
Spyclean And Newdot Keep Returning


  • This topic is locked
27 replies to this topic

#1 zelitha

zelitha

  • Members
  • 15 posts

Posted 29 May 2008 - 07:09 PM

I recently posted in the Am I Infected forum and was redirected here.
I have done a HJT log and need help with it. I have been removing trojans, etc. from the PC all week.
Windows XP, using Ad-Aware, Spybot S&D, Malwarebytes, BitDefender Online, and others. Any help reading it to see if I am clean or not would be appreciated greatly.

--------------------------------------------------------------------------------

From: //Mod Edit to remove email address to protect.
Date: May 29, 2008 5:32 PM

--------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:28 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B108A421-50F8-4B44-8FDA-4E2647501BB4} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 5487 bytes

KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 10:40:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 813686


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 68123
Number of viruses found 4
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 01:26:25

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Donna\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Donna\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Donna\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\upgrade[1].cab/upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\upgrade[1].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\upgrade[1].cab CAB: infected - 3 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[1].cab/upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.e skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[1].cab/upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[1].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[1].cab CAB: infected - 4 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[2].cab/upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[2].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[2].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\upgrade[2].cab CAB: infected - 3 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001112.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{747824EA-FD06-4370-A870-BB1D9F327B45}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_660.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by zelitha, 30 May 2008 - 12:15 AM.
to edit email addresses



#2 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 30 May 2008 - 01:17 PM

Hi

I'd like to see the logs from some of the programs you have run ...

Any logs you have from these 3 :-

Deckard System Scanner
malwarebytes
SmitfraudFix

HijackThis shows no active malware, but does show several orphan malware registry keys ...

Have you run ComboFix?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
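Added example, not code from the thread or from HijackThis: a small Python triage that parses the item lines of an HJT log and flags the orphan pattern steamwiz refers to, entries whose backing file is gone. The sample lines are a constructed subset copied from the log posted above; the AUTOSTART_SECTIONS grouping and the severity labels are the example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for orphaned entries.

HJT item lines look like "O2 - BHO: <name> - {CLSID} - <path>". After a
cleanup the registry often still points at DLLs that no longer exist; HJT
prints those as "(no file)" or "(file missing)". Such leftovers are inert
but show where something was registered, so they are worth listing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the log in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B108A421-50F8-4B44-8FDA-4E2647501BB4} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# "R0 - ...", "O2 - ...", "F2 - ..." item lines; everything else (process
# list, header, blank lines) is ignored by the parser.
ITEM_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption of this example: sections that load code at logon/startup.
# An orphan there means something was registered to autostart, so it is
# rated higher than a dead browser helper object.
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}


@dataclass
class Finding:
    section: str
    body: str
    reason: str             # "orphan" or "unknown_owner"
    severity: str           # "high", "medium" or "info"
    clsid: Optional[str] = None


def classify(section: str, body: str) -> Optional[Finding]:
    """Return a Finding for one parsed item line, or None if it looks clean."""
    lower = body.lower()
    m = CLSID_RE.search(body)
    clsid = m.group(0) if m else None
    if "(no file)" in lower or "(file missing)" in lower:
        sev = "high" if section in AUTOSTART_SECTIONS else "medium"
        return Finding(section, body, "orphan", sev, clsid)
    if section == "O23" and "unknown owner" in lower:
        # Services with no publisher string are not malicious per se, but a
        # helper will usually want to look them up; report at info level.
        return Finding(section, body, "unknown_owner", "info", clsid)
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse an HJT log and return findings in the order they appear."""
    findings = []
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue
        f = classify(m.group("section"), m.group("body"))
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity for a quick 'N orphans, nothing active' verdict."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section} {f.reason}: {f.body}")
    print(summarize(results))
```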

#3 zelitha

zelitha
  • Topic Starter

  • Members
  • 15 posts

Posted 30 May 2008 - 09:50 PM

SmitFraudFix v2.320

Scan done at 14:04:51.39, Thu 05/15/2008
Run from C:\Documents and Settings\Donna\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af73a174-ea1b-4f0b-b0b1-fe1486a6719c}"="communa"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.175.128.46
DNS Server Search Order: 65.175.128.47

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B59ED0AC-52EB-49E1-86F1-A6DB3166E7E7}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B59ED0AC-52EB-49E1-86F1-A6DB3166E7E7}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B59ED0AC-52EB-49E1-86F1-A6DB3166E7E7}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af73a174-ea1b-4f0b-b0b1-fe1486a6719c}"="communa"



»»»»»»»»»»»»»»»»»»»»»»»» End

Malwarebytes' Anti-Malware 1.12
Database version: 752

Scan type: Quick Scan
Objects scanned: 45057
Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 31
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 52

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\msn messenger\msimg32.dll (Adware.MyWebSearch) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\otythndx.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\473d1b29f95b96241830b6a6ade19368 (Rogue.RegistryBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5a144bd76064d1645b6e74c0734ee406 (Rogue.RegistryBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\965dcc82bc551df439b28676f8ab79e0 (Rogue.RegistryBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d1a7b48-41aa-4f75-940a-09beb9073fa7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cf135fb (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{af73a174-ea1b-4f0b-b0b1-fe1486a6719c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM8fc20667 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\527631 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\msn messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\bturgtbc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cbtgrutb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\etfokjnf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fnjkofte.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fjcwkvmu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\umvkwcjf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gupdlofl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lfoldpug.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jqgqpwdv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vdwpqgqj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jypuavip.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pivaupyj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mllmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kmllm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kmllm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\otythndx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xdnhtyto.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ajncibob.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bmnnipkr.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dwexttct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fuludxjd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gjadodty.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\glnroocc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gmkbyhvx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gtcehdns.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hbmkcdoq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jybkhmwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kklegcta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kmqmrffp.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lblwjwul.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mkeuqxdm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nbxedcfr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nkvmhcrl.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nwuontsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qbketuhc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qdsba.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qfvfykfl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qubevocc.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sipiqsoi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\teelxwxd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tfhjybhf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uexkdcqx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uhkhgiyk.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uumpojge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vrisnbgh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xvfxprys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\527631\527631.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vpiuxcax.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\gewfervd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awtqn(2).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nqtwa.ini (Malware.Trace) -> Quarantined and deleted successfully.

Edited by zelitha, 30 May 2008 - 09:53 PM.


#4 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 31 May 2008 - 05:11 PM

Hi

These are NOT infected with anything, they are simply the tools SmitfraudFix needs to do its job.

C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe RAR: infected - 1 skipped


These can be deleted as you no longer need them :-

C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix ... folder

C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix.exe ... file


Paste this into your address bar & press go :-


C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\


Delete the following folders :-

OT6N85YN ... folder
81EB01AJ ... folder

You never answered this question?

Have you run Combofix ?

So I'll take that as a NO :thumbsup:

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
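An added triage example, not part of this thread and not the helpers' own procedure: a small Python script that reads saved HijackThis, ComboFix and Malwarebytes lines and pulls out the persistence points that make a Vundo-class infection "keep returning". Those are a Winlogon Notify DLL (loaded into winlogon.exe at boot, before any user logs on), an extra entry in LSA "Authentication Packages" (loaded into lsass.exe, which an on-demand scanner cannot unload), Run entries that start a DLL through rundll32, BHO CLSIDs whose DLL is already gone, and the Vundo habit of dropping a random-named system32 DLL next to an .ini or .ini2 whose name is the DLL name reversed (awtqn.dll and nqtwa.ini in the logs posted here). The sample log is constructed for the example in the shape of the lines in this thread; the KNOWN_SYSTEM32 allowlist and the 5-8 lowercase-letter "random name" heuristic are assumptions to tune against a clean machine, not a signature.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the HijackThis, ComboFix and Malwarebytes
# lines posted in this thread; it is not a verbatim copy of any log above.
SAMPLE_LOG = r"""
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {B108A421-50F8-4B44-8FDA-4E2647501BB4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL,UPF
O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\SYSTEM32\qfvfykfl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nqtwa.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dnsrslvr.dll
"""

# Assumption: a tiny allowlist of legitimate short lowercase system32 names.
# Extend it from a clean reference machine before trusting the name heuristic.
KNOWN_SYSTEM32: Set[str] = {
    "dnsrslvr", "dnsapi", "gdi32", "msv1_0", "schannel", "digest", "msnsspc", "msapsspc",
}

PATH_RE = re.compile(r"system32\\([a-z0-9_]+)\.(dll|ini2?)\b", re.I)
RANDOM_RE = re.compile(r"^[a-z]{5,8}$")
LSA_RE = re.compile(r'"Authentication Packages"\s*=\s*(.+)')
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$", re.M)
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$", re.M)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$", re.M)


def system32_names(log: str) -> Dict[str, Set[str]]:
    """Map each lowercase basename seen under system32 to the extensions seen for it."""
    seen: Dict[str, Set[str]] = {}
    for base, ext in PATH_RE.findall(log):
        seen.setdefault(base.lower(), set()).add(ext.lower())
    return seen


def reversed_name_pairs(log: str) -> List[Tuple[str, str]]:
    """Vundo drops <name>.dll beside <eman>.ini / <eman>.ini2 that hold its configuration."""
    seen = system32_names(log)
    pairs: List[Tuple[str, str]] = []
    for base, exts in sorted(seen.items()):
        if "dll" not in exts:
            continue
        mirror = base[::-1]
        for ext in ("ini", "ini2"):
            if ext in seen.get(mirror, set()):
                pairs.append((base + ".dll", mirror + "." + ext))
    return pairs


def random_looking_dlls(log: str) -> List[str]:
    """Short all-lowercase DLL names in system32 that are not on the allowlist."""
    seen = system32_names(log)
    return sorted(b + ".dll" for b, e in seen.items()
                  if "dll" in e and RANDOM_RE.match(b) and b not in KNOWN_SYSTEM32)


def extra_lsa_packages(log: str) -> List[str]:
    """Anything besides msv1_0 listed here is loaded into lsass.exe at boot."""
    extras: List[str] = []
    for m in LSA_RE.finditer(log):
        extras.extend(t for t in m.group(1).split() if t.lower() != "msv1_0")
    return extras


def winlogon_notify(log: str) -> List[dict]:
    """O20 entries: DLLs winlogon.exe loads before any user logs on."""
    return [{"key": key, "dll": rest.replace(" (file missing)", ""),
             "missing": "(file missing)" in rest} for key, rest in O20_RE.findall(log)]


def bho_without_file(log: str) -> List[str]:
    """CLSIDs still registered as BHOs whose DLL has already been removed."""
    return [clsid for _name, clsid, path in O2_RE.findall(log) if path.strip() == "(no file)"]


def rundll32_autoruns(log: str) -> List[Tuple[str, str]]:
    """Run entries that load a DLL through rundll32, the way M3PLUGIN.DLL starts here."""
    return [(name, cmd.split(None, 1)[1]) for _hive, name, cmd in O4_RE.findall(log)
            if cmd.lower().startswith("rundll32 ")]


def triage(log: str) -> Dict[str, list]:
    """Run every check and return the findings keyed by check name."""
    return {
        "reversed_name_pairs": reversed_name_pairs(log),
        "random_looking_dlls": random_looking_dlls(log),
        "extra_lsa_packages": extra_lsa_packages(log),
        "winlogon_notify": winlogon_notify(log),
        "bho_without_file": bho_without_file(log),
        "rundll32_autoruns": rundll32_autoruns(log),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits if hits else 'none'}")
```

Pipe a saved log into `triage()` and act on the LSA and Winlogon Notify hits first: those two load into SYSTEM processes at boot and re-create the user-mode pieces, which is why quarantining the DLLs listed by an on-demand scanner alone does not hold. The reversed-name check is the least noisy of the five; the short-name heuristic is only a prompt to look, as dnsrslvr.dll in the sample shows.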

#5 zelitha

zelitha
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 31 May 2008 - 07:14 PM

I have run Deckard and ComboFix. After ComboFix finished, I lost my desktop icons and couldn't get them back. ComboFix creates a system restore point before it scans, so I reverted back to that restore point. I got my desktop and icons, folders, etc. back. But now I thought about trying to manually remove what the ComboFix scan showed it had removed.
Here's the scan.... I'm scared to run ComboFix, not sure what happened the first time, but I will try if these files don't help you .....

ComboFix 08-05-29.1 - Donna 2008-05-27 22:11:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -6:00]
Running from: C:\Documents and Settings\Donna\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
C:\WINDOWS\BM8fc20667.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abvckxpf.ini
C:\WINDOWS\system32\afmvbkjl.ini
C:\WINDOWS\system32\amqbtaxv.ini
C:\WINDOWS\system32\bcljutkb.ini
C:\WINDOWS\system32\bldtktfh.ini
C:\WINDOWS\system32\cjtkcmrp.ini
C:\WINDOWS\system32\deglbbes.ini
C:\WINDOWS\SYSTEM32\dhidhysd.ini
C:\WINDOWS\system32\dmbpperx.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\SYSTEM32\fplwthpp.ini
C:\WINDOWS\SYSTEM32\gsapetup.ini
C:\WINDOWS\SYSTEM32\hpijhhnt.ini
C:\WINDOWS\system32\hvowtakc.ini
C:\WINDOWS\SYSTEM32\iaqobdvp.ini
C:\WINDOWS\SYSTEM32\ihesqbyu.ini
C:\WINDOWS\system32\ipugrdxp.ini
C:\WINDOWS\system32\iqcnenhq.ini
C:\WINDOWS\system32\jlqkfxmr.ini
C:\WINDOWS\SYSTEM32\jlqxbhwr.ini
C:\WINDOWS\system32\jwwoyexy.ini
C:\WINDOWS\system32\lhtrrjgc.ini
C:\WINDOWS\SYSTEM32\lieyiunr.ini
C:\WINDOWS\system32\lknislfs.ini
C:\WINDOWS\system32\lveyegqs.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\miyskqxh.ini
C:\WINDOWS\system32\mjayctbw.ini
C:\WINDOWS\SYSTEM32\mmhekyym.ini
C:\WINDOWS\system32\mrloupke.ini
C:\WINDOWS\system32\nfqemagr.ini
C:\WINDOWS\SYSTEM32\nhxqbknx.ini
C:\WINDOWS\system32\nkufxplt.ini
C:\WINDOWS\SYSTEM32\nqtwa.ini2
C:\WINDOWS\SYSTEM32\oapkrmen.ini
C:\WINDOWS\system32\ofacpirg.ini
C:\WINDOWS\SYSTEM32\okbslhgx.ini
C:\WINDOWS\system32\oyvmywvm.ini
C:\WINDOWS\system32\qopmkqbr.ini
C:\WINDOWS\system32\qqhksubr.ini
C:\WINDOWS\system32\qsgixflc.ini
C:\WINDOWS\SYSTEM32\roqqvsfc.ini
C:\WINDOWS\system32\tlyduirr.ini
C:\WINDOWS\system32\tqupbvdo.ini
C:\WINDOWS\system32\vrgmwphv.ini
C:\WINDOWS\system32\vrvckxvg.ini
C:\WINDOWS\SYSTEM32\wibrjpxi.ini
C:\WINDOWS\SYSTEM32\woifukoi.ini
C:\WINDOWS\system32\xinlfbhq.ini
C:\WINDOWS\system32\xpbicqnc.ini
C:\WINDOWS\system32\xsglkfcr.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\SYSTEM32\LXBOUSCI.INI
2008-05-26 20:53 . 2008-05-26 20:53 <DIR> d-------- C:\Deckard
2008-05-21 18:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 18:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 18:00 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-21 18:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 18:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 18:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 10:36 . 2008-05-29 12:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56 . 2008-05-20 14:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-20 13:54 . 2008-05-20 13:54 <DIR> d-------- C:\VundoFix Backups
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:21 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-20 13:16 . 2008-05-20 13:17 153 --a------ C:\WINDOWS\wininit.ini
2008-05-20 11:20 . 2008-05-20 11:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20 . 2008-05-20 11:20 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18 . 2008-05-16 19:18 <DIR> d-------- C:\fsaua.data
2008-05-15 14:13 . 2008-05-28 17:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-15 14:13 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-14 17:55 . 2008-05-14 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 16:50 . 2008-05-14 16:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49 . 2008-05-15 14:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04 . 2008-05-21 18:04 1,536 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-14 13:27 . 2008-05-20 11:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 13:27 . 2008-05-20 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22 . 2008-05-20 13:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 15:48 . 2008-05-16 23:04 680 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-05-07 18:45 . 2008-05-29 11:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 18:45 . 2008-05-29 11:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 18:14 . 2008-05-07 18:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:16 . 2008-05-07 16:16 13 --a------ C:\WINDOWS\SYSTEM32\8cf12775
2008-05-07 16:08 . 2008-05-07 16:14 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51 . 2008-05-07 15:51 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54 . 2008-05-21 16:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-28 20:59 . 2008-04-28 20:59 67 --a------ C:\WINDOWS\SYSTEM32\webcherm.dll
2008-04-08 17:11 . 2008-04-15 19:49 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-07 10:31 . 2008-04-07 10:31 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 05:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-14 18:39 --------- d-----w C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 00:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-09 00:18 --------- d-----w C:\Program Files\Real
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2006-01-06 00:11 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL" [ ]

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-09-22 17:39:23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
backup=C:\WINDOWS\pss\KeenValue.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeenValue]
C:\Program Files\Common files\KeenValue\KeenValue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2001-06-26 18:49 86016 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-03-05 01:40 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-05-04 00:38 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-09-18 21:52 36864 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-17 13:55 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2002-12-24 17:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:05]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 11:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 11:29]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net/
Rootkit scan 2008-05-27 22:19:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1736] 0x8239B5D0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\SYSTEM32\ScsiAccess.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-05-27 22:29:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 04:29:15

Pre-Run: 68,394,422,272 bytes free
Post-Run: 68,449,574,912 bytes free

273 --- E O F --- 2008-05-27 04:59:37


Deckard's System Scanner v20071014.68
Run by Donna on 2008-05-27 21:51:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Donna.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:07 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Donna\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Donna.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B108A421-50F8-4B44-8FDA-4E2647501BB4} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL,UPF
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 5786 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-26 23:44:26 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers>
2008-05-27 23:44:26 0 d-------- C:\Program Files\FunWebProducts
2008-05-27 23:44:09 0 d-------- C:\Program Files\MyWebSearch
2008-05-27 13:48:02 51 --a------ C:\Documents and Settings\All Users\lxdd
2008-05-21 18:00:42 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-21 18:00:42 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-21 18:00:42 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-21 18:00:42 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-21 18:00:42 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-21 18:00:42 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-21 18:00:42 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-21 18:00:41 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org;/ Command Line Process Utility>
2008-05-21 10:36:07 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56:51 0 d-------- C:\Program Files\Alwil Software
2008-05-20 13:54:17 0 d-------- C:\VundoFix Backups
2008-05-20 13:31:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:31:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 11:20:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20:26 2542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18:50 0 d-------- C:\fsaua.data
2008-05-15 14:13:12 0 d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-14 17:55:20 0 d-------- C:\Program Files\Trend Micro
2008-05-14 16:50:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49:21 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04:26 1536 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-14 13:27:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22:49 0 d-------- C:\Program Files\SpywareBlaster
2008-05-07 18:39:37 0 --a------ C:\Documents and Settings\Donna\NULL
2008-05-07 18:14:54 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:16:51 13 --a------ C:\WINDOWS\system32\8cf12775
2008-05-07 16:08:36 0 d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51:59 0 d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54:29 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-05-27 23:46:38 0 d-------- C:\Program Files\MSN Messenger
2008-05-27 22:25:27 77 --a------ C:\WINDOWS\popcinfo.dat
2008-05-14 16:50:43 0 d-a------ C:\Program Files\Common Files
2008-05-14 12:39:45 0 d-------- C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 16:33:29 1037750 --ahs---- C:\WINDOWS\system32\nqtwa.ini2
2008-05-07 18:21:53 0 d-------- C:\Program Files\Yahoo!
2008-04-28 20:59:03 67 --a------ C:\WINDOWS\system32\webcherm.dll
2008-04-15 19:49:45 0 d-------- C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-08 18:18:43 0 d-------- C:\Program Files\Real
2008-04-07 10:31:27 0 d-------- C:\Documents and Settings\Donna\Application Data\Yahoo!


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B108A421-50F8-4B44-8FDA-4E2647501BB4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 05:19 PM]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL" []

C:\Documents and Settings\Donna\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start
Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
backup=C:\WINDOWS\pss\KeenValue.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeenValue]
C:\Program Files\Common files\KeenValue\KeenValue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet




-- End of Deckard's System Scanner: finished at 2008-05-27 21:52:46
------------

#6 steamwiz

Posted 01 June 2008 - 02:18 PM

Hi

I have run Deckard and ComboFix. After Combo finished, I lost my desktop icons and couldn't get them back. ComboFix does a system restore point before it scans, so I reverted back to that restore point. I got my desktop and icons, folders, etc. back. But now I thought about trying to manually remove what the ComboFix scan showed it had removed.
Here's the scan.... scared to run ComboFix, not sure what happened the first time, but I will try if these files don't help you


The ComboFix & Deckard's System Scanner logs are 5 days old ... I need to see a new ComboFix log ...

You know that a system restore will set your computer back to before you ran ComboFix, so you can be happy with the knowledge you can do that again if the need arises .. :thumbsup:

However, it was probably only the fact that explorer.exe was not running after removing the malware which caused this ... 2 things you could have tried instead of a system restore :-

1. Ctrl-Alt-Del & bring up Task Manager > click File > New Task (Run) > enter explorer & click OK

2. Reboot ... this will restart explorer & restore your desktop.

So please run ComboFix again ...

Then run & post a new KASPERSKY ONLINE SCANNER REPORT

If you are not happy about any of this or want to ask any questions first, please do :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#7 zelitha

Posted 02 June 2008 - 12:46 AM

Here is the ComboFix log and the Kaspersky scan. Thanks for helping me. I would love to learn how to read these scans and HJT logs.


Date: Jun 1, 2008 10:49 PM

ComboFix 08-05-29.1 - Donna 2008-06-01 21:22:59.1 - NTFSx86
Running from: C:\Documents and Settings\Donna\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abvckxpf.ini
C:\WINDOWS\system32\afmvbkjl.ini
C:\WINDOWS\system32\amqbtaxv.ini
C:\WINDOWS\SYSTEM32\bcljutkb.ini
C:\WINDOWS\system32\bldtktfh.ini
C:\WINDOWS\SYSTEM32\cjtkcmrp.ini
C:\WINDOWS\system32\deglbbes.ini
C:\WINDOWS\SYSTEM32\dhidhysd.ini
C:\WINDOWS\system32\dmbpperx.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fplwthpp.ini
C:\WINDOWS\system32\gsapetup.ini
C:\WINDOWS\system32\hpijhhnt.ini
C:\WINDOWS\SYSTEM32\hvowtakc.ini
C:\WINDOWS\system32\iaqobdvp.ini
C:\WINDOWS\system32\ihesqbyu.ini
C:\WINDOWS\system32\ipugrdxp.ini
C:\WINDOWS\system32\iqcnenhq.ini
C:\WINDOWS\system32\jlqkfxmr.ini
C:\WINDOWS\system32\jlqxbhwr.ini
C:\WINDOWS\system32\jwwoyexy.ini
C:\WINDOWS\system32\lhtrrjgc.ini
C:\WINDOWS\SYSTEM32\lieyiunr.ini
C:\WINDOWS\system32\lknislfs.ini
C:\WINDOWS\system32\lveyegqs.ini
C:\WINDOWS\SYSTEM32\miyskqxh.ini
C:\WINDOWS\system32\mjayctbw.ini
C:\WINDOWS\system32\mmhekyym.ini
C:\WINDOWS\SYSTEM32\mrloupke.ini
C:\WINDOWS\SYSTEM32\nfqemagr.ini
C:\WINDOWS\SYSTEM32\nhxqbknx.ini
C:\WINDOWS\system32\nkufxplt.ini
C:\WINDOWS\SYSTEM32\oapkrmen.ini
C:\WINDOWS\system32\ofacpirg.ini
C:\WINDOWS\SYSTEM32\okbslhgx.ini
C:\WINDOWS\system32\oyvmywvm.ini
C:\WINDOWS\SYSTEM32\qopmkqbr.ini
C:\WINDOWS\SYSTEM32\qqhksubr.ini
C:\WINDOWS\system32\qsgixflc.ini
C:\WINDOWS\system32\roqqvsfc.ini
C:\WINDOWS\SYSTEM32\tlyduirr.ini
C:\WINDOWS\system32\tqupbvdo.ini
C:\WINDOWS\system32\vrgmwphv.ini
C:\WINDOWS\system32\vrvckxvg.ini
C:\WINDOWS\system32\webcherm.dll
C:\WINDOWS\SYSTEM32\wibrjpxi.ini
C:\WINDOWS\SYSTEM32\woifukoi.ini
C:\WINDOWS\system32\xinlfbhq.ini
C:\WINDOWS\system32\xpbicqnc.ini
C:\WINDOWS\system32\xsglkfcr.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\SYSTEM32\LXBOUSCI.INI
2008-05-30 22:52 . 2008-05-31 00:01 <DIR> d-------- C:\RECYCLER(2)
2008-05-26 20:53 . 2008-05-26 20:53 <DIR> d-------- C:\Deckard
2008-05-21 18:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 18:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 18:00 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-21 18:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 18:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 18:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 10:36 . 2008-05-29 12:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56 . 2008-05-20 14:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-20 13:54 . 2008-05-20 13:54 <DIR> d-------- C:\VundoFix Backups
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:21 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-20 13:16 . 2008-05-20 13:17 153 --a------ C:\WINDOWS\wininit.ini
2008-05-20 11:20 . 2008-05-20 11:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20 . 2008-05-20 11:20 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18 . 2008-05-16 19:18 <DIR> d-------- C:\fsaua.data
2008-05-15 14:13 . 2008-05-28 17:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-15 14:13 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-14 17:55 . 2008-05-14 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 16:50 . 2008-05-14 16:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49 . 2008-05-15 14:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04 . 2008-05-21 18:04 1,536 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-14 13:27 . 2008-05-20 11:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 13:27 . 2008-05-20 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22 . 2008-05-20 13:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 15:48 . 2008-05-16 23:04 680 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-05-07 18:45 . 2008-05-29 11:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 18:45 . 2008-05-29 11:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 18:14 . 2008-05-07 18:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:16 . 2008-05-07 16:16 13 --a------ C:\WINDOWS\SYSTEM32\8cf12775
2008-05-07 16:08 . 2008-05-07 16:14 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51 . 2008-05-07 15:51 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54 . 2008-05-21 16:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 05:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-14 18:39 --------- d-----w C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 00:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 01:49 --------- d-----w C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-09 00:18 --------- d-----w C:\Program Files\Real
2008-04-07 16:31 --------- d-----w C:\Documents and Settings\Donna\Application Data\Yahoo!
2006-01-06 00:11 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL" [ ]

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-09-22 17:39:23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
backup=C:\WINDOWS\pss\KeenValue.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeenValue]
C:\Program Files\Common files\KeenValue\KeenValue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2001-06-26 18:49 86016 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-03-05 01:40 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-05-04 00:38 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-09-18 21:52 36864 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-17 13:55 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2002-12-24 17:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:05]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 11:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 11:29]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net/
Rootkit scan 2008-06-01 21:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\SYSTEM32\ScsiAccess.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-01 21:38:52 - machine was rebooted [Donna]
ComboFix-quarantined-files.txt 2008-06-02 03:38:44

Pre-Run: 67,860,205,568 bytes free
Post-Run: 67,856,683,008 bytes free

258 --- E O F --- 2008-06-02 01:42:08
--------------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 12:15:46 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821554


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 63677
Number of viruses found 5
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 01:14:54

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080530215147\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Deckard\System Scanner\20080530215147\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\Deckard\System Scanner\20080530215147\backup\WINDOWS\temp\NN_6.tmp\upgrade.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Donna\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Donna\Desktop\robins\virus removal disc1\some programs used\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Documents and Settings\Donna\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Donna\ntuser.dat Object is locked skipped
C:\Documents and Settings\Donna\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Donna\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0005462.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0005463.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0005464.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0006201.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0006202.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0006203.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001112.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{747824EA-FD06-4370-A870-BB1D9F327B45}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_660.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by zelitha, 02 June 2008 - 01:37 AM.


#8 steamwiz

Posted 02 June 2008 - 02:53 PM

Hi

I would love to learn how to read these scans and hjt logs.


There are many schools etc. on the forums which teach this; let me know if you want a list.

Do you know what this is? C:\WINDOWS\SYSTEM32\8cf12775

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]

DirLook::
C:\RECYCLER(2)
C:\Documents and Settings\Tony\Application Data\ErrorSmart
C:\Documents and Settings\Donna\Application Data\ErrorSmart


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

ErrorSmart is a registry cleaner, and a dubious one at that (allows you to scan, but won't fix anything until you pay up) ... I don't believe there is such a thing as a reliable registry cleaner. It will do no harm to have a few orphan registry entries, but after running a registry cleaner Windows could become damaged or not even load ... Did you download this program, or did it just appear?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

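The CFScript rules steamwiz stresses above (Folder:: on the very first line, no blank line above it, no leading space, nothing copied from outside the box) are easy to get wrong in Notepad, so here is a small checker for the saved file. This is an added example for this thread, not ComboFix's own code and not something either poster wrote. It assumes only the three directives used in this script (Folder::, Registry::, DirLook::), treats the Registry:: entry in the usual .reg-file way ("[-KEY]" means delete KEY), and assumes the file was saved as ANSI (cp1252) text, which is why a byte-order mark is reported as a problem: a file saved as Unicode/UTF-8 no longer starts with the bytes "Folder::". The SAMPLE is the script from the post.

```python
"""Check a ComboFix CFScript.txt against the rules given in the post
before dragging it onto ComboFix.exe.  Added example, not ComboFix code."""

import re

# Only the directives used in the script above (assumption: ComboFix
# knows more, but this checker is limited to these three).
DIRECTIVES = {"Folder::", "Registry::", "DirLook::"}

_DIRECTIVE_RE = re.compile(r"^[A-Za-z]+::$")
# .reg-file convention: "[-KEY]" deletes the whole key.
_REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")

# The script posted above, used as built-in sample input.
SAMPLE = (
    "Folder::\n"
    "C:\\VundoFix Backups\n"
    "\n"
    "Registry::\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    "\\winlogon\\notify\\urqnnlm]\n"
    "\n"
    "DirLook::\n"
    "C:\\RECYCLER(2)\n"
    "C:\\Documents and Settings\\Tony\\Application Data\\ErrorSmart\n"
    "C:\\Documents and Settings\\Donna\\Application Data\\ErrorSmart\n"
)


class CFScriptError(ValueError):
    """Raised when the text breaks one of the rules the post gives."""


def decode_cfscript(data):
    """Bytes read from disk -> text.  A byte-order mark means Notepad saved
    the file as Unicode/UTF-8 instead of ANSI, so the first bytes on disk
    are no longer 'Folder::' (assumed ANSI code page: cp1252)."""
    for bom in (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff"):
        if data.startswith(bom):
            raise CFScriptError("file starts with a byte-order mark; save as ANSI text")
    return data.decode("cp1252")


def parse_cfscript(text, expected_first="Folder::"):
    """Return {directive: [entries]} or raise CFScriptError.

    Rules enforced: the expected directive is the first line, with no
    blank line above it and no space in front of it; every directive line
    is one of DIRECTIVES; entries belong to the directive above them."""
    lines = [line.rstrip("\r") for line in text.split("\n")]  # tolerate CRLF
    first = lines[0] if lines else ""
    if first.strip() == "":
        raise CFScriptError("blank line above %s" % expected_first)
    if first != first.lstrip():
        raise CFScriptError("space in front of %s" % expected_first)
    if first != expected_first:
        raise CFScriptError("first line must be %s, found %r" % (expected_first, first))

    sections = {}
    current = None
    for number, line in enumerate(lines, 1):
        entry = line.strip()
        if not entry:
            continue                       # blank separator lines are fine
        if _DIRECTIVE_RE.match(entry):
            if entry not in DIRECTIVES:    # catches typos such as "Dirlook::"
                raise CFScriptError("line %d: unknown directive %s" % (number, entry))
            current = sections.setdefault(entry, [])
            continue
        current.append(entry)              # line 1 is a directive, so current is set
    return sections


def registry_deletions(sections):
    """Registry keys the Registry:: section would delete ("[-KEY]" form)."""
    keys = []
    for entry in sections.get("Registry::", []):
        match = _REG_DELETE_RE.match(entry)
        if match:
            keys.append(match.group(1))
    return keys


def problems(script, expected_first="Folder::"):
    """First problem found as a string, or "" when the script is well-formed.
    Accepts the raw bytes of the file or already-decoded text."""
    try:
        text = decode_cfscript(script) if isinstance(script, bytes) else script
        parse_cfscript(text, expected_first)
    except CFScriptError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    import sys
    # Usage: python cfscript_check.py CFScript.txt   (no argument: check SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE.encode("cp1252")
    issue = problems(data)
    if issue:
        print("NOT OK:", issue)
    else:
        sections = parse_cfscript(decode_cfscript(data))
        for directive, entries in sections.items():
            print(directive, entries)
        print("registry keys deleted:", registry_deletions(sections))
```

Run it against the saved CFScript.txt before dragging the file onto ComboFix.exe; it reports the first rule broken (blank first line, leading space, wrong first directive, a mistyped directive, or a Unicode save), and otherwise lists what each section will act on, including the winlogon\notify key the Registry:: section deletes.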
#9 zelitha

zelitha
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 03 June 2008 - 06:58 AM

Hello,
There are many schools etc on the forums which teach this, let me know if you want a list ?
Yes, I would like a list. Thanks.

I don't know what this is C:\WINDOWS\SYSTEM32\8cf12775.

I think my spouse installed ErrorSmart program he purchased, but it didn't work. I don't want it on pc. I uninstalled it.

Here's the new ComboFix scan...


ComboFix 08-05-29.1 - Donna 2008-06-02 23:22:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -6:00]
Running from: C:\Documents and Settings\Donna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Donna\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\SYSTEM32\LXBOUSCI.INI
2008-05-30 22:52 . 2008-05-31 00:01 <DIR> d-------- C:\RECYCLER(2)
2008-05-26 20:53 . 2008-05-26 20:53 <DIR> d-------- C:\Deckard
2008-05-21 18:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 18:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 18:00 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-21 18:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 18:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 18:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 10:36 . 2008-05-29 12:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56 . 2008-05-20 14:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-20 13:54 . 2008-05-20 13:54 <DIR> d-------- C:\VundoFix Backups
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:21 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-20 13:16 . 2008-05-20 13:17 153 --a------ C:\WINDOWS\wininit.ini
2008-05-20 11:20 . 2008-05-20 11:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20 . 2008-05-20 11:20 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18 . 2008-05-16 19:18 <DIR> d-------- C:\fsaua.data
2008-05-15 14:13 . 2008-05-28 17:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-15 14:13 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-14 17:55 . 2008-05-14 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 16:50 . 2008-05-14 16:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49 . 2008-05-15 14:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04 . 2008-05-21 18:04 1,536 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-14 13:27 . 2008-05-20 11:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 13:27 . 2008-05-20 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22 . 2008-05-20 13:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 15:48 . 2008-05-16 23:04 680 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-05-07 18:45 . 2008-05-29 11:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 18:45 . 2008-05-29 11:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 18:14 . 2008-05-07 18:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:16 . 2008-05-07 16:16 13 --a------ C:\WINDOWS\SYSTEM32\8cf12775
2008-05-07 16:08 . 2008-05-07 16:14 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51 . 2008-05-07 15:51 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54 . 2008-05-21 16:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 05:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-14 18:39 --------- d-----w C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 00:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 01:49 --------- d-----w C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-09 00:18 --------- d-----w C:\Program Files\Real
2008-04-07 16:31 --------- d-----w C:\Documents and Settings\Donna\Application Data\Yahoo!
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2006-01-06 00:11 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Donna\Application Data\ErrorSmart ----

2008-05-14 13:19 29815 --a------ C:\Documents and Settings\Donna\Application Data\ErrorSmart\Registry Backups\2008-05-14_13-19-45.reg
2008-05-14 13:17 123 --a------ C:\Documents and Settings\Donna\Application Data\ErrorSmart\Registry Backups\2008-05-14_13-17-17.reg
2008-04-09 11:10 451 --a------ C:\Documents and Settings\Donna\Application Data\ErrorSmart\Registry Backups\2008-04-09_11-10-46.reg

---- Directory of C:\Documents and Settings\Tony\Application Data\ErrorSmart ----

2008-05-07 17:04 5832704 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\SYSTEM
2008-05-07 17:04 24268800 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\SOFTWARE
2008-05-07 17:04 1236992 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\CURRENT_USER
2008-05-07 17:04 1003520 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\DEFAULT
2008-05-07 17:03 24576 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\SAM
2008-05-07 17:03 192512 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Full Backups\FULL 2008-05-07_17-03-46.rbu\SECURITY
2008-05-07 17:03 0 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Registry Backups\FULL 2008-05-07_17-03-46.rbu
2008-05-07 17:01 451 --a------ C:\Documents and Settings\Tony\Application Data\ErrorSmart\Registry Backups\2008-05-07_17-01-38.reg

---- Directory of C:\recycler(2) ----

2008-05-30 23:42 9620 --ah----- C:\recycler(2)\S-1-5-21-580569085-2703565083-2296238082-1006(2)\INFO2
2002-12-24 13:36 79 --a------ C:\recycler(2)\S-1-5-21-580569085-2703565083-2296238082-1006(2)\Dc12.scf


((((((((((((((((((((((((((((( snapshot@2008-06-01_21.38.23.45
)))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-05
17:07:29 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-06-02
06:22:12 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-01-05
17:07:48 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-06-02
06:22:22 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-01-05
17:07:49 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-06-02
06:21:47 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2008-01-05
17:07:50 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-06-02
06:22:26 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2008-01-05
17:07:43 2,878,976 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-06-02
06:22:00 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-06-02
06:22:31 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-06-02
06:22:31 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-01-05
17:08:00 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-06-02
06:22:24 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-01-05
17:07:35 5,025,792 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-06-02
06:21:56 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-01-05
17:07:27 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-06-02
06:22:08 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-01-05
17:07:19 503,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-06-02
06:21:57 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-01-05
17:07:22 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-06-02
06:22:11 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-01-05
17:07:46 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-06-02
06:22:17 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2008-01-05
17:07:46 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-06-02
06:22:18 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-01-05
17:07:47 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-06-02
06:22:19 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-01-05
17:07:24 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-06-02
06:22:32 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-01-05
17:07:25 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-06-02
06:22:33 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-01-05
17:07:26 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-06-02
06:22:35 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-01-05
17:07:27 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-06-02
06:22:36 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-01-05
17:07:23 745,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-06-02
06:22:20 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-01-05
17:08:06 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-06-02
06:22:18 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-01-05
17:08:05 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-06-02
06:22:16 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-01-05
17:07:16 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-06-02
06:22:27 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-01-05
17:08:04 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-06-02
06:22:15 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-01-05
17:08:06 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-06-02
06:21:50 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-01-05
17:07:18 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-06-02
06:22:30 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-01-05
17:07:17 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-06-02
06:22:14 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-01-05
17:07:18 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-06-02
06:22:13 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-01-05
17:07:54 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-06-02
06:22:21 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-01-05
17:07:30 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-06-02
06:22:22 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-01-05
17:07:55 389,120 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-06-02
06:21:58 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-01-05
17:07:51 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-06-02
06:22:01 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-01-05
17:07:21 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-06-02
06:22:02 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-01-05
17:07:45 5,050,368 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-06-02
06:22:37 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-01-05
17:07:32 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-06-02
06:22:34 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-01-05
17:07:31 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-06-02
06:22:09 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-01-05
17:07:32 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-06-02
06:22:29 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-01-05
17:07:58 700,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-06-02
06:21:52 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-01-05
17:07:52 368,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-06-02
06:22:30 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-01-05
17:07:59 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-06-02
06:22:28 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-01-05
17:07:53 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-06-02
06:22:25 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-01-05
17:07:53 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-06-02
06:22:24 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-01-05
17:07:28 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-06-02
06:21:53 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-01-05
17:07:33 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-06-02
06:21:54 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-01-05
17:08:02 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-06-02
06:22:07 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-01-05
17:07:35 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-06-02
06:22:07 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2008-01-05
17:07:36 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-06-02
06:22:05 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-01-05
17:07:38 5,316,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-06-02
06:22:10 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-01-05
17:07:41 2,035,712 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-06-02
06:21:55 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-01-05
17:07:56 3,018,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-06-02
06:22:04 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-06-02
21:14:23 27,136 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c6772fd12a581ad3be49e3f2a80b5622\Accessibility.ni.dll
+ 2008-06-02
21:14:31 884,736 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\a1d353edc300e3aff0784202f68a657b\AspNetMMCExt.ni.dll
+ 2008-06-02
21:14:33 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\c10ec9b4de2b366236ec83237dc31281\CustomMarshalers.ni.dll
+ 2008-06-02
21:14:32 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\837fe02bdcf637d5bf1e5ffb935ebb80\dfsvc.ni.exe
+ 2008-06-02
21:14:35 876,544 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\9710a3c0d11dd264c3a6b88977699e9b\Microsoft.Build.Engine.ni.dll
+ 2008-06-02
21:14:36 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e2858a45971fb30b0c0523dbb52c1d4e\Microsoft.Build.Framework.ni.dll
+ 2008-06-02
21:14:42 1,695,744 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\63d69ffdf3c640d2d104a4b74e8115f8\Microsoft.Build.Tasks.ni.dll
+ 2008-06-02
21:14:43 167,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\11cb5418c06e30100616fbf205588489\Microsoft.Build.Utilities.ni.dll
+ 2008-06-02
21:14:48 1,740,800 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\923bd55258380eae77353d36a5a1b08f\Microsoft.VisualBasic.ni.dll
+ 2008-06-02
20:46:14 11,722,752 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\32e6f703c114f3a971cbe706586e3655\mscorlib.ni.dll
+ 2008-06-02
21:14:50 1,011,712 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\eee9b48577689e92db5a7b5c5de98d9b\System.Configuration.ni.dll
+ 2008-06-02
20:48:47 7,049,216 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\5f669e819da7010c1dca347a25597c42\System.Data.ni.dll
+ 2008-06-02
21:14:53 1,798,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\c7dea4895e1fa33d65e448c03de48d26\System.Deployment.ni.dll
+ 2008-06-02
20:50:12 10,969,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\c1e16b40e30a05c39be8aee46311841c\System.Design.ni.dll
+ 2008-06-02
21:14:56 1,224,704 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\914668b240550f529e54bb772c6fc881\System.DirectoryServices.ni.dll
+ 2008-06-02
21:14:57 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f11bc82c09955cb8438d3885a99c297d\System.DirectoryServices.Protocols.ni.dll
+ 2008-06-02
20:50:32 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\b974f6c17d17a533adf6e7710c5a62fa\System.Drawing.Design.ni.dll
+ 2008-06-02
20:50:28 1,667,072 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\0e83aac37b2623f1a24c70979f31dd56\System.Drawing.ni.dll
+ 2008-06-02
21:15:00 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.ni.dll
+ 2008-06-02
21:14:59 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.Wrapper.dll
+ 2008-06-02
21:15:02 733,184 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\2b5994269cc5b996231c9b21afea9a91\System.Security.ni.dll
+ 2008-06-02
21:15:03 233,472 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\193ac978af569ad9ee45110b359961b9\System.ServiceProcess.ni.dll
+ 2008-06-02
21:15:04 679,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\12e0aa1030badf4524f897e3f57b037a\System.Transactions.ni.dll
+ 2008-06-02
21:15:31 2,342,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\37d87b3cab1c66ec4430ebb2abeaa570\System.Web.Mobile.ni.dll
+ 2008-06-02
21:15:33 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5b81faf46fc63c20d5339b36edd02fa\System.Web.RegularExpressions.ni.dll
+ 2008-06-02
21:15:37 1,986,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\38991368499e2109ea4099a0fe29c5a3\System.Web.Services.ni.dll
+ 2008-06-02
21:15:26 12,509,184 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\67cfb70213562afe2ca9b9066764af3a\System.Web.ni.dll
+ 2008-06-02
20:51:19 13,193,216 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3d8c79c45aa674e43f075e2e66b8caf5\System.Windows.Forms.ni.dll
+ 2008-06-02
20:52:01 5,771,264 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\c98cb65a79cfccb44ea727ebe4593ede\System.Xml.ni.dll
+ 2008-06-02
20:47:18 8,265,728 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\ba0e3a22211ba7343e0116b051f2965a\System.ni.dll
- 2008-06-02 03:28:38 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-03 03:22:54 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2005-09-23
13:28:52 72,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2007-10-24
07:47:38 82,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
- 2005-09-23
13:28:52 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2007-10-24
07:47:38 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
- 2005-09-23
13:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2007-10-24
07:47:40 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
- 2005-09-23
13:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2007-10-24
07:47:42 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
- 2005-09-23
13:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll
+ 2007-10-24
07:47:40 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll
- 2005-09-23
13:28:52 86,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2007-10-24
07:47:38 97,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
- 2005-09-23
13:28:36 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2007-10-24
07:47:26 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
- 2005-09-23
13:28:42 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2007-10-24
07:47:30 145,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
- 2005-09-23
13:28:44 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2007-10-24
07:47:32 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
- 2005-09-23
13:29:04 183,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2007-10-24
07:47:48 193,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
- 2005-09-23
13:28:28 208,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2007-10-24
07:47:20 218,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
- 2005-09-23
13:28:56 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2007-10-24
07:47:40 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
- 2005-09-23
13:28:58 138,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2007-10-24
07:47:42 147,968 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
- 2005-09-23
13:28:36 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2007-10-24
07:47:26 99,320 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll
- 2005-09-23
13:28:58 55,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2007-10-24
07:47:42 59,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
- 2005-09-23
13:28:32 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2007-10-24
07:47:22 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
- 2005-09-23 13:28:32 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2007-10-24 07:47:22 22,024 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
- 2005-09-23 13:28:32 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2007-10-24 07:47:22 17,928 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
- 2005-09-23 13:28:32 23,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2007-10-24 07:47:22 33,288 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
- 2005-09-23 13:28:32 70,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2007-10-24 07:47:22 84,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
- 2005-09-23 13:28:32 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2007-10-24 07:47:22 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
- 2005-09-23 13:28:32 26,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2007-10-24 07:47:22 32,776 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
- 2005-09-23 13:28:32 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2007-10-24 07:47:22 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
- 2005-09-23 13:28:32 29,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2007-10-24 07:47:22 33,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
- 2005-09-23 13:28:32 29,888 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2007-10-24 07:47:22 33,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2005-09-23 13:28:32 503,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2007-10-24 07:47:22 507,904 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
- 2005-09-23 13:28:56 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2007-10-24 07:47:40 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
- 2005-09-23 13:28:56 88,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2007-10-24 07:47:40 101,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
- 2005-09-23 13:28:42 76,984 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2007-10-24 07:47:30 80,376 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
- 2005-09-23 13:28:42 1,144,832 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2007-10-24 07:47:30 1,162,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
- 2005-09-23 13:28:42 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2007-10-24 07:47:30 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
- 2005-09-23 13:28:58 17,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2007-10-24 07:47:42 27,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll
- 2005-09-23 13:28:56 68,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2007-10-24 07:47:40 69,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
- 2005-09-23 13:28:44 31,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2007-10-24 07:47:30 35,320 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- 2005-09-23 13:28:38 52,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2007-10-24 07:47:28 66,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
- 2005-09-23 13:28:38 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2007-10-24 07:47:28 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
- 2005-09-23 13:29:12 547,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
+ 2007-10-24 07:47:54 572,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
- 2005-09-23 13:28:56 788,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2007-10-24 07:47:40 798,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
- 2005-09-23 13:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2007-10-24 07:47:36 18,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll
- 2005-09-23 13:28:56 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2007-10-24 07:47:40 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
- 2005-09-23 13:28:56 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2007-10-24 07:47:40 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
- 2005-09-23 13:28:56 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2007-10-24 07:47:40 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
- 2005-09-23 13:28:56 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2007-10-24 07:47:40 6,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
- 2005-09-23 13:28:56 224,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2007-10-24 07:47:40 230,904 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
- 2005-09-23 13:28:56 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2007-10-24 07:47:40 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- 2005-09-23 13:28:56 55,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2007-10-24 07:47:40 65,032 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
- 2005-09-23 13:28:56 72,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2007-10-24 07:47:40 72,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
- 2005-09-23 13:28:48 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2007-10-24 07:47:34 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe
- 2005-09-23 13:28:48 413,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2007-10-24 07:47:36 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
- 2005-09-23 13:28:48 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2007-10-24 07:47:36 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
- 2005-09-23 13:28:48 647,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2007-10-24 07:47:36 655,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
- 2005-09-23 13:28:48 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2007-10-24 07:47:36 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
- 2005-09-23 13:28:48 745,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2007-10-24 07:47:34 749,568 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
- 2005-09-23 13:29:10 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2007-10-24 07:47:52 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
- 2005-09-23 13:29:10 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2007-10-24 07:47:52 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
- 2005-09-23 13:29:08 667,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2007-10-24 07:47:50 671,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
- 2005-09-23 13:28:30 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2007-10-24 07:47:20 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
- 2005-09-23 13:29:10 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2007-10-24 07:47:52 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
- 2005-09-23 13:28:30 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2007-10-24 07:47:20 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
- 2005-09-23 13:28:30 12,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2007-10-24 07:47:20 12,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2005-09-23 13:28:30 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2007-10-24 07:47:20 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
- 2005-09-23 13:28:32 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2007-10-24 07:47:22 97,792 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
- 2005-09-23 13:28:48 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2007-10-24 07:47:36 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- 2005-09-23 13:28:56 800,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2007-10-24 07:47:40 822,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
- 2005-09-23 13:28:56 73,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2007-10-24 07:47:40 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
- 2005-09-23 13:28:56 288,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2007-10-24 07:47:40 308,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
- 2005-09-23 13:28:56 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2007-10-24 07:47:40 47,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
- 2005-09-23 13:28:56 326,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2007-10-24 07:47:40 348,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
- 2005-09-23 13:28:56 81,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2007-10-24 07:47:40 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
- 2005-09-23 13:28:56 4,308,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2007-10-24 07:47:40 4,444,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2005-09-23 13:28:56 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2007-10-24 07:47:40 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
- 2005-09-23 13:29:00 330,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2007-10-24 07:47:44 340,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
- 2005-09-23 13:28:56 67,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2007-10-24 07:47:40 77,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
- 2005-09-23 13:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2007-10-24 07:47:36 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
- 2005-09-23 13:28:56 226,816 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2007-10-24 07:47:40 242,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
- 2005-09-23 13:28:56 66,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2007-10-24 07:47:40 70,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- 2005-09-23 13:28:56 10,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2007-10-24 07:47:40 19,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
- 2005-09-23 13:28:50 5,615,616 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2007-10-24 07:47:36 5,814,784 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2005-09-23 13:29:00 22,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2007-10-24 07:47:44 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
- 2005-09-23 13:28:56 96,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2007-10-24 07:47:40 101,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
- 2005-09-23 13:28:56 14,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2007-10-24 07:47:40 24,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\normalization.dll
- 2005-09-23 13:28:56 78,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2007-10-24 07:47:40 89,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
- 2005-09-23 13:28:50 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2007-10-24 07:47:36 144,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\peverify.dll
- 2005-09-23 13:28:56 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2007-10-24 07:47:40 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- 2005-09-23 13:28:56 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2007-10-24 07:47:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
- 2005-09-23 13:29:02 59,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2007-10-24 07:47:46 61,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
- 2005-09-23 13:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2007-10-24 07:47:42 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
- 2005-09-23 13:28:56 107,520 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2007-10-24 07:47:40 119,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
- 2005-09-23 13:29:00 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2007-10-24 07:47:44 95,232 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
- 2005-09-23 13:28:56 377,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2007-10-24 07:47:40 392,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2005-09-23 13:28:56 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2007-10-24 07:47:40 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
- 2005-09-23 13:28:58 389,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2007-10-24 07:47:42 425,984 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
- 2005-09-23 13:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2007-10-24 07:47:40 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
- 2005-09-23 13:28:56 2,878,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2007-10-24 07:47:40 3,036,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
- 2005-09-23 13:28:56 482,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2007-10-24 07:47:40 483,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
- 2005-09-23 13:28:56 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2007-10-24 07:47:40 741,376 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
- 2005-09-23 13:28:38 884,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2007-10-24 07:47:28 933,888 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
- 2005-09-23 13:28:56 5,050,368 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2007-10-24 07:47:40 5,070,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
- 2005-09-23 13:28:56 397,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2007-10-24 07:47:40 401,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
- 2005-09-23 13:28:56 188,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2007-10-24 07:47:40 188,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
- 2005-09-23 13:28:56 3,018,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2007-10-24 07:47:40 3,076,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.dll
- 2005-09-23 13:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2007-10-24 07:47:40 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
- 2005-09-23 13:28:56 700,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2007-10-24 07:47:40 630,784 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
- 2005-09-23 13:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2007-10-24 07:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
- 2005-09-23 13:28:56 47,616 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2007-10-24 07:47:40 57,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
- 2005-09-23 13:28:56 114,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2007-10-24 07:47:40 113,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
- 2005-09-23 13:28:56 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2007-10-24 07:47:40 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
- 2005-09-23 13:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2007-10-24 07:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
- 2005-09-23 13:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
+ 2007-10-24 07:47:40 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
- 2005-09-23 13:28:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2007-10-24 07:47:40 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
- 2005-09-23 13:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2007-10-24 07:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
- 2005-09-23 13:28:56 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2007-10-24 07:47:40 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
- 2005-09-23 13:28:56 260,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2007-10-24 07:47:40 261,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
- 2005-09-23 13:28:56 5,025,792 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2007-10-24 07:47:40 5,431,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
- 2005-09-23 13:28:56 835,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2007-10-24 07:47:40 884,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
- 2005-09-23 13:28:56 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2007-10-24 07:47:40 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
- 2005-09-23 13:28:56 823,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2007-10-24 07:47:40 839,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
- 2005-09-23 13:28:56 5,316,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2007-10-24 07:47:40 5,013,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
- 2005-09-23 13:28:56 2,035,712 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2007-10-24 07:47:40 2,068,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
- 2005-09-23 13:28:56 71,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2007-10-24 07:47:40 81,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
- 2005-09-23 13:29:06 1,140,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2007-10-24 07:47:48 1,172,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 2005-09-23 13:28:30 1,306,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2007-10-24 07:47:20 1,344,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
- 2005-09-23 13:28:32 298,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2007-10-24 07:47:22 434,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2005-09-23 13:28:56 28,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2007-10-24 07:47:40 37,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
- 2005-09-23 13:28:38 83,456 ----a-w C:\WINDOWS\SYSTEM32\dfshim.dll
+ 2007-10-24 07:47:28 96,760 ----a-w C:\WINDOWS\SYSTEM32\dfshim.dll
- 2005-09-23 13:28:52 270,848 ----a-w C:\WINDOWS\SYSTEM32\mscoree.dll
+ 2007-10-24 07:47:38 282,112 ----a-w C:\WINDOWS\SYSTEM32\mscoree.dll
- 2005-09-23 13:28:52 150,016 ----a-w C:\WINDOWS\SYSTEM32\mscorier.dll
+ 2007-10-24 07:47:38 158,720 ----a-w C:\WINDOWS\SYSTEM32\mscorier.dll
- 2005-09-23 13:28:52 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscories.dll
+ 2007-10-24 07:47:38 84,480 ----a-w C:\WINDOWS\SYSTEM32\mscories.dll
- 2005-09-23 13:29:00 6,144 ----a-w C:\WINDOWS\SYSTEM32\MUI\0409\mscorees.dll
+ 2007-10-24 07:47:44 15,360 ----a-w C:\WINDOWS\SYSTEM32\MUI\0409\mscorees.dll
- 2008-05-31 04:47:07 59,838 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-06-02 06:22:48 71,954 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-05-31 04:47:07 398,000 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-02 06:22:48 428,136 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-02 06:22:17 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2007-10-24 07:47:56 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcm80.dll
+ 2007-10-24 07:47:56 558,080 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcp80.dll
+ 2007-10-24 07:47:56 635,904 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcr80.dll
- 2008-01-05 17:07:20 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-06-02 06:22:31 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2008-01-05 17:07:20 114,176 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2008-06-02 06:22:31 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL"
[ ]

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-09-22 17:39:23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
backup=C:\WINDOWS\pss\KeenValue.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeenValue]
C:\Program Files\Common files\KeenValue\KeenValue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2001-06-26 18:49 86016 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-03-05 01:40 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-05-04 00:38 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-09-18 21:52 36864 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-17 13:55 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2002-12-24 17:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:05]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 11:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 11:29]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 23:26:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-02 23:30:59
ComboFix-quarantined-files.txt 2008-06-03 05:30:56

Pre-Run: 67,779,264,512 bytes free
Post-Run: 67,783,098,368 bytes free

612 --- E O F --- 2008-06-02 06:24:08


How do I remove any references to MYWEBS, KEENVALUE and these other things below....


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Plugin"="C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL"
[ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
backup=C:\WINDOWS\pss\KeenValue.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 03 June 2008 - 02:35 PM

HI

These ErrorSmart folders contain registry backups of registry entries which ErrorSmart has removed :-

C:\Documents and Settings\Tony\Application Data\ErrorSmart
C:\Documents and Settings\Donna\Application Data\ErrorSmart

They are not malicious, & if you have registry problems in the future you may need to check the contents for backups. I would leave them, they can't do any harm to leave ...

This folder :-

C:\recycler(2)

contains ...

C:\recycler(2)\S-1-5-21-580569085-2703565083-2296238082-1006(2)\INFO2
C:\recycler(2)\S-1-5-21-580569085-2703565083-2296238082-1006(2)\Dc12.scf

These are also from the registry, I don't know what they are, but I can't see them being a problem, I would leave them as well ... by the way you won't see the folder, it's hidden, so you can't delete it without help anyway.

The entries you want to delete are shown in msconfig ... I'll give you another CFScript to delete some of them ...

The others are in your startup folders ...

Go here & delete the bold entries :-

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KeenValue.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

C:\Documents and Settings\Donna\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

You can delete this :-

C:\WINDOWS\SYSTEM32\8cf12775

It looks like it could be errorsmart related.

There are many schools etc on the forums which teach this, let me know if you want a list?
Yes, I would like a list. Thanks.


I'm sending you a PM

-
Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Registry::
is on the first line of the text file you save (no blank line above it, & no space in front of it)
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Plugin"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#11 zelitha

zelitha
  • Topic Starter
  • Members
  • 15 posts

Posted 03 June 2008 - 05:33 PM

I deleted the items you gave me. Here is the new combofix log.

I cannot find this entry. C:\WINDOWS\SYSTEM32\8cf12775



Date: Jun 3, 2008 3:28 PM
ComboFix 08-05-29.1 - Donna 2008-06-03 14:01:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -6:00]
Running from: C:\Documents and Settings\Donna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Donna\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\SYSTEM32\LXBOUSCI.INI
2008-05-30 22:52 . 2008-05-31 00:01 <DIR> d-------- C:\RECYCLER(2)
2008-05-26 20:53 . 2008-05-26 20:53 <DIR> d-------- C:\Deckard
2008-05-21 18:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 18:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 18:00 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-21 18:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 18:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 18:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 10:36 . 2008-05-29 12:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56 . 2008-05-20 14:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-20 13:54 . 2008-05-20 13:54 <DIR> d-------- C:\VundoFix Backups
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:21 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-20 13:16 . 2008-05-20 13:17 153 --a------ C:\WINDOWS\wininit.ini
2008-05-20 11:20 . 2008-05-20 11:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20 . 2008-05-20 11:20 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18 . 2008-05-16 19:18 <DIR> d-------- C:\fsaua.data
2008-05-15 14:13 . 2008-05-28 17:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-15 14:13 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-14 17:55 . 2008-05-14 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 16:50 . 2008-05-14 16:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49 . 2008-05-15 14:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04 . 2008-05-21 18:04 1,536 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-14 13:27 . 2008-05-20 11:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 13:27 . 2008-05-20 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22 . 2008-05-20 13:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 15:48 . 2008-05-16 23:04 680 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-05-07 18:45 . 2008-05-29 11:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 18:45 . 2008-05-29 11:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 18:14 . 2008-05-07 18:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:16 . 2008-05-07 16:16 13 --a------ C:\WINDOWS\SYSTEM32\8cf12775
2008-05-07 16:08 . 2008-05-07 16:14 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51 . 2008-05-07 15:51 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54 . 2008-05-21 16:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 05:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-14 18:39 --------- d-----w C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 00:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 01:49 --------- d-----w C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-09 00:18 --------- d-----w C:\Program Files\Real
2008-04-07 16:31 --------- d-----w C:\Documents and Settings\Donna\Application Data\Yahoo!
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2006-01-06 00:11 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-02_23.30.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 03:22:54 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-03 19:32:23 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-03 19:32:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 17:19 79224]

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-09-22 17:39:23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2001-06-26 18:49 86016 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-03-05 01:40 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-05-04 00:38 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-09-18 21:52 36864 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-17 13:55 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2002-12-24 17:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:05]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 11:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 11:29]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-03 14:05:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 14:10:06
ComboFix-quarantined-files.txt 2008-06-03 20:10:02
ComboFix2.txt 2008-06-03 05:31:01

Pre-Run: 67,796,926,464 bytes free
Post-Run: 67,817,078,784 bytes free

179 --- E O F --- 2008-06-02 06:24:08

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 03 June 2008 - 05:55 PM

HI

The file is still showing on your computer, & it's not hidden .. you should be able to see it ... not to worry, we'll delete it with Combofix. There is also a registry key which is proving stubborn ... I'll include that again ...

2008-05-07 16:16 . 2008-05-07 16:16 13 --a------ C:\WINDOWS\SYSTEM32\8cf12775

Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\SYSTEM32\8cf12775

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please post a new HijackThis log as well.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
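The two posts above walk through the autostart locations by hand: the Run key, the Startup folders, msconfig's startupreg backups of unticked items, and the Winlogon Notify key that keeps pointing at a DLL that is no longer on disk. The script below is an added example; it is not code from this thread, from ComboFix or from HijackThis. It reads those same four locations and lists every entry whose target file is missing, which is exactly how a stale Notify entry like urqnnlm shows up. It assumes the XP-era registry layout (msconfig's startupreg subkeys keep the original command line in a "command" value, Winlogon Notify subkeys keep the DLL in "DllName") and it only reads; deleting is still left to ComboFix or to the reader.

```powershell
# Added example (not from the thread, ComboFix or HijackThis): list the
# autostart locations discussed above and flag entries whose target file
# is gone. Read-only. Run from an elevated PowerShell prompt.

function Resolve-AutostartTarget {
    param([string]$Command)
    # Expand %windir%-style variables, then peel the executable path off
    # the command line (quoted path, or everything up to the extension).
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $cmd = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } elseif ($cmd -match '^(.*?\.(exe|dll|scr|cmd|bat))(\s|$)') {
        $cmd = $Matches[1]
    }
    # A bare name (the form Winlogon Notify DllName values take) is looked
    # up in System32, where the loader searches for it. A rundll32.exe
    # line resolves to the host, not to the DLL it is handed.
    if ($cmd -and $cmd -notmatch '[\\/]') {
        $cmd = Join-Path $env:SystemRoot ('System32\' + $cmd)
    }
    return $cmd
}

function New-Finding([string]$Location, [string]$Name, [string]$Target) {
    $exists = $false
    if ($Target) { $exists = [bool](Test-Path -LiteralPath $Target) }
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Target = $Target; Exists = $exists
    }
}

function Get-AutostartFindings {
    $findings = @()

    # 1. Run keys: each value is "<name> = <command line>".
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not data
            $findings += New-Finding $key $p.Name (Resolve-AutostartTarget ([string]$p.Value))
        }
    }

    # 2. msconfig "startupreg": items unticked in msconfig are parked here
    #    with the original command line in the 'command' value (XP layout,
    #    assumed).
    $msc = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (Test-Path $msc) {
        foreach ($sub in Get-ChildItem -Path $msc) {
            $cmdline = (Get-ItemProperty -Path $sub.PSPath).command
            if ($cmdline) {
                $findings += New-Finding $msc $sub.PSChildName (Resolve-AutostartTarget ([string]$cmdline))
            }
        }
    }

    # 3. Startup folders (per-user and All Users): resolve each .lnk to the
    #    file it launches; anything else in the folder runs as-is.
    $shell = New-Object -ComObject WScript.Shell
    $folders = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
            $findings += New-Finding $folder $f.Name $target
        }
    }

    # 4. Winlogon Notify: each subkey names a DLL winlogon loads at logon.
    #    Live persistence on XP/2003; Vista and later ignore the key, so a
    #    hit there is a leftover rather than something still being loaded.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            if ($dll) {
                $findings += New-Finding $notify $sub.PSChildName (Resolve-AutostartTarget ([string]$dll))
            }
        }
    }
    return $findings
}

# Missing targets sort first: each one is either a remnant to remove or a
# slot the infection will refill on its next run, and either way it is the
# entry to chase before calling the machine clean.
Get-AutostartFindings |
    Sort-Object Exists, Location, Name |
    Format-Table -AutoSize Exists, Name, Target, Location
```

An entry with Exists = False under the Notify key is the case in this thread: the DLL is gone but the key that asks winlogon to load it is still there, so the HijackThis O20 line keeps reporting "(file missing)" until the key itself is deleted. The same list also catches a Run value or a Startup-folder shortcut that survived after its payload was quarantined.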

#13 zelitha

zelitha
  • Topic Starter
  • Members
  • 15 posts

Posted 03 June 2008 - 11:32 PM

This is still not removing... very stubborn. I have searched the registry and not found it either.

urqnnlm - urqnnlm.dll (file missing)

Would adding the .dll to it when doing the ComboFix code in Notepad remove it?


new combofix log
ComboFix 08-05-29.1 - Donna 2008-06-03 21:17:19.4 - NTFSx86
Running from: C:\Documents and Settings\Donna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Donna\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


FILE ::
C:\WINDOWS\SYSTEM32\8cf12775
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\8cf12775

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\SYSTEM32\LXBOUSCI.INI
2008-05-30 22:52 . 2008-05-31 00:01 <DIR> d-------- C:\RECYCLER(2)
2008-05-26 20:53 . 2008-05-26 20:53 <DIR> d-------- C:\Deckard
2008-05-21 18:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 18:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 18:00 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-05-21 18:00 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-05-21 18:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 18:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 18:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 10:36 . 2008-05-29 12:15 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-20 14:56 . 2008-05-20 14:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-20 13:31 . 2008-05-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 13:21 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-20 13:16 . 2008-05-20 13:17 153 --a------ C:\WINDOWS\wininit.ini
2008-05-20 11:20 . 2008-05-20 11:19 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 11:20 . 2008-05-20 11:20 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-16 19:18 . 2008-05-16 19:18 <DIR> d-------- C:\fsaua.data
2008-05-15 14:13 . 2008-05-28 17:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-15 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 14:13 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-15 14:13 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-14 17:55 . 2008-05-14 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 16:50 . 2008-05-14 16:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:49 . 2008-05-15 14:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-14 16:04 . 2008-05-21 18:04 1,536 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-14 13:27 . 2008-05-20 11:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-14 13:27 . 2008-05-20 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 13:22 . 2008-05-20 13:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-08 15:48 . 2008-05-16 23:04 680 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-05-07 18:45 . 2008-05-29 11:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 18:45 . 2008-05-29 11:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 18:14 . 2008-05-07 18:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-07 16:08 . 2008-05-07 16:14 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Yahoo!
2008-05-07 15:51 . 2008-05-07 15:51 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\ErrorSmart
2008-05-06 05:54 . 2008-05-21 16:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 05:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-14 18:39 --------- d-----w C:\Documents and Settings\Donna\Application Data\MSN6
2008-05-08 00:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 01:49 --------- d-----w C:\Documents and Settings\Donna\Application Data\ErrorSmart
2008-04-09 00:18 --------- d-----w C:\Program Files\Real
2008-04-07 16:31 --------- d-----w C:\Documents and Settings\Donna\Application Data\Yahoo!
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2006-01-06 00:11 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-02_23.30.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 03:22:54 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-04 03:01:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-04 03:01:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 17:19 79224]

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-09-22 17:39:23 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnnlm]
urqnnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=C:\WINDOWS\pss\updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Donna\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2001-06-26 18:49 86016 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-03-05 01:40 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-05-04 00:38 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-09-18 21:52 36864 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-10-17 13:55 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2002-12-24 17:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\Updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-04-25 23:21]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-25 23:21]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 09:05]
S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 11:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 11:29]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-03 21:20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 21:25:19
ComboFix-quarantined-files.txt 2008-06-04 03:25:15
ComboFix2.txt 2008-06-03 20:10:08
ComboFix3.txt 2008-06-03 05:31:01

Pre-Run: 68,979,765,248 bytes free
Post-Run: 68,965,994,496 bytes free

183 --- E O F --- 2008-06-02 06:24:08
----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:15 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 5546 bytes

#14 steamwiz


  • Members
  • 1,039 posts

Posted 04 June 2008 - 05:36 PM

HI

this is still not removing...very stubborn. I have searched the registry and not found it either.

urqnnlm - urqnnlm.dll (file missing)

Would adding the .dll to it when doing combofix code in notepad remove it ?


NO ... the last thing we want to do is reinstate a malware file (when your computer is now clean)...

It's now an orphan (empty) registry key, it won't and never will be a problem, if we have to leave it, it won't matter ...

But run hijackthis and try to fix with hijackthis :-

O20 - Winlogon Notify: urqnnlm - urqnnlm.dll (file missing)

Then ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Then run & post a new KASPERSKY ONLINE SCANNER REPORT

steam

EDIT ... I've just realised you didn't mean reinstate the dll ... you meant include it to be DELETED ... but the file doesn't exist anymore ... :thumbsup:

Edited by steamwiz, 04 June 2008 - 05:39 PM.

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
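The O20 line steamwiz is talking about is HijackThis' rendering of a subkey under the Winlogon Notify registry key: each subkey names a DLL that winlogon.exe loads at logon, and "(file missing)" means the DLL named there is no longer on disk, which is exactly why the entry is harmless. The script below is an added, read-only example written for this thread; it is not HijackThis, ComboFix or anything the helpers posted. It walks the Notify key on a Windows XP-era machine and reports, for every package, whether the referenced DLL actually exists, so an orphaned entry like urqnnlm can be told apart from one that still has a loadable file behind it. It assumes PowerShell 2.0 or later and the documented key location; the function names are this example's own.

```powershell
# Added example (not from the thread, HijackThis or ComboFix): list Winlogon
# Notify packages and flag the ones whose DLL is missing from disk, i.e. the
# entries HijackThis reports as "O20 - Winlogon Notify: ... (file missing)".
# Read-only: it inspects the registry and the file system and changes nothing.
# Assumptions: PowerShell 2.0+, 32-bit Windows XP-era layout, documented key path.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-NotifyDllPath {
    param([string]$DllName)
    # A bare file name is found through the normal DLL search order, where the
    # system directory is the first sensible place to look; a rooted path is
    # taken as given. Environment variables in the value are expanded first.
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return (Join-Path ([Environment]::SystemDirectory) $expanded)
}

function Get-WinlogonNotifyStatus {
    if (-not (Test-Path -Path $NotifyKey)) {
        Write-Warning "No Winlogon\Notify key present (Notify packages were dropped after XP)."
        return
    }
    foreach ($sub in Get-ChildItem -Path $NotifyKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll   = $props.DllName          # the value winlogon actually loads
        if (-not $dll) {
            $path   = $null
            $status = 'NoDllNameValue'   # subkey without a DllName: nothing can load
        } else {
            $path = Resolve-NotifyDllPath -DllName $dll
            if (Test-Path -LiteralPath $path) { $status = 'Present' } else { $status = 'FileMissing' }
        }
        New-Object PSObject -Property @{
            Package = $sub.PSChildName   # what HijackThis prints before the dash
            DllName = $dll               # what it prints after the dash
            Path    = $path
            Status  = $status
        }
    }
}

# Sort so FileMissing rows come first: those are the orphans discussed above.
Get-WinlogonNotifyStatus |
    Sort-Object Status |
    Select-Object Package, DllName, Path, Status |
    Format-Table -AutoSize
```

A row marked FileMissing is the situation in this thread: the registry still points at a DLL, the DLL is gone, so nothing is loaded at logon and the entry is only clutter, which is what the HijackThis fix clears up. The rows worth a second look are the Present ones whose DLL is not a known system or vendor file; those are the entries that still run code at every logon, and it is the file behind them, not the registry key, that determines whether the machine is clean.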

#15 zelitha

  • Topic Starter

  • Members
  • 15 posts

Posted 06 June 2008 - 07:03 AM

hi Steam,

I am out of town, away from my pc, be at least 2 weeks before back. I will run hjt scan, hopefully will remove the registry entry "urqnnlm". Will uninstall combofix, then I will run Kaspersky online scan. I will post then in 2 weeks when back.

But my pc is "clean" as far as active baddies go, right?

Thanks for your help, greatly appreciated.



