2008, 6 posts), posted 8-27-2008 8:49 (GMT +1):

Hi,
A few days ago I was installing a theme from Mozilla, and after that I was attacked with a big box on the screen which said that I had viruses and trojan horses. In the top left corner of the box was the name: ANTIVIRUS - XP 2008. I closed all my windows and saw that the background had been changed; there was a picture of the same box.
So I ran my antivirus, NOD32, and deleted: FakeAlert.HC trojan, FakeAlert.GS trojan, Kriptik.E trojan, Adware.XP Antivirus application.
With SPYBOT I deleted: Smithfraud-C.gp, SmithfraudC.gp, win32/Bagle.gen.zip worm.
I restarted the computer in Safe Mode, and from there I ran Dr. Web CureIt; with it I deleted a trojan Win32 (or something like that).
After restarting the computer I ran SPYBOT and NOD32 again, and they didn't find anything. But soon afterwards I ran Mozilla and it crashed again with that "ANTIVIRUS - XP 2008" window.
I deleted from the registry editor everything that was related to that name. After that I was able to change the background, and I thought that everything was over.
The next day when I turned on the computer and ran Mozilla, it was very slow on some pages, and on some pages related to antiviruses, e.g. SAS, Norton, etc., I was banned from entering.
I rebooted the computer and ran COMBOFIX from Safe Mode, but it gave me a message that I have a rootkit and need to reboot the computer. I did that, and again from Safe Mode ComboFix gave me the same message. It just couldn't do anything.
I ran ROOTKIT REVEALER, and from that I found, of course, that I'm infected with that virus.
Also, before posting here I ran SAS, CCLEANER, SPYBOT, NOD32 and HijackThis, but there was nothing to be found.
Would you be so kind and help me, PLEASE!
I forgot to mention: when NOD32 and SPYBOT came across some of the trojans, or tried to delete them, I was hit with a blue screen, and the computer automatically tried to reboot, and again and again after rebooting there was a blue screen. After I rebooted manually, everything was OK, and I ran NOD32 or SPYBOT again, depending on which was running when the blue screen appeared. After deleting some trojans, the blue screen never happened again.
Here are the logs:
SAS
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/27/2008 at 08:53 PM

Application Version : 4.20.1046

Core Rules Database Version : 3541
Trace Rules Database Version: 1530

Scan type : Quick Scan
Total Scan Time : 00:20:19

Memory items scanned : 610
Memory threats detected : 0
Registry items scanned : 537
Registry threats detected : 0
File items scanned : 10073
File threats detected : 0
-----------------------------------------------------
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:13:54, on 27.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
F:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CPwmIEBrowserHelper Object - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oikon.local
O17 - HKLM\Software\..\Telephony: DomainName = oikon.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oikon.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = oikon.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AHM - Unknown owner - C:\DOCUME~1\Goran\LOCALS~1\Temp\AHM.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

-- End of file - 14867 bytes
---------------------------------------------------
Rootkit Revealer
HKLM\SECURITY\Policy\Secrets\SAC* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.wid\bin 27.8.2008 16:40 176 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 27.8.2008 14:53 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\tdss 27.8.2008 14:53 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\tdssserv 27.8.2008 15:26 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\tdssserv 27.8.2008 15:26 0 bytes Hidden from Windows API.
C: 1.1.1601 2:00 0 bytes Error mounting volume
----------------------------------------------------
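The Rootkit Revealer lines above are where the real verdict lives, and they are read by type rather than by count: an entry that is "Hidden from Windows API" can only come from something actively filtering what the API returns, whereas the embedded-null entries under LSA Secrets show up on plenty of clean XP installs. The script below is an added example (not part of the post and not part of RootkitRevealer) that parses lines in that format, grades them, extracts the common name stem of the hidden entries, and flags the ones sitting under SafeBoot, which is the reason booting to Safe Mode did not get the driver out of the way. The sample log is constructed from the entries in the post; the file line for drivers\tdssserv.sys is an assumption added to show a file entry alongside the registry ones.

```python
"""Triage a RootkitRevealer log (added example, not RootkitRevealer's own code).

RootkitRevealer lists discrepancies between what the Windows API reports and
what it reads from the raw registry hives and the raw NTFS volume.  Not every
discrepancy is a rootkit, so sort them by type before counting anything.
"""
import re
from collections import Counter

# Constructed sample modelled on the log in the post above.  The file line is
# an assumption; the quoted log excerpt shows registry entries only.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.wid\bin 27.8.2008 16:40 176 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 27.8.2008 14:53 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\tdss 27.8.2008 14:53 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 25.8.2008 13:40 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\tdssserv 27.8.2008 15:26 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\tdssserv.sys 25.8.2008 13:40 41,984 bytes Hidden from Windows API.
C: 1.1.1601 2:00 0 bytes Error mounting volume
"""

# path (may contain spaces)  d.m.yyyy  h:mm  size bytes  description
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}\.\d{1,2}\.\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<size>[\d,]+) bytes (?P<desc>.+?)\s*$"
)


def classify(path, desc):
    """Severity by discrepancy type, with the one well-known benign case split out."""
    if desc.startswith("Hidden from Windows API"):
        return "high"       # only an active filter produces this
    if desc.startswith("Data mismatch"):
        return "medium"     # API and hive disagree on content; could be timing
    if desc.startswith("Key name contains embedded nulls"):
        # The SAC*/SAI* LSA secrets are stored this way by Windows itself and are
        # reported on clean XP machines; treated as low here (an assumption of
        # this script), anywhere else the same description deserves a look.
        return "low" if "\\Policy\\Secrets\\" in path else "medium"
    if desc.startswith("Error mounting volume"):
        return "info"       # the raw volume read failed; no verdict either way
    return "medium"


def parse(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        f = m.groupdict()
        f["size"] = int(f["size"].replace(",", ""))
        f["severity"] = classify(f["path"], f["desc"])
        findings.append(f)
    return findings


def leaf(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def hidden_name_family(findings):
    """Longest common prefix of the hidden leaf names.  Keys, a service and a
    driver file all sharing one short stem is one rootkit installed under one name."""
    names = [leaf(f["path"]) for f in findings if f["severity"] == "high"]
    if not names:
        return ""
    prefix = names[0]
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def safe_mode_persistent(findings):
    """Hidden entries under SafeBoot\\Minimal or SafeBoot\\Network: the driver is
    whitelisted for Safe Mode too, so a Safe Mode boot still loads it."""
    return sorted({leaf(f["path"]) for f in findings
                   if f["severity"] == "high" and "\\safeboot\\" in f["path"].lower()})


def summarize(log_text):
    findings = parse(log_text)
    return {
        "counts": dict(Counter(f["severity"] for f in findings)),
        "family": hidden_name_family(findings),
        "safe_mode": safe_mode_persistent(findings),
        "hidden": [f["path"] for f in findings if f["severity"] == "high"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the sample the summary comes back with one name family, tdss, and tdssserv.sys listed under SafeBoot; that pairing is the answer to why ComboFix kept reporting a rootkit from Safe Mode, and it is the set of names to look for in whatever cleans up afterwards.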
dziguru, New Member (joined Aug 2008, 6 posts), posted 8-28-2008 9:04 (GMT +1):

Hello again.
In the meantime I installed Malwarebytes' Anti-Malware (from http://www.besttechie.net/tools/mbam-setup.exe), and it found a lot of infected files (log is below).
After that I was finally able to run ComboFix; it also found some suspicious .dll files (log is below).
But what I'm worried about now is that Rootkit Revealer found 256 files that are hidden from the Windows API?! WTF?!
I don't know exactly whether that is just something from my computer that is not related to any kind of infection, or whether I should be worried. Please, if anyone can be of any help I would appreciate it! Thanks!
Here are the logs:
Malwarebytes'
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

0:42:40 28.8.2008
mbam-log-08-28-2008 (00-42-40).txt

Scan type: Quick Scan
Objects scanned: 66821
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
--------------------------------------------------------------------------
ComboFix
ComboFix 08-08-26.02 - goran 2008-08-28 1:58:39.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.393 [GMT 2:00] Running from: C:\Documents and Settings\Goran\Desktop\ComboFix.exe * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\WINDOWS\system32\REGOBJ.DLL
----- BITS: Possible infected sites -----
http://deepspace . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\Legacy_TDSSSERV -------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 ))))))))))))))))))))))))))))))) .
2008-08-28 00:38 . 2008-08-28 00:38 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\Malwarebytes 2008-08-28 00:37 . 2008-08-28 01:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-08-28 00:37 . 2008-08-28 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-27 20:55 . 2008-08-27 20:55 <DIR> d-------- C:\Program Files\Yahoo! 2008-08-27 20:55 . 2008-08-27 21:00 <DIR> d-------- C:\Program Files\CCleaner 2008-08-27 20:31 . 2008-08-27 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-08-26 15:57 . 2008-08-26 15:57 <DIR> d-------- C:\Program Files\NX Client for Windows 2008-08-26 15:57 . 2008-08-27 13:40 <DIR> d-------- C:\Documents and Settings\Goran\.nx 2008-08-26 00:51 . 2008-08-27 20:40 <DIR> d-------- C:\Documents and Settings\Goran\DoctorWeb 2008-08-25 19:10 . 2008-08-27 20:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-08-25 19:10 . 2008-08-27 20:31 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\SUPERAntiSpyware.com 2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-08-25 17:09 . 2008-08-25 17:09 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2008-08-22 12:07 . 2008-08-25 16:24 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\BitTorrent 2008-08-22 12:06 . 2008-08-28 02:07 <DIR> d-------- C:\Program Files\DNA 2008-08-22 12:06 . 2008-08-28 02:07 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\DNA 2008-08-22 11:50 . 2008-08-27 15:10 <DIR> d-------- C:\Work 2008-08-22 11:47 . 2008-08-22 14:18 <DIR> d-------- C:\OSTALO 2008-08-22 11:38 . 2008-08-22 11:41 <DIR> d-------- C:\Program Files\BSplayer 2008-08-21 23:40 . 2003-07-29 16:16 299,008 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax 2008-08-21 23:40 . 2001-08-18 20:00 262,144 --a------ C:\WINDOWS\system32\mpg4ds32.axu 2008-08-21 23:40 . 
2004-02-26 02:08 236,544 --a------ C:\WINDOWS\system32\divxdec.ax 2008-08-21 23:40 . 2004-04-05 13:36 217,088 --a------ C:\WINDOWS\system32\xvidcore.dll 2008-08-21 23:40 . 2000-06-30 17:40 139,264 --a------ C:\WINDOWS\system32\Mpeg2Decoder.ax 2008-08-21 23:40 . 2008-04-06 00:43 136,192 --a------ C:\WINDOWS\system32\VideoEdit.ocx 2008-08-21 23:40 . 2004-02-10 19:15 128,512 --a------ C:\WINDOWS\system32\xvid.dll 2008-08-21 23:40 . 2000-06-26 13:13 94,208 --a------ C:\WINDOWS\system32\Mpeg2Parser.ax 2008-08-21 23:40 . 2004-04-05 13:46 61,440 --a------ C:\WINDOWS\system32\xvid.ax 2008-08-21 23:40 . 2007-08-08 12:25 61,440 --a------ C:\WINDOWS\system32\imgscaler.dll 2008-08-21 23:40 . 2007-08-08 12:26 22,016 --a------ C:\WINDOWS\system32\img_utils.dll 2008-08-21 23:39 . 2003-05-22 13:27 620,094 --a------ C:\WINDOWS\system32\divx.dll 2008-08-21 23:39 . 2003-08-19 15:20 180,224 --a------ C:\WINDOWS\system32\ac3filter.ax 2008-08-21 09:25 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-20 16:33 . 2008-08-20 16:40 <DIR> d-------- C:\Program Files\MotoGP 2008-08-18 21:43 . 2008-08-18 21:43 0 --------- C:\WINDOWS\cfgedit.INI 2008-08-02 20:59 . 2008-08-02 20:59 287 --------- C:\WINDOWS\EReg072.dat 2008-08-02 20:56 . 2008-08-02 20:56 <DIR> d-------- C:\Program Files\Electronic Arts 2008-07-31 15:10 . 2008-07-31 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NFS Underground Demo 2008-07-31 15:09 . 2008-07-31 15:09 <DIR> d-------- C:\Program Files\Common Files\DirectX
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-28 00:08 --------- d-----w C:\Documents and Settings\Goran\Application Data\Skype 2008-08-27 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-08-27 22:48 --------- d-----w C:\Documents and Settings\Goran\Application Data\OpenOffice.org2 2008-08-27 22:05 --------- d-----w C:\Documents and Settings\Goran\Application Data\skypePM 2008-08-27 09:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-08-27 08:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-08-26 09:58 --------- d-----w C:\Program Files\Norton Internet Security 2008-08-26 09:00 --------- d-----w C:\Program Files\Creative 2008-08-25 15:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-08-25 15:07 --------- d-----w C:\Program Files\Microsoft Works 2008-08-25 14:15 --------- d-----w C:\Program Files\Java 2008-08-22 10:05 --------- d-----w C:\Documents and Settings\Goran\Application Data\LimeWire 2008-08-20 13:10 --------- d-----w C:\Program Files\LimeWire 2008-08-13 16:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-07-22 19:49 --------- d-----w C:\Documents and Settings\Goran\Application Data\Apple Computer 2008-07-03 14:23 --------- d-----w C:\Documents and Settings\Goran\Application Data\Ahead 2008-07-03 14:22 --------- d-----w C:\Program Files\Common Files\Ahead 2008-07-03 14:22 --------- d-----w C:\Program Files\Ahead 2008-07-02 13:14 --------- d-----w C:\Documents and Settings\Goran\Application Data\FastStone 2008-07-02 13:13 --------- d-----w C:\Program Files\FastStone Capture 2008-07-02 13:09 --------- d-----w C:\Program Files\Google 2008-07-01 09:32 --------- d-----w C:\Program Files\OpenOffice.org 2.4 2008-02-21 12:38 32 ------w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2007-12-29 05:13 1,398,352 ------w 
C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe 2007-12-29 05:04 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024] "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-08-22 12:06 342336] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-05 18:18 200704] "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-05 18:18 208896] "TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 20:03 58416] "TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 07:49 66176] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-03-05 15:27 172032] "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 19:32 243248] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-07 03:27 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-07 03:27 162328] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-07 03:27 137752] "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-07-12 06:53 540672] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 15:20 122940] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 02:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 02:50 81920] "AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 12:51 91688] "AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 20:00 419376] "LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-07-12 19:11 124256] "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 02:24 196696] "cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-04 02:35 2630968] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-28 15:26 949376] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 18:20 385024] 
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816] "IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-13 04:28 431752] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 09:11 771704] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648] "TpShocks"="TpShocks.exe" [2007-09-28 23:28 181544 C:\WINDOWS\system32\TpShocks.exe] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
C:\Documents and Settings\Goran\Start Menu\Programs\Startup\ OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-28 03:43:30 561213] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-29 07:00:15 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 08:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 09:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-06 00:52 32768 c:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NX Client for Windows\\nxclient.exe"=
"C:\\Program Files\\NX Client for Windows\\bin\\nxssh.exe"=
"\\\\pan\\c$\\Program Files\\NX Client for Windows\\nxclient.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Downloads\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-09-29 02:29]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-09-29 02:28]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 19:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 21:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-09-05 18:18]
R2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 13:38]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-15 08:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-12 06:38]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-23 01:59]
S3 AHM;AHM;C:\DOCUME~1\Goran\LOCALS~1\Temp\AHM.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10301cde-e50c-11dc-9898-001e37216257}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder
2008-06-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
2008-08-28 C:\WINDOWS\Tasks\PMTask.job - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-09-05 18:18]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Goran\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - c:\program files\yahoo!\common\npyaxmpb.dll
.
.
------- File Associations (Beta) -------
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 02:06:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tdssserv]
"imagepath"="\systemroot\system32\drivers\tdssserv.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-28 2:14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 00:14:29

Pre-Run: 115,591,778,304 bytes free
Post-Run: 115,457,679,360 bytes free
271 --- E O F --- 2008-08-25 15:10:01
--------------------------------------------------------------------------------
Rootkit Revealer
HKLM\SECURITY\Policy\Secrets\SAC* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 30.4.2006 9:30 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.wid\bin 28.8.2008 0:54 176 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\Timestamp 27.8.2008 23:54 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Scheduler\100\LastExec 27.8.2008 23:54 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\3F1B32CFd01 28.8.2008 1:30 20.12 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\4CC06E70d01 28.8.2008 1:30 147.08 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\56DE028Dd01 28.8.2008 1:30 46.49 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\5FA35996d01 28.8.2008 1:30 34.47 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\6A9AA3FBd01 28.8.2008 1:30 53.24 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\95290131d01 28.8.2008 1:30 24.32 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\DF9621EDd01 28.8.2008 1:30 31.22 KB Hidden from Windows API.
C:\Documents and Settings\Goran\Local Settings\Application Data\Mozilla\Firefox\Profiles\ecwx3eoy.default\Cache\E9FEDEC7d01 28.8.2008 1:30 40.01 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\My\CTLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\My\Keys 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\My\Keys\44ECEA32CA11A18812FD211BF72C41B62052C92E 28.8.2008 0:48 240 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\Request 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\Request\Certificates 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\Request\CRLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\SystemCertificates\Request\CTLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService 29.12.2007 7:26 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data 29.12.2007 7:26 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 28.8.2008 0:48 0 bytes Hidden from Windows API. 
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService 29.12.2007 7:26 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data 29.12.2007 7:26 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_ca4ec190-8c65-410b-b61b-7b5969638bcc 28.8.2008 0:48 2.46 KB Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\CREDHIST 28.8.2008 0:48 24 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\d010c3e1-e171-42eb-a4cf-f52963f960b8 28.8.2008 0:48 388 bytes Hidden from Windows API. 
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\Preferred 28.8.2008 0:48 24 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 28.8.2008 0:48 0 bytes Hidden from Windows API. C:\RRbackups\SIS 31.1.2008 11:21 0 bytes Hidden from Windows API. C:\RRbackups\SIS\C 27.8.2008 13:23 0 bytes Hidden from Windows API. C:\WINDOWS\SoftwareDistribution\EventCache\{997936AA-CBC5-4445-A1F1-C2B9990DAA8A}.bin 28.8.2008 1:24 8 bytes Hidden from Windows API.
---------------------------------------------------------------------------------------------
SAS
SUPERAntiSpyware Scan Log http://www.superantispyware.com
Generated 08/28/2008 at 09:50 AM
Application Version : 4.20.1046
Core Rules Database Version : 3550
Trace Rules Database Version: 1538
Scan type : Quick Scan
Total Scan Time : 00:22:47
Memory items scanned : 631
Memory threats detected : 0
Registry items scanned : 539
Registry threats detected : 0
File items scanned : 9537
File threats detected : 0
------------------------------------------------------------
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53, on 2008-08-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Goran\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CPwmIEBrowserHelper Object - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oikon.local
O17 - HKLM\Software\..\Telephony: DomainName = oikon.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oikon.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = oikon.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AHM - Unknown owner - C:\DOCUME~1\Goran\LOCALS~1\Temp\AHM.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

-- End of file - 14675 bytes
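The RootkitRevealer output above reached the forum as one flattened run of records, each ending in "Hidden from Windows API.", which makes it hard to see what was actually flagged. The script below is an added example written for this page; it is not part of the original post and not a Sysinternals or RootkitRevealer tool. It splits such a run back into records, normalises the sizes, and separates entries under an analyst-supplied allow-list of prefixes from the ones that still need a manual look. The allow-list entry `C:\RRbackups\` is an assumption for this particular laptop: that is the backup area that the Lenovo Rescue and Recovery backup-protection service (rrpservice.exe in the HijackThis log above) keeps hidden from the Windows API, so those entries are an expected discrepancy rather than evidence of a rootkit. The `example.sys` record in the sample input is constructed for the example and does not appear in the post.

```python
import re
from collections import Counter

# Constructed sample: RootkitRevealer records flattened onto one line, the way
# the log appears in the post above. The last record (example.sys) is hypothetical
# and was added so that the triage has something outside the allow-list to report.
SAMPLE_LOG = (
    r"C:\RRbackups\Documents and Settings\Goran\Application Data\Microsoft\Protect\CREDHIST "
    r"28.8.2008 0:48 24 bytes Hidden from Windows API. "
    r"C:\RRbackups\SIS\C 27.8.2008 13:23 0 bytes Hidden from Windows API. "
    r"C:\WINDOWS\SoftwareDistribution\EventCache\{997936AA-CBC5-4445-A1F1-C2B9990DAA8A}.bin "
    r"28.8.2008 1:24 8 bytes Hidden from Windows API. "
    r"C:\WINDOWS\system32\drivers\example.sys 28.8.2008 1:30 12.5 KB Hidden from Windows API."
)

# Assumption for this laptop: C:\RRbackups is the Lenovo Rescue and Recovery backup
# area, which its backup-protection service hides on purpose. Verify before trusting.
ALLOWED_PREFIXES = ("C:\\RRbackups\\",)

# One record = path, date, time, size, unit, status sentence. Paths may contain
# spaces, so the path is matched lazily up to the first "d.m.yyyy h:mm size unit".
_LOCATION = r"(?:[A-Za-z]:\\|HK(?:LM|CU|U)\\)"
RECORD = re.compile(
    r"(?P<path>" + _LOCATION + r".*?)\s+"
    r"(?P<date>\d{1,2}\.\d{1,2}\.\d{4})\s+(?P<time>\d{1,2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<status>.+?\.)(?=\s+" + _LOCATION + r"|\s*$)"
)

UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def size_in_bytes(size, unit):
    """RootkitRevealer prints rounded sizes ("1.27 KB"); convert back to bytes."""
    return int(round(float(size) * UNIT[unit]))


def parse_rootkitrevealer(text):
    """Split a (possibly flattened) RootkitRevealer log into one dict per record."""
    return [
        {
            "path": m["path"],
            "timestamp": f"{m['date']} {m['time']}",
            "size_bytes": size_in_bytes(m["size"], m["unit"]),
            "status": m["status"],
        }
        for m in RECORD.finditer(text)
    ]


def triage(records, allowed_prefixes=ALLOWED_PREFIXES):
    """Separate records under a known-benign prefix from those that need a look."""
    allowed, suspect = [], []
    for rec in records:
        path = rec["path"].lower()
        bucket = allowed if any(path.startswith(p.lower()) for p in allowed_prefixes) else suspect
        bucket.append(rec)
    return allowed, suspect


def summarize(records, depth=2):
    """Count hidden entries per top-level location (first `depth` path components)."""
    return Counter("\\".join(rec["path"].split("\\")[:depth]) for rec in records)


if __name__ == "__main__":
    records = parse_rootkitrevealer(SAMPLE_LOG)
    allowed, suspect = triage(records)
    print(f"{len(records)} records, {len(allowed)} under allow-listed prefixes")
    for location, count in summarize(records).most_common():
        print(f"  {count:4d}  {location}")
    print("to verify by hand:")
    for rec in suspect:
        print(f"  {rec['path']}  ({rec['size_bytes']} bytes, {rec['status']})")
```

A discrepancy between the Windows API view and the raw on-disk view is a symptom, not a verdict: files that Windows itself writes or deletes while the scan is running also show up in this list, so the allow-list is only there to shrink the set of entries you then check by hand.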
Touch Forum Moderator
Date Joined Jun 2004 Total Posts : 14291 | Posted 9-5-2008 8:31 (GMT +1)
It looks like you have two active antivirus programs running?
"If the resident scanners of two different AV programs are used simultaneously, conflicts can result. The computer may run very, very slowly, it may become difficult to access files or the computer may crash altogether."
I'll therefore suggest you remove one of them from Add/Remove Programs in Control Panel.
Reboot
Post new combofix log:
And save to the desktop.
Close all other browser windows.
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.
Do NOT post your problem in someone else's thread.
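The moderator spotted the second antivirus from the O23 service lines of the HijackThis log. What follows is an added example, not from the thread and not a HijackThis feature, of doing that triage mechanically over such a log: it parses the O4, O20 and O23 lines, flags autostart entries whose file is missing, flags services launched from a Temp directory (the `AHM` service in the log above is both), and counts distinct antivirus vendors among service owners. The vendor table and the Temp-directory rule are heuristics assumed for this example; the sample lines are copied from the log posted earlier in this thread.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: AHM - Unknown owner - C:\DOCUME~1\Goran\LOCALS~1\Temp\AHM.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Assumed heuristic for this example: substrings of the O23 owner field that
# identify a resident antivirus vendor. Extend the table for other products.
AV_VENDORS = {"eset": "ESET", "symantec": "Symantec"}

# O23 - Service: <display name> - <owner> - <image path>
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumed rule: nothing legitimate should be installed as a service from ...\Temp\
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)   # also matches ...\LOCALS~1\Temp\...


def triage_hijackthis(log):
    """Return a list of findings ({"level", "line", "why"}) for one HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if "(file missing)" in line:
            findings.append({"level": "medium", "line": line,
                             "why": "autostart entry points at a file that no longer exists"})
        svc = O23.match(line)
        if svc and TEMP_DIR.search(svc["path"]):
            findings.append({"level": "high", "line": line,
                             "why": f"service '{svc['name']}' runs from a Temp directory"})
        elif line.startswith("O4 ") and TEMP_DIR.search(line):
            findings.append({"level": "high", "line": line,
                             "why": "Run key launches a binary from a Temp directory"})
    return findings


def resident_av_vendors(log, vendors=AV_VENDORS):
    """Distinct antivirus vendors that own a service (O23 line) in the log."""
    found = set()
    for line in log.splitlines():
        svc = O23.match(line.strip())
        if svc:
            owner = svc["owner"].lower()
            found.update(label for key, label in vendors.items() if key in owner)
    return found


if __name__ == "__main__":
    for f in sorted(triage_hijackthis(SAMPLE_HJT), key=lambda f: f["level"]):
        print(f"[{f['level']}] {f['why']}\n    {f['line']}")
    vendors = resident_av_vendors(SAMPLE_HJT)
    if len(vendors) > 1:
        print(f"[medium] more than one antivirus installed as a service: {', '.join(sorted(vendors))}")
```

A "(file missing)" entry is usually what is left after a scanner deletes a payload but not the registry entry that started it; it is harmless on its own but is the kind of entry HijackThis's fix function is meant to clear.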
dziguru New Member
Date Joined Aug 2008 Total Posts : 6 | Posted 9-5-2008 9:49 (GMT +1)
Hi, thanks for the quick reply :)
I deleted all the unnecessary AV programs from my computer. There is only NOD32 left, and some parts of the stupid Norton which came with my computer. I was trying to delete it, but it is not possible: with Add/Remove Programs I removed about 30% of the program, and with the Norton Removal Tool about 5-10% more. It is just impossible, it does not allow me. With Autoruns I disabled everything that is connected with Symantec products.
Here is the ComboFix log:
ComboFix 08-09-04.08 - Goran 2008-09-05 10:14:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.434 [GMT 2:00]
Running from: C:\Documents and Settings\Goran\Desktop\ComboFix.exe
Command switches used :: /snapshot
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-08-28 11:48 . 2008-08-28 11:48 0 --------- C:\WINDOWS\system32\OQTEN
2008-08-28 00:38 . 2008-08-28 00:38 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\Malwarebytes
2008-08-28 00:37 . 2008-09-05 09:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 00:37 . 2008-08-28 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 20:55 . 2008-08-27 20:55 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-26 15:57 . 2008-08-26 15:57 <DIR> d-------- C:\Program Files\NX Client for Windows
2008-08-26 15:57 . 2008-09-04 09:18 <DIR> d-------- C:\Documents and Settings\Goran\.nx
2008-08-26 00:51 . 2008-08-27 20:40 <DIR> d-------- C:\Documents and Settings\Goran\DoctorWeb
2008-08-25 19:10 . 2008-09-02 09:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-25 19:10 . 2008-09-02 09:40 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\SUPERAntiSpyware.com
2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 17:09 . 2008-08-25 17:09 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-22 12:07 . 2008-09-05 01:23 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\BitTorrent
2008-08-22 12:06 . 2008-09-05 10:01 <DIR> d-------- C:\Program Files\DNA
2008-08-22 12:06 . 2008-09-05 10:11 <DIR> d-------- C:\Documents and Settings\Goran\Application Data\DNA
2008-08-22 11:50 . 2008-09-02 11:35 <DIR> d-------- C:\Work
2008-08-22 11:47 . 2008-09-01 14:09 <DIR> d-------- C:\OSTALO
2008-08-22 11:38 . 2008-08-29 15:49 <DIR> d-------- C:\Program Files\BSplayer
2008-08-21 23:40 . 2003-07-29 16:16 299,008 --------- C:\WINDOWS\system32\RealMediaSplitter.ax
2008-08-21 23:40 . 2001-08-18 20:00 262,144 --------- C:\WINDOWS\system32\mpg4ds32.axu
2008-08-21 23:40 . 2004-02-26 02:08 236,544 --------- C:\WINDOWS\system32\divxdec.ax
2008-08-21 23:40 . 2004-04-05 13:36 217,088 --------- C:\WINDOWS\system32\xvidcore.dll
2008-08-21 23:40 . 2000-06-30 17:40 139,264 --------- C:\WINDOWS\system32\Mpeg2Decoder.ax
2008-08-21 23:40 . 2008-04-06 00:43 136,192 --------- C:\WINDOWS\system32\VideoEdit.ocx
2008-08-21 23:40 . 2004-02-10 19:15 128,512 --------- C:\WINDOWS\system32\xvid.dll
2008-08-21 23:40 . 2000-06-26 13:13 94,208 --------- C:\WINDOWS\system32\Mpeg2Parser.ax
2008-08-21 23:40 . 2004-04-05 13:46 61,440 --------- C:\WINDOWS\system32\xvid.ax
2008-08-21 23:40 . 2007-08-08 12:25 61,440 --------- C:\WINDOWS\system32\imgscaler.dll
2008-08-21 23:40 . 2007-08-08 12:26 22,016 --------- C:\WINDOWS\system32\img_utils.dll
2008-08-21 23:39 . 2003-05-22 13:27 620,094 --------- C:\WINDOWS\system32\divx.dll
2008-08-21 23:39 . 2003-08-19 15:20 180,224 --------- C:\WINDOWS\system32\ac3filter.ax
2008-08-21 09:25 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-20 16:33 . 2008-08-20 16:40 <DIR> d-------- C:\Program Files\MotoGP
2008-08-18 21:43 . 2008-08-18 21:43 0 --------- C:\WINDOWS\cfgedit.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 08:03 --------- d-----w C:\Documents and Settings\Goran\Application Data\Skype
2008-09-05 08:02 --------- d-----w C:\Documents and Settings\Goran\Application Data\OpenOffice.org2
2008-09-05 07:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-05 07:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-05 07:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-05 07:10 --------- d-----w C:\Documents and Settings\Goran\Application Data\skypePM
2008-09-04 18:38 --------- d-----w C:\Documents and Settings\Goran\Application Data\LimeWire
2008-09-04 12:00 --------- d-----w C:\Program Files\IrfanView
2008-08-27 08:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-26 09:58 --------- d-----w C:\Program Files\Norton Internet Security
2008-08-26 09:00 --------- d-----w C:\Program Files\Creative
2008-08-25 15:07 --------- d-----w C:\Program Files\Microsoft Works
2008-08-25 14:15 --------- d-----w C:\Program Files\Java
2008-08-20 13:10 --------- d-----w C:\Program Files\LimeWire
2008-08-13 16:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-02 18:56 --------- d-----w C:\Program Files\Electronic Arts
2008-07-31 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground Demo
2008-07-31 13:09 --------- d-----w C:\Program Files\Common Files\DirectX
2008-07-22 19:49 --------- d-----w C:\Documents and Settings\Goran\Application Data\Apple Computer
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:36 245,248 ------w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ------w C:\WINDOWS\system32\dl
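Each record in the ComboFix "Files Created" section above carries the creation time, the last-write time, the size (or `<DIR>`), nine attribute flags and the path. The following is an added example, not from the thread and not part of ComboFix, that parses those records and applies two review heuristics of its own: a file written directly into `C:\WINDOWS` or `C:\WINDOWS\system32` that has no extension, or that is zero bytes long, is listed for manual inspection. Both rules are assumptions made for this example (a packaged file copied in by an installer normally has an extension and a non-zero size, and `dllcache` is excluded because Windows maintains it); the sample records are copied from the log above.

```python
import re
from datetime import datetime

# Constructed sample: records copied from the "Files Created" section of the
# ComboFix log above (one per line, as ComboFix itself prints them).
SAMPLE_COMBOFIX = r"""
2008-08-28 11:48 . 2008-08-28 11:48 0 --------- C:\WINDOWS\system32\OQTEN
2008-08-28 00:37 . 2008-09-05 09:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 23:40 . 2004-02-26 02:08 236,544 --------- C:\WINDOWS\system32\divxdec.ax
2008-08-21 09:25 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-18 21:43 . 2008-08-18 21:43 0 --------- C:\WINDOWS\cfgedit.INI
"""

# <created> . <modified> <size or <DIR>> <nine attribute flags> <path>
RECORD = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[\w-]{9}) (?P<path>.+)$"
)
# Assumed review rule: files dropped directly into C:\WINDOWS or system32.
# Subfolders (dllcache, drivers, ...) are deliberately not matched here.
WINDOWS_ROOT = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


def parse_created_section(text):
    """Turn the 'Files Created' lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        records.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return records


def review_reasons(rec):
    """Why a record deserves a manual look; an empty list means nothing noted."""
    reasons = []
    if rec["is_dir"] or not WINDOWS_ROOT.match(rec["path"]):
        return reasons
    name = rec["path"].rsplit("\\", 1)[1]
    if "." not in name:
        reasons.append("no file extension")
    if rec["size"] == 0:
        reasons.append("zero-length file")
    return reasons


def files_to_review(text):
    """Map path -> reasons for every record that trips at least one rule."""
    flagged = {}
    for rec in parse_created_section(text):
        reasons = review_reasons(rec)
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in files_to_review(SAMPLE_COMBOFIX).items():
        print(f"{path}: {', '.join(reasons)}")
```

The last-write time being older than the creation time (the codec files above, written in 2003 and 2004 but created on 2008-08-21) is what a normal installer copy looks like, so the example does not treat that as suspicious; a zero-byte, extension-less name created and written in the same minute is the pattern worth a second look.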