BleepingComputer.com: Security Tool & Other spyware need help...

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Security Tool & Other spyware need help... Security tool, and rederected webpages TheFeedYard.com

#1 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 10 October 2009 - 07:34 PM

Hello First time poster.

Moved, finally got my computer set up last week. I had my computer running for a few on the net and i picked up a windows securty pro2010. Did some google searches and came up with MBAM. Malware bytes. I ran the program and it seemed to fix everything for about 2 weeks. I then started my computer one day and noticed that my windows securty center did't start up with windows. (Also it still isnt started up.) I checked to see if my firewall was activated it said it was. I went on the net and not long found myself victum of spyware and or malware once again. This one however seemes to be more difficult to remove. And first it was a "Police Pro" or something like that. Then i got a "windows securty center" I was not able to runMBAM untill i ran it in safe mode. Everything seemed to be okay after runnning it in safe mode, Till i went back on the net and noticed now that im being rederteced to ill legitamite websites. Like "THEFEEDYARD.COM"

So I did more searches yesterday and cam up with a Spybot Search and Destroy. I ran that program Wich seemed to find more malwar then MBAM. Ran it then restarted Spybot started again on windows startup ran it again. Then after that went to check back online and surf the web and im still getting them awful websites. And still my windoes securty icon fails to show up on my toolbare.. So as of right now Im in safe mode with networkeing and Hopefully somone one on here will be able to help me get threw this.

For anyone that takes the time for helping me with personal help will be appreceated. Thanks again. Ill check back soon to see if there is a post back. Im also new to this thread so ill have to figure out how things work.

Also everything seems to be fine in safe mode, my websites are actually going were there supposed to be going. But once every 5 mins or so i get a popup. Alot better then running it off safe mode.. But I don't want to be running in safe mode forever.... THANKS AGAIN PEOPLE i really need some help thanks..... again....

Here are my logs.

Thanks again for anyone looking to take the time out for some help...

Attached File(s)


#2 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 21 October 2009 - 03:55 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#3 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 24 October 2009 - 01:47 PM

Yes thank you. I will post a new dds log asap. I seem to have gotten rid of all the other malewares... I now have Antiviruspro2010. Im gonna go threw the tut on bleepings main page to see if I can rid this 2010. I'll post back soon.

Well here are my new logs, Ill check back in a lil bit....

Attached File(s)

  • Attached File  Attach.txt (5.55K)
    Number of downloads: 4
  • Attached File  DDS.txt (17.1K)
    Number of downloads: 6

This post has been edited by Genesys: 24 October 2009 - 02:05 PM

#4 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 04:15 AM

Hi,

uTorrent
LimeWire

Both above listed are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.


  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#5 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 12:23 PM

Okay. Ran combo fix. Heres the log. Also the new dds.

