HELP YE BLEEPINGCOMPUTER.COM GODS!


21 replies to this topic

#1 deeneeweenee

  • Members
  • 9 posts

Posted 09 March 2009 - 06:48 AM

Please take pity: I have spent over 3 hours on the HijackThis scan, and then posting this pity plea! My 13 year old daughter has LimeWired and MySpaced her computer into oblivion, and has been using my computer for "homework" while I am at work. Since that time, strange changes have happened to my computer! What a coincidence, huh? Anyhow, I really respect you geeky wizards, and if you decide to throw me a bone, I promise to monitor and maintain my system (in other words, threaten my child within an inch of her life). Thank you, thank you, thank you in advance, Denise

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 3:56:29.09 on Mon 03/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.12 [GMT -7:00]


============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk788YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
Trusted Zone: yahoo.com\us.mc314.mail
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {F573D2CF-FD78-48D9-82CB-225575122902} = 66.51.205.100,66.51.206.100
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Trend Micro Anti-Spyware Shell Extension: {03a80b1d-5c6a-42c2-9dfb-81b6005d8023} - c:\program files\trend micro\tmas\sshook.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-09 03:24 <DIR> --d----- c:\program files\Cobian Backup 8
2009-03-08 05:31 <DIR> --d----- c:\program files\ACW
2009-03-07 03:02 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-07 03:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 03:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 03:01 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-07 03:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 20:24 <DIR> --d----- c:\program files\Bonjour
2009-02-21 09:04 12 a------- c:\documents and settings\owner\bitpim.dat
2009-02-21 08:49 90,624 a------- c:\windows\system32\kswdmcap.ax
2009-02-21 08:49 28,672 a------- c:\windows\system32\vidcap.ax
2009-02-21 08:49 61,952 a------- c:\windows\system32\kstvtune.ax
2009-02-21 08:49 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-02-21 08:49 43,008 a------- c:\windows\system32\ksxbar.ax
2009-02-21 03:48 <DIR> --d----- c:\program files\SAMSUNG CDMA Modem
2009-02-21 03:47 <DIR> --d----- c:\program files\QuickLink Mobile
2009-02-21 03:47 <DIR> --d----- c:\program files\common files\Smith Micro Shared
2009-02-21 00:39 <DIR> --d----- c:\program files\BitPim
2009-02-20 15:15 16,640 a----r-- c:\windows\system32\drivers\PalmUSBD.sys
2009-02-20 14:58 <DIR> --d----- c:\program files\Palm
2009-02-19 21:35 <DIR> --d----- C:\BigClock
2009-02-16 14:27 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-02-16 14:26 <DIR> --d----- c:\program files\AVG
2009-02-08 09:34 31,262,848 a------- c:\program files\AVAST ANTIVIRUS DOWNLOAD.exe

==================== Find3M ====================

2009-02-19 14:58 130,476 ac--h--- c:\windows\system32\mlfcache.dat
2009-02-08 02:13 52,736 a------- c:\windows\system32\drivers\i8042prt.sys
2009-01-13 15:55 28,549 a------- c:\windows\fonts\sarsapar.zip
2009-01-13 15:51 28,232 a------- c:\windows\fonts\easilyamused.zip
2009-01-13 15:48 11,798 a------- c:\windows\fonts\NegativeSpace1.zip
2009-01-13 14:08 838,158 a------- c:\program files\sci GRAPHS setup.exe
2009-01-11 14:57 34,304 a------- c:\windows\system32\RtriShEx.dll
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 12:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 12:11 65,536 a------- c:\windows\system32\jdns_sd.dll
2008-12-12 12:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-07-11 21:32 22,411,048 a------- c:\program files\SkypeSetup.exe
2008-06-11 15:38 19,790,584 a------- c:\program files\VZMM2_1-DL-SAMSU-Bld9-Juke-002.exe

2008-06-07 02:50 12,664,832 a------- c:\program files\BlackBerry Device Manager v4.2 (English).msi
2008-06-02 03:23 4,042,444 a------- c:\program files\win ace269i.exe
2008-04-19 01:43 2,733,520 a------- c:\program files\ccleansetup205.exe
2007-08-04 00:32 5,149,152 a------- c:\program files\rminstallFREEE.exe
2007-08-04 00:26 5,149,152 a------- c:\program files\regmechfree.exe
2007-07-30 07:24 4,900,888 a------- c:\program files\LimeWireWin.exe
2006-10-29 15:06 454 a------- c:\program files\Shortcut to xerox.lnk
2006-10-15 14:32 740 a------- c:\program files\LATESTADOBEEEEEEE.exe
2008-10-19 20:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-10-19 20:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-10-19 20:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 3:57:39.40 ===============


#2 Farbar

    Just Curious

  • Security Developer
  • 20,491 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 March 2009 - 08:30 AM

Hi deeneeweenee,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk788YYUS

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot omitted)


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot omitted)


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh HijackThis log to your reply.

You might want to save this page on your favorites, so you can find it again when you return.
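The triage Farbar did by eye on the DDS "Pseudo HJT Report" above (pick out the mywebsearch context-menu entry, note the toolbar with no file behind it) can be done mechanically over the same kind of log lines. The script below is an added example written for this page; it is not code from the thread, from DDS, HijackThis or BleepingComputer. The sample log is constructed to mirror a few lines of the posted report, and the watchlist of domains (only mywebsearch.com, the one the helper flagged) is an assumption for the example, not a curated feed.

```python
"""Triage DDS / HijackThis-style startup entries for human review.

Added example, not code from the thread or from the DDS/HijackThis tools.
Each entry has the form "<kind>: <description> - <target>", where the target is
a file path, a URL (DDS defangs these as hxxp://), or the literal "No File"
for a registry entry whose backing file no longer exists.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the style of the thread's "Pseudo HJT Report".
# The mywebsearch line and the "No File" toolbar mirror entries in the posted log.
SAMPLE_LOG = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
IE: &Search - hxxp://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk788YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
"""

# Domains whose appearance in a startup or IE entry deserves a second look.
# mywebsearch.com is the domain the helper singled out; the list itself is an
# assumption for this example, not a vendor-maintained feed.
WATCHLIST_HOSTS = {"mywebsearch.com"}

KIND_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<body>.+)$")
# DDS writes hxxp:// so URLs are not clickable in the forum; accept both forms.
URL_HOST_RE = re.compile(r"\bh(?:xx|tt)ps?://([^/\s?]+)", re.IGNORECASE)


def matched_watchlist(host: str) -> Optional[str]:
    """Return the watch-listed domain that host equals or is a subdomain of, else None."""
    host = host.lower()
    for domain in WATCHLIST_HOSTS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per entry that is orphaned ("No File") or points at a watch-listed host."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KIND_RE.match(line)
        if not m:
            continue  # blank lines and section banners carry no entry
        kind, body = m.group("kind"), m.group("body")
        if body.endswith("- No File"):
            # Registry still references a COM object whose DLL is gone:
            # harmless by itself, but a leftover worth cleaning up.
            findings.append({"kind": kind, "reason": "orphaned", "entry": line})
            continue
        url = URL_HOST_RE.search(body)
        if url:
            domain = matched_watchlist(url.group(1))
            if domain:
                findings.append({"kind": kind, "reason": "watchlist:" + domain, "entry": line})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['reason']}] {finding['kind']}: {finding['entry']}")
```

Run on the constructed sample it reports exactly the two lines a helper would ask about: the orphaned `TB:` entry and the `IE:` context-menu item pointing at mywebsearch.com; the AVG BHO, the Office export item and the MSConfig run key pass through untouched.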

#3 Farbar

Posted 11 March 2009 - 11:43 AM

Are you still there?

#4 Farbar

Posted 15 March 2009 - 01:08 PM

This thread will now be closed due to lack of activity.

If you should still have an issue, please don't PM me and start a new topic.

#5 deeneeweenee (Topic Starter)

Posted 16 March 2009 - 02:05 PM

Do I have to start from scratch with a new post and hope someone will respond? Sorry for the inconsistent replies, but I appreciate your time and attempts to help.

#6 Farbar

Posted 16 March 2009 - 02:19 PM

Seems I have not really closed the thread. I got your e-mail.

Please post the log you had sent via PM to this thread and we will go on.

#7 deeneeweenee (Topic Starter)

Posted 16 March 2009 - 03:05 PM

ComboFix 09-03-15.01 - Owner 2009-03-16 12:34:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.12 [GMT -7:00]
Running from: c:\my download files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-16 07:48 . 2009-03-16 07:48 <DIR> d-------- c:\program files\iPod
2009-03-16 07:46 . 2009-03-16 07:49 <DIR> d-------- c:\program files\iTunes
2009-03-16 07:46 . 2009-03-16 07:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 07:38 . 2009-03-16 07:49 <DIR> d-------- c:\windows\LastGood
2009-03-16 03:29 . 2009-03-16 05:12 <DIR> d-------- C:\music limewire
2009-03-16 03:29 . 2009-03-16 05:36 <DIR> d-------- C:\Incomplete
2009-03-09 03:24 . 2009-03-09 03:24 <DIR> d-------- c:\program files\Cobian Backup 8
2009-03-08 05:31 . 2009-03-08 05:32 <DIR> d-------- c:\program files\ACW
2009-03-07 03:02 . 2009-03-07 03:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-07 03:01 . 2009-03-16 03:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 20:24 . 2009-02-23 20:25 <DIR> d-------- c:\program files\Bonjour
2009-02-21 09:04 . 2009-02-21 09:04 12 --a------ c:\documents and settings\Owner\bitpim.dat
2009-02-21 08:49 . 2004-08-04 01:56 90,624 --a------ c:\windows\system32\kswdmcap.ax
2009-02-21 08:49 . 2004-08-04 01:56 61,952 --a------ c:\windows\system32\kstvtune.ax
2009-02-21 08:49 . 2004-08-04 01:56 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2009-02-21 08:49 . 2004-08-04 01:56 43,008 --a------ c:\windows\system32\ksxbar.ax
2009-02-21 08:49 . 2004-08-04 01:56 28,672 --a------ c:\windows\system32\vidcap.ax
2009-02-21 03:48 . 2009-02-21 03:48 <DIR> d-------- c:\program files\SAMSUNG CDMA Modem
2009-02-21 03:47 . 2009-02-21 03:49 <DIR> d-------- c:\program files\QuickLink Mobile
2009-02-21 03:47 . 2009-02-21 03:49 <DIR> d-------- c:\program files\Common Files\Smith Micro Shared
2009-02-21 00:39 . 2009-02-21 00:40 <DIR> d-------- c:\program files\BitPim
2009-02-20 15:15 . 2007-12-04 18:10 16,640 -ra------ c:\windows\system32\drivers\PalmUSBD.sys
2009-02-20 15:05 . 2009-02-20 15:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\Arcsoft
2009-02-20 14:59 . 2009-02-20 14:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\HotSync
2009-02-20 14:59 . 2009-02-20 14:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\HotSync
2009-02-20 14:58 . 2009-03-16 03:22 <DIR> d-------- c:\program files\Palm
2009-02-19 21:35 . 2004-03-03 18:02 <DIR> d-------- C:\BigClock
2009-02-16 14:38 . 2009-02-16 14:43 <DIR> d-------- c:\program files\Safari
2009-02-16 14:26 . 2009-02-16 14:26 <DIR> d-------- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 14:47 --------- d-----w c:\program files\Common Files\Apple
2009-03-09 08:55 --------- d-----w c:\program files\Trend Micro
2009-03-08 08:04 --------- d-----w c:\program files\Coupons
2009-03-07 09:51 --------- d-----w c:\program files\Lx_cats
2009-03-06 18:12 --------- d-----w c:\program files\LimeWire
2009-03-06 18:12 --------- d-----w c:\program files\Lexmark 1300 Series
2009-03-06 17:26 --------- d-----r c:\program files\Lexmark X1100 Series
2009-02-20 09:13 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-02-16 21:49 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2009-02-16 20:09 --------- d-----w c:\program files\Common Files\Motive
2009-02-16 20:07 --------- d-----w c:\program files\Common Files\SupportSoft
2009-02-10 00:27 --------- d-----w c:\documents and settings\AMIRA.HOME-FB222EE479.000\Application Data\LimeWire
2009-02-08 17:13 --------- d-----w c:\program files\Alwil Software
2009-02-08 17:11 31,262,848 ----a-w c:\program files\AVAST ANTIVIRUS DOWNLOAD.exe
2009-02-08 09:13 52,736 ----a-w c:\windows\system32\drivers\i8042prt.sys
2009-02-03 07:59 --------- d-----w c:\program files\Broderbund
2009-02-02 04:32 --------- d-----w c:\documents and settings\Owner\Application Data\Broderbund Software
2009-02-02 03:27 --------- d-----w c:\program files\JlgSolera
2009-02-01 22:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 22:50 --------- d-----w c:\program files\Common Files\Real
2009-01-25 15:54 --------- d-----w c:\program files\Common Files\Adobe
2009-01-25 14:06 --------- d-----w c:\program files\QuickTime
2009-01-25 07:47 --------- d-----w c:\program files\Apple Software Update
2009-01-25 07:46 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-01-25 00:55 --------- d-----w c:\program files\Common Files\Broderbund
2009-01-25 00:43 --------- d-----w c:\program files\Paint.NET
2009-01-25 00:41 --------- d-----w c:\program files\Web Publish
2009-01-21 10:54 --------- d-----w c:\documents and settings\Owner\Application Data\SmartDraw
2009-01-13 22:55 28,549 ----a-w c:\windows\Fonts\sarsapar.zip
2009-01-13 22:51 28,232 ----a-w c:\windows\Fonts\easilyamused.zip
2009-01-13 22:48 11,798 ----a-w c:\windows\Fonts\NegativeSpace1.zip
2009-01-13 21:08 838,158 ----a-w c:\program files\sci GRAPHS setup.exe
2008-07-12 04:32 22,411,048 ----a-w c:\program files\SkypeSetup.exe
2008-06-11 22:38 19,790,584 ----a-w c:\program files\VZMM2_1-DL-SAMSU-Bld9-Juke-002.exe
2008-06-07 09:50 12,664,832 ----a-w c:\program files\BlackBerry Device Manager v4.2 (English).msi
2008-06-02 10:23 4,042,444 ----a-w c:\program files\win ace269i.exe
2008-04-19 08:43 2,733,520 ----a-w c:\program files\ccleansetup205.exe
2007-08-04 07:32 5,149,152 ----a-w c:\program files\rminstallFREEE.exe
2007-08-04 07:26 5,149,152 ----a-w c:\program files\regmechfree.exe
2007-07-30 14:24 4,900,888 ----a-w c:\program files\LimeWireWin.exe
2006-10-29 22:06 454 ----a-w c:\program files\Shortcut to xerox.lnk
2006-10-15 21:32 740 ----a-w c:\program files\LATESTADOBEEEEEEE.exe
2008-10-20 03:46 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-10-20 03:46 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-10-20 03:46 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe
2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\dllcache\svchost.exe

2008-04-13 17:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll
2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\dllcache\ws2_32.dll

2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 10:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 12:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\drivers\tcpip.sys

2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\dllcache\winlogon.exe

2008-04-13 12:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\dllcache\ip6fw.sys
2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe
2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\dllcache\services.exe

2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\dllcache\lsass.exe

2008-04-13 17:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
2004-08-04 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
2004-08-04 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\dllcache\ctfmon.exe

2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2004-08-04 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\userinit.exe
2004-08-04 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe

2008-04-13 17:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
2004-08-04 05:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\termsrv.dll
2004-08-04 05:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

2008-04-13 17:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll
2004-08-04 05:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll
2004-08-04 05:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\dllcache\powrprof.dll

2008-04-13 17:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\imm32.dll
2004-08-04 05:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\imm32.dll
2004-08-04 05:00 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-09_12.10.25.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 10:20:05 1,847,424 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:41:26 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2009-03-16 14:51:12 102,400 ----a-r c:\windows\Installer\{C26B06A9-27BB-45B0-9873-9C623EC2BA38}\iTunesIco.exe
+ 2008-04-17 21:12:54 15,464 ----a-w c:\windows\LastGood\system32\DRIVERS\GEARAspiWDM.sys
+ 2008-04-17 21:12:54 107,368 ----a-w c:\windows\LastGood\system32\GEARAspi.dll
- 2007-04-25 14:21:15 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 07:12:45 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 07:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-12 01:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-04-17 21:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2009-01-15 19:19:36 23,848 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-04-17 19:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspi.dll
+ 2009-01-15 19:19:36 23,848 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\GEARAspiWDM.sys
+ 2009-03-06 06:59:00 36,864 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaapl.sys
+ 2009-03-06 06:59:00 1,900,544 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_AF109929C2381E41FEF454F3FEDAA257A9E85F92\usbaaplrc.dll
- 2009-02-06 22:57:03 675,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 19:06:28 675,360 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-04-17 21:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
+ 2008-04-17 19:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
- 2009-03-09 18:56:47 59,984 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-15 05:03:22 59,984 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-09 18:56:47 397,890 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-15 05:03:24 397,890 ----a-w c:\windows\system32\perfh009.dat
- 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-10-16 23:10:58 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 16:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 ----a-w c:\windows\system32\win32k.sys
- 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-12 01:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "c:\program files\Trend Micro\Tmas\sshook.dll" [2006-08-25 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MediaChecker.lnk]
backup=c:\windows\pss\MediaChecker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=c:\windows\pss\Alarm Manager.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^firefox.lnk]
backup=c:\windows\pss\firefox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MEMonitor.lnk]
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^yahoodeeneeweenee.url]
backup=c:\windows\pss\yahoodeeneeweenee.urlStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 02:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-02-10 11:51 118784 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-05 11:34 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-02-10 11:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--------- 2003-08-19 03:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
--a------ 2007-04-30 01:19 20480 c:\program files\Lexmark 1300 Series\lxdcamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RPSUpdaterR"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"lxdc_device"=3 (0x3)
"lxdcCATSCustConnectService"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"EpsonBidirectionalService"=2 (0x2)
"dvpapi"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\Diagnostics\\lxdccdw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R3 i740;i740;c:\windows\system32\DRIVERS\i740nt5.sys [2001-08-17 58592]
R4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-05-25 537520]
R4 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 99248]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2004-08-04 14336]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPLE_MOBILE_DEVICE
*NewlyCreated* - IPOD_SERVICE
*Deregistered* - 6to4
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - CSS DVP
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - MCSTRM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - mr7910
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSIServer
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NwSapAgent
*Deregistered* - OMCI
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RimVSerPort
*Deregistered* - ROOTMODEM
*Deregistered* - RpcLocator
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StillCam
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tmcomm
*Deregistered* - tunmp
*Deregistered* - Update
*Deregistered* - upnphost
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-03-01 c:\windows\Tasks\CHANGES.job
- c:\program files\Java\jre1.5.0_06\CHANGES [2005-11-10 12:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: yahoo.com\us.mc314.mail
TCP: {F573D2CF-FD78-48D9-82CB-225575122902} = 66.51.205.100,66.51.206.100
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 12:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1659004503-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-03-16 12:53:07
ComboFix-quarantined-files.txt 2009-03-16 19:52:48
ComboFix2.txt 2009-03-09 19:14:34

Pre-Run: 46,979,764,224 bytes free
Post-Run: 47,205,421,056 bytes free

444 --- E O F --- 2009-03-11 18:59:49


#8 Farbar

  • Security Developer
  • 20,491 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 March 2009 - 03:50 PM

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the older version of Java:
    • Check J2SE Runtime Environment 5.0 Update 6

    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Reboot your computer.
    • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • You are missing one important program on that computer: an antivirus.
    This is somewhat suicidal in today's digital world.

    I recommend this good free antivirus:

    Avira
    • Download the installer. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan has finished, let it remove what it finds and then click Report.
    • You can also get the last report by clicking Reports in the left pane.
    • In the right window under Action, double-click the last Scan listed (you can also see the corresponding Date/Time).
    • A window opens; click Report file.
    • Copy and paste the content of the report into your reply.
  • Please copy and paste a fresh HijackThis log into your reply.
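A worked example, added here and not part of this thread, of HijackThis or of Avira: a small parser for the O2 (BHO) and O3 (toolbar) lines of a HijackThis log that flags entries marked "(file missing)", the condition the helper asked the poster to fix above. Such an entry is a dead registration left behind by an incomplete uninstall; the DLL no longer loads, but the CLSID still sits in the registry and shows up in every future log. The sample log is constructed from lines in the format posted in this thread, and the two registry locations named in the code (the Browser Helper Objects key and the Internet Explorer Toolbar key under HKLM) are the standard places Internet Explorer reads those registrations from; the triage rule and helper names are this example's own, not HijackThis's.

```python
"""Parse HijackThis O2/O3 lines and flag add-on entries whose DLL is missing.

Added example: not code from the forum thread, from HijackThis or from Avira.
"""
import re
from dataclasses import dataclass
from typing import Optional

# O2/O3 log lines have the shape:
#   O2 - BHO: <name> - {CLSID} - <path to DLL>[ (file missing)]
#   O3 - Toolbar: <name> - {CLSID} - <path to DLL>[ (file missing)]
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Registry keys Internet Explorer reads BHO and toolbar registrations from.
# Removing an orphaned entry means deleting its CLSID under these keys.
REGISTRY_HOME = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "O3": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
}

# Constructed sample log, assembled from entries in the format shown in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""


@dataclass
class BrowserEntry:
    section: str        # "O2" (BHO) or "O3" (toolbar)
    name: str
    clsid: str
    path: str           # DLL path as printed in the log
    file_missing: bool  # True when the log says "(file missing)"

    @property
    def registry_key(self) -> str:
        """Registry key that holds this registration (what a fix would delete)."""
        return REGISTRY_HOME[self.section] + "\\" + self.clsid


def parse_entry(line: str) -> Optional[BrowserEntry]:
    """Return a BrowserEntry for an O2/O3 line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return BrowserEntry(
        section=m.group("section"),
        name=m.group("name"),
        clsid=m.group("clsid").upper(),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )


def triage(log_text: str) -> dict:
    """Split a log into its O2/O3 entries and the subset pointing at a missing DLL."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    orphans = [e for e in entries if e.file_missing]
    return {"entries": entries, "orphans": orphans}


def report(log_text: str) -> str:
    """Human-readable summary, one line per orphaned entry."""
    result = triage(log_text)
    lines = [f"{len(result['entries'])} browser add-on entries, "
             f"{len(result['orphans'])} pointing at a missing file"]
    for e in result["orphans"]:
        lines.append(f"  {e.section} {e.name}: {e.path} is gone; "
                     f"fix = delete {e.registry_key}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the report names exactly one orphan, the AVG IESiteBlocker BHO, and the key under Browser Helper Objects that its CLSID occupies. That is the same outcome as ticking the line in HijackThis and clicking Fix checked, but it also makes clear that the fix is a registry cleanup, not the removal of a running component: anything that is actually loading shows a present DLL path and deserves a separate look.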


#9 deeneeweenee

  • Topic Starter
  • Members
  • 9 posts

Posted 16 March 2009 - 04:42 PM

I finished steps 1 and 2. I have to go to work now, but I should be able to finish 3 & 4 on my break. Thanks for the easy directions...

#10 Farbar

  • Security Developer
  • 20,491 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 March 2009 - 07:02 PM

Take your time and post the logs when ready.

#11 deeneeweenee

  • Topic Starter
  • Members
  • 9 posts

Posted 17 March 2009 - 09:39 AM

Here is the report from my initial scan on 03/16/09:

Attention: Loading engine failed. The scan was started with the back-up of the engine.

Avira AntiVir Personal
Report file date: Monday, March 16, 2009 18:26

Scanning for 1303192 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: HOME-FB222EE479

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 16:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 15:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 20:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:16:56
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 01:17:06
ANTIVIR3.VDF : 7.1.2.177 153088 Bytes 3/16/2009 01:17:11
Engineversion : 8.2.0.116
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/17/2009 01:17:40
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/17/2009 01:17:38
AESCN.DLL : 8.1.1.8 127346 Bytes 3/17/2009 01:17:35
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 21:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/17/2009 01:17:33
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/17/2009 01:17:30
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/17/2009 01:17:27
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/17/2009 01:17:18
AEGEN.DLL : 8.1.1.29 336245 Bytes 3/17/2009 01:17:17
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 18:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/17/2009 01:17:13
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 18:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 16:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 17:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 20:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 19:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 16:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 20:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 01:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 20:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 20:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 21:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 21:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, March 16, 2009 18:26

The scan of running processes will be started
Scan process 'avwsc.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'locator.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '50' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\My Documents\Deleted 9639\TV3EBODY\WineGlass[1].jpg
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4a2d01e6.qua'!
C:\Documents and Settings\Owner\Shared\portrait music of dan fogelber.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.N.3 Trojan
[NOTE] The file was moved to '4a310329.qua'!
C:\Incomplete\Preview-T-5118466-adam corolla [remix].wav
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4a2403d1.qua'!
C:\Incomplete\T-5118466-adam corolla [remix].wav
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49f40390.qua'!
C:\My Download Files\antivir_workstation_winu_en_h.exe
[0] Archive type: RAR SFX (self extracting)
--> basic\aecore.dll
[WARNING] The temporary file could not be opened!
C:\My Download Files\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\Boot.bat
[WARNING] The temporary file could not be opened!
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU__\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU__________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU__________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU___________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU___________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU___________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU______________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU__________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU___________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU____________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_____________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_______________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU________________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_________________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU__________________________________________________________________________________________________________\Data1.cab
[0] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\Fonts\mfm132.zip
[0] Archive type: ZIP
--> setup.exe
[DETECTION] Contains recognition pattern of the DR/Aureate.A.5 dropper
[NOTE] The file was moved to '4a2c0af5.qua'!
C:\WINDOWS\Fonts\mfm132\setup.exe
[DETECTION] Contains recognition pattern of the DR/Aureate.A.5 dropper
[NOTE] The file was moved to '4a330b03.qua'!


End of the scan: Monday, March 16, 2009 19:39
Used time: 1:15:03 Hour(s)

The scan has been done completely.

6765 Scanning directories
156962 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
6 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
156954 Files not concerned
1257 Archives were scanned
50 Warnings
6 Notes

Fresh HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:41 AM, on 3/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F573D2CF-FD78-48D9-82CB-225575122902}: NameServer = 66.51.205.100,66.51.206.100
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5472 bytes
Hope this works...

#12 Farbar

    Just Curious

  • Security Developer
  • 20,491 posts
  • Gender: Male
  • Location: The Netherlands

Posted 17 March 2009 - 09:54 AM

Avira found some malware, especially in audio files.

Please tell me how the computer is running.

#13 deeneeweenee

  • Topic Starter
  • Members
  • 9 posts

Posted 17 March 2009 - 11:23 AM

EXTREMELY sloooooooowww... :thumbup2:

#14 Farbar

    Just Curious

  • Security Developer
  • 20,491 posts
  • Gender: Male
  • Location: The Netherlands

Posted 17 March 2009 - 11:29 AM

I am at work right now. Please tell me if you have a Windows installation CD.

#15 deeneeweenee

  • Topic Starter
  • Members
  • 9 posts

Posted 17 March 2009 - 11:38 AM

Yes, I have a reinstallation CD (XP Home Ed.) that Dell sent me.
