Iedfix.exe Trojan Horse


13 replies to this topic

#1 laz4059

Posted 04 August 2008 - 04:20 PM

My computer (Vista Home Basic) keeps randomly opening tabs when I open Internet explorer. It doesn't happen every time, and all the tabs are blank, but it opens them one after another until it can't open any more. It's quite annoying.
I ran Symantec Antivirus, which partially quarantined IEDFix.exe, but the problem persists.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:40 PM, on 8/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cup.edu/quicklinks.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6258 bytes

I have also previously removed these two entries using HijackThis:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run:[QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Any help would be greatly appreciated.
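As an added example (not code from the thread, from HijackThis or from any of the tools mentioned), here is a small Python triage script for entries in the format of the log above: it parses the `Rn`/`On` lines and flags the ones a log reviewer checks first, such as dangling references like the `(no file)` BHO entry the poster had already removed, `(file missing)` services, AppInit_DLLs entries, hosts-file redirects and start pages that are not a Microsoft default. The flag rules and the allowlist of default domains are this example's own assumptions, and the sample log is constructed from lines posted above.

```python
"""Triage helper for HijackThis v2 log entries (added example; heuristics are assumptions)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Entry lines look like "R0 - ..." / "O23 - ..."; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Domains an untouched IE start/search page points at (allowlist assumed for this example).
DEFAULT_PAGE_DOMAINS = ("microsoft.com", "msn.com", "live.com")

# Path fragments of locations any user account can write to; an O4 autorun there is unusual.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\documents and settings\\")


def parse_entries(log_text):
    """Return (section, body) tuples for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _page_flags(body):
    # R0/R1 bodies: "HKCU\...\Main,Start Page = http://host/path"
    key, sep, value = body.partition(" = ")
    if not sep or not value.strip() or ("Page" not in key and "Search" not in key):
        return []
    host = urlsplit(value.strip()).hostname
    if host and any(host == d or host.endswith("." + d) for d in DEFAULT_PAGE_DOMAINS):
        return []
    return ["start/search page is not a Microsoft default; confirm the user set it"]


def _hosts_flags(body):
    # O1 bodies: "Hosts: <address> <name>"
    parts = body.split()
    if len(parts) < 3:
        return ["malformed hosts entry"]
    try:
        addr = ipaddress.ip_address(parts[1])
    except ValueError:
        return ["hosts entry with an unparsable address"]
    if addr.is_loopback or addr.is_unspecified:
        return []  # 127.0.0.1, ::1 and 0.0.0.0 mappings are the normal, benign cases
    return ["hosts entry redirects %s to %s" % (parts[2], parts[1])]


def flags_for(section, body):
    """Heuristic review flags for one entry; an empty list means nothing stood out."""
    flags = []
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        flags.append("dangling reference: entry points at a file that no longer exists")
    if section in ("R0", "R1"):
        flags += _page_flags(body)
    elif section == "O1":
        flags += _hosts_flags(body)
    elif section == "O4" and any(frag in low for frag in USER_WRITABLE):
        flags.append("autorun from a user-writable location")
    elif section == "O20":
        flags.append("AppInit_DLLs entry: DLL is loaded into every process that loads user32.dll")
    elif section == "O23" and "unknown owner" in low:
        flags.append("service with no publisher information")
    return flags


def triage(log_text):
    """Map each flagged entry line to its flags; clean entries are left out."""
    report = {}
    for section, body in parse_entries(log_text):
        flags = flags_for(section, body)
        if flags:
            report["%s - %s" % (section, body)] = flags
    return report


# Constructed sample: a header line plus entry lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cup.edu/quicklinks.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AddFiltr - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG).items():
        print(entry)
        for flag in flags:
            print("    ->", flag)
```

A flag is a prompt for a human reviewer, not a verdict: the AVG AppInit_DLLs entry and the HP service in the sample are legitimate software that simply sits in locations worth a second look.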


#2 Shaba


Posted 14 August 2008 - 09:35 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please see here for instructions on how to install HijackThis and make a logfile. Save it to a convenient location and include it in your next reply, please.

Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the HijackThis log and the Kaspersky report.

Regards
Microsoft MVP Consumer Security

#3 laz4059


Posted 15 August 2008 - 01:52 PM

Sorry about the delay, I was out of town.

Here's the Kaspersky report:

Friday, August 15, 2008
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 15, 2008 06:25:43
Records in database: 1094443


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 74589
Threat name 1
Infected objects 6
Suspicious objects 0
Duration of the scan 12:51:15

File name Threat name Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180000\4E1AC3EF.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180001\4E1AC535.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180002\4E1AC57E.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180000\4E1AC3EF.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180001\4E1AC535.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E180002\4E1AC57E.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.chf 1

#4 laz4059


Posted 15 August 2008 - 01:54 PM

And here's the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:20 PM, on 8/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cup.edu/quicklinks.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6169 bytes

#5 Farbar


Posted 16 August 2008 - 05:03 AM

Hi,

Sorry for the delay once again. I am farbar. I am going to assist you with your problem. Please give me some time to look it over and I will get back to you as soon as possible. A quick look at your log shows no apparent infection, but please refrain from any system changes.

#6 Farbar


Posted 16 August 2008 - 09:26 AM

Hi again laz4059,


We are going to clean a few things and check all the areas to make sure there is no infection left.
  • Now we need to make sure to turn off UAC ( UAC = User Account Control )
    • Click Start, and then click Control Panel.
    • In Control Panel, click User Accounts.
    • In the User Accounts window, click User Accounts.
    • In the User Accounts tasks window, click Turn User Account Control on or off.
    • If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    • Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, then you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    • Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted.

  • Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start > All Programs > Windows Update.
    • In the left pane select "Change Settings".
    • In the right pane check "Never Check for Updates"
    • Click OK.
  • You have some infected files quarantined and removed by Norton. They are not harmful any more as long as you don't try to restore them. You can remove them by:
    • Double-clicking on gold shield icon in taskbar.
    • Select View->Quarantine from the menu.
    • Right click the quarantined file and select "Delete Permanently".
    • Click "Start Delete".
  • I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Norton or AVG 8. Since Norton has a firewall I suggest you uninstall AVG 8. Uninstalling Norton needs to be done with a removal tool. If you decide to uninstall Norton I'll give information on the removal tool.

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


  • Please make a program list with Hijackthis:
    • Open HijackThis and click Open the Misc Tools section.
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.
    More information, with a screenshot, can be found here.

  • Please copy and paste a fresh Hijackthis log to your reply.

In your next reply:
  • The log of MBAM.
  • The Combofix log.
  • The program list.
  • A fresh Hijackthis log.


#7 laz4059


Posted 17 August 2008 - 03:06 AM

Malwarebytes is running now. (2 hours so far... sheesh)

I have a question about deleting the quarantined files in Norton. When I follow your directions, no files show up in the quarantine area (I even set the timeframe to show files from 1994 to 2038, and nothing showed up), but when I follow the file path that I posted in the Kaspersky log, there are about 20 folders and 70 files listed. Is it safe to delete them all, or should I only pick out those that showed up using Kaspersky?

I have run ATF cleaner and uninstalled AVG, and sometime tomorrow afternoon, I will run combofix, produce a program log, and a new HijackThis log for you.

#8 Farbar


Posted 17 August 2008 - 09:40 PM

You may remove those files tagged by Kaspersky and any file or folder older than two weeks.

#9 laz4059


Posted 18 August 2008 - 01:36 AM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 6.0.6000

10:27:04 PM 8/17/2008
mbam-log-8-17-2008 (22-27-04).txt

Scan type: Quick Scan
Objects scanned: 35172
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


COMBOFIX log:

ComboFix 08-08-16.01 - mark 2008-08-18 2:25:39.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1074 [GMT -4:00]
Running from: C:\Users\mark\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\mark\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8URCBE7H\interclick.com
C:\Users\mark\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8URCBE7H\interclick.com\ud.sol
C:\Users\mark\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\mark\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Users\mark\AppData\Roaming\Microsoft\Windows\Cookies\mark@ad.yieldmanager[2].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-17 04:13 . 2008-08-17 04:13 <DIR> d-------- C:\Users\All Users\Avg8
2008-08-17 04:13 . 2008-08-17 04:13 <DIR> d-------- C:\ProgramData\Avg8
2008-08-17 02:48 . 2008-08-17 02:48 <DIR> d-------- C:\Users\mark\AppData\Roaming\Malwarebytes
2008-08-17 02:48 . 2008-08-17 02:48 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-17 02:48 . 2008-08-17 02:48 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-17 02:48 . 2008-08-17 02:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 02:48 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-17 02:48 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-14 03:03 . 2008-07-15 19:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 19:28 . 2008-06-18 23:25 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 19:28 . 2008-06-18 23:25 272,896 --a------ C:\Windows\System32\polstore.dll
2008-08-13 19:28 . 2008-04-19 04:13 268,800 --a------ C:\Windows\System32\es.dll
2008-08-13 19:28 . 2008-06-18 23:25 61,440 --a------ C:\Windows\System32\winipsec.dll
2008-08-13 19:28 . 2008-06-18 23:25 28,672 --a------ C:\Windows\System32\FwRemoteSvr.dll
2008-08-13 19:25 . 2008-04-10 01:01 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 19:25 . 2008-04-09 22:43 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-08-04 16:37 . 2008-08-04 16:42 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-04 16:37 . 2008-08-04 16:42 <DIR> d-------- C:\ProgramData\Lavasoft
2008-07-29 22:09 . 2008-07-29 22:09 <DIR> d-------- C:\Users\All Users\SweetIM
2008-07-29 22:09 . 2008-07-29 22:09 <DIR> d-------- C:\ProgramData\SweetIM
2008-07-29 22:09 . 2008-08-07 15:33 <DIR> d-------- C:\Program Files\SweetIM
2008-07-29 01:22 . 2008-07-29 01:25 <DIR> d-------- C:\Program Files\Scanning
2008-07-28 18:31 . 2008-07-28 18:31 <DIR> d-------- C:\Program Files\AVG
2008-07-28 18:08 . 2008-07-28 18:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 17:40 . 2008-07-28 17:46 <DIR> d-------- C:\Users\All Users\PrevxCSI
2008-07-28 17:40 . 2008-07-28 17:46 <DIR> d-------- C:\ProgramData\PrevxCSI
2008-07-24 03:13 . 2008-07-24 03:13 <DIR> d-------- C:\Users\mark\AppData\Roaming\NCH Swift Sound
2008-07-24 03:13 . 2008-07-24 03:13 <DIR> d-------- C:\Users\All Users\NCH Swift Sound
2008-07-24 03:13 . 2008-07-24 03:13 <DIR> d-------- C:\ProgramData\NCH Swift Sound
2008-07-24 03:13 . 2008-07-27 19:55 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 07:52 30,740 ----a-w C:\Users\mark\AppData\Roaming\wklnhst.dat
2008-08-14 07:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-07 20:19 --------- dc----w C:\Program Files\Hewlett-Packard
2008-08-07 00:27 --------- d-----w C:\Users\mark\AppData\Roaming\goombah
2008-08-06 23:51 --------- d-----w C:\Users\mark\AppData\Roaming\Ruckus Network
2008-08-04 20:37 --------- dc----w C:\Program Files\Lavasoft
2008-08-04 20:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 21:35 --------- d-----w C:\Program Files\Paint.NET
2008-07-15 01:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-14 22:31 --------- d-----w C:\Users\mark\AppData\Roaming\Yahoo!
2008-07-09 07:09 174 --sha-w C:\Program Files\desktop.ini
2008-07-05 00:01 --------- d-----w C:\Users\mark\AppData\Roaming\Media Player Classic
2008-07-04 23:53 --------- d-----w C:\Program Files\AML Products
2008-06-30 04:19 --------- dc----w C:\Program Files\Audacity
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-20 22:44 --------- d---a-w C:\ProgramData\TEMP
2008-06-12 06:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 06:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-12 01:21 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-28_21.41.05.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-29 01:36:29 6,008,832 ----a-w C:\Windows\erdnt\Hiv-backup\schema.dat
+ 2008-08-18 06:25:15 6,008,832 ----a-w C:\Windows\erdnt\Hiv-backup\schema.dat
+ 2008-07-30 02:10:13 10,134 ----a-r C:\Windows\Installer\{83FA27D5-25B5-4D24-B796-DF742F08A5CF}\ARPPRODUCTICON.exe
- 2007-11-30 02:24:24 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-01 01:31:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-11-30 02:24:24 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 01:31:17 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-30 02:24:24 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-01 01:31:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-28 22:32:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-18 06:30:33 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-09 07:09:29 957,434 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2008-08-04 20:35:15 957,434 -c--a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
- 2008-07-28 22:32:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-18 06:30:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2007-12-12 05:54:34 18,944 ----a-w C:\Windows\servicing\GC32\tzupd.exe
+ 2008-07-16 04:09:30 18,944 ----a-w C:\Windows\servicing\GC32\tzupd.exe
- 2008-07-24 17:58:41 1,121,856 ----a-w C:\Windows\SoftwareDistribution\Download\Install\mpas-d.exe
- 2008-04-25 04:23:05 124,928 ----a-w C:\Windows\System32\advpack.dll
+ 2008-07-16 04:09:38 124,928 ----a-w C:\Windows\System32\advpack.dll
- 2008-07-29 01:32:47 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-18 06:23:32 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-29 01:32:47 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-18 06:23:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-29 01:32:47 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-18 06:23:32 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-29 01:36:51 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-18 06:25:30 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-29 15:19:50 12,960 ----a-w C:\Windows\System32\drivers\Awrtpd.sys
+ 2008-04-29 15:19:54 15,648 ----a-w C:\Windows\System32\drivers\Awrtrd.sys
+ 2008-04-29 15:20:00 15,648 ----a-w C:\Windows\System32\drivers\NSDriver.sys
- 2008-04-25 04:23:06 347,136 ----a-w C:\Windows\System32\dxtmsft.dll
+ 2008-06-27 03:54:44 347,136 ----a-w C:\Windows\System32\dxtmsft.dll
- 2008-04-25 04:23:06 214,528 ----a-w C:\Windows\System32\dxtrans.dll
+ 2008-06-27 03:54:44 214,528 ----a-w C:\Windows\System32\dxtrans.dll
- 2008-04-25 04:23:06 63,488 ----a-w C:\Windows\System32\icardie.dll
+ 2008-06-27 03:54:45 63,488 ----a-w C:\Windows\System32\icardie.dll
- 2008-04-25 04:22:36 70,656 ----a-w C:\Windows\System32\ie4uinit.exe
+ 2008-06-27 03:54:09 70,656 ----a-w C:\Windows\System32\ie4uinit.exe
- 2008-04-25 04:23:06 383,488 ----a-w C:\Windows\System32\ieapfltr.dll
+ 2008-06-27 03:54:45 383,488 ----a-w C:\Windows\System32\ieapfltr.dll
- 2008-04-25 04:23:06 6,066,176 ----a-w C:\Windows\System32\ieframe.dll
+ 2008-06-27 03:54:45 6,066,176 ----a-w C:\Windows\System32\ieframe.dll
- 2008-04-25 04:23:06 44,544 ----a-w C:\Windows\System32\iernonce.dll
+ 2008-06-27 03:54:45 44,544 ----a-w C:\Windows\System32\iernonce.dll
- 2008-04-25 04:23:06 56,320 ----a-w C:\Windows\System32\iesetup.dll
+ 2008-06-27 03:54:45 56,320 ----a-w C:\Windows\System32\iesetup.dll
- 2008-04-25 04:23:06 180,736 ----a-w C:\Windows\System32\ieui.dll
+ 2008-06-27 03:54:45 180,736 ----a-w C:\Windows\System32\ieui.dll
- 2008-04-25 04:22:36 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
+ 2008-06-27 03:54:09 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
- 2008-04-25 04:23:06 27,648 ----a-w C:\Windows\System32\jsproxy.dll
+ 2008-06-27 03:54:45 27,648 ----a-w C:\Windows\System32\jsproxy.dll
+ 2008-05-16 15:58:04 12,632 ----a-w C:\Windows\System32\lsdelete.exe
- 2008-04-25 04:23:11 64,512 ----a-w C:\Windows\System32\migration\WininetPlugin.dll
+ 2008-06-27 03:54:49 64,512 ----a-w C:\Windows\System32\migration\WininetPlugin.dll
- 2008-06-25 16:15:46 17,972,344 ----a-w C:\Windows\System32\mrt.exe
+ 2008-08-05 18:11:01 15,888,504 ----a-w C:\Windows\System32\mrt.exe
- 2008-04-25 04:23:07 3,591,680 ----a-w C:\Windows\System32\mshtml.dll
+ 2008-06-27 03:54:45 3,592,192 ----a-w C:\Windows\System32\mshtml.dll
- 2008-04-25 04:23:07 478,208 ----a-w C:\Windows\System32\mshtmled.dll
+ 2008-06-27 03:54:45 477,696 ----a-w C:\Windows\System32\mshtmled.dll
- 2008-04-25 04:23:09 671,232 ----a-w C:\Windows\System32\mstime.dll
+ 2008-06-27 03:54:47 671,232 ----a-w C:\Windows\System32\mstime.dll
- 2008-07-22 20:20:51 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-15 02:12:12 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-22 20:20:51 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-15 02:12:12 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-25 04:23:10 44,544 ----a-w C:\Windows\System32\pngfilt.dll
+ 2008-06-27 03:54:48 44,544 ----a-w C:\Windows\System32\pngfilt.dll
- 2008-07-16 21:35:53 6,029,312 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-08-18 06:28:31 6,029,312 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2008-04-25 04:23:11 1,159,680 ----a-w C:\Windows\System32\urlmon.dll
+ 2008-06-27 03:54:49 1,159,680 ----a-w C:\Windows\System32\urlmon.dll
- 2008-07-15 07:34:01 8,876 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2878619889-3177928191-3653609727-1000_UserData.bin
+ 2008-08-14 19:25:07 9,210 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2878619889-3177928191-3653609727-1000_UserData.bin
- 2008-07-15 07:34:00 61,012 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-14 19:25:06 61,660 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-15 18:59:58 30,056 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-14 19:25:04 31,706 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-07-26 01:27:22 222,858 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-08-17 14:54:50 230,800 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-04-25 04:23:11 826,368 ----a-w C:\Windows\System32\wininet.dll
+ 2008-06-27 03:54:49 826,368 ----a-w C:\Windows\System32\wininet.dll
- 2008-07-28 22:31:25 41,165,256 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-08-14 07:04:04 55,791,867 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-06-12 01:21:33 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16700_none_0a3bfb69f525d803\AcRes.dll
+ 2008-06-12 01:18:58 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.20856_none_0a958a550e669b8c\AcRes.dll
+ 2008-03-08 01:58:43 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18089_none_0bd4bb63f2852f64\AcRes.dll
+ 2008-06-12 02:57:04 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22201_none_0cacd7250b692215\AcRes.dll
+ 2008-06-12 06:54:28 537,600 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16700_none_0a3ffc91f5223d5f\AcLayers.dll
+ 2008-06-12 06:54:28 173,056 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16700_none_0a3ffc91f5223d5f\AcXtrnal.dll
+ 2008-06-12 05:16:14 537,600 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.20856_none_0a998b7d0e6300e8\AcLayers.dll
+ 2008-06-12 05:16:15 173,056 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.20856_none_0a998b7d0e6300e8\AcXtrnal.dll
+ 2008-06-12 05:28:53 541,696 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18089_none_0bd8bc8bf28194c0\AcLayers.dll
+ 2008-03-08 04:19:21 173,056 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18089_none_0bd8bc8bf28194c0\AcXtrnal.dll
+ 2008-06-12 05:15:18 541,696 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22201_none_0cb0d84d0b658771\AcLayers.dll
+ 2008-06-12 05:15:19 173,056 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22201_none_0cb0d84d0b658771\AcXtrnal.dll
+ 2008-07-16 04:09:38 124,928 ----a-w C:\Windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.16717_none_a9e15ad3f5abc778\advpack.dll
+ 2008-07-18 03:13:52 124,928 ----a-w C:\Windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.20879_none_aa2c18ab0ef84196\advpack.dll
+ 2008-04-19 08:13:07 268,800 ----a-w C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.16677_none_0ac2b30954c98430\es.dll
+ 2008-04-19 08:27:37 268,800 ----a-w C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.20818_none_0b8e318c6db592d2\es.dll
+ 2008-04-18 05:48:39 269,312 ----a-w C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_0cbe918751dfdd3f\es.dll
+ 2008-04-18 05:30:29 269,312 ----a-w C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.22162_none_0d385cf46b0a1a47\es.dll
+ 2008-06-27 03:54:48 44,544 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.16711_none_ebd662c7164a156d\pngfilt.dll
+ 2008-06-27 03:49:09 44,544 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.20868_none_ec30f1fc2f89f24d\pngfilt.dll
+ 2008-06-27 03:54:49 1,159,680 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16711_none_b2f30b79d9aa8cd1\urlmon.dll
+ 2008-06-27 03:49:41 1,162,752 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.20868_none_b34d9aaef2ea69b1\urlmon.dll
+ 2008-06-27 04:15:28 1,166,336 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18099_none_b48acb29d70acadb\urlmon.dll
+ 2008-06-27 03:50:29 1,166,848 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.22212_none_b563e734efedd6e3\urlmon.dll
+ 2008-06-27 03:54:47 671,232 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.16711_none_ded59a427f534c40\mstime.dll
+ 2008-06-27 03:47:51 671,232 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.20868_none_df30297798932920\mstime.dll
+ 2008-06-27 04:15:25 671,232 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.18099_none_e06d59f27cb38a4a\mstime.dll
+ 2008-06-27 03:48:43 671,232 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.22212_none_e14675fd95969652\mstime.dll
+ 2008-07-15 23:48:18 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.16717_none_135d4bd00c6d4a6b\tzres.dll
+ 2008-07-16 04:09:30 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.16717_none_135d4bd00c6d4a6b\tzupd.exe
+ 2008-07-15 23:43:45 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.20878_none_13a7095d25baab32\tzres.dll
+ 2008-07-16 01:28:34 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.20878_none_13a7095d25baab32\tzupd.exe
+ 2008-07-16 01:32:44 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18108_none_154f5aac098ad8c2\tzres.dll
+ 2008-01-19 07:33:33 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18108_none_154f5aac098ad8c2\tzupd.exe
+ 2008-07-16 01:27:35 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22223_none_15be562d22bd31bb\tzres.dll
+ 2008-07-16 01:27:35 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22223_none_15be562d22bd31bb\tzupd.exe
+ 2008-06-27 03:54:45 27,648 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16711_none_fff8e71ba4b3b364\jsproxy.dll
+ 2008-06-27 03:54:49 826,368 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16711_none_fff8e71ba4b3b364\wininet.dll
+ 2008-06-27 03:54:49 64,512 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16711_none_fff8e71ba4b3b364\WininetPlugin.dll
+ 2008-06-27 03:47:03 27,648 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20868_none_00537650bdf39044\jsproxy.dll
+ 2008-06-27 03:49:46 827,904 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20868_none_00537650bdf39044\wininet.dll
+ 2008-06-27 03:49:46 64,512 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20868_none_00537650bdf39044\WininetPlugin.dll
+ 2008-06-27 04:15:24 28,160 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18099_none_0190a6cba213f16e\jsproxy.dll
+ 2008-06-27 04:15:28 827,392 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18099_none_0190a6cba213f16e\wininet.dll
+ 2008-06-27 04:15:28 64,512 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18099_none_0190a6cba213f16e\WininetPlugin.dll
+ 2008-06-27 03:47:35 28,160 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22212_none_0269c2d6baf6fd76\jsproxy.dll
+ 2008-06-27 03:50:35 827,904 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22212_none_0269c2d6baf6fd76\wininet.dll
+ 2008-06-27 03:50:35 64,512 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22212_none_0269c2d6baf6fd76\WininetPlugin.dll
+ 2007-09-27 17:37:35 2,455,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16711_none_f9a209f56e9f2db7\ieapfltr.dat
+ 2008-06-27 03:54:45 383,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16711_none_f9a209f56e9f2db7\ieapfltr.dll
+ 2007-09-27 17:37:35 2,455,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20868_none_f9fc992a87df0a97\ieapfltr.dat
+ 2008-06-27 03:46:48 383,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20868_none_f9fc992a87df0a97\ieapfltr.dll
+ 2008-06-27 03:54:44 347,136 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16711_none_95d642ad8484b3e5\dxtmsft.dll
+ 2008-06-27 03:54:44 214,528 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16711_none_95d642ad8484b3e5\dxtrans.dll
+ 2008-06-27 03:46:25 347,136 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20868_none_9630d1e29dc490c5\dxtmsft.dll
+ 2008-06-27 03:46:25 214,528 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20868_none_9630d1e29dc490c5\dxtrans.dll
+ 2008-06-27 03:54:45 477,696 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.16711_none_4638dd0546456672\mshtmled.dll
+ 2008-06-27 03:47:32 477,696 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.20868_none_46936c3a5f854352\mshtmled.dll
+ 2008-06-27 03:54:45 3,592,192 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16711_none_1153063a250a1c9a\mshtml.dll
+ 2008-06-27 03:47:31 3,594,240 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.20868_none_11ad956f3e49f97a\mshtml.dll
+ 2008-06-27 04:15:24 3,578,368 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18099_none_12eac5ea226a5aa4\mshtml.dll
+ 2008-06-27 03:48:28 3,578,880 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22212_none_13c3e1f53b4d66ac\mshtml.dll
+ 2008-06-27 03:54:45 63,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.16711_none_58ab7304671ea8a3\icardie.dll
+ 2008-06-27 03:46:48 63,488 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.20868_none_59060239805e8583\icardie.dll
+ 2008-06-27 03:54:09 26,624 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_2d71f3a71cdf2247\ieUnatt.exe
+ 2008-06-27 03:54:09 625,664 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_2d71f3a71cdf2247\iexplore.exe
+ 2008-06-27 01:41:11 26,624 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_2dcc82dc361eff27\ieUnatt.exe
+ 2008-06-27 01:41:30 625,664 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_2dcc82dc361eff27\iexplore.exe
+ 2008-06-27 03:54:09 70,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16711_none_c3e0a8c26159eaec\ie4uinit.exe
+ 2008-06-27 03:54:45 44,544 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16711_none_c3e0a8c26159eaec\iernonce.dll
+ 2008-06-27 03:54:45 56,320 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16711_none_c3e0a8c26159eaec\iesetup.dll
+ 2008-06-27 01:41:00 70,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20868_none_c43b37f77a99c7cc\ie4uinit.exe
+ 2008-06-27 03:46:49 44,544 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20868_none_c43b37f77a99c7cc\iernonce.dll
+ 2008-06-27 03:46:49 56,320 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20868_none_c43b37f77a99c7cc\iesetup.dll
+ 2008-06-27 03:54:45 52,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.16711_none_2a05bf326809c049\iebrshim.dll
+ 2008-06-27 03:46:48 52,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20868_none_2a604e6781499d29\iebrshim.dll
+ 2008-06-27 03:54:45 6,066,176 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16711_none_62b2603db0ffaac7\ieframe.dll
+ 2008-06-27 03:54:45 180,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16711_none_62b2603db0ffaac7\ieui.dll
+ 2008-06-27 03:46:49 6,068,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20868_none_630cef72ca3f87a7\ieframe.dll
+ 2008-06-27 03:46:49 180,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20868_none_630cef72ca3f87a7\ieui.dll
+ 2008-06-27 04:15:23 6,068,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18099_none_644a1fedae5fe8d1\ieframe.dll
+ 2008-01-19 07:34:31 180,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18099_none_644a1fedae5fe8d1\ieui.dll
+ 2008-06-27 03:47:06 6,070,272 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22212_none_65233bf8c742f4d9\ieframe.dll
+ 2008-06-27 03:47:06 180,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22212_none_65233bf8c742f4d9\ieui.dll
+ 2008-06-27 03:54:09 263,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.16711_none_e6abccbc9482feff\ieinstal.exe
+ 2008-06-27 01:41:23 263,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.20868_none_e7065bf1adc2dbdf\ieinstal.exe
+ 2008-06-27 03:54:09 301,568 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.16711_none_0b5401d8d6fdbeb1\ieuser.exe
+ 2008-06-27 01:41:24 301,568 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.20868_none_0bae910df03d9b91\ieuser.exe
+ 2008-04-30 05:29:59 454,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-dll_31bf3856ad364e35_6.0.6000.16683_none_5fb7376b44d6ca52\msadce.dll
+ 2008-04-30 05:19:33 454,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-dll_31bf3856ad364e35_6.0.6000.20825_none_6083b6385dc1f24b\msadce.dll
+ 2008-04-30 05:36:32 454,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-dll_31bf3856ad364e35_6.0.6001.18065_none_61b5167d41eb560f\msadce.dll
+ 2008-04-30 05:25:53 454,656 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-dll_31bf3856ad364e35_6.0.6001.22169_none_6242b4705b055b35\msadce.dll
+ 2008-04-10 05:01:31 737,792 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6000.16669_none_77930ed65b8e9f2d\inetcomm.dll
+ 2008-04-10 02:43:11 84,480 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6000.16669_none_77930ed65b8e9f2d\INETRES.dll
+ 2008-04-10 04:56:31 737,792 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6000.20810_none_7849ba89748bcc5a\inetcomm.dll
+ 2008-04-10 02:44:56 84,480 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6000.20810_none_7849ba89748bcc5a\INETRES.dll
+ 2008-04-10 05:12:41 738,304 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.18049_none_798eed5458a4f83c\inetcomm.dll
+ 2006-11-02 08:48:55 84,480 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.18049_none_798eed5458a4f83c\INETRES.dll
+ 2008-04-10 04:59:52 738,304 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.22154_none_7a08b8c171cf3544\inetcomm.dll
+ 2008-04-10 02:51:10 84,480 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.22154_none_7a08b8c171cf3544\INETRES.dll
+ 2008-06-19 03:25:22 28,672 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.16705_none_422d3c83eeda2955\FwRemoteSvr.dll
+ 2008-06-19 03:25:22 361,984 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.16705_none_422d3c83eeda2955\IPSECSVC.DLL
+ 2008-06-19 03:25:25 272,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.16705_none_422d3c83eeda2955\polstore.dll
+ 2008-06-19 03:25:26 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.16705_none_422d3c83eeda2955\winipsec.dll
+ 2008-06-19 03:11:10 28,672 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.20861_none_4271f89f082c0b69\FwRemoteSvr.dll
+ 2008-06-19 03:11:28 361,984 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.20861_none_4271f89f082c0b69\IPSECSVC.DLL
+ 2008-06-19 03:13:36 272,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.20861_none_4271f89f082c0b69\polstore.dll
+ 2008-06-19 03:14:12 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6000.20861_none_4271f89f082c0b69\winipsec.dll
+ 2008-01-19 07:34:22 28,672 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\FwRemoteSvr.dll
+ 2008-06-19 03:31:48 361,984 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\IPSECSVC.DLL
+ 2008-01-19 07:36:07 272,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\polstore.dll
+ 2008-01-19 07:36:55 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\winipsec.dll
+ 2008-06-19 03:12:13 28,672 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.22206_none_449e183f051d7367\FwRemoteSvr.dll
+ 2008-06-19 03:12:58 361,984 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.22206_none_449e183f051d7367\IPSECSVC.DLL
+ 2008-06-19 03:15:05 272,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.22206_none_449e183f051d7367\polstore.dll
+ 2008-06-19 03:15:48 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.22206_none_449e183f051d7367\winipsec.dll
+ 2008-06-30 23:03:49 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16714_none_f09b0ea06e5840aa\OESpamFilter.dat
+ 2008-06-30 22:56:06 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20874_none_f0e3cbe387a6881a\OESpamFilter.dat
+ 2008-07-04 02:02:58 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18104_none_f28c1d326b76b5aa\OESpamFilter.dat
+ 2008-06-30 23:00:26 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22218_none_f30eeb398498d6c1\OESpamFilter.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-07-06 12:44 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-07-06 12:44 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 12:44 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 12:44 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:34 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-05-11 12:54 138008]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-05-11 12:54 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-05-11 12:54 133912]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 20:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 09:34 134808]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-01 04:24 185896]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-13 18:36 774233]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-17 02:11 49152 c:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2006-12-02 19:32 167936 C:\Program Files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-27 13:47 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB4A444F-B668-4AF9-803E-169029B376BD}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{10637143-05B8-468A-816E-134741D8BD69}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1DF264F7-023A-4A2E-B363-F397806E9BFF}"= UDP:C:\Program Files\Hp\QuickPlay\QP.exe:QP
"{3F9EA138-5B1F-469E-B283-B8ACAFF759B9}"= TCP:C:\Program Files\Hp\QuickPlay\QP.exe:QP
"{791622C2-D530-4576-8AB4-1FB72454A9D0}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{8680BAD8-769B-4B8E-A0FD-B3EBD0FA24FD}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{92706EEE-8735-4342-8B4C-886ED7AD8A69}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{902340D1-B7E3-4E4A-B3AD-68564FFCE5D3}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{E454251D-CA2D-4121-80AD-D0DF6384AB83}C:\\users\\mark\\desktop\\quake3arena\\quake3arena.exe"= UDP:C:\users\mark\desktop\quake3arena\quake3arena.exe:quake3arena.exe
"UDP Query User{AF088D46-15B9-4905-B56D-7F1AEEF80617}C:\\users\\mark\\desktop\\quake3arena\\quake3arena.exe"= TCP:C:\users\mark\desktop\quake3arena\quake3arena.exe:quake3arena.exe
"TCP Query User{C4B7A251-6826-4B2E-9DFE-5FEC4A17ABBC}C:\\program files\\quake3arena\\quake3arena.exe"= UDP:C:\program files\quake3arena\quake3arena.exe:Quake3Arena
"UDP Query User{7DA25AC5-E47D-41A0-BA03-75309BF07D1C}C:\\program files\\quake3arena\\quake3arena.exe"= TCP:C:\program files\quake3arena\quake3arena.exe:Quake3Arena
"TCP Query User{CC2E3A65-F8AC-4FC9-AB20-A2615535DD11}C:\\program files\\quake3arena\\quake3arena.exe"= UDP:C:\program files\quake3arena\quake3arena.exe:Quake3Arena
"UDP Query User{713A1DC8-2678-4AE2-B010-78E1C6319687}C:\\program files\\quake3arena\\quake3arena.exe"= TCP:C:\program files\quake3arena\quake3arena.exe:Quake3Arena
"TCP Query User{ECAE1615-2052-43CA-8477-AC7D9BAF4CD0}C:\\program files\\filetopia3\\filetopia.exe"= UDP:C:\program files\filetopia3\filetopia.exe:Filetopia
"UDP Query User{ABFA8CDC-5891-4058-A4CE-7C785572575B}C:\\program files\\filetopia3\\filetopia.exe"= TCP:C:\program files\filetopia3\filetopia.exe:Filetopia
"TCP Query User{6EAE01CC-91EB-48EF-BB08-B7178C0921BD}C:\\program files\\filetopia3\\filetopia.exe"= UDP:C:\program files\filetopia3\filetopia.exe:Filetopia
"UDP Query User{E26BBAF7-6E98-4B1E-A3EE-4413ADFFFF1F}C:\\program files\\filetopia3\\filetopia.exe"= TCP:C:\program files\filetopia3\filetopia.exe:Filetopia
"{FDA3DE98-1C43-42F5-804C-7A2EC28C3EC6}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7BD5A55D-72BF-4F66-9922-A61FA9AA32A8}"= UDP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{69A9DC3F-529A-47A9-95B8-94F8ED072F82}"= TCP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"TCP Query User{C4B7D5ED-FD39-4CAC-AAE2-A4A2B4F0E22B}C:\\program files\\participatory culture foundation\\miro\\miro_downloader.exe"= UDP:C:\program files\participatory culture foundation\miro\miro_downloader.exe:Miro_Downloader
"UDP Query User{E69FFAAE-D640-4765-B37E-A95CE39106E9}C:\\program files\\participatory culture foundation\\miro\\miro_downloader.exe"= TCP:C:\program files\participatory culture foundation\miro\miro_downloader.exe:Miro_Downloader
"{974466B1-6510-4AA0-A5EE-CDC31B42EBD9}"= Disabled:UDP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{5A7805D6-3BB3-4A6C-BC2D-B98CD97BD96E}"= Disabled:TCP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{625A5EC5-70F5-4CFF-AFC0-155D64BB96E9}"= Disabled:UDP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{188E57F9-7B99-4821-8D8C-11E016908ACA}"= Disabled:TCP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{E4E4349F-353E-4143-BDF7-E98EF566A314}"= UDP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{961F3079-0BB6-450D-898E-C9DFAE6AF8A2}"= TCP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.cup.edu/quicklinks.jsp
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 02:30:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\System32\msiexec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
.
**************************************************************************
.
Completion time: 2008-08-18 2:34:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 06:33:40
ComboFix2.txt 2008-07-29 05:30:37
ComboFix3.txt 2008-07-29 01:41:48

Pre-Run: 39,820,890,112 bytes free
Post-Run: 39,722,225,664 bytes free

399 --- E O F --- 2008-08-16 05:18:14

#10 laz4059 (Topic Starter, Members, 8 posts)

Posted 18 August 2008 - 01:42 AM

Program List:

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
ASL_HS_Installer32
Audacity 1.2.6
BitZip - Powered by Miro
Bonjour Core for Windows
Broadcom 802.11 Wireless LAN Adapter
Compton's Interactive Encyclopedia 1997
Conexant HD Audio
DivX
Drug Lord 2
Google Earth
Goombah Partner COM Server
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library
HP Active Support Library 32 bit components
HP DVD Play 3.0
HP Help and Support
HP Update
Intel® Graphics Media Accelerator Driver
Java™ SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Speech API 3.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Zoo Tycoon
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
NetWaiting
New Millennium CD
ODF Add-in for Microsoft Word
Paint.NET v3.35
Power Audio Video DVD Converter 1.0
QuickTime
RealPlayer
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Ruckus Player
Spybot - Search & Destroy 1.3
SweetIM Toolbar for Internet Explorer 3.2
Symantec AntiVirus
Synaptics Pointing Device Driver



New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:29 AM, on 8/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cup.edu/quicklinks.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5877 bytes

#11 Farbar, Just Curious (Security Developer, 21,660 posts, Male, The Netherlands)

Posted 19 August 2008 - 06:51 PM

Hi,

Sorry for the delay and thanks for your patience.

We have run some top scanners and gone through the logs thoroughly. Your problem doesn't seem malware related. Here are some recommendations:
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
  • Close Internet Explorer. Go to Start > Control Panel > Internet Options.
    Under the General tab press Delete..., then Delete All. Check "Also delete files and settings stored by Add-ons" and click Yes.

  • If the problem still comes back, visit this page to resolve the most commonly reported problems with IE7: http://www.enhanceie.com/ie/troubleshoot.asp
    In case you need further assistance on that, you may start a topic at: Web Browsing/Email and Other Internet Applications

  • First set a new restore point, then remove the old restore points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Right-click Computer > Properties > In the left pane click on System Protection. All the drives should have a checkmark next to them.
    • Choose the radio button marked "Create".
    • Give the Restore Point a name. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Click "Create" and OK twice.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore and Shadow Copies section to remove all previous restore points except the newly created one.
    • Click OK.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, once the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help prevent malicious software being installed on your PC.

  • Install Javacools© SpywareBlaster -
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs. You can find more information and a download link here.

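As an added example that is not part of this thread, of HijackThis, or of Farbar's own tooling: the checks a log helper applies by eye when reading a HijackThis log like the one in post #10, written out in Python and run over a constructed sample made of lines copied from that log. It flags entries whose file is missing, browser search hooks and toolbars, add-ons and autoruns outside the usual program directories, services with no identified owner, and a Java path whose folder name shows no update level (the reason for the Java advice above). The JRE 6 update threshold (Update 7, the version recommended above) and the list of "usual" program directories are assumptions made for the example.

```python
"""Triage of HijackThis (HJT) log lines.

Added example, not part of the thread or of HijackThis itself. Each rule
below is one of the things a log helper looks for first.
"""
import re

# Constructed sample: lines copied from the second HijackThis log in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: AddFiltr - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# An HJT entry is "<code> - <body>", where code is R0..R3 or O1..O24.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in an executable-ish extension; 8.3 short names (PROGRA~1) included.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
# Assumption for this example: where legitimately installed software normally lives.
PROGRAM_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumption for this example: the JRE 6 update level current when the thread was written.
CURRENT_JRE6_UPDATE = 7
JRE_RE = re.compile(r"\\jre1\.6\.0(?:_(?P<upd>\d+))?\\", re.IGNORECASE)


def parse_entry(line):
    """Split one HJT line into code, body, first path and a missing-file flag; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = PATH_RE.search(body)
    return {"code": m.group("code"), "body": body,
            "path": path.group(0) if path else None,
            "missing": "(file missing)" in body}


def jre6_update_level(path):
    """Update level encoded in a jre1.6.0[_NN] folder: 0 for the base release, None if not JRE 6."""
    m = JRE_RE.search(path)
    if not m:
        return None
    return int(m.group("upd") or 0)


def in_program_dirs(path):
    return path.lower().startswith(PROGRAM_DIRS)


def triage(log_text):
    """Return (reason, code, body) tuples for entries a helper should look at."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        code, body, path = e["code"], e["body"], e["path"]
        if e["missing"]:
            # Registry still points at a file that is gone: leftover of an uninstall or a cleanup.
            findings.append(("orphan", code, body))
        if code in ("R3", "O3"):
            # URL search hooks and toolbars are the usual homes of bundled adware.
            findings.append(("browser_hook", code, body))
        if code == "O23" and "Unknown owner" in body:
            # A service binary with no verifiable publisher.
            findings.append(("unknown_owner", code, body))
        if path and code in ("O2", "O4", "O9") and not in_program_dirs(path):
            # Add-ons, autoruns and IE buttons outside Program Files / Windows deserve a second look.
            findings.append(("odd_location", code, body))
        if path is not None:
            upd = jre6_update_level(path)
            if upd is not None and upd < CURRENT_JRE6_UPDATE:
                # jre1.6.0 with no _NN suffix is the base release: old, exploitable plugin.
                findings.append(("java_outdated", code, body))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. {'orphan': 3, 'browser_hook': 2, ...}."""
    counts = {}
    for reason, _, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, code, body in triage(SAMPLE_LOG):
        print(f"{reason:14} {code:4} {body}")
```

On the sample this surfaces the three "(file missing)" leftovers, both SweetIM hook entries, the AddFiltr service with no owner, the PartyPoker button pointing into C:\Programs, and the base-release jre1.6.0 path that prompted the Java update advice. The rules are deliberately coarse; they tell a helper where to read first, not what to delete.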

#12 laz4059 (Topic Starter, Members, 8 posts)

Posted 20 August 2008 - 04:38 AM

Alright. I updated Java, re-enabled updates, etc., etc.

It hasn't happened in a day or two, so it may be gone *crosses fingers and clicks heels together*

Thanks! :thumbsup:

#13 Farbar, Just Curious (Security Developer, 21,660 posts, Male, The Netherlands)

Posted 20 August 2008 - 06:50 AM

You are welcome.

Please do this also:

Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Enjoy Surfing!

#14 Farbar, Just Curious (Security Developer, 21,660 posts, Male, The Netherlands)

Posted 23 August 2008 - 03:56 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