ComboFix 09-10-24.06 - Papa 10/25/2009 12:11.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.801 [GMT -5:00]
Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\78059736
c:\documents and settings\All Users\Application Data\78059736\78059736.bat
c:\documents and settings\All Users\Application Data\78059736\78059736.exe
c:\documents and settings\All Users\Application Data\akimiv.inf
c:\documents and settings\All Users\Application Data\bycebizimi.bat
c:\documents and settings\All Users\Application Data\foveqewuse.com
c:\documents and settings\All Users\Application Data\kinenetinu._dl
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\sejimit.sys
c:\documents and settings\All Users\Application Data\xynosuja.lib
c:\documents and settings\All Users\Application Data\yhope.com
c:\documents and settings\All Users\Application Data\ysupojutoj.bin
c:\documents and settings\All Users\Application Data\zify.com
c:\documents and settings\All Users\Documents\abiw.dl
c:\documents and settings\All Users\Documents\elefutiset.bat
c:\documents and settings\All Users\Documents\ikari.dl
c:\documents and settings\All Users\Documents\kenysinuko.sys
c:\documents and settings\All Users\Documents\poxyhehuv.sys
c:\documents and settings\All Users\Documents\qesarege.vbs
c:\documents and settings\All Users\Documents\qylequqo.vbs
c:\documents and settings\All Users\Documents\ubakomece.com
c:\documents and settings\All Users\Documents\ufokoxu.bat
c:\documents and settings\All Users\Documents\xageqadohe.dll
c:\documents and settings\All Users\Documents\yvihih._dl
c:\documents and settings\All Users\Documents\zedagyriwu.inf
c:\documents and settings\Papa\Application Data\ilame.vbs
c:\documents and settings\Papa\Application Data\iniasd.txt
c:\documents and settings\Papa\Application Data\qudijov.lib
c:\documents and settings\Papa\Application Data\uvokoji.bin
c:\documents and settings\Papa\Application Data\virefiwyfu.dl
c:\documents and settings\Papa\Application Data\xetukyro.sys
c:\documents and settings\Papa\Cookies\bobonu.db
c:\documents and settings\Papa\Cookies\colificab.pif
c:\documents and settings\Papa\Cookies\dywocoby.ban
c:\documents and settings\Papa\Cookies\ebohu.sys
c:\documents and settings\Papa\Cookies\ekaqy.scr
c:\documents and settings\Papa\Cookies\fador.dll
c:\documents and settings\Papa\Cookies\faqozyle.ban
c:\documents and settings\Papa\Cookies\gazetybeh.inf
c:\documents and settings\Papa\Cookies\ihekutiq.lib
c:\documents and settings\Papa\Cookies\jafer.dll
c:\documents and settings\Papa\Cookies\myfihuhi.reg
c:\documents and settings\Papa\Cookies\nedal.vbs
c:\documents and settings\Papa\Cookies\ovitohyhil.ban
c:\documents and settings\Papa\Cookies\sujewoxini.com
c:\documents and settings\Papa\Cookies\uzotuxa.db
c:\documents and settings\Papa\Cookies\wivat.ban
c:\documents and settings\Papa\Cookies\ydimovetih.ban
c:\documents and settings\Papa\Cookies\yvynalebex.com
c:\documents and settings\Papa\Local Settings\Application Data\aminoj._sy
c:\documents and settings\Papa\Local Settings\Application Data\camefatiny.pif
c:\documents and settings\Papa\Local Settings\Application Data\domuda.scr
c:\documents and settings\Papa\Local Settings\Application Data\ehaw.vbs
c:\documents and settings\Papa\Local Settings\Application Data\isytaxy._dl
c:\documents and settings\Papa\Local Settings\Application Data\item._dl
c:\documents and settings\Papa\Local Settings\Application Data\jehaxud.exe
c:\documents and settings\Papa\Local Settings\Application Data\kowevuvu.sys
c:\documents and settings\Papa\Local Settings\Application Data\lavicu.dl
c:\documents and settings\Papa\Local Settings\Application Data\numubola.ban
c:\documents and settings\Papa\Local Settings\Application Data\radimur.dl
c:\documents and settings\Papa\Local Settings\Application Data\tahen.sys
c:\documents and settings\Papa\Local Settings\Application Data\umelaq.sys
c:\documents and settings\Papa\Local Settings\Application Data\umixu.sys
c:\documents and settings\Papa\Local Settings\Application Data\upogyvyroj.com
c:\documents and settings\Papa\Local Settings\Application Data\utejiq.ban
c:\documents and settings\Papa\Local Settings\Application Data\wetuzylyf.exe
c:\documents and settings\Papa\Local Settings\Application Data\xylyh.bin
c:\documents and settings\Papa\Local Settings\Application Data\zutusof.inf
c:\documents and settings\Papa\Local Settings\Application Data\zycezof.scr
c:\documents and settings\Papa\ntuser.dll
C:\p2hhr.bat
c:\program files\AskSearch\bin\DeFAultsearch.dll
c:\program files\Common Files\bevo._dl
c:\program files\Common Files\detaly._dl
c:\program files\Common Files\fucup.dl
c:\program files\Common Files\gadirof.bin
c:\program files\Common Files\hifa._dl
c:\program files\Common Files\huxazy.dl
c:\program files\Common Files\hyhy.bin
c:\program files\Common Files\keduba.dl
c:\program files\Common Files\laxobo._dl
c:\program files\Common Files\lirycogehi.ban
c:\program files\Common Files\omirov.com
c:\program files\Common Files\pabugino.scr
c:\program files\Common Files\texageg.reg
c:\program files\Common Files\tukecuky.pif
c:\program files\Common Files\tuliwyt.bat
c:\program files\Common Files\vagezelace.reg
c:\program files\Common Files\yquw.ban
c:\program files\Common Files\ytevyje.dl
c:\windows\alikudo._dl
c:\windows\amatase.bat
c:\windows\bojit._sy
c:\windows\colidabeda._dl
c:\windows\dexadupiji.inf
c:\windows\eqafadate.dll
c:\windows\fudo._sy
c:\windows\guhok._dl
c:\windows\hicufydo.dll
c:\windows\ikuqe.reg
c:\windows\ilur.bin
c:\windows\ipurawumifora.dll
c:\windows\jakonikit.dl
c:\windows\jestertb.dll
c:\windows\kyzigoq.exe
c:\windows\lewywo.bat
c:\windows\ninytawec.bin
c:\windows\odobydu.ban
c:\windows\ofixa.vbs
c:\windows\ofymudow.pif
c:\windows\ojagaxaze._sy
c:\windows\olygy.reg
c:\windows\ominimyjo.bin
c:\windows\oxipymyz._dl
c:\windows\oxur.exe
c:\windows\ozimuduqit.inf
c:\windows\ponuzi._dl
c:\windows\qygiduf.inf
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\aryjurexi.inf
c:\windows\system32\calc.dll
c:\windows\system32\comyzekis.exe
c:\windows\system32\davafuhu.exe
c:\windows\system32\delejome.exe
c:\windows\system32\dojapode.dll
c:\windows\system32\dopunidi.exe
c:\windows\system32\dukeyiwa.exe
c:\windows\system32\durifesu.exe
c:\windows\system32\fetepaze.exe
c:\windows\system32\gomebomu.exe
c:\windows\system32\howiduga.exe
c:\windows\system32\huvizuba.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\jagepeyu.dll
c:\windows\system32\jiyazami.dll
c:\windows\system32\jumifix.sys
c:\windows\system32\kebajuvi.dll
c:\windows\system32\kivereza.dll
c:\windows\system32\kudafane.dll
c:\windows\system32\lafokune.dll
c:\windows\system32\lewuseze.exe
c:\windows\system32\luyehije.exe
c:\windows\system32\mirajehi.dll
c:\windows\system32\mize.bin
c:\windows\system32\narerope.exe
c:\windows\system32\nojepake.dll
c:\windows\system32\nutowuko.dll
c:\windows\system32\piyudijo.exe
c:\windows\system32\putabami.dll
c:\windows\system32\rijilutu.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sehuwuri.exe
c:\windows\system32\tehisuvo.exe
c:\windows\system32\temofar.bat
c:\windows\system32\tovebogi.exe
c:\windows\system32\towozoha.exe
c:\windows\system32\ufuwyr.ban
