Virtumonde Plus Some Other Unknown Malware


  • This topic is locked
4 replies to this topic

#1 richington

richington

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 26 September 2008 - 08:24 AM

hello, please see my log file below.
many thanks in advance

Tried removing all with Spybot, Ad-Aware, Stinger to no avail... please help!! :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:46, on 26/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\XOSD\XOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WerCon.exe
C:\Windows\explorer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguys.com/welcome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [XOSD] C:\Program Files\XOSD\XOSD_ON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SpareMessaging] "C:\Program Files\Spare Messaging\MessagingApp.exe"
O4 - HKLM\..\Run: [UpdateP2GShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifcDSjK.dll,#1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\tUlJyYon.dll,#1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\cbXNFvUN.dll,c
O4 - HKCU\..\Run: [004fa6cd] rundll32.exe "C:\Users\Elliott\AppData\Local\Temp\secoglmg.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7594 bytes
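The four O4 entries above that launch rundll32.exe against a randomly named eight-letter DLL (iifcDSjK.dll in system32, and tUlJyYon.dll, cbXNFvUN.dll and secoglmg.dll in the user's Temp folder) with an ordinal or single-letter export (,#1 ,c ,b) are the classic Virtumonde/Vundo loader pattern, and the hex-named Run value [004fa6cd] is part of the same family. The script below is an added example for this thread, not a BleepingComputer or HijackThis tool: it parses O4 lines in HijackThis v2 format and scores each rundll32 loader on those traits. The point weights, the threshold of 3 and the "eight random letters" heuristic are my own assumptions, tuned to the log posted above; the sample input is copied from that log plus one benign control line.

```python
"""Triage HijackThis O4 (Run key) entries for Vundo/Virtumonde-style rundll32 loaders.

Added example for this thread; not a BleepingComputer or HijackThis tool. The
scoring weights, the threshold and the 8-letter "random name" rule are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines taken from the HijackThis log in the post above,
# plus a benign Windows Defender line and the OOBE entry as negative controls.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifcDSjK.dll,#1
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\tUlJyYon.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\cbXNFvUN.dll,c
O4 - HKCU\..\Run: [004fa6cd] rundll32.exe "C:\Users\Elliott\AppData\Local\Temp\secoglmg.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<name>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^\s\[]*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32[.exe] <dll path, optionally quoted>,<export name or #ordinal>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)$', re.IGNORECASE
)
THRESHOLD = 3  # assumption: total score at or above this is reported as suspicious


@dataclass
class Finding:
    hive: str
    name: str
    command: str
    user: Optional[str] = None
    dll: Optional[str] = None
    export: Optional[str] = None
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_entry(hive: str, name: str, cmd: str, user: Optional[str]) -> Finding:
    """Score one Run entry; only rundll32 loaders get the DLL-specific checks."""
    f = Finding(hive, name, cmd, user)
    if re.fullmatch(r"[0-9a-f]{8}", name):
        f.score += 1
        f.reasons.append("hex-looking Run value name")
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return f  # not a rundll32 loader: nothing more to check here
    f.dll, f.export = m.group("dll"), m.group("export")
    stem = ntpath.splitext(ntpath.basename(f.dll))[0]
    if re.search(r"\\Temp\\", f.dll, re.IGNORECASE):
        f.score += 2
        f.reasons.append("DLL loaded from a Temp directory")
    if re.fullmatch(r"#\d+|[A-Za-z]", f.export):
        f.score += 2
        f.reasons.append("ordinal or single-letter export")
    if re.fullmatch(r"[A-Za-z]{8}", stem):
        f.score += 1
        f.reasons.append("8-letter random-looking DLL name (assumed Vundo pattern)")
    return f


def triage_o4(log_text: str) -> List[Finding]:
    """Parse every O4 line in a HijackThis log and return a scored Finding per line."""
    out = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(score_entry(m["hive"], m["name"], m["cmd"], m["user"]))
    return out


def flagged_dll_names(log_text: str, threshold: int = THRESHOLD) -> List[str]:
    """Base names of DLLs behind entries scoring at or above the threshold."""
    return [ntpath.basename(f.dll) for f in triage_o4(log_text)
            if f.dll and f.score >= threshold]


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4):
        tag = "SUSPICIOUS" if f.score >= THRESHOLD else "ok"
        print(f"{tag:10} score={f.score} [{f.name}] {f.command}  {'; '.join(f.reasons)}")
```

Run on the sample it reports the four loaders and nothing else; the system32 one (iifcDSjK.dll) scores lowest because it is not in Temp, which is why the ordinal-export check carries as much weight as the path check. Treat the output as a triage aid only: the heuristics say nothing about a DLL's contents, and a reasonable next step is hashing the flagged files and looking up the hashes before deleting anything.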


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:44 PM

Posted 26 September 2008 - 02:18 PM

Hello richington,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 richington

richington
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 28 September 2008 - 03:54 PM

Hello Teacup,

Many thanks for your reply. Upon reboot it seems that the error boxes warning of missing DLL files have now gone.

I ran HijackThis again but it said that the computer could not write to specific folders (or something along those lines).

Thanks once more. What will I have to do now?

Combofix log


ComboFix 08-09-27.05 - Elliott 2008-09-28 21:43:10.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1135 [GMT 1:00]
Running from: C:\Users\Elliott\Downloads\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-26 14:21 . 2008-09-26 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-26 14:16 . 2008-09-26 14:17 <DIR> d-------- C:\Users\Elliott\.housecall6.6
2008-09-26 11:45 . 2008-09-26 11:45 <DIR> d-------- C:\Windows\BDOSCAN8
2008-09-26 11:36 . 2008-09-26 11:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-26 11:35 . 2008-09-26 11:39 <DIR> d-------- C:\ProgramData\Lavasoft
2008-09-26 11:34 . 2008-09-26 11:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-26 11:27 . 2008-09-26 11:28 <DIR> d-------- C:\Program Files\Java
2008-09-26 11:23 . 2008-09-26 11:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-26 10:15 . 2008-09-26 11:07 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-09-26 10:15 . 2008-09-26 10:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-25 22:51 . 2008-09-28 20:49 2,867 --a------ C:\rollback.ini
2008-09-23 00:50 . 2008-09-23 00:50 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-09-23 00:50 . 2008-09-23 00:50 272,896 --a------ C:\Windows\System32\polstore.dll
2008-09-23 00:50 . 2008-09-23 00:50 61,440 --a------ C:\Windows\System32\winipsec.dll
2008-09-23 00:50 . 2008-09-23 00:50 28,672 --a------ C:\Windows\System32\FwRemoteSvr.dll
2008-09-23 00:49 . 2008-09-23 00:49 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-23 00:49 . 2008-09-23 00:49 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-09-23 00:49 . 2008-09-23 00:49 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-23 00:45 . 2008-09-23 00:45 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-09-23 00:45 . 2008-09-23 00:45 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-09-23 00:44 . 2008-09-23 00:44 2,048 --a------ C:\Windows\System32\tzres.dll
2008-09-23 00:43 . 2008-09-23 00:43 268,800 --a------ C:\Windows\System32\es.dll
2008-09-23 00:42 . 2008-09-23 00:42 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-23 00:37 . 2008-09-23 00:37 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-09-23 00:37 . 2008-09-23 00:37 826,368 --a------ C:\Windows\System32\wininet.dll
2008-09-23 00:36 . 2008-09-23 00:36 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-09-23 00:36 . 2008-09-23 00:36 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-09-23 00:36 . 2008-09-23 00:36 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-09-23 00:33 . 2008-09-23 00:33 944,184 --a------ C:\Windows\System32\winload.exe
2008-09-23 00:33 . 2008-09-23 00:33 620,088 --a------ C:\Windows\System32\ci.dll
2008-09-23 00:33 . 2008-09-23 00:33 371,712 --a------ C:\Windows\System32\srcore.dll
2008-09-23 00:33 . 2008-09-23 00:33 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-09-23 00:33 . 2008-09-23 00:33 40,960 --a------ C:\Windows\System32\srclient.dll
2008-09-23 00:33 . 2008-09-23 00:33 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-09-23 00:33 . 2008-09-23 00:33 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-09-23 00:33 . 2008-09-23 00:33 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-09-23 00:33 . 2008-09-23 00:33 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-09-23 00:30 . 2008-09-23 00:30 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-09-23 00:29 . 2008-09-23 00:29 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-09-23 00:29 . 2008-09-23 00:29 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-09-23 00:29 . 2008-09-23 00:29 14,848 --a------ C:\Windows\System32\wshrm.dll
2008-09-23 00:28 . 2008-09-23 00:28 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-09-23 00:28 . 2008-09-23 00:28 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-09-23 00:28 . 2008-09-23 00:28 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-09-23 00:28 . 2008-09-23 00:28 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-09-23 00:28 . 2008-09-23 00:28 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-09-23 00:27 . 2008-09-23 00:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-09-23 00:27 . 2008-09-23 00:27 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-09-23 00:27 . 2008-09-23 00:27 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-09-23 00:27 . 2008-09-23 00:27 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-09-23 00:27 . 2008-09-23 00:27 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-09-23 00:27 . 2008-09-23 00:27 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-09-23 00:27 . 2008-09-23 00:27 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-09-22 22:07 . 2008-09-28 21:47 14,187,296 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-09-22 22:07 . 2008-09-28 21:26 176,780 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-09-22 22:02 . 2008-09-22 22:02 <DIR> d-------- C:\ProgramData\MailFrontier
2008-09-22 22:02 . 2008-08-21 20:41 72,592 --a------ C:\Windows\zllsputility.exe
2008-09-22 22:01 . 2008-08-21 20:41 1,221,008 --a------ C:\Windows\System32\zpeng25.dll
2008-09-22 22:00 . 2008-09-25 23:02 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 22:00 . 2008-09-28 21:30 349,222 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 22:00 . 2008-08-21 20:42 294,288 --a------ C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 21:59 . 2008-09-22 21:59 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 21:44 . 2008-09-25 22:53 <DIR> d-------- C:\spywarebegone
2008-09-22 21:44 . 2008-09-22 21:43 724,992 --a------ C:\Windows\iun6002.exe
2008-09-22 21:43 . 2008-09-22 21:43 170 --a------ C:\Windows\spywarebegone-fullversion-installed.html
2008-09-22 21:38 . 2008-09-22 21:38 <DIR> d-------- C:\ProgramData\Broderbund LLC
2008-09-22 21:34 . 2008-09-22 21:34 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-22 21:34 . 2008-09-22 21:34 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-22 21:34 . 2008-09-22 21:34 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-22 21:34 . 2008-09-22 21:34 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-22 21:33 . 2008-09-22 21:33 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-22 21:33 . 2008-09-22 21:33 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-22 21:33 . 2008-09-22 21:33 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-22 21:33 . 2008-09-22 21:33 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-22 21:33 . 2008-09-22 21:33 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-09-22 21:32 . 2008-09-28 21:46 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 21:32 . 2008-09-22 21:32 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-20 11:29 . 2008-09-20 11:29 <DIR> d-------- C:\Users\Elliott\AppData\Roaming\CyberLink
2008-09-19 22:19 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Searches
2008-09-19 22:19 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Contacts
2008-09-19 22:19 . 2008-09-19 22:19 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-19 22:18 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Videos
2008-09-19 22:18 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Saved Games
2008-09-19 22:18 . 2008-03-20 18:11 <DIR> d-------- C:\Users\Elliott\Roaming
2008-09-19 22:18 . 2008-09-24 21:24 <DIR> dr------- C:\Users\Elliott\Pictures
2008-09-19 22:18 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Music
2008-09-19 22:18 . 2008-09-19 22:19 <DIR> dr------- C:\Users\Elliott\Links
2008-09-19 22:18 . 2008-09-28 21:00 <DIR> dr------- C:\Users\Elliott\Downloads
2008-09-19 22:18 . 2008-09-27 19:17 <DIR> dr------- C:\Users\Elliott\Documents
2008-09-19 22:18 . 2006-11-02 13:37 <DIR> d-------- C:\Users\Elliott\AppData\Roaming\Media Center Programs
2008-09-19 22:18 . 2008-09-19 22:19 <DIR> d--h----- C:\Users\Elliott\AppData
2008-09-19 22:18 . 2008-09-26 14:16 <DIR> d-------- C:\Users\Elliott
2008-09-19 22:14 . 2008-09-19 22:14 <DIR> dr------- C:\Windows\System32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-26 21:21 92,160 ----a-w C:\Windows\Internet Logs\xDB8258.tmp
2008-09-26 13:36 3,078,144 ----a-w C:\Windows\Internet Logs\xDB66EC.tmp
2008-09-23 10:41 174 --sha-w C:\Program Files\desktop.ini
2008-09-23 10:38 --------- d-----w C:\Program Files\Windows Mail
2008-09-22 23:49 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-09-22 23:49 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-09-22 23:49 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-09-22 23:49 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-09-22 23:49 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-09-22 23:37 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-28_21.12.28.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-28 19:43:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-28 20:30:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-28 19:43:19 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-28 20:30:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-28 19:45:22 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-09-28 20:32:57 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-09-28 19:45:17 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-09-28 20:33:03 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-09-28 19:48:43 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-28 20:30:53 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-28 19:48:43 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-28 20:30:53 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-28 19:48:43 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-28 20:30:53 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-28 19:51:28 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-28 20:38:29 108,526 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-28 19:51:28 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-28 20:38:29 623,342 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-25 22:08:06 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-09-28 20:23:25 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2008-09-28 19:45:55 4,602 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2918115158-1247843368-2325946213-1000_UserData.bin
+ 2008-09-28 20:33:04 4,654 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2918115158-1247843368-2325946213-1000_UserData.bin
- 2008-09-28 19:45:54 52,814 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-28 20:33:03 52,846 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-28 19:49:57 178,780 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-09-28 20:31:01 179,816 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-09-28 20:04:11 1,446,400 ----a-w C:\Windows\System32\ZoneLabs\zlqrtdb.dat
+ 2008-09-28 20:43:12 1,448,448 ----a-w C:\Windows\System32\ZoneLabs\zlqrtdb.dat
- 2008-09-28 20:11:21 83,890,035 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-09-28 20:23:11 135,090,331 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2006-11-02 12:35:28 77,824 ----a-w C:\Windows\winsxs\msil_ehiextens_31bf3856ad364e35_6.0.6001.18000_none_fdcbbc4906dd2f5d\ehiExtens.dll
+ 2006-11-02 07:11:38 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18000_none_0c223829f24c6bcd\AcRes.dll
+ 2006-11-02 09:46:02 38,912 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_6.0.6001.18000_none_94ca2703a87213b1\acppage.dll
+ 2006-11-02 07:11:39 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_6.0.6001.18000_none_94ca2703a87213b1\acprgwiz.dll
+ 2006-11-02 09:45:32 8,192 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_6.0.6001.18000_none_94ca2703a87213b1\pcaelv.exe
+ 2006-11-02 09:45:32 7,680 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_6.0.6001.18000_none_94ca2703a87213b1\pcalua.exe
+ 2006-11-02 09:45:32 14,336 ----a-w C:\Windows\winsxs\x86_microsoft-windows-a..on-experience-tools_31bf3856ad364e35_6.0.6001.18000_none_94ca2703a87213b1\pcaui.exe
+ 2006-11-02 09:41:17 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.0.6001.18000_none_175cb770bf6b8f77\netmsg.dll
+ 2006-11-02 09:46:11 14,848 ----a-w C:\Windows\winsxs\x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.0.6001.18000_none_175cb770bf6b8f77\netrap.dll
+ 2006-11-02 09:44:52 34,304 ----a-w C:\Windows\winsxs\x86_microsoft-windows-bth-user_31bf3856ad364e35_6.0.6001.18000_none_65193febd52e137a\bthudtask.exe
+ 2006-11-02 09:46:14 34,304 ----a-w C:\Windows\winsxs\x86_microsoft-windows-bth-user_31bf3856ad364e35_6.0.6001.18000_none_65193febd52e137a\wshbth.dll
+ 2006-11-02 09:46:02 23,552 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-complus-runtime_31bf3856ad364e35_6.0.6001.18000_none_59cabf11d4b18d8a\catsrvps.dll
+ 2006-09-18 21:27:45 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-complus-runtime_31bf3856ad364e35_6.0.6001.18000_none_59cabf11d4b18d8a\comempty.dat
+ 2006-11-02 09:46:11 7,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-complus-runtime_31bf3856ad364e35_6.0.6001.18000_none_59cabf11d4b18d8a\mtxex.dll
+ 2006-09-18 21:27:12 19,429 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-dtc-tracing_31bf3856ad364e35_6.0.6001.18000_none_17df4ac2f2cf5440\msdtcvtr.bat
+ 2006-09-18 21:35:10 27,792 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\compobj.dll
+ 2006-11-02 09:39:39 3,072 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\iprop.dll
+ 2006-09-18 21:35:13 42,592 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\ole2.dll
+ 2006-09-18 21:35:14 169,520 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\ole2disp.dll
+ 2006-09-18 21:35:15 153,008 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\ole2nls.dll
+ 2006-09-18 21:35:15 4,208 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\storage.dll
+ 2006-09-18 21:35:15 177,856 ----a-w C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.0.6001.18000_none_3f1ba507d2463833\typelib.dll
+ 2006-11-02 09:46:03 31,232 ----a-w C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.0.6001.18000_none_9cd54abba85233ff\cnvfat.dll
+ 2006-11-02 09:46:05 11,264 ----a-w C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.0.6001.18000_none_3a8c422a9f3101c4\padrs404.dll
+ 2006-11-02 09:46:05 11,776 ----a-w C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.0.6001.18000_none_3a8c422a9f3101c4\padrs804.dll
+ 2006-11-02 09:46:13 26,624 ----a-w C:\Windows\winsxs\x86_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_6.0.6001.18000_none_cedd4665f13650d7\w32topl.dll
+ 2006-11-02 09:46:05 36,352 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directshow-other_31bf3856ad364e35_6.0.6001.18000_none_0d5187f9e0ba9013\mciqtz32.dll
+ 2006-11-02 09:46:03 30,208 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.0.6001.18000_none_0505a2ecc0013ebd\ddrawex.dll
+ 2006-11-02 09:03:41 3,072 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnaddr.dll
+ 2006-11-02 09:46:04 56,832 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnathlp.dll
+ 2006-11-02 09:46:04 7,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnhpast.dll
+ 2006-11-02 09:46:04 7,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnhupnp.dll
+ 2006-11-02 09:03:41 3,072 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnlobby.dll
+ 2006-11-02 09:45:03 23,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.0.6001.18000_none_78d68814bebf2d3b\dpnsvr.exe
+ 2006-09-18 21:39:30 215,943 ----a-w C:\Windows\winsxs\x86_microsoft-windows-dssec_31bf3856ad364e35_6.0.6001.18000_none_5a65d782fc87d29e\dssec.dat
+ 2006-11-02 12:35:32 21,504 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ehome-ehdebug_31bf3856ad364e35_6.0.6001.18000_none_2fddb7218242099b\ehdebug.dll
+ 2006-11-02 12:35:33 16,384 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ehome-ehssetup_31bf3856ad364e35_6.0.6001.18000_none_91c1b8b7b69b880e\ehssetup.dll
+ 2006-11-02 09:46:11 15,360 ----a-w C:\Windows\winsxs\x86_microsoft-windows-font-registrysettings_31bf3856ad364e35_6.0.6001.18000_none_95b1533bb11caa04\muifontsetup.dll
+ 2006-11-02 09:46:05 58,368 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..hinese-imepadapplet_31bf3856ad364e35_6.0.6001.18000_none_fb2914a7fb7f05d4\IMTCDIC.dll
+ 2006-11-02 07:33:43 19,991,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..hinese-imepadapplet_31bf3856ad364e35_6.0.6001.18000_none_fb2914a7fb7f05d4\MSHWCHTR.dll
+ 2006-11-02 12:36:18 120,320 ----a-w C:\Windows\winsxs\x86_microsoft-windows-i..integration-support_31bf3856ad364e35_6.0.6001.18000_none_2834ca37a387d4a3\idq.dll
+ 2006-11-02 09:44:59 84,992 ----a-w C:\Windows\winsxs\x86_microsoft-windows-icm-ui_31bf3856ad364e35_6.0.6001.18000_none_3a58b76aa0cf669e\colorcpl.exe
+ 2006-11-02 09:46:05 21,504 ----a-w C:\Windows\winsxs\x86_microsoft-windows-icm-ui_31bf3856ad364e35_6.0.6001.18000_none_3a58b76aa0cf669e\icmui.dll
+ 2006-11-02 07:33:30 48,128 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-htmleditingsupport_31bf3856ad364e35_6.0.6001.18000_none_f36d8680ba269c41\mshtmler.dll
+ 2006-11-02 09:46:05 16,384 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ie-runoncessetup_31bf3856ad364e35_6.0.6001.18000_none_88eec871cb19b965\iessetup.dll
+ 2008-09-22 23:36:50 180,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18000_none_64a26c9fae1f0949\ieui.dll
+ 2006-11-02 12:36:24 98,133 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.0.6001.18000_none_7e466ce97736febd\adsutil.vbs
+ 2006-11-02 12:36:24 4,346 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.0.6001.18000_none_7e466ce97736febd\clusftp.vbs
+ 2006-11-02 12:36:24 4,341 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.0.6001.18000_none_7e466ce97736febd\clusweb.vbs
+ 2006-11-02 12:36:24 41,401 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.0.6001.18000_none_7e466ce97736febd\IIsExt.vbs
+ 2006-11-02 12:36:24 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.0.6001.18000_none_8120d407b205fdca\iismui.dll
+ 2006-11-02 12:36:24 22,528 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.0.6001.18000_none_8120d407b205fdca\InetMgr6.exe
+ 2006-11-02 12:36:21 16,384 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-metabase_31bf3856ad364e35_6.0.6001.18000_none_3931f7d521f321a6\infoadmn.dll
+ 2006-11-02 12:36:21 9,728 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-metabase_31bf3856ad364e35_6.0.6001.18000_none_3931f7d521f321a6\infoctrs.dll
+ 2006-11-02 12:36:21 19,968 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-metabase_31bf3856ad364e35_6.0.6001.18000_none_3931f7d521f321a6\iscomlog.dll
+ 2006-11-02 12:36:21 7,680 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-metabase_31bf3856ad364e35_6.0.6001.18000_none_3931f7d521f321a6\rpcref.dll
+ 2006-11-02 12:36:19 8,192 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18000_none_10e972c4b4d2574c\iisrstap.dll
+ 2006-11-02 12:36:20 10,752 ----a-w C:\Windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18000_none_10e972c4b4d2574c\wamregps.dll
+ 2006-11-02 07:15:56 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-installer-engine_31bf3856ad364e35_6.0.6001.18000_none_037a7e2bb384bf01\msimsg.dll
+ 2006-11-02 08:33:06 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-international-core_31bf3856ad364e35_6.0.6001.18000_none_e9aa6488d9c10036\normaliz.dll
+ 2006-11-02 09:46:09 323,584 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..-components-jet2x3x_31bf3856ad364e35_6.0.6001.18000_none_e79f2d93ba6ffee6\msrd2x40.dll
+ 2006-11-02 12:35:27 8,704 ----a-w C:\Windows\winsxs\x86_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.0.6001.18000_none_e309c7bbe82e39d1\mqsvc.exe
+ 2006-11-02 12:35:51 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18000_none_9c5f2f3c0cc1aa83\mferror.dll
+ 2006-11-02 12:35:54 16,384 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-ssetup_31bf3856ad364e35_6.0.6001.18000_none_13b1244660e5fd4e\wmssetup.dll
+ 2006-11-02 12:35:57 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmasf_31bf3856ad364e35_6.0.6001.18000_none_a7b5f0a040680d4c\asferror.dll
+ 2006-11-02 12:35:57 9,728 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmasf_31bf3856ad364e35_6.0.6001.18000_none_a7b5f0a040680d4c\LAPRXY.DLL
+ 2006-09-18 21:33:22 673,088 ----a-w C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.0.6001.18000_none_56df4b78e3fe4e3f\mlang.dat
+ 2006-11-02 12:36:06 150,016 ----a-w C:\Windows\winsxs\x86_microsoft-windows-moviemaker_31bf3856ad364e35_6.0.6001.18000_none_f261ec400d1da6d8\MOVIEMK.exe
+ 2006-11-02 12:36:05 23,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-moviemaker_31bf3856ad364e35_6.0.6001.18000_none_f261ec400d1da6d8\WMM2EXT.dll
+ 2006-11-02 12:35:28 13,824 ----a-w C:\Windows\winsxs\x86_microsoft-windows-msmq-admin_31bf3856ad364e35_6.0.6001.18000_none_b74e019e3d6c64b6\mqcertui.dll
+ 2008-09-22 23:50:17 28,672 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\FwRemoteSvr.dll
+ 2008-09-22 23:50:16 272,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\polstore.dll
+ 2008-09-22 23:50:17 61,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\winipsec.dll
+ 2006-11-02 09:46:11 11,776 ----a-w C:\Windows\winsxs\x86_microsoft-windows-n..iagnosticsframework_31bf3856ad364e35_6.0.6001.18000_none_dc5ac24ae0ca36fc\ndproxystub.dll
+ 2006-11-02 12:36:04 51,712 ----a-w C:\Windows\winsxs\x86_microsoft-windows-networkprojection_31bf3856ad364e35_6.0.6001.18000_none_e3c78331f0bd2d51\CRPPresentation.dll
+ 2006-11-02 12:36:04 89,600 ----a-w C:\Windows\winsxs\x86_microsoft-windows-networkprojection_31bf3856ad364e35_6.0.6001.18000_none_e3c78331f0bd2d51\NetProj.exe
+ 2006-11-02 07:38:59 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-networktopology_31bf3856ad364e35_6.0.6001.18000_none_d155f734fa7d6b4f\lltdres.dll
+ 2006-11-02 09:45:33 60,416 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.0.6001.18000_none_d6543f9ff5ec4aec\printui.exe
+ 2006-11-02 09:45:02 17,408 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.0.6001.18000_none_61237ad0fed51e58\diskperf.exe
+ 2006-11-02 09:45:35 37,376 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.0.6001.18000_none_61237ad0fed51e58\relog.exe
+ 2006-11-02 09:45:49 39,936 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.0.6001.18000_none_61237ad0fed51e58\typeperf.exe
+ 2006-11-02 12:36:18 20,992 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.0.6001.18000_none_b403a1813dce9905\lprmon.dll
+ 2006-11-02 12:36:18 11,776 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.0.6001.18000_none_b403a1813dce9905\lprmonui.dll
+ 2006-11-02 12:35:39 1,486,848 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..topeeradhocmeetings_31bf3856ad364e35_6.0.6001.18000_none_aa47d5c4002219b8\WinCollabRes.dll
+ 2008-02-15 17:33:21 30,674 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.0.6001.18000_none_7185fd57fee6c971\perfc.dat
+ 2008-02-15 17:33:21 30,674 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.0.6001.18000_none_7185fd57fee6c971\perfd.dat
+ 2008-02-15 17:33:21 287,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.0.6001.18000_none_7185fd57fee6c971\perfh.dat
+ 2008-02-15 17:33:21 287,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.0.6001.18000_none_7185fd57fee6c971\perfi.dat
+ 2006-11-02 09:42:44 17,408 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.0.6001.18000_none_7185fd57fee6c971\prflbmsg.dll
+ 2006-11-02 12:35:38 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.0.6001.18000_none_717f15b322749509\pnrpperf.dll
+ 2006-11-02 12:36:25 7,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\mll_hp.dll
+ 2006-11-02 12:36:25 17,408 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\ntmsevt.dll
+ 2006-11-02 12:36:25 43,008 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\rsm.exe
+ 2006-11-02 12:36:25 26,624 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\rsmmllsv.exe
+ 2006-11-02 12:36:25 22,016 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\rsmsink.exe
+ 2006-11-02 12:36:25 54,272 ----a-w C:\Windows\winsxs\x86_microsoft-windows-r..emanagement-service_31bf3856ad364e35_6.0.6001.18000_none_0e3e31f00e12b007\rsmui.exe
+ 2006-11-02 09:45:34 16,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-rasclienttools_31bf3856ad364e35_6.0.6001.18000_none_6f46cfc8a8b142a0\rasdial.exe
+ 2006-11-02 09:46:12 36,352 ----a-w C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6001.18000_none_0d159410ea7a8f9d\rtutils.dll
+ 2006-11-02 09:46:02 13,824 ----a-w C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\clb.dll
+ 2006-11-02 09:45:35 9,216 ----a-w C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedt32.exe
+ 2006-11-02 12:35:24 40,960 ----a-w C:\Windows\winsxs\x86_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.0.6001.18000_none_3758172c01e5ce47\racpldlg.dll
+ 2006-11-02 12:35:38 12,555,776 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.0.6001.18000_none_c0a3fbb5ef29fe27\Mahjong.dll
+ 2006-11-02 12:35:37 29,001,216 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.0.6001.18000_none_74d4a1cd7e673a2e\Chess.dll
+ 2006-11-02 12:35:35 4,305,408 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.0.6001.18000_none_a2611d5c392f48a1\MineSweeper.dll
+ 2006-11-02 12:35:36 28,665,856 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.0.6001.18000_none_062b7e7afe71e492\PurblePlace.dll
+ 2006-11-02 12:35:35 8,384,512 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.0.6001.18000_none_062b7e7afe71e492\PurblePlace2.dll
+ 2006-11-02 09:43:11 2,928,640 ----a-w C:\Windows\winsxs\x86_microsoft-windows-setup-component_31bf3856ad364e35_6.0.6001.18000_none_322c7e4ead424897\W32UIImg.dll
+ 2006-11-02 09:46:13 9,728 ----a-w C:\Windows\winsxs\x86_microsoft-windows-smbserver_31bf3856ad364e35_6.0.6001.18000_none_f8f4e8f8eadb7d91\sscore.dll
+ 2006-11-02 12:35:47 19,968 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.0.6001.18000_none_4264ef6a4d057d2c\jnwmon.dll
+ 2006-11-02 12:35:47 22,528 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.0.6001.18000_none_4264ef6a4d057d2c\jnwppr.dll
+ 2006-11-02 12:35:47 47,104 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.0.6001.18000_none_4264ef6a4d057d2c\PDIALOG.exe
+ 2006-11-02 12:35:44 1,495,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-chs_31bf3856ad364e35_6.0.6001.18000_none_fd484d54658ae209\chslm.lex.bin
+ 2006-11-02 12:35:44 10,335,843 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-chs_31bf3856ad364e35_6.0.6001.18000_none_fd484d54658ae209\chslm.wdic2.bin
+ 2006-11-02 12:35:44 21,963,264 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-chs_31bf3856ad364e35_6.0.6001.18000_none_fd484d54658ae209\mshwchsr.dll
+ 2006-11-02 12:35:46 2,187,264 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-cht_31bf3856ad364e35_6.0.6001.18000_none_fd48368c658afbaa\chtlm.lex.bin
+ 2006-11-02 12:35:45 11,300,913 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-cht_31bf3856ad364e35_6.0.6001.18000_none_fd48368c658afbaa\chtlm.wdic2.bin
+ 2006-11-02 12:35:45 19,991,040 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..krecognition.zh-cht_31bf3856ad364e35_6.0.6001.18000_none_fd48368c658afbaa\mshwchtr.dll
+ 2006-11-02 12:35:47 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.0.6001.18000_none_3fac12f5c6543548\IPSEventLogMsg.dll
+ 2006-11-02 12:35:47 19,456 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.0.6001.18000_none_3fac12f5c6543548\TabIpsps.dll
+ 2006-11-02 12:35:48 19,968 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.0.6001.18000_none_4d983a117ea4cea6\jnwmon.dll
+ 2006-11-02 12:35:48 22,528 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.0.6001.18000_none_4d983a117ea4cea6\jnwppr.dll
+ 2006-11-02 12:35:40 13,577,657 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..reinkrecognition.ja_31bf3856ad364e35_6.0.6001.18000_none_03ed68ae2c4994ef\dicjp.bin
+ 2006-11-02 12:35:41 8,704 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..reinkrecognition.ja_31bf3856ad364e35_6.0.6001.18000_none_03ed68ae2c4994ef\dicjp.dll
+ 2006-11-02 12:35:40 21,462,016 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..reinkrecognition.ja_31bf3856ad364e35_6.0.6001.18000_none_03ed68ae2c4994ef\mshwjpnr.dll
+ 2006-11-02 12:35:41 21,827,584 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..reinkrecognition.ko_31bf3856ad364e35_6.0.6001.18000_none_03ed2a082c4a1514\mshwkorr.dll
+ 2006-11-02 12:35:47 114,688 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.0.6001.18000_none_118f15c677824d1e\TipBand.dll
+ 2006-11-02 12:35:47 1,149,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.0.6001.18000_none_118f15c677824d1e\TipRes.dll
+ 2006-11-02 12:35:48 47,104 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.0.6001.18000_none_17b18851a49835e5\NBMapTIP.dll
+ 2006-11-02 12:35:43 149,504 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.0.6001.18000_none_d1b1affa515cd235\tabskb.dll
+ 2006-11-02 12:35:38 57,856 ----a-w C:\Windows\winsxs\x86_microsoft-windows-telnet-server_31bf3856ad364e35_6.0.6001.18000_none_9307dcf14f15ce10\tlntadmn.exe
+ 2006-11-02 09:46:13 40,960 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.0.6001.18000_none_777d16eedf412426\tpmcompc.dll
+ 2006-11-02 09:46:13 16,384 ----a-w C:\Windows\winsxs\x86_microsoft-windows-unimodem-core_31bf3856ad364e35_6.0.6001.18000_none_949832cbd48def6a\uniplat.dll
+ 2006-11-02 09:46:13 37,888 ----a-w C:\Windows\winsxs\x86_microsoft-windows-upnpssdp_31bf3856ad364e35_6.0.6001.18000_none_7fc972ebd13849b5\ssdpapi.dll
+ 2006-11-02 09:45:51 516,096 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.0.6001.18000_none_42a95d80d7929e62\wab.exe
+ 2006-11-02 09:46:13 33,280 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.0.6001.18000_none_42a95d80d7929e62\wabfind.dll
+ 2006-11-02 09:45:51 66,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.0.6001.18000_none_42a95d80d7929e62\wabmig.exe
+ 2006-11-02 09:46:05 35,840 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-krnlprov-provider_31bf3856ad364e35_6.0.6001.18000_none_e3b0c3fff516edba\KrnlProv.dll
+ 2006-11-02 09:46:05 18,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-management-snapins_31bf3856ad364e35_6.0.6001.18000_none_9be5ddb8baf2bc00\MMFUtil.dll
+ 2006-11-02 12:35:58 31,744 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wpd-legacywmdmapi_31bf3856ad364e35_6.0.6001.18000_none_59aa91436faa8e2e\wmdmlog.dll
+ 2006-11-02 12:35:58 36,864 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wpd-legacywmdmapi_31bf3856ad364e35_6.0.6001.18000_none_59aa91436faa8e2e\wmdmps.dll
+ 2006-11-02 09:46:12 32,768 ----a-w C:\Windows\winsxs\x86_microsoft.windows.h...sdhost-driverclass_31bf3856ad364e35_6.0.6001.18000_none_c2f17878c82f85ef\sdhcinst.dll
+ 2006-11-02 12:41:20 1,327,104 ----a-w C:\Windows\winsxs\x86_networking-mpssvc-admin.resources_31bf3856ad364e35_6.0.6001.18000_en-us_40f01b7c96c997a3\AuthFWSnapIn.Resources.dll
+ 2006-11-02 09:45:10 263,680 ----a-w C:\Windows\winsxs\x86_networking-mpssvc_31bf3856ad364e35_6.0.6001.18000_none_0a7986d9b92aa27a\FirewallSettings.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-15 1232896]
"Reminder_MUI"="C:\Applications\oem\Reminder\Reminder_MUI.exe" [2008-01-10 1081344]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"cmds"="C:\Users\Elliott\AppData\Local\Temp\cbXNFvUN.dll" [2008-09-22 327168]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XOSD"="C:\Program Files\XOSD\XOSD_ON.exe" [2007-01-03 476672]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-22 857648]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-06-06 142104]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-06-06 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-06-06 138008]
"SpareMessaging"="C:\Program Files\Spare Messaging\MessagingApp.exe" [2007-11-28 42824]
"UpdateP2GShortCut"="C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 202024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 C:\Windows\RtHDVCpl.exe]

C:\Users\Elliott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BA6F5BE3-CF0C-4761-BD12-D59000768812}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BF7E9934-41A9-4126-BAEE-B1B6717F22CA}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{713B65B8-F93D-4BA1-BD2B-1BE43671F8DA}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
R0 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sd.sys [2007-04-02 35712]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Elliott\AppData\Roaming\Mozilla\Firefox\Profiles\4afmipjh.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 21:46:49
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Elliott\AppData\Local\Temp\cbXNFvUN.dll
-> ?:\Windows\system32\WLDAP32.dll
-> ?:\Windows\system32\WLDAP32.dll
.
Completion time: 2008-09-28 21:49:30
ComboFix-quarantined-files.txt 2008-09-28 20:49:20
ComboFix2.txt 2008-09-28 20:14:52

Pre-Run: 114,485,125,120 bytes free
Post-Run: 114,451,533,824 bytes free

366 --- E O F --- 2008-09-26 13:49:34

===================================================================================================


HijackThis log:


===================================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:46, on 26/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\XOSD\XOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WerCon.exe
C:\Windows\explorer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguys.com/welcome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [XOSD] C:\Program Files\XOSD\XOSD_ON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SpareMessaging] "C:\Program Files\Spare Messaging\MessagingApp.exe"
O4 - HKLM\..\Run: [UpdateP2GShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifcDSjK.dll,#1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\tUlJyYon.dll,#1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Elliott\AppData\Local\Temp\cbXNFvUN.dll,c
O4 - HKCU\..\Run: [004fa6cd] rundll32.exe "C:\Users\Elliott\AppData\Local\Temp\secoglmg.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7594 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 September 2008 - 04:15 PM

Hello,

You're welcome. :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please let me know how it's running now. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 October 2008 - 02:21 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
