
Pc Running Slow And Getting Pop-ups


This topic is locked
7 replies to this topic

#1 LaurenCP
Posted 13 May 2008 - 02:03 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:29 PM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\U0OEKFAL\HiJackThis[1].exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...bar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {9af42879-5331-6209-1d84-8718f1ea1fb9} - {9bf1ae1f-8178-48d1-9026-133597824fa9} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189284683822
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189284869029
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: mlJDvUlm - mlJDvUlm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10096 bytes
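A small triage helper for HijackThis logs like the one above, added here as an editorial example (it is not part of the original post and not a BleepingComputer or Trend Micro tool). It flags entries whose target file no longer exists, unnamed or GUID-named BHOs, and every O20 Winlogon Notify entry, since those DLLs load into winlogon.exe at boot and a missing one with a random-looking name such as mlJDvUlm is typically the residue of a removed infection; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample entries copied from the HijackThis log posted above (raw string, so the
# backslashes in Windows paths are kept as-is).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {9af42879-5331-6209-1d84-8718f1ea1fb9} - {9bf1ae1f-8178-48d1-9026-133597824fa9} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O20 - Winlogon Notify: mlJDvUlm - mlJDvUlm.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2", "O20"
    severity: str  # "high", "medium", "low" or "review"
    reason: str
    line: str


# HijackThis lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A bare CLSID used where a human-readable name should be.
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")


def is_dangling(body: str) -> bool:
    """True when HijackThis reports that the referenced file does not exist."""
    return body.endswith("(no file)") or body.endswith("(file missing)")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis entry; returns None for lines that need no attention."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    dangling = is_dangling(body)

    if sec == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify packages are loaded into winlogon.exe at logon. Every one
        # listed deserves a look; a missing DLL is a leftover of a removed infection.
        sev = "high" if dangling else "review"
        return Finding(sec, sev, "Winlogon Notify DLL", line)

    if sec == "O2" and body.startswith("BHO: "):
        name = body[len("BHO: "):].split(" - ")[0]
        if dangling and (name == "(no name)" or GUID_RE.match(name)):
            # Orphaned, unnamed BHO registrations are safe to remove and often
            # point at adware that was only partially cleaned.
            return Finding(sec, "medium", "unnamed BHO with missing file", line)

    if dangling:
        return Finding(sec, "low", "entry points at a file that no longer exists", line)
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```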

#2 Thunder
Posted 16 May 2008 - 04:58 AM

Hello LaurenCP and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 LaurenCP

Posted 19 May 2008 - 10:57 AM

ComboFix 08-05-15.3 - default 2008-05-19 11:43:15.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.174 [GMT -4:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\default\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\SYSTEM32\lVDKnUvw.ini2
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 08:28 . 2008-05-19 08:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 08:28 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 08:28 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-19 08:18 . 2008-05-19 08:18 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-16 09:34 . 2008-05-16 09:34 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-16 09:34 . 2008-05-16 09:34 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-16 09:33 . 2008-05-16 09:35 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-05-16 09:33 . 2008-05-16 09:35 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-16 09:33 . 2008-05-16 09:35 10,563 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-05-16 09:33 . 2008-05-16 09:35 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-05-16 09:02 . 2008-05-16 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-16 08:22 . 2008-05-16 08:22 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_27486.LOG
2008-05-16 08:22 . 2008-05-16 08:22 0 --ah----- C:\Documents and Settings\LocalService\ntuser.dat_TU_61442.LOG
2008-05-16 08:22 . 2008-05-16 08:22 0 --ah----- C:\Documents and Settings\default\NTUSER.DAT_TU_72516.LOG
2008-05-15 12:37 . 2008-05-15 12:37 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-14 08:45 . 2008-05-14 08:45 <DIR> d-------- C:\Program Files\ThreatFire
2008-05-14 08:45 . 2008-05-14 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-14 08:45 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfFsMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfSysMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfNetMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfKbMon.sys
2008-05-13 14:59 . 2008-05-13 14:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 16:19 . 2008-05-12 16:19 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-12 16:06 . 2008-05-12 16:06 <DIR> d-------- C:\Documents and Settings\default\Application Data\Microsoft Web Folders
2008-05-12 13:11 . 2008-05-12 13:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-12 12:28 . 2008-05-12 12:28 <DIR> d-------- C:\Program Files\Symantec
2008-05-12 12:28 . 2008-05-12 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 12:26 . 2008-05-12 12:26 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-07 09:12 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-05-07 09:12 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-05-07 09:10 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005891_.tmp
2008-05-05 15:24 . 2008-05-05 15:24 <DIR> d-------- C:\Documents and Settings\default\SecurityScans
2008-05-04 18:31 . 2008-05-04 18:31 <DIR> d-------- C:\Documents and Settings\default\Application Data\Microsoft Help
2008-05-04 18:30 . 2008-05-04 18:31 <DIR> d-------- C:\Program Files\SDFix
2008-05-04 18:25 . 2008-05-04 18:25 109,738 --a------ C:\WINDOWS\BM206522d5.xml
2008-05-04 18:20 . 2008-05-04 18:20 <DIR> d-------- C:\Temp\maxsv15
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Program Files\twc
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Documents and Settings\default\Application Data\SupportSoft
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-05-02 22:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-02 22:39 . 2008-05-02 22:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-01 16:30 . 2008-05-01 16:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-01 16:30 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2008-05-01 16:23 . 2008-05-01 16:23 1,642 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-25 14:34 . 2008-04-25 14:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-04-25 14:18 . 2008-04-25 14:18 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 02:46 76,504 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2008-04-18 19:47 --------- d-----w C:\Documents and Settings\default\Application Data\Corel
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\SYSTEM32\Dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 09:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 09:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 98,304 ----a-w C:\WINDOWS\SYSTEM32\actxprxy.dll
2008-04-14 09:40 67,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pmigrate.dll
2008-04-14 09:40 53,760 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pintlcsd.dll
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 09:40 175,104 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pintlcsa.dll
2008-04-14 09:40 15,872 ----a-w C:\WINDOWS\SYSTEM32\dllcache\padrs404.dll
2008-04-14 09:40 15,360 ----a-w C:\WINDOWS\SYSTEM32\dllcache\padrs804.dll
2008-04-14 06:30 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-14 04:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:57 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-14 04:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 04:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 04:25 202,624 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-04-14 04:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 04:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 04:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 04:23 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 04:23 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 04:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 04:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 04:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 04:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 04:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 04:15 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-14 04:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 04:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 04:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 04:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 04:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 04:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 04:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 04:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 04:09 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-14 04:09 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys
2008-04-14 04:09 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-14 04:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-14 04:09 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-14 04:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-14 04:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-14 04:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 04:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 04:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-14 04:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-14 04:05 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-14 04:03 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 04:03 129,792 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
2008-04-14 04:02 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
.

------- Sigcheck -------

2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SYSTEM32\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll

2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SYSTEM32\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SYSTEM32\WININET.DLL
2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SoftwareDistribution\Download\0e573dbed32e8bd8f7ba833ffcfb788c\SP2GDR\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\SoftwareDistribution\Download\0e573dbed32e8bd8f7ba833ffcfb788c\SP2QFE\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-09-29 13:27 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-03-10 03:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2007-06-27 10:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2005-03-10 04:02 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 10:35 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll

2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-03-13 21:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SYSTEM32\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\ServicePackFiles\i386\ndis.sys

2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\$NtServicePackUninstall$\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys

2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-20 23:36 2057984 501c033d08ac37c4be751633ab02197c C:\WINDOWS\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe

2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2006-02-21 00:01 2180992 df4d09b676964646fa166a78c816b4c3 C:\WINDOWS\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe

2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SYSTEM32\services.exe
2004-08-04 02:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\ServicePackFiles\i386\services.exe

2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SYSTEM32\lsass.exe
2004-08-04 02:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SYSTEM32\ctfmon.exe
2004-08-04 02:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-16 09:37 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9bf1ae1f-8178-48d1-9026-133597824fa9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-07 02:49 718704]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDvUlm]
mlJDvUlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\azs5RWbmQ]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-25 21:47 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2000-04-18 15:42 409600 C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQInet]
--a------ 2000-06-20 11:10 237568 c:\compaq\CPQInet\CpqInet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Dashboard]
--a------ 2000-05-28 00:05 77824 C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-02-26 01:01 437160 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadQM]
--a------ 2000-05-03 17:23 7536 C:\WINDOWS\LOADQM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 14:16 5058560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2003-10-06 14:16 49152 C:\WINDOWS\system32\NVMCTRAY.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-07 02:49 718704 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2004-08-29 13:07 91648 C:\WINDOWS\realtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
--a------ 2008-04-24 16:52 259392 C:\Program Files\ThreatFire\TFTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ukmhl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit
"NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
"medicsp2"=C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\WINDOWS\\System32\\dplaysvr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\System32\\mmc.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe [2007-03-07 11:54]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab1610c4-4bc9-11d9-b4d6-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 23:07:26 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-19 15:00:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-16 14:07:52 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - default.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 11:49:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 11:52:21
ComboFix-quarantined-files.txt 2008-05-19 15:52:14
ComboFix4.txt 2008-04-02 15:34:44
ComboFix3.txt 2008-04-10 13:06:28
ComboFix2.txt 2008-04-13 13:58:18

Pre-Run: 13,266,616,320 bytes free
Post-Run: 13,582,172,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

410 --- E O F --- 2008-05-16 04:20:36

#4 Thunder

Members, 3,294 posts, Gender: Male, Location: Belgium

Posted 20 May 2008 - 03:29 AM

Hello LaurenCP,

Well done. :thumbsup:

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
C:\WINDOWS\BM206522d5.xml
Folder::
C:\Temp\maxsv15
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9bf1ae1f-8178-48d1-9026-133597824fa9}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDvUlm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\azs5RWbmQ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ukmhl]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log, as well as a fresh HijackThis log, in your next reply.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right.
  • Check the box that says: "Accept License Agreement"
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Are you still having problems ?

Greetings,
Thunder

Edited by Thunder, 20 May 2008 - 03:30 AM.


#5 LaurenCP (Topic Starter)

Members, 21 posts

Posted 23 May 2008 - 08:53 AM

Included are the two logs you requested. No other problems except for...

As I was researching yesterday, I came across a service in services.msc that looked odd to me. It points to a temp file, although my temp files are cleaned up. The service is e.exe (benpao trojan?) and its startup type is switched to manual. I don't know if this is still causing any issues, since the temp file itself is gone. There are entries in both of the logs for this (in red). Please let me know if there is anything that can be done about this, as it makes me nervous to have it listed, even if it isn't an issue.

COMBOFIX LOG:

ComboFix 08-05-21.3 - default 2008-05-23 8:41:51.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.118 [GMT -4:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\default\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM206522d5.xml
.

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 08:51 . 2008-05-22 08:51 0 --a------ C:\WINDOWS\SYSTEM32\V
2008-05-22 08:49 . 2008-05-22 08:49 12,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PROCEXP111.SYS
2008-05-19 08:28 . 2008-05-19 08:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 08:28 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 08:28 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-16 09:34 . 2008-05-16 09:34 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-16 09:34 . 2008-05-16 09:34 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-16 09:33 . 2008-05-16 09:35 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-05-16 09:33 . 2008-05-16 09:35 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-16 09:33 . 2008-05-16 09:35 10,563 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-05-16 09:33 . 2008-05-16 09:35 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-05-16 09:02 . 2008-05-16 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-15 12:37 . 2008-05-15 12:37 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-14 08:45 . 2008-05-14 08:45 <DIR> d-------- C:\Program Files\ThreatFire
2008-05-14 08:45 . 2008-05-14 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-14 08:45 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfFsMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfSysMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfNetMon.sys
2008-05-14 08:45 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfKbMon.sys
2008-05-13 14:59 . 2008-05-13 14:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 16:19 . 2008-05-12 16:19 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-12 16:06 . 2008-05-12 16:06 <DIR> d-------- C:\Documents and Settings\default\Application Data\Microsoft Web Folders
2008-05-12 13:11 . 2008-05-12 13:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-12 12:28 . 2008-05-12 12:28 <DIR> d-------- C:\Program Files\Symantec
2008-05-12 12:28 . 2008-05-12 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 12:26 . 2008-05-12 12:26 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-07 09:12 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-05-07 09:12 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-05-07 09:10 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005891_.tmp
2008-05-05 15:24 . 2008-05-05 15:24 <DIR> d-------- C:\Documents and Settings\default\SecurityScans
2008-05-04 18:31 . 2008-05-04 18:31 <DIR> d-------- C:\Documents and Settings\default\Application Data\Microsoft Help
2008-05-04 18:30 . 2008-05-04 18:31 <DIR> d-------- C:\Program Files\SDFix
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Program Files\twc
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Documents and Settings\default\Application Data\SupportSoft
2008-05-03 00:31 . 2008-05-03 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-05-02 22:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-02 22:39 . 2008-05-02 22:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-01 16:30 . 2008-05-01 16:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-01 16:30 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2008-05-01 16:23 . 2008-05-01 16:23 1,642 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-25 14:34 . 2008-04-25 14:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-04-25 14:18 . 2008-04-25 14:18 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 02:46 76,504 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2008-04-18 19:47 --------- d-----w C:\Documents and Settings\default\Application Data\Corel
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\SYSTEM32\Dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 09:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 09:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 98,304 ----a-w C:\WINDOWS\SYSTEM32\actxprxy.dll
2008-04-14 09:40 67,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pmigrate.dll
2008-04-14 09:40 53,760 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pintlcsd.dll
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 09:40 175,104 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pintlcsa.dll
2008-04-14 09:40 15,872 ----a-w C:\WINDOWS\SYSTEM32\dllcache\padrs404.dll
2008-04-14 09:40 15,360 ----a-w C:\WINDOWS\SYSTEM32\dllcache\padrs804.dll
2008-04-14 06:30 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-14 04:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:57 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-14 04:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 04:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 04:25 202,624 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-04-14 04:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 04:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 04:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 04:23 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 04:23 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 04:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 04:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 04:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 04:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 04:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 04:15 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-14 04:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 04:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 04:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 04:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 04:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 04:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 04:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 04:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 04:09 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-14 04:09 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys
2008-04-14 04:09 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-14 04:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-14 04:09 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-14 04:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-14 04:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-14 04:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-14 04:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-14 04:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-14 04:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-14 04:05 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-14 04:03 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-14 04:03 129,792 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
2008-04-14 04:02 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
.

------- Sigcheck -------

2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SYSTEM32\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll

2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SYSTEM32\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SYSTEM32\WININET.DLL
2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-03-01 09:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SoftwareDistribution\Download\0e573dbed32e8bd8f7ba833ffcfb788c\SP2GDR\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\SoftwareDistribution\Download\0e573dbed32e8bd8f7ba833ffcfb788c\SP2QFE\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-09-29 13:27 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-03-10 03:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2007-06-27 10:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2005-03-10 04:02 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 10:35 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll

2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-03-13 21:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SYSTEM32\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\ServicePackFiles\i386\ndis.sys

2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\$NtServicePackUninstall$\ip6fw.sys
2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys

2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-20 23:36 2057984 501c033d08ac37c4be751633ab02197c C:\WINDOWS\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe

2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2006-02-21 00:01 2180992 df4d09b676964646fa166a78c816b4c3 C:\WINDOWS\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe

2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SYSTEM32\services.exe
2004-08-04 02:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\ServicePackFiles\i386\services.exe

2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SYSTEM32\lsass.exe
2004-08-04 02:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SYSTEM32\ctfmon.exe
2004-08-04 02:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-22_15.40.45.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 18:45:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 12:34:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-16 09:37 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\WINDOWS\\System32\\dplaysvr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\System32\\mmc.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe [2007-03-07 11:54]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 E;E;C:\DOCUME~1\default\LOCALS~1\Temp\E.exe []
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 12:47:36 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-22 12:47:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-20 00:30:28 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - default.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 08:48:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-23 9:04:14
ComboFix-quarantined-files.txt 2008-05-23 12:51:20
ComboFix5.txt 2008-04-10 13:06:28
ComboFix4.txt 2008-04-13 13:58:18
ComboFix3.txt 2008-05-19 15:52:26
ComboFix2.txt 2008-05-22 19:42:04

Pre-Run: 14,822,899,712 bytes free
Post-Run: 14,825,455,616 bytes free

324 --- E O F --- 2008-05-16 04:20:36

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:54 AM, on 5/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...bar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189284683822
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189284869029
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: E - Unknown owner - C:\DOCUME~1\default\LOCALS~1\Temp\E.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 9280 bytes

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 24 May 2008 - 04:56 AM

Hello LaurenCP,

Go to Start > Run, and copy and paste the next command in the field: sc delete E and click OK/Enter.
That entry should be gone upon reboot.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
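As an added example, not code from the thread or from either tool, here is a small triage script that reads the two service-entry formats shown in the logs above (the ComboFix `R*/S*` service lines and the HijackThis `O23` lines), flags a service whose image file is reported missing or lives under a user's Temp folder, and prints the `sc delete <name>` fix Thunder gave. The sample lines are constructed in the shape of the logs above; the line formats are assumed from what the logs show.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the ComboFix service section and the
# HijackThis O23 lines in the logs above (not a copy of either full log).
COMBOFIX_SAMPLE = [
    r"R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]",
    r'R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []',
    r"R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []",
    r"S3 E;E;C:\DOCUME~1\default\LOCALS~1\Temp\E.exe []",
]
HJT_SAMPLE = [
    r"O23 - Service: E - Unknown owner - C:\DOCUME~1\default\LOCALS~1\Temp\E.exe (file missing)",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
    r"O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe",
]

# ComboFix: "<start> <name>;<display>;<image and args> [<file timestamp, empty if unreadable>]"
COMBOFIX_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$")
# HijackThis: "O23 - Service: <display> (<name>)? - <owner> - <path>( (file missing))?"
HJT_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# First executable-looking token, quoted or bare, so trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|sys|dll))"?(?:\s|$)', re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

@dataclass
class Finding:
    source: str
    name: str   # short service name, which is what "sc delete" expects
    path: str
    strong: list = field(default_factory=list)  # reasons that justify removal
    weak: list = field(default_factory=list)    # reasons that only merit a closer look

    def remediation(self) -> str:
        return f"sc delete {self.name}"  # the command the helper gave in the thread

def image_path(raw: str) -> str:
    m = EXE_RE.match(raw.strip())
    return m.group("path") if m else raw.strip()

def parse_line(line: str):
    """Return a Finding for a ComboFix or HijackThis service line, else None."""
    if m := COMBOFIX_RE.match(line):
        f = Finding("combofix", m["name"].strip(), image_path(m["image"]))
        if not m["stamp"]:  # legitimate quoted/argumented entries also show "[]", so weak only
            f.weak.append("ComboFix could not timestamp the image file")
    elif m := HJT_RE.match(line):
        f = Finding("hijackthis", (m["name"] or m["display"]).strip(), m["path"].strip())
        if m["missing"]:
            f.strong.append("HijackThis reports the image file missing")
    else:
        return None
    if any(marker in f.path.lower() for marker in TEMP_MARKERS):
        f.strong.append("service image lives under a per-user Temp directory")
    return f

def triage(lines):
    """Keep only parsed service entries that carry at least one strong reason."""
    return [f for f in map(parse_line, lines) if f is not None and f.strong]

if __name__ == "__main__":
    for f in triage(COMBOFIX_SAMPLE + HJT_SAMPLE):
        print(f"{f.source}: {f.name} -> {f.path}; {'; '.join(f.strong)}; fix: {f.remediation()}")
```

Note that an empty `[]` timestamp alone is not conclusive: the legitimate LiveUpdate Notice entry shows one too because its image path carries arguments, which is why the script treats it as a weak signal and the Temp-folder location as the strong one.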

#7 LaurenCP

LaurenCP
  • Topic Starter
  • Members
  • 21 posts

Posted 28 May 2008 - 07:29 AM

That did it... thanks so much for your help..

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 28 May 2008 - 08:28 AM

Glad we could help, LaurenCP :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.