c:\windows\system32\uhim.bin
c:\windows\system32\ulit.bin
c:\windows\system32\umih.inf
c:\windows\system32\vezipoyo.exe
c:\windows\system32\vugivodi.exe
c:\windows\system32\vuhuviti.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wijahupu.exe
c:\windows\system32\wuduluto.dll
c:\windows\system32\xowyfa.vbs
c:\windows\system32\xyje._dl
c:\windows\system32\yagerumu.exe
c:\windows\system32\yasijote.exe
c:\windows\system32\ybyme.exe
c:\windows\system32\ydumugu.ban
c:\windows\system32\ylyqevecoh.scr
c:\windows\system32\yonolafo.dll
c:\windows\system32\ypezuv.ban
c:\windows\system32\ypijyte.pif
c:\windows\system32\yusayena.dll
c:\windows\system32\zalo.scr
c:\windows\system32\zehakebo.dll
c:\windows\system32\zele.pif
c:\windows\system32\zilozama.exe
c:\windows\system32\zurubefo.exe
c:\windows\tide.vbs
c:\windows\ufinuwiw._sy
c:\windows\uquca.dl
c:\windows\zodo.inf
c:\windows\zypame.scr
E:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 17:07 . 2009-10-25 17:07 -------- d-----w- C:\thcbytes
2009-10-22 04:31 . 2009-10-22 04:31 16784 ----a-w- c:\windows\system32\xevidi.dat
2009-10-19 00:14 . 2009-10-19 00:14 15716 ----a-w- c:\program files\Common Files\isemizi.dat
2009-10-16 02:09 . 2009-10-16 02:09 19879 ----a-w- c:\windows\jebysu.com
2009-10-16 02:09 . 2009-10-16 02:09 18996 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\gecy.dat
2009-10-16 01:45 . 2009-10-16 01:45 16715 ----a-w- c:\windows\system32\uworomi.dat
2009-10-15 01:57 . 2009-10-15 01:57 17903 ----a-w- c:\windows\system32\byzyxoxis.com
2009-10-15 01:57 . 2009-10-15 01:57 17662 ----a-w- c:\program files\Common Files\deqaxeseh.dat
2009-10-15 01:57 . 2009-10-15 01:57 11720 ----a-w- c:\program files\Common Files\ylacowuga.dat
2009-10-15 01:57 . 2009-10-15 01:57 10385 ----a-w- c:\windows\tete.com
2009-10-10 01:06 . 2009-10-14 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-09 03:22 . 2009-10-09 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-09 03:22 . 2009-10-09 03:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 00:39 . 2009-10-07 00:39 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-04 03:59 . 2001-08-18 03:36 19456 ----a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-10-04 03:59 . 2001-08-18 03:36 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-10-04 03:57 . 2008-04-14 03:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-10-01 03:33 . 2009-10-01 03:33 -------- d-----w- c:\program files\AC3Filter
2009-10-01 01:53 . 2009-10-01 01:53 -------- d-----w- c:\documents and settings\Papa\Application Data\DivX
2009-09-30 22:23 . 2009-05-13 21:56 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-30 22:22 . 2009-09-30 22:23 -------- d-----w- c:\program files\DivX
2009-09-30 22:22 . 2009-09-30 22:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-28 23:08 . 2009-09-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Pianosoft
2009-09-27 01:32 . 2009-09-27 03:17 -------- d-----w- c:\documents and settings\Papa\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 00:14 . 2009-10-19 00:14 15254 ----a-w- c:\documents and settings\Papa\Application Data\wylyciky.dat
2009-10-16 02:09 . 2009-10-16 02:09 12028 ----a-w- c:\program files\Common Files\cipa.db
2009-10-16 01:45 . 2009-10-16 01:45 14773 ----a-w- c:\documents and settings\All Users\Application Data\hebenokoxe.dat
2009-10-15 01:57 . 2009-10-15 01:57 19632 ----a-w- c:\documents and settings\All Users\Application Data\hoxy.dat
2009-10-15 01:57 . 2009-10-15 01:57 16932 ----a-w- c:\program files\Common Files\zysucu.db
2009-10-14 23:26 . 2009-09-21 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 23:05 . 2009-05-02 18:20 -------- d-----w- c:\documents and settings\Papa\Application Data\uTorrent
2009-09-24 16:26 . 2009-09-24 16:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Uniblue
2009-09-23 00:44 . 2009-09-23 00:44 71680 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-22 18:08 . 2009-08-02 20:34 -------- d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
2009-09-22 18:06 . 2009-09-22 18:06 17712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 18:01 . 2009-09-22 18:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\program files\iTunes
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 17:59 . 2009-09-22 17:59 -------- d-----w- c:\program files\iPod
2009-09-22 17:59 . 2009-08-02 20:32 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 17:58 . 2009-09-22 17:58 -------- d-----w- c:\program files\QuickTime
2009-09-21 19:47 . 2009-09-21 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 03:42 . 2006-08-04 08:30 -------- d-----w- c:\program files\Java
2009-09-21 03:18 . 2009-06-21 22:50 17464 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-20 23:49 . 2009-09-20 23:49 120 ----a-w- c:\windows\Eticeyeva.dat
2009-09-20 23:49 . 2009-09-20 23:49 0 ----a-w- c:\windows\Dyojodemadavaku.bin
2009-09-10 19:54 . 2009-09-21 02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-21 02:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 00:24 . 2004-08-10 17:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 17:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2009-01-04 12:00 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 17:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 17:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 17:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-10 17:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bytes.exe.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{375c8e5d-e162-4ea6-991b-795c287f58b7} - yonolafo.dll
BHO-{ca499376-10b1-4fbe-a5ba-309ce29f84e9} - wibovaha.dll
HKLM-Run-78059736 - c:\documents and settings\All Users\Application Data\78059736\78059736.exe
HKLM-Run-hamefusoh - c:\windows\system32\rijilutu.dll
HKLM-Run-lohohuhigo - putabami.dll
SharedTaskScheduler-{fa0f539b-0785-4b36-8dad-9f10e7849644} - c:\windows\system32\zelayira.dll
SharedTaskScheduler-{deca11a9-c601-4c1d-ab9b-e40c038e2738} - c:\windows\system32\wenigewe.dll
SharedTaskScheduler-{f51120bc-9fa9-45df-b702-9897db8b0760} - c:\windows\system32\fidofepu.dll
SharedTaskScheduler-{b3d40d3d-f7ea-4a0c-a004-00814b575831} - c:\windows\system32\popukalu.dll
SharedTaskScheduler-{a252cd67-a975-4aa1-8d94-1bdb7ca4679d} - c:\windows\system32\niyihifi.dll
SharedTaskScheduler-{015b55ff-78f7-424b-8fe9-05b1f7304955} - c:\windows\system32\rijilutu.dll
SSODL-munamadoy-{fa0f539b-0785-4b36-8dad-9f10e7849644} - c:\windows\system32\zelayira.dll
SSODL-suvutizab-{deca11a9-c601-4c1d-ab9b-e40c038e2738} - c:\windows\system32\wenigewe.dll
SSODL-duyehozat-{f51120bc-9fa9-45df-b702-9897db8b0760} - c:\windows\system32\fidofepu.dll
SSODL-yiwemesaw-{b3d40d3d-f7ea-4a0c-a004-00814b575831} - c:\windows\system32\popukalu.dll
SSODL-yelalimib-{a252cd67-a975-4aa1-8d94-1bdb7ca4679d} - c:\windows\system32\niyihifi.dll
SSODL-jubefopat-{015b55ff-78f7-424b-8fe9-05b1f7304955} - c:\windows\system32\rijilutu.dll
AddRemove-AVIcodec - c:\program files\AVIcodec\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 12:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1548)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\combofix\CF31140.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 17:19

Pre-Run: 59,103,191,040 bytes free
Post-Run: 57,808,277,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9F0F3ADF352344B466AD5C843F9227F0

Attached File(s)

  • Attached File  Attach.txt (11.09K)
    Number of downloads: 5
  • Attached File  DDS.txt (9.34K)
    Number of downloads: 3

This post has been edited by Genesys: 25 October 2009 - 12:24 PM

#6 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 01:07 PM

Hi,


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic263580.html#entry1471625
Collect::
c:\windows\system32\xevidi.dat
c:\program files\Common Files\isemizi.dat
c:\windows\jebysu.com
c:\documents and settings\Papa\Local Settings\Application Data\gecy.dat
c:\windows\system32\uworomi.dat
c:\windows\system32\byzyxoxis.com
c:\program files\Common Files\deqaxeseh.dat
c:\program files\Common Files\ylacowuga.dat
c:\windows\tete.com
c:\documents and settings\Papa\Application Data\wylyciky.dat
c:\program files\Common Files\cipa.db
c:\documents and settings\All Users\Application Data\hebenokoxe.dat
c:\documents and settings\All Users\Application Data\hoxy.dat
c:\program files\Common Files\zysucu.db
c:\windows\Eticeyeva.dat
c:\windows\Dyojodemadavaku.bin
c:\windows\system32\rizedeye
c:\windows\buhakym.lib
c:\program files\common files\cipa.db
c:\program files\common files\zysucu.db
c:\windows\uxiluwiv.sys
c:\docume~1\papa\applic~1\awuquxoh.bin
c:\windows\system32\xelovas.dat
c:\program files\common files\yqeqecotuq.sys
c:\windows\amuxybumy.bin
c:\docume~1\papa\applic~1\ebonypoquj.pif
c:\windows\kofy.com
c:\windows\yjyhy.dat
c:\docume~1\papa\applic~1\ijucolaxas.scr
c:\docume~1\papa\applic~1\kyky.sys
c:\windows\cabu.com
DDS::
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.



Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Uninstall this vulnerable Java:
Java 2 Runtime Environment, SE v1.4.2_03


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#7 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 01:28 PM

Heres the new log i believe.


ComboFix 09-10-24.06 - Papa 10/25/2009 13:30.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.650 [GMT -5:00]
Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Papa\Desktop\CFScript.txt

file zipped: c:\docume~1\papa\applic~1\awuquxoh.bin
file zipped: c:\docume~1\papa\applic~1\ebonypoquj.pif
file zipped: c:\docume~1\papa\applic~1\ijucolaxas.scr
file zipped: c:\docume~1\papa\applic~1\kyky.sys
file zipped: c:\documents and settings\All Users\Application Data\hebenokoxe.dat
file zipped: c:\documents and settings\All Users\Application Data\hoxy.dat
file zipped: c:\documents and settings\Papa\Application Data\wylyciky.dat
file zipped: c:\documents and settings\Papa\Local Settings\Application Data\gecy.dat
file zipped: c:\program files\Common Files\cipa.db
file zipped: c:\program files\Common Files\deqaxeseh.dat
file zipped: c:\program files\Common Files\isemizi.dat
file zipped: c:\program files\Common Files\ylacowuga.dat
file zipped: c:\program files\common files\yqeqecotuq.sys
file zipped: c:\program files\Common Files\zysucu.db
file zipped: c:\windows\amuxybumy.bin
file zipped: c:\windows\buhakym.lib
file zipped: c:\windows\cabu.com
file zipped: c:\windows\Dyojodemadavaku.bin
file zipped: c:\windows\Eticeyeva.dat
file zipped: c:\windows\jebysu.com
file zipped: c:\windows\kofy.com
file zipped: c:\windows\system32\byzyxoxis.com
file zipped: c:\windows\system32\rizedeye
file zipped: c:\windows\system32\uworomi.dat
file zipped: c:\windows\system32\xelovas.dat
file zipped: c:\windows\system32\xevidi.dat
file zipped: c:\windows\tete.com
file zipped: c:\windows\uxiluwiv.sys
file zipped: c:\windows\yjyhy.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\papa\applic~1\awuquxoh.bin
c:\docume~1\papa\applic~1\ebonypoquj.pif
c:\docume~1\papa\applic~1\ijucolaxas.scr
c:\docume~1\papa\applic~1\kyky.sys
c:\documents and settings\All Users\Application Data\hebenokoxe.dat
c:\documents and settings\All Users\Application Data\hoxy.dat
c:\documents and settings\Papa\Application Data\wylyciky.dat
c:\documents and settings\Papa\Local Settings\Application Data\gecy.dat
c:\program files\Common Files\cipa.db
c:\program files\Common Files\deqaxeseh.dat
c:\program files\Common Files\isemizi.dat
c:\program files\Common Files\ylacowuga.dat
c:\program files\common files\yqeqecotuq.sys
c:\program files\Common Files\zysucu.db
c:\windows\amuxybumy.bin
c:\windows\buhakym.lib
c:\windows\cabu.com
c:\windows\Dyojodemadavaku.bin
c:\windows\Eticeyeva.dat
c:\windows\jebysu.com
c:\windows\kofy.com
c:\windows\system32\byzyxoxis.com
c:\windows\system32\rizedeye
c:\windows\system32\uworomi.dat
c:\windows\system32\xelovas.dat
c:\windows\system32\xevidi.dat
c:\windows\tete.com
c:\windows\uxiluwiv.sys
c:\windows\yjyhy.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 17:07 . 2009-10-25 17:07 -------- d-----w- C:\thcbytes
2009-10-10 01:06 . 2009-10-14 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-09 03:22 . 2009-10-09 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-09 03:22 . 2009-10-09 03:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 00:39 . 2009-10-07 00:39 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-04 03:59 . 2001-08-18 03:36 19456 ----a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-10-04 03:59 . 2001-08-18 03:36 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-10-04 03:57 . 2008-04-14 03:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-10-01 03:33 . 2009-10-01 03:33 -------- d-----w- c:\program files\AC3Filter
2009-10-01 01:53 . 2009-10-01 01:53 -------- d-----w- c:\documents and settings\Papa\Application Data\DivX
2009-09-30 22:23 . 2009-05-13 21:56 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-30 22:22 . 2009-09-30 22:23 -------- d-----w- c:\program files\DivX
2009-09-30 22:22 . 2009-09-30 22:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-28 23:08 . 2009-09-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Pianosoft
2009-09-27 01:32 . 2009-09-27 03:17 -------- d-----w- c:\documents and settings\Papa\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 23:26 . 2009-09-21 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 23:05 . 2009-05-02 18:20 -------- d-----w- c:\documents and settings\Papa\Application Data\uTorrent
2009-09-24 16:26 . 2009-09-24 16:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Uniblue
2009-09-23 00:44 . 2009-09-23 00:44 71680 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-22 18:08 . 2009-08-02 20:34 -------- d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
2009-09-22 18:06 . 2009-09-22 18:06 17712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 18:01 . 2009-09-22 18:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\program files\iTunes
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 17:59 . 2009-09-22 17:59 -------- d-----w- c:\program files\iPod
2009-09-22 17:59 . 2009-08-02 20:32 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 17:58 . 2009-09-22 17:58 -------- d-----w- c:\program files\QuickTime
2009-09-21 19:47 . 2009-09-21 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 03:42 . 2006-08-04 08:30 -------- d-----w- c:\program files\Java
2009-09-21 03:18 . 2009-06-21 22:50 17464 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-20 23:47 . 2009-09-20 23:47 18936 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif
2009-09-20 23:47 . 2009-09-20 23:47 10812 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET1F.tmp
2009-09-10 19:54 . 2009-09-21 02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-21 02:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SETAB.tmp
2009-08-26 08:00 . 2004-08-10 16:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-10 17:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 17:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2009-01-04 12:00 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 17:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 17:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 17:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-10 17:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 16:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 02:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_17.16.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-18 05:22 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-05-18 05:22 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2004-08-10 16:51 . 2009-09-21 00:15 71732 c:\windows\system32\perfc009.dat
+ 2004-08-10 16:51 . 2009-10-25 17:35 71732 c:\windows\system32\perfc009.dat
+ 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 02:58 . 2007-04-14 02:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 02:57 . 2007-04-14 02:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 02:57 . 2007-04-14 02:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 03:30 . 2007-04-14 03:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2009-10-25 17:28 . 2009-10-25 17:28 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_783b537d\System.Drawing.Design.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_647bf400\CustomMarshalers.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2009-10-25 17:36 . 2009-10-25 17:36 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2009-10-25 17:36 . 2009-10-25 17:36 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-09-21 00:15 . 2009-09-21 00:15 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-08-10 16:51 . 2009-04-02 04:02 604160 c:\windows\system32\wmspdmod.dll
- 2004-08-10 16:51 . 2009-09-21 00:15 442466 c:\windows\system32\perfh009.dat
+ 2004-08-10 16:51 . 2009-10-25 17:35 442466 c:\windows\system32\perfh009.dat
+ 2004-08-10 16:51 . 2009-04-02 04:02 604160 c:\windows\system32\dllcache\wmspdmod.dll
+ 2004-08-10 16:51 . 2009-08-26 08:00 247326 c:\windows\system32\dllcache\strmdll.dll
- 2004-08-10 16:51 . 2008-10-03 10:02 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2009-06-25 08:25 . 2009-09-11 14:18 136192 c:\windows\system32\dllcache\msv1_0.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-08-08 04:51 . 2009-08-08 04:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
- 2007-04-14 02:58 . 2007-04-14 02:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 02:56 . 2007-04-14 02:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 03:30 . 2007-04-14 03:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_6ebfda65\System.Drawing.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_3047d2a2\System.Drawing.Design.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_6f26a92a\CustomMarshalers.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bf92bc207f927cbbd6dfc9dc0c3eae68\WindowsFormsIntegration.ni.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\6f488b7644dc50a083868e91a4014466\UIAutomationTypes.ni.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2fbf25609b704061a93500efa6f241d\UIAutomationClient.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ca6d7208c0fb72ff97429f2636ced321\System.Drawing.Design.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96f74da5fc40b92f09069230bc0df4f0\PresentationFramework.Royale.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bb4d16b042b72c2c85a0f8ac9d48f28\PresentationFramework.Luna.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\30c5c2682d3c5bdaa83bb9a36ee48afa\PresentationFramework.Aero.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07e952efd70f5608e221a008e6231ace\PresentationFramework.Classic.ni.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-10-25 17:19 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
- 2004-08-10 16:51 . 2008-04-14 00:12 1435648 c:\windows\system32\query.dll
+ 2004-08-10 16:51 . 2009-07-17 16:22 1435648 c:\windows\system32\query.dll
+ 2009-07-17 16:22 . 2009-07-17 16:22 1435648 c:\windows\system32\dllcache\query.dll
+ 2009-01-04 22:24 . 2009-08-05 01:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-01-04 22:24 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-01-04 22:24 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-01-04 22:24 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2009-01-04 22:24 . 2009-02-08 00:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2004-08-10 16:51 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-10 16:51 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-08-08 04:51 . 2009-08-08 04:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2008-11-25 09:59 . 2008-11-25 09:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-08-08 04:51 . 2009-08-08 04:51 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 03:35 . 2007-04-14 03:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 03:35 . 2007-04-14 03:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 02:57 . 2007-04-14 02:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 02:57 . 2007-04-14 02:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 02:50 . 2007-04-14 02:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2009-01-04 22:24 . 2009-08-05 01:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-01-04 22:24 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2009-01-04 22:24 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2009-01-04 22:24 . 2009-02-08 00:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-01-04 22:24 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-01-04 22:24 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2009-01-04 22:24 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-10-25 17:28 . 2009-10-25 17:28 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f501a0dc\System.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_8ab14e82\System.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b497e8b4\System.Xml.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_9d974b77\System.Xml.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_650734ec\System.Windows.Forms.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_3fc2b534\System.Windows.Forms.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_6ffb1988\System.Drawing.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_704f1e99\System.Design.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_0575d253\System.Design.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e5ace4ec\mscorlib.dll
+ 2009-10-25 17:29 . 2009-10-25 17:29 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_9968c1e1\mscorlib.dll
+ 2009-10-25 17:36 . 2009-10-25 17:36 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\204d6e5b335134f23ca37638b9227ecf\WindowsBase.ni.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0f2ed6a204eb13841e99b77025464afc\UIAutomationClientsideProviders.ni.dll
+ 2009-10-25 17:36 . 2009-10-25 17:36 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll
+ 2009-10-25 17:38 . 2009-10-25 17:38 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\99594bae1d022502925f5b9dfcdaae9a\System.Speech.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\e5313735a40c0800f116e27fba4754db\System.Printing.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\32788c58ff9f8324460604cf1fe7681b\System.Data.Linq.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\c0a42d2ad8a4078040b334f6770ea11f\System.Core.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2009-10-25 17:36 . 2009-10-25 17:36 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-25 17:34 . 2009-10-25 17:34 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-09-21 00:15 . 2009-09-21 00:15 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-01-05 09:02 . 2009-01-05 09:02 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-25 17:28 . 2009-10-25 17:28 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-01-05 09:02 . 2009-01-05 09:02 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-25 17:28 . 2009-10-02 16:01 25198016 c:\windows\system32\MRT.exe
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-15 01:32 . 2009-08-15 01:32 11110912 c:\windows\Installer\b0ccb.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\b0cc2.msp
+ 2009-10-25 17:38 . 2009-10-25 17:38 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8b82e08c008924d51833cb0884bcbfc5\System.Design.ni.dll
+ 2009-10-25 17:37 . 2009-10-25 17:37 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\58c7ac6b6054038dc9346d7ec8e32b4c\PresentationFramework.ni.dll
+ 2009-10-25 17:36 . 2009-10-25 17:36 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\94badbd64df59de7da249f71da38b1c2\PresentationCore.ni.dll
+ 2009-10-25 17:35 . 2009-10-25 17:35 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bytes.exe.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 13:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-25 13:35
ComboFix-quarantined-files.txt 2009-10-25 18:35
ComboFix2.txt 2009-10-25 17:19

Pre-Run: 57,440,260,096 bytes free
Post-Run: 57,408,913,408 bytes free

- - End Of File - - 6B5ABAC236EC99AF5C0ADF705EEC8C4F
Upload was successful

This post has been edited by Genesys: 25 October 2009 - 01:40 PM

#8 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 01:39 PM

Hi,

Follow the steps in same order as they are listed there.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#9 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 02:32 PM

Sorry but my combo log was posted erlier..


Here is the eset log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=a1639f5c5f81354297f32cede1c5564d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-25 07:28:38
# local_time=2009-10-25 02:28:38 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63704
# found=72
# cleaned=0
# scan_time=1893
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\dukeyiwa.exe.vir a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\durifesu.exe.vir Win32/TrojanDownloader.FakeAlert.AMS trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\fetepaze.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\howiduga.exe.vir a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\luyehije.exe.vir a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\piyudijo.exe.vir a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\sehuwuri.exe.vir a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\towozoha.exe.vir a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vezipoyo.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\vuhuviti.exe.vir a variant of Win32/Kryptik.AVG trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yagerumu.exe.vir a variant of Win32/Kryptik.AQE trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir Win32/Adware.WinAntiVirus application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.AIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000086.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000105.exe probably a variant of Win32/TrojanDownloader.FakeAlert.GU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000138.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000139.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000140.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000146.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000201.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000244.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000251.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000282.exe a variant of Win32/Kryptik.AVG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000283.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000287.exe Win32/TrojanDownloader.FakeAlert.AMS trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000288.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000304.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000328.exe a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000341.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000342.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000360.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000369.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000372.cpl a variant of Win32/Kryptik.AVJ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000373.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000386.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000395.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000424.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000438.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000453.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000458.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000471.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001492.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001493.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001529.exe Win32/TrojanDropper.Agent.OJT trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001530.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001531.exe Win32/TrojanDownloader.Small.NTQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001532.exe a variant of Win32/Kryptik.AMD trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001534.exe a variant of Win32/Kryptik.ASV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001535.exe a variant of Win32/Kryptik.ASA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001537.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001538.exe a variant of Win32/Kryptik.AOK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001542.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001575.exe a variant of Win32/Kryptik.ASB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001667.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001668.exe Win32/TrojanDownloader.FakeAlert.AMS trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001669.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001670.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001678.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001683.exe a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001684.exe Win32/Adware.WinAntiVirus application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001685.exe a variant of Win32/Kryptik.AVX trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001689.exe a variant of Win32/Kryptik.AVV trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001691.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001693.exe a variant of Win32/Kryptik.AVG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001694.exe a variant of Win32/Kryptik.AIQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001698.exe a variant of Win32/Kryptik.AQE trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\dbsinit.exe Win32/Adware.WinAntiVirus application 00000000000000000000000000000000 I



also here is the dds


DDS (Ver_09-09-29.01) - NTFSx86
Run by Papa at 14:34:36.85 on Sun 10/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.580 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Papa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\bytes.exe.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231070389890
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-8-4 126976]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe --> c:\progra~1\mcafee.com\vso\mcshield.exe [?]
S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-8-4 122368]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-8-4 245760]

=============== Created Last 30 ================

2009-10-25 13:53 <DIR> --d----- c:\program files\ESET
2009-10-25 12:14 50,176 a------- c:\windows\system32\proquota.exe
2009-10-25 12:10 <DIR> a-dshr-- C:\cmdcons
2009-10-25 12:09 236,544 a------- c:\windows\PEV.exe
2009-10-25 12:09 161,792 a------- c:\windows\SWREG.exe
2009-10-25 12:09 98,816 a------- c:\windows\sed.exe
2009-10-25 12:07 <DIR> --d----- C:\thcbytes
2009-10-09 20:06 664 a------- c:\windows\system32\d3d9caps.dat
2009-10-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-08 22:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-06 19:39 131,731 a------- c:\windows\system32\dbsinit.exe
2009-10-06 19:33 107 a------- c:\windows\system32\wwp.htm
2009-10-03 22:59 82,172 a------- c:\windows\system32\dllcache\bopomofo.nls
2009-10-03 22:59 19,456 a------- c:\windows\system32\dllcache\brbidiif.dll
2009-10-03 22:59 102,400 a------- c:\windows\system32\dllcache\binlsvc.dll
2009-10-03 22:59 66,728 a------- c:\windows\system32\dllcache\big5.nls
2009-10-03 22:57 84,480 a------- c:\windows\system32\dllcache\ac97via.sys
2009-09-30 22:33 <DIR> --d----- c:\program files\AC3Filter
2009-09-30 17:23 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-09-30 17:22 <DIR> --d----- c:\program files\DivX
2009-09-30 17:22 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-28 18:08 140,488 a------- c:\windows\system32\comdlg32.ocx
2009-09-28 18:08 6,832 a------- c:\windows\system32\PulseSoundTouchForVB.tlb
2009-09-28 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pianosoft

==================== Find3M ====================

2009-09-22 13:06 17,712 a---h--- c:\windows\system32\mlfcache.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\SET1F.tmp
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\SETAB.tmp
2009-09-04 16:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 10:16 512,000 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 10:13 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-12 22:44 34 a------- c:\documents and settings\papa\jagex_runescape_preferences.dat

============= FINISH: 14:35:04.68 ===============

This post has been edited by Genesys: 25 October 2009 - 02:37 PM

#10 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 04:42 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\dbsinit.exe
c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif
c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip
DirLook::
C:\thcbytes
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"@"=""



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt. How's the system running?
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#11 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 05:01 PM

The system is running good after the first combofix. I got my windows sercurity icon back. im able to be on the internet without safe modes help.

I think i understand a little how this is working too.....

Here is combofix

ComboFix 09-10-25.01 - Papa 10/25/2009 16:53.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.541 [GMT -5:00]
Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Papa\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip"
"c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif"
"c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr"
"c:\windows\system32\dbsinit.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip
c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif
c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr
c:\windows\system32\dbsinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 18:53 . 2009-10-25 18:53 -------- d-----w- c:\program files\ESET
2009-10-25 17:07 . 2009-10-25 17:07 -------- d-----w- C:\thcbytes
2009-10-10 01:06 . 2009-10-14 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-09 03:22 . 2009-10-09 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-09 03:22 . 2009-10-09 03:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-04 03:59 . 2001-08-18 03:36 19456 ----a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-10-04 03:59 . 2001-08-18 03:36 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-10-04 03:57 . 2008-04-14 03:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-10-01 03:33 . 2009-10-01 03:33 -------- d-----w- c:\program files\AC3Filter
2009-10-01 01:53 . 2009-10-01 01:53 -------- d-----w- c:\documents and settings\Papa\Application Data\DivX
2009-09-30 22:23 . 2009-05-13 21:56 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-30 22:22 . 2009-09-30 22:23 -------- d-----w- c:\program files\DivX
2009-09-30 22:22 . 2009-09-30 22:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-28 23:08 . 2009-09-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Pianosoft
2009-09-27 01:32 . 2009-09-27 03:17 -------- d-----w- c:\documents and settings\Papa\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 21:04 . 2009-05-02 18:20 -------- d-----w- c:\documents and settings\Papa\Application Data\uTorrent
2009-10-14 23:26 . 2009-09-21 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 16:26 . 2009-09-24 16:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Uniblue
2009-09-23 00:44 . 2009-09-23 00:44 71680 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-22 18:08 . 2009-08-02 20:34 -------- d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
2009-09-22 18:06 . 2009-09-22 18:06 17712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 18:01 . 2009-09-22 18:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\program files\iTunes
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 17:59 . 2009-09-22 17:59 -------- d-----w- c:\program files\iPod
2009-09-22 17:59 . 2009-08-02 20:32 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 17:58 . 2009-09-22 17:58 -------- d-----w- c:\program files\QuickTime
2009-09-21 19:47 . 2009-09-21 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 03:42 . 2006-08-04 08:30 -------- d-----w- c:\program files\Java
2009-09-21 03:18 . 2009-06-21 22:50 17464 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET1F.tmp
2009-09-10 19:54 . 2009-09-21 02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-21 02:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SETAB.tmp
2009-08-26 08:00 . 2004-08-10 16:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-10 17:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 17:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2009-01-04 12:00 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 17:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 17:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 17:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-10 17:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 16:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 02:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe


((((((((((((((((((((((((((((( SnapShot_2009-10-25_18.34.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 18:47 . 2009-10-25 18:47 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-10-25 19:19 . 2009-10-25 19:19 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-10-25 18:59 . 2009-10-25 18:59 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-25 19:16 . 2009-10-25 19:16 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-10-25 19:19 . 2009-10-25 19:19 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\e7666364bf9f3ba5f4833c9efedd8218\System.Web.Routing.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d0070c1c1a642ae30394e00bc0d82336\System.Web.DynamicData.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\1896753d02d146be1988d32241300f51\System.Web.Abstractions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\408e637346ef628a3f54fb1b9b83ac9f\System.Transactions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll
+ 2009-10-25 19:06 . 2009-10-25 19:06 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-25 19:00 . 2009-10-25 19:00 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2009-10-25 19:07 . 2009-10-25 19:07 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-10-25 19:16 . 2009-10-25 19:16 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-10-25 19:07 . 2009-10-25 19:07 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\a17c65f0cffaa4f792dd38d50df9d526\ComSvcConfig.ni.exe
+ 2009-10-25 18:59 . 2009-10-25 18:59 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ea07ac791bb5cb9f83679e3dd1a0c0cc\System.Web.Services.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\981dea02bc63c0c083e335adf9018788\System.Web.Extensions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll
+ 2009-10-25 19:06 . 2009-10-25 19:06 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-25 19:00 . 2009-10-25 19:00 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bytes.exe.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-25 16:58
ComboFix-quarantined-files.txt 2009-10-25 21:58
ComboFix2.txt 2009-10-25 18:36
ComboFix3.txt 2009-10-25 17:19

Pre-Run: 57,258,807,296 bytes free
Post-Run: 57,226,878,976 bytes free

- - End Of File - - 1BE156109B27523E2A92411E5B81342D

This post has been edited by Blade81: 25 October 2009 - 05:08 PM

#12 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 05:01 PM

The system is running good after the first combofix. I got my windows sercurity icon back. im able to be on the internet without safe modes help.

I think i understand a little how this is working too.....

Here is combofix

ComboFix 09-10-25.01 - Papa 10/25/2009 16:53.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.541 [GMT -5:00]
Running from: c:\documents and settings\Papa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Papa\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip"
"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip"
"c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif"
"c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr"
"c:\windows\system32\dbsinit.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover3.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPro3.zip
c:\documents and settings\Papa\Local Settings\Application Data\elymyga.pif
c:\documents and settings\Papa\Local Settings\Application Data\ohanuh.scr
c:\windows\system32\dbsinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 18:53 . 2009-10-25 18:53 -------- d-----w- c:\program files\ESET
2009-10-25 17:07 . 2009-10-25 17:07 -------- d-----w- C:\thcbytes
2009-10-10 01:06 . 2009-10-14 00:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-09 03:22 . 2009-10-09 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-09 03:22 . 2009-10-09 03:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-04 03:59 . 2001-08-18 03:36 19456 ----a-w- c:\windows\system32\dllcache\brbidiif.dll
2009-10-04 03:59 . 2001-08-18 03:36 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-10-04 03:57 . 2008-04-14 03:06 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-10-01 03:33 . 2009-10-01 03:33 -------- d-----w- c:\program files\AC3Filter
2009-10-01 01:53 . 2009-10-01 01:53 -------- d-----w- c:\documents and settings\Papa\Application Data\DivX
2009-09-30 22:23 . 2009-05-13 21:56 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-30 22:22 . 2009-09-30 22:23 -------- d-----w- c:\program files\DivX
2009-09-30 22:22 . 2009-09-30 22:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-28 23:08 . 2009-09-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Pianosoft
2009-09-27 01:32 . 2009-09-27 03:17 -------- d-----w- c:\documents and settings\Papa\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 21:04 . 2009-05-02 18:20 -------- d-----w- c:\documents and settings\Papa\Application Data\uTorrent
2009-10-14 23:26 . 2009-09-21 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 16:26 . 2009-09-24 16:26 -------- d-----w- c:\documents and settings\Papa\Application Data\Uniblue
2009-09-23 00:44 . 2009-09-23 00:44 71680 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-22 18:08 . 2009-08-02 20:34 -------- d-----w- c:\documents and settings\Papa\Application Data\Apple Computer
2009-09-22 18:06 . 2009-09-22 18:06 17712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 18:01 . 2009-09-22 18:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\program files\iTunes
2009-09-22 18:00 . 2009-09-22 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-22 17:59 . 2009-09-22 17:59 -------- d-----w- c:\program files\iPod
2009-09-22 17:59 . 2009-08-02 20:32 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 17:58 . 2009-09-22 17:58 -------- d-----w- c:\program files\QuickTime
2009-09-21 19:47 . 2009-09-21 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 03:42 . 2006-08-04 08:30 -------- d-----w- c:\program files\Java
2009-09-21 03:18 . 2009-06-21 22:50 17464 ----a-w- c:\documents and settings\Papa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\Papa\Application Data\Malwarebytes
2009-09-21 02:54 . 2009-09-21 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\MSBuild
2009-09-21 00:09 . 2009-09-21 00:09 -------- d-----w- c:\program files\Reference Assemblies
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET1F.tmp
2009-09-10 19:54 . 2009-09-21 02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-21 02:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SETAB.tmp
2009-08-26 08:00 . 2004-08-10 16:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-10 17:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 17:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2009-01-04 12:00 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 17:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 17:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 17:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-08-10 17:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 16:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 02:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe


((((((((((((((((((((((((((((( SnapShot_2009-10-25_18.34.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 18:47 . 2009-10-25 18:47 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-10-25 19:19 . 2009-10-25 19:19 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-10-25 18:59 . 2009-10-25 18:59 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-25 19:16 . 2009-10-25 19:16 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-10-25 19:19 . 2009-10-25 19:19 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\e7666364bf9f3ba5f4833c9efedd8218\System.Web.Routing.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d0070c1c1a642ae30394e00bc0d82336\System.Web.DynamicData.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\1896753d02d146be1988d32241300f51\System.Web.Abstractions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\408e637346ef628a3f54fb1b9b83ac9f\System.Transactions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll
+ 2009-10-25 19:06 . 2009-10-25 19:06 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-10-25 19:00 . 2009-10-25 19:00 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2009-10-25 19:07 . 2009-10-25 19:07 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-10-25 19:16 . 2009-10-25 19:16 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-10-25 19:07 . 2009-10-25 19:07 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\a17c65f0cffaa4f792dd38d50df9d526\ComSvcConfig.ni.exe
+ 2009-10-25 18:59 . 2009-10-25 18:59 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ea07ac791bb5cb9f83679e3dd1a0c0cc\System.Web.Services.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll
+ 2009-10-25 19:19 . 2009-10-25 19:19 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\981dea02bc63c0c083e335adf9018788\System.Web.Extensions.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll
+ 2009-10-25 19:06 . 2009-10-25 19:06 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-10-25 19:00 . 2009-10-25 19:00 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll
+ 2009-10-25 19:17 . 2009-10-25 19:17 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-10-25 19:16 . 2009-10-25 19:16 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-10-25 19:18 . 2009-10-25 19:18 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll
+ 2009-10-25 19:07 . 2009-10-25 19:07 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bytes.exe.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-4 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-25 16:58
ComboFix-quarantined-files.txt 2009-10-25 21:58
ComboFix2.txt 2009-10-25 18:36
ComboFix3.txt 2009-10-25 17:19

Pre-Run: 57,258,807,296 bytes free
Post-Run: 57,226,878,976 bytes free

- - End Of File - - 1BE156109B27523E2A92411E5B81342D

Attached File(s)

  • Attached File  DDS.txt (8.42K)
    Number of downloads: 2

This post has been edited by Blade81: 25 October 2009 - 05:09 PM

#13 User is offline   Blade81 

  • Bleepin' Rocker
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,364
  • Joined: 16-October 06
  • Gender:Male
  • Location:Finland

Posted 25 October 2009 - 05:15 PM

Good. It's time to secure your system to prevent against further intrusions then :(


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /u in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok

  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
    Good commercial ones are from:
    Kaspersky and
    ESET
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :(
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006
Posted Image Posted Image

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#14 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 25 October 2009 - 06:01 PM

Great! Doing the steps now. Thanks again for your help...... Ill let you know if i have any questions.\


How big of a difference is it actually between the free software or the ones you actually have to pay for?

This post has been edited by Genesys: 25 October 2009 - 06:04 PM

#15 User is offline   Genesys 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 09-October 09
  • Gender:Male
  • Location:USA, Midwest

Posted 26 October 2009 - 05:43 PM

well i just got home today, my computer seemed to be a lil slow, so i rebooted. upon opening into my windows desktop i got a error message

Windoes connot exess path or file. You may not have appropiate permession... and this was for my Run.dll file... any clues?

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users