
Infected with XP Antivirus 2009 and can only access safe mode


13 replies to this topic

#1 Imaloser
Posted 23 October 2008 - 08:51 PM

Ever since I got that virus my computer has only been able to start in safe mode with networking. Whenever I boot up my comp, the typical Windows XP screen would load and then a blue screen would flicker for a millisecond (too fast for me to read!) and then I am presented with the option of booting it into safe mode. I have run Malwarebytes Anti-Malware and it seems to have gotten rid of most of them, but one or sometimes two keep coming back. The trojan "HKEY_Local_Machine\software\tdss" would come back every time I reboot and run Malwarebytes. If I don't get rid of it, it will redirect me to a different site (about viruses) whenever I click on links. When I get rid of it, links work fine. And I was unable to run Ad-Aware and Spybot in SM, I have run Stinger though...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:20, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {D28D4199-67F2-4796-82E6-39BC89ABBD59} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {17DA6052-D4D6-43FC-A565-1EA8BF32C322} - (no file)
O3 - Toolbar: (no name) - {4EB25DE0-95E1-4941-B3C6-E256C2595795} - (no file)
O3 - Toolbar: (no name) - {A69CC486-6DFF-4BCE-A82E-453B55EB47E0} - (no file)
O3 - Toolbar: (no name) - {85B53BA9-FAA1-4D69-9529-10FA54C3710D} - (no file)
O3 - Toolbar: (no name) - {7D7CB02E-70AF-4950-A35D-4F019EAE99A2} - (no file)
O3 - Toolbar: (no name) - {2EDD42BE-D11E-4E48-929B-CADA88B0FEF4} - (no file)
O3 - Toolbar: (no name) - {BC7D0858-42A3-46CE-9714-5B1859F2AC7E} - (no file)
O3 - Toolbar: (no name) - {167613AF-5BAE-4195-9609-69F8D59AA716} - (no file)
O3 - Toolbar: (no name) - {F9C4D54C-638F-4C2E-8083-3150297B8B07} - (no file)
O3 - Toolbar: (no name) - {6BE0B814-7E47-4669-8765-EA0E31A8BA88} - (no file)
O3 - Toolbar: (no name) - {9AF61D34-DA44-47D5-AB6C-CF93ACF046F3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PRINT DATA SENDER] "C:\Program Files\PRINT DATA SENDER\hpscschd.exe" -s 123456 -t 7 -r 5 -p 60
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135471130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: AutoPlay.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\nppdf32.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a9ef1af6532d642600/...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/securedelivery/main/kdx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Owner\My Documents\download\craptastic98\updater\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 13239 bytes
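As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), the script below triages HijackThis lines like the ones in the log above from a cleanup standpoint: it flags O3/O9 entries whose target file no longer exists, O4 autostart entries whose executable is given without a full path (so it is resolved via the search path at logon, as with S3apphk.exe and \Updater.exe above), and O16 ActiveX downloads served from a raw IP address. The sample input is a constructed subset of the posted log; the reason strings and path heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied verbatim from the
# HijackThis log posted above (orphaned toolbars, bare-name Run entries,
# a DPF download served from a raw IP address, and a normal service entry).
SAMPLE_LOG = r"""
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {D28D4199-67F2-4796-82E6-39BC89ABBD59} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a9ef1af6532d642600/...ip/RdxIE601.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Reason labels (the example's own naming, not HijackThis terminology)
ORPHANED = "orphaned entry (target file missing)"
BARE_NAME = "bare executable name resolved via search path"
ROOT_RELATIVE = "root-relative path (no drive letter)"
RAW_IP = "download hosted on a raw IP address"

# "O3 - Toolbar: ..." -> section "O3", body "Toolbar: ..."
ENTRY_RE = re.compile(r"^([FORN]\d+)\s+-\s+(.*)$")
# O4 body "HKLM\..\Run: [Name] command line" -> "command line"
O4_CMD_RE = re.compile(r"^[^\[]*\[[^\]]*\]\s*(.*)$")
# First token ending in an executable extension, quoted or not
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE)
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def run_target(body: str):
    """Pull the executable path out of an O4 (autostart) entry body."""
    m = O4_CMD_RE.match(body)
    if not m:
        return None  # Startup-folder style entries carry no [Name] block
    cmd = m.group(1).strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    # Fallback: unquoted command with no recognised extension -> first token
    return cmd.strip('"').split(" ", 1)[0]


def classify_path(path: str):
    """Decide how an autostart target will be resolved at logon."""
    if re.match(r"^[A-Za-z]:\\", path):
        return None  # fully qualified: nothing to flag on path alone
    if path.startswith("\\"):
        return ROOT_RELATIVE  # resolved relative to the current drive root
    if "\\" not in path:
        return BARE_NAME  # resolved through the loader's search order
    return None


def triage(log_text: str):
    """Return one Finding per HijackThis line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section in ("O2", "O3", "O9") and body.endswith(("(no file)", "(file missing)")):
            findings.append(Finding(section, ORPHANED, raw))
        elif section == "O4":
            target = run_target(body)
            reason = classify_path(target) if target else None
            if reason:
                findings.append(Finding(section, reason, raw))
        elif section == "O16" and RAW_IP_URL_RE.search(body):
            findings.append(Finding(section, RAW_IP, raw))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick read of a long log."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Flagged entries are review candidates, not verdicts: orphaned toolbar entries are usually just leftovers, while a bare-name or root-relative autostart is worth checking for what actually gets loaded.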

#2 Billy O'Neal

Visual C++ STL Maintainer
Malware Response Team

Posted 23 October 2008 - 09:10 PM

Hello, Imaloser.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will no longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general-purpose malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept the disclaimer (press Yes).
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Imaloser

Posted 23 October 2008 - 10:19 PM

Hey Billy. Thanks so much for the quick reply! After combofix was finished I restarted my comp and it actually booted up normally. :thumbsup:

Here is the log:

ComboFix 08-10-23.05 - Owner 2008-10-23 19:28:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.200 [GMT -7:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\twain_32
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
C:\Program Files\INSTALL.LOG
C:\Program Files\Netscape\Netscape\plugins\npclntax.dll
C:\WINDOWS\system32\drivers\TDSSmhlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbrsr.dll
C:\WINDOWS\system32\TDSSbunv.log
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfxwp.log
C:\WINDOWS\system32\TDSSkkbi.log
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSnmxh.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSofxh.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSorvd.dat
C:\WINDOWS\system32\TDSSosvd.dll
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSpaxt.dat
C:\WINDOWS\system32\TDSSrhym.dll
C:\WINDOWS\system32\TDSSrhym.log
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSsihc.dll
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSxfum.dll
C:\WINDOWS\system32\twain_32
C:\WINDOWS\system32\twain_32\00039BF3.uf
C:\WINDOWS\system32\twain_32\00039C70.uf
C:\WINDOWS\system32\twain_32\0005A4C3.uf
C:\WINDOWS\system32\twain_32\0005A763.uf
C:\WINDOWS\system32\twain_32\0005A986.uf
C:\WINDOWS\system32\twain_32\0005AB2C.uf
C:\WINDOWS\system32\twain_32\0005ABD7.uf
C:\WINDOWS\system32\twain_32\0005BADB.uf
C:\WINDOWS\system32\twain_32\0005BBD5.uf
C:\WINDOWS\system32\twain_32\0005D0A5.uf
C:\WINDOWS\system32\twain_32\0005D45E.uf
C:\WINDOWS\system32\twain_32\0005D75C.uf
C:\WINDOWS\system32\twain_32\0005FFC4.uf
C:\WINDOWS\system32\twain_32\00060264.uf
C:\WINDOWS\system32\twain_32\0006036D.uf
C:\WINDOWS\system32\twain_32\0006040A.uf
C:\WINDOWS\system32\twain_32\00060552.uf
C:\WINDOWS\system32\twain_32\000A4797.uf
C:\WINDOWS\system32\twain_32\000A4C0C.uf
C:\WINDOWS\system32\twain_32\000A5FD2.uf
C:\WINDOWS\system32\twain_32\000A6262.uf
C:\WINDOWS\system32\twain_32\000A6408.uf
C:\WINDOWS\system32\twain_32\000EDCFE.uf
C:\WINDOWS\system32\twain_32\000EDD8A.uf
C:\WINDOWS\system32\twain_32\000EEFBB.uf
C:\WINDOWS\system32\twain_32\000EEFE9.uf
C:\WINDOWS\system32\twain_32\000EF066.uf
C:\WINDOWS\system32\twain_32\00101F22.uf
C:\WINDOWS\system32\twain_32\0010228D.uf
C:\WINDOWS\system32\twain_32\001023A7.uf
C:\WINDOWS\system32\twain_32\001025CA.uf
C:\WINDOWS\system32\twain_32\001026F2.uf
C:\WINDOWS\system32\twain_32\00137DFD.uf
C:\WINDOWS\system32\twain_32\00137E4B.uf
C:\WINDOWS\system32\twain_32\00137F16.uf
C:\WINDOWS\system32\twain_32\00137F45.uf
C:\WINDOWS\system32\twain_32\00137FA3.uf
C:\WINDOWS\system32\twain_32\00219104.uf
C:\WINDOWS\system32\twain_32\00219171.uf
C:\WINDOWS\system32\twain_32\002193C3.uf
C:\WINDOWS\system32\twain_32\0021948E.uf
C:\WINDOWS\system32\twain_32\00219569.uf
C:\WINDOWS\system32\twain_32\002C0BF0.uf
C:\WINDOWS\system32\twain_32\002C0C4E.uf
C:\WINDOWS\system32\twain_32\002C1E40.uf
C:\WINDOWS\system32\twain_32\002C1E6F.uf
C:\WINDOWS\system32\twain_32\002C1EBD.uf
C:\WINDOWS\system32\twain_32\003AEB02.uf
C:\WINDOWS\system32\twain_32\003AEF28.uf
C:\WINDOWS\system32\twain_32\003AFE6A.uf
C:\WINDOWS\system32\twain_32\003B02A0.uf
C:\WINDOWS\system32\twain_32\003B08CB.uf
C:\WINDOWS\system32\twain_32\003CA0D0.uf
C:\WINDOWS\system32\twain_32\003CA285.uf
C:\WINDOWS\system32\twain_32\003CA370.uf
C:\WINDOWS\system32\twain_32\003CA5F0.uf
C:\WINDOWS\system32\twain_32\00496510.uf
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
C:\WINDOWS\system32\wini10801.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.

2008-10-22 02:12 . 2008-10-22 02:25 5,336 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-22 02:11 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-22 02:11 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-22 02:11 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-22 02:11 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-10-22 02:11 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-10-22 02:11 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-10-22 02:11 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-10-22 02:11 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-10-22 02:11 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-22 02:11 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-22 02:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-22 01:12 . 2008-10-22 01:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2008-10-22 00:22 . 2008-10-22 00:22 164 --a------ C:\install.dat
2008-10-21 20:19 . 2008-10-21 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-10-21 19:05 . 2008-10-21 19:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-21 18:43 . 2008-10-21 18:43 165 --a------ C:\Documents and Settings\Owner\xrt_log.dat
2008-10-21 18:23 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-21 18:23 . 2001-08-18 05:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-10-20 09:40 . 2008-10-20 09:40 <DIR> d-------- C:\spoolerlogs
2008-10-16 19:13 . 2008-10-21 18:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-16 19:13 . 2008-10-16 19:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-14 12:19 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 12:19 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 12:19 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 12:19 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 12:19 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 12:19 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 01:44 --------- d-----w C:\Program Files\Trend Micro
2008-10-23 20:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 03:30 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-10-22 01:42 --------- d-----w C:\Program Files\PRINT DATA SENDER
2008-10-22 01:41 --------- d-----w C:\Program Files\Plaxo
2008-10-22 01:12 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-22 01:12 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-02 23:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-09-18 22:06 77,824 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\FDIWrapper.dll
2008-09-18 22:06 69,632 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\msxmlwrapper.dll
2008-09-18 22:06 49,152 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-09-18 22:06 307,200 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchnotify.exe
2008-09-18 22:06 139,264 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-09-18 22:05 4,096 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\winverifytrustwrapper.dll
2008-09-18 22:05 315,392 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchmsxml.dll
2008-09-18 22:05 28,672 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\InetWrap.dll
2008-09-18 22:05 159,744 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-09-18 22:05 126,976 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-09-18 22:01 422,802 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-09-18 21:55 77,824 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-09-18 21:55 731,136 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-09-18 21:55 106,496 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-09-16 22:04 --------- d-----w C:\Program Files\MP3Gain
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-24 03:49 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 03:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-24 03:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2005-08-01 22:39 873,407 ------w C:\Program Files\VirtualDub-1.6.9.zip
2005-08-01 22:33 7,769,912 ------w C:\Program Files\DivXPlay.exe
2004-10-14 02:44 44,736 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-09-12 18:53 119 ----a-w C:\Program Files\flashdust.ini
2003-09-12 22:13 220 --sh--w C:\WINDOWS\dwin.sys
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
2003-05-21 09:09 56 --sh--r C:\WINDOWS\system32\D90142A797.sys
2008-04-14 00:11 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w C:\WINDOWS\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2008-04-14 00:12 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-21 18:12 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe

2004-08-04 00:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2001-08-18 05:00 197632 458635d2e4559526cf9c895340a38702 C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll
2008-04-13 17:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-10-21 18:12 295424 63999d0abd8dabfd76a9c07f6e104868 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" [2004-03-12 159744]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.14.0.44\PlaxoHelper_en.exe" [2008-07-24 363591]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.14.0.44\PlaxoSysTray.exe" [2008-07-24 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 397312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 212992]
"PRINT DATA SENDER"="C:\Program Files\PRINT DATA SENDER\hpscschd.exe" [2004-10-21 72192]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 36864]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-03-18 1757184]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"HostManager"="C:\Program Files\Common Files\AOL\1135471130\ee\AOLSoftware.exe" [2006-05-09 50760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-08 180269]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-07-30 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-07-30 185456]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"S3apphk"="S3apphk.exe" [2002-03-15 C:\WINDOWS\system32\S3apphk.exe]
"nwiz"="nwiz.exe" [2002-03-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-04 113664]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-09-10 315392]
Microsoft Office.lnk - C:\Program Files\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.mxmc"= MimicICM.DLL
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\LimeWireWin.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135471130\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135471130\\ee\\aim6.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 6656]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001f0a2-339f-11dd-8a0e-00e01882a580}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe []

2008-10-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-21 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{D28D4199-67F2-4796-82E6-39BC89ABBD59} - (no file)
Toolbar-{17DA6052-D4D6-43FC-A565-1EA8BF32C322} - (no file)
Toolbar-{4EB25DE0-95E1-4941-B3C6-E256C2595795} - (no file)
Toolbar-{A69CC486-6DFF-4BCE-A82E-453B55EB47E0} - (no file)
Toolbar-{85B53BA9-FAA1-4D69-9529-10FA54C3710D} - (no file)
Toolbar-{7D7CB02E-70AF-4950-A35D-4F019EAE99A2} - (no file)
Toolbar-{2EDD42BE-D11E-4E48-929B-CADA88B0FEF4} - (no file)
Toolbar-{BC7D0858-42A3-46CE-9714-5B1859F2AC7E} - (no file)
Toolbar-{167613AF-5BAE-4195-9609-69F8D59AA716} - (no file)
Toolbar-{F9C4D54C-638F-4C2E-8083-3150297B8B07} - (no file)
Toolbar-{6BE0B814-7E47-4669-8765-EA0E31A8BA88} - (no file)
Toolbar-{9AF61D34-DA44-47D5-AB6C-CF93ACF046F3} - (no file)
WebBrowser-{D28D4199-67F2-4796-82E6-39BC89ABBD59} - (no file)
WebBrowser-{17DA6052-D4D6-43FC-A565-1EA8BF32C322} - (no file)
WebBrowser-{4EB25DE0-95E1-4941-B3C6-E256C2595795} - (no file)
WebBrowser-{A69CC486-6DFF-4BCE-A82E-453B55EB47E0} - (no file)
WebBrowser-{85B53BA9-FAA1-4D69-9529-10FA54C3710D} - (no file)
WebBrowser-{7D7CB02E-70AF-4950-A35D-4F019EAE99A2} - (no file)
WebBrowser-{2EDD42BE-D11E-4E48-929B-CADA88B0FEF4} - (no file)
WebBrowser-{BC7D0858-42A3-46CE-9714-5B1859F2AC7E} - (no file)
WebBrowser-{167613AF-5BAE-4195-9609-69F8D59AA716} - (no file)
WebBrowser-{F9C4D54C-638F-4C2E-8083-3150297B8B07} - (no file)
WebBrowser-{6BE0B814-7E47-4669-8765-EA0E31A8BA88} - (no file)
WebBrowser-{E5D4DBD9-F2BB-4AC2-95A3-3D4A01074627} - (no file)
WebBrowser-{CDD5D9E0-4ECC-4BD8-9A55-7056DD4F7C8B} - (no file)
WebBrowser-{9CD7380C-6199-4A90-8DEE-388EFCE11069} - (no file)
WebBrowser-{D97EC924-F768-4CE5-9DBA-DC0892865FCC} - (no file)
WebBrowser-{F55DA263-4FCC-4F8E-B4B7-646AC0DD948B} - (no file)
WebBrowser-{009B65ED-CC70-4CF9-96FE-4778387ECE3B} - (no file)
WebBrowser-{9AF61D34-DA44-47D5-AB6C-CF93ACF046F3} - (no file)
WebBrowser-{BA670195-A7C5-4C7A-8771-5A1DCAF082CD} - (no file)
HKCU-Run-uoltray - C:\Program Files\NetZero\exec.exe
HKCU-Run-SpyKiller - C:\Program Files\SpyKiller\spykiller.exe
HKCU-Run-Microsoft Works Update Detection - c:\Program Files\Microsoft Works\WkDetect.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-WinampAgent - C:\Program Files\Winamp3\winampa.exe
HKLM-Run-WebScan - C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
HKLM-Run-DDCM - C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
HKLM-Run-sureshotpopupkiller - C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
HKLM-Run-VideoraiPodConverter - C:\Program Files\VideoraiPodConverter\VideoraConverter.exe
SafeBoot-TDSSmhlt.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bhqe3228.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 19:50:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSmhlt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys)]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
Completion time: 2008-10-23 20:07:17
ComboFix-quarantined-files.txt 2008-10-24 03:06:49

Pre-Run: 18,499,235,840 bytes free
Post-Run: 18,719,674,368 bytes free

354 --- E O F --- 2008-10-14 23:53:01

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:26 PM

Posted 24 October 2008 - 09:31 PM

Hello, Imaloser.

You're welcome :D

You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow users to share files between each other, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

You appear to have a Registry Cleaner installed!
The following refers to TuneUp Utilities 2004.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is said on the assumption that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix"; it is up to the user, so just take this as a recommendation from my side.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/176088/infected-with-xp-anitvirus-2009-and-can-only-access-safe-mode/
    
    suspect::[54]
    C:\WINDOWS\system32\termsrv.dll
    C:\WINDOWS\system32\winlogon.exe
    
    registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\LimeWireWin.exe"=-
    "C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=-
    "C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=-
    "C:\\Program Files\\Messenger\\msmsgs.exe"=-
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=-
    
    file::
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    
    driver::
    TDSSserv
    TDSSserv.sys)
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 24 October 2008 - 09:31 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image
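The CFScript above submits the system32 copies of winlogon.exe and termsrv.dll as suspects because the Sigcheck section of the earlier log shows their MD5 hashes differing from the Service Pack copies under ServicePackFiles\i386. The following script is an added example for this thread, not part of ComboFix or of any post here: it parses lines in that Sigcheck layout and flags every live system32 file whose hash does not match its reference copy, or that has no reference copy at all. The winlogon.exe and termsrv.dll lines are taken from the log above; sample.dll and orphan.dll, together with their hashes, are constructed placeholders, and the function names are my own.

```python
r"""Compare ComboFix "Sigcheck" hashes of live system32 files with the
Service Pack reference copies.

Added example for this thread; it is not part of ComboFix or of any post here.
Input lines follow the Sigcheck layout seen in the log above:
    <date> <time> <size> <md5> <path>
A live file under C:\WINDOWS\system32 is flagged when its MD5 differs from
the same-named file under C:\WINDOWS\ServicePackFiles\i386, or when no such
reference copy is listed.
"""
import re

# Sample input. The winlogon.exe and termsrv.dll lines are copied from the
# Sigcheck section of the log above; sample.dll and orphan.dll, and their
# hashes, are constructed placeholders that exercise the clean and the
# no-reference cases.
SAMPLE_SIGCHECK = r"""
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-21 18:12 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe

2004-08-04 00:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2001-08-18 05:00 197632 458635d2e4559526cf9c895340a38702 C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll
2008-04-13 17:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-10-21 18:12 295424 63999d0abd8dabfd76a9c07f6e104868 C:\WINDOWS\system32\termsrv.dll
2008-04-13 17:12 4096 00000000000000000000000000000001 C:\WINDOWS\ServicePackFiles\i386\sample.dll
2008-04-13 17:12 4096 00000000000000000000000000000001 C:\WINDOWS\system32\sample.dll
2008-10-21 18:12 2048 00000000000000000000000000000002 C:\WINDOWS\system32\orphan.dll
"""

# One Sigcheck line: date, time, size in bytes, 32-hex-digit MD5, full path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)

LIVE_DIR = r"C:\WINDOWS\system32"
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"


def parse_sigcheck(text):
    """Return one dict (date, time, size, md5, path) per well-formed line."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank lines, dots and section headers are skipped
        entry = match.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].lower()
        entries.append(entry)
    return entries


def _split(path):
    """Split a Windows path into (lower-cased folder, lower-cased file name)."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def find_mismatches(entries, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Return (file name, reason) pairs for live files that deviate from the reference."""
    live, reference = {}, {}
    for entry in entries:
        folder, name = _split(entry["path"])
        if folder == live_dir.lower():
            live[name] = entry
        elif folder == reference_dir.lower():
            reference[name] = entry

    findings = []
    for name in sorted(live):
        current, pristine = live[name], reference.get(name)
        if pristine is None:
            findings.append((name, "no reference copy"))
        elif current["md5"] != pristine["md5"]:
            reason = "hash differs from Service Pack copy"
            if current["size"] == pristine["size"]:
                # Identical size with a different hash suggests the file was
                # patched in place rather than replaced by a newer build.
                reason += " (same size, patched in place?)"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{name}: {reason}")
```

On the log above this reports both winlogon.exe and termsrv.dll as differing from the Service Pack copy at identical size, which is the pattern the `suspect::` directive is meant to get analysed. A mismatch is a lead, not a verdict: a Microsoft hotfix also replaces system32 files without touching ServicePackFiles\i386, so a flagged file still needs its digital signature and version checked before it is treated as infected.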

#5 Imaloser

Imaloser
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 24 October 2008 - 11:41 PM

I wish I could understand this stuff :)


Okay... so I've just been reading up about viruses. Some viruses that malware quarantined were "backdoor.agent" (on the day I got the virus, which was 10/21, I ran malware right away), which I read is very serious. And when I ran ComboFix like you suggested on Oct 23 for the first time, it said something about a rootkit (also looked this up, and malware has a log about it which is from one month ago) or something, and then it had to restart. My comp has been working fine now though, thanks to you. I am now extremely paranoid about someone stealing all my info. I am this close to smashing my comp into bits.


And after the second run of ComboFix, it said something about sending my malware log file (or something like that) to BC, which I did. It just asked me to copy and paste whatever was below (a zip file) and hit send. :)

Sorry for bombarding you with all this stuff. :thumbsup:


Here is the log:

ComboFix 08-10-24.02 - Owner 2008-10-24 20:50:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.228 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Tasks\1-Click Maintenance.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Tasks\1-Click Maintenance.job

.
((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))
.

2008-10-24 09:10 . 2008-10-03 10:41 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-24 09:10 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-24 09:10 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-24 09:10 . 2008-08-26 00:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-24 09:10 . 2008-08-26 00:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-24 09:10 . 2008-08-26 00:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-24 09:10 . 2008-08-26 00:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-24 09:10 . 2008-08-26 00:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-24 09:10 . 2008-08-25 01:38 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-10-23 23:19 . 2008-10-24 19:00 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-23 20:08 . 2008-10-15 09:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 02:12 . 2008-10-22 02:25 5,336 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-22 02:11 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-22 02:11 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-22 02:11 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-22 02:11 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-10-22 02:11 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-10-22 02:11 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-10-22 02:11 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-10-22 02:11 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-10-22 02:11 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-22 02:11 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-22 02:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-22 01:12 . 2008-10-22 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-22 00:22 . 2008-10-22 00:22 164 --a------ C:\install.dat
2008-10-21 20:19 . 2008-10-21 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 19:05 . 2008-10-21 19:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-21 18:43 . 2008-10-21 18:43 165 --a------ C:\Documents and Settings\Owner\xrt_log.dat
2008-10-21 18:23 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-21 18:23 . 2001-08-18 05:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-10-20 09:40 . 2008-10-20 09:40 <DIR> d-------- C:\spoolerlogs
2008-10-16 19:13 . 2008-10-24 19:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-16 19:13 . 2008-10-16 19:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-14 12:19 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 12:19 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 12:19 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 12:19 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 12:19 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 12:19 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-25 03:28 --------- d-----w C:\Program Files\PRINT DATA SENDER
2008-10-25 02:26 --------- d-----w C:\Program Files\Plaxo
2008-10-24 22:54 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-10-24 01:44 --------- d-----w C:\Program Files\Trend Micro
2008-10-23 20:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-10-22 01:12 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-22 01:12 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-02 23:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-09-18 22:06 77,824 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\FDIWrapper.dll
2008-09-18 22:06 69,632 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\msxmlwrapper.dll
2008-09-18 22:06 49,152 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-09-18 22:06 307,200 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchnotify.exe
2008-09-18 22:06 139,264 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-09-18 22:05 4,096 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\winverifytrustwrapper.dll
2008-09-18 22:05 315,392 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchmsxml.dll
2008-09-18 22:05 28,672 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\InetWrap.dll
2008-09-18 22:05 159,744 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-09-18 22:05 126,976 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-09-18 22:01 422,802 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-09-18 21:55 77,824 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-09-18 21:55 731,136 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-09-18 21:55 106,496 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-09-16 22:04 --------- d-----w C:\Program Files\MP3Gain
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2005-08-01 22:39 873,407 ------w C:\Program Files\VirtualDub-1.6.9.zip
2005-08-01 22:33 7,769,912 ------w C:\Program Files\DivXPlay.exe
2004-10-14 02:44 44,736 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-09-12 18:53 119 ----a-w C:\Program Files\flashdust.ini
2003-09-12 22:13 220 --sh--w C:\WINDOWS\dwin.sys
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
2003-05-21 09:09 56 --sh--r C:\WINDOWS\system32\D90142A797.sys
2008-04-14 00:11 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w C:\WINDOWS\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2008-04-14 00:12 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-21 18:12 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe

2004-08-04 00:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2001-08-18 05:00 197632 458635d2e4559526cf9c895340a38702 C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll
2008-04-13 17:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-10-21 18:12 295424 63999d0abd8dabfd76a9c07f6e104868 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-23_20.01.42.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:11:48 61,440 -c--a-w C:\WINDOWS\ie7\admparse.dll
+ 2008-04-14 00:11:48 99,840 -c--a-w C:\WINDOWS\ie7\advpack.dll
+ 2006-06-03 11:40:49 33,792 -c--a-w C:\WINDOWS\ie7\custsat.dll
+ 2008-04-14 00:11:52 357,888 -c--a-w C:\WINDOWS\ie7\dxtmsft.dll
+ 2008-04-14 00:11:52 205,312 -c--a-w C:\WINDOWS\ie7\dxtrans.dll
+ 2008-04-14 00:11:53 55,808 -c--a-w C:\WINDOWS\ie7\extmgr.dll
+ 2008-04-14 00:11:54 38,912 -c--a-w C:\WINDOWS\ie7\hmmapi.dll
+ 2008-04-14 00:12:22 34,304 -c--a-w C:\WINDOWS\ie7\ie4uinit.exe
+ 2008-04-14 00:11:54 143,360 -c--a-w C:\WINDOWS\ie7\ieakeng.dll
+ 2008-04-14 00:11:54 216,576 -c--a-w C:\WINDOWS\ie7\ieaksie.dll
+ 2001-08-18 12:00:00 221,184 -c--a-w C:\WINDOWS\ie7\ieakui.dll
+ 2008-04-14 00:11:54 323,584 -c--a-w C:\WINDOWS\ie7\iedkcs32.dll
+ 2008-04-14 00:12:22 18,432 -c--a-w C:\WINDOWS\ie7\iedw.exe
+ 2008-04-14 00:11:54 251,904 -c--a-w C:\WINDOWS\ie7\iepeers.dll
+ 2008-04-14 00:11:54 48,640 -c--a-w C:\WINDOWS\ie7\iernonce.dll
+ 2008-04-14 00:11:54 62,976 -c--a-w C:\WINDOWS\ie7\iesetup.dll
+ 2008-04-14 00:12:22 93,184 -c--a-w C:\WINDOWS\ie7\iexplore.exe
+ 2008-04-14 00:11:54 35,840 -c--a-w C:\WINDOWS\ie7\imgutil.dll
+ 2008-04-14 00:11:55 96,256 -c--a-w C:\WINDOWS\ie7\inseng.dll
+ 2008-04-14 00:11:56 15,872 -c--a-w C:\WINDOWS\ie7\jsproxy.dll
+ 2008-04-14 00:11:56 22,016 -c--a-w C:\WINDOWS\ie7\licmgr10.dll
+ 2008-04-14 00:12:27 29,184 -c--a-w C:\WINDOWS\ie7\mshta.exe
+ 2008-08-20 05:30:53 3,067,904 -c--a-w C:\WINDOWS\ie7\mshtml.dll
+ 2008-04-14 00:11:59 449,024 -c--a-w C:\WINDOWS\ie7\mshtmled.dll
+ 2008-04-13 16:26:26 56,832 -c--a-w C:\WINDOWS\ie7\mshtmler.dll
+ 2001-08-18 12:00:00 146,432 -c--a-w C:\WINDOWS\ie7\msls31.dll
+ 2008-04-14 00:12:00 146,432 -c--a-w C:\WINDOWS\ie7\msrating.dll
+ 2008-04-14 00:12:00 532,480 -c--a-w C:\WINDOWS\ie7\mstime.dll
+ 2008-04-14 00:12:02 96,256 -c--a-w C:\WINDOWS\ie7\occache.dll
+ 2008-04-14 00:12:02 39,424 -c--a-w C:\WINDOWS\ie7\pngfilt.dll
+ 2007-08-14 01:54:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2007-08-14 01:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-07 00:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-07 00:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2008-04-14 00:12:08 37,888 -c--a-w C:\WINDOWS\ie7\url.dll
+ 2008-08-20 05:30:52 619,520 -c--a-w C:\WINDOWS\ie7\urlmon.dll
+ 2008-04-14 00:12:08 851,968 -c--a-w C:\WINDOWS\ie7\vgx.dll
+ 2008-04-14 00:12:08 276,480 -c--a-w C:\WINDOWS\ie7\webcheck.dll
+ 2008-08-20 05:30:51 666,112 -c--a-w C:\WINDOWS\ie7\wininet.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-14 01:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll
+ 2007-08-14 01:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll.000
+ 2007-08-14 01:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2007-08-14 01:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll.000
+ 2007-08-14 01:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll
+ 2007-08-14 01:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll.000
+ 2007-08-14 01:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll
+ 2007-08-14 01:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll.000
+ 2007-08-14 01:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\icardie.dll
+ 2007-08-14 01:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2007-08-14 01:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe.000
+ 2007-08-14 01:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll
+ 2007-08-14 01:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll.000
+ 2007-08-14 01:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll
+ 2007-08-14 01:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll.000
+ 2007-08-14 00:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakui.dll
+ 2007-02-12 23:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dat
+ 2007-07-11 19:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2007-08-14 01:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2007-08-14 01:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll.000
+ 2007-08-14 01:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieframe.dll
+ 2007-08-14 01:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll
+ 2007-08-14 01:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll.000
+ 2007-08-14 01:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iertutil.dll
+ 2007-08-14 01:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieudinit.exe
+ 2007-08-14 01:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
+ 2007-08-14 01:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe.000
+ 2007-08-14 01:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll
+ 2007-08-14 01:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll.000
+ 2007-08-14 01:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeeds.dll
+ 2007-08-14 01:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2007-08-14 01:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtml.dll
+ 2007-08-14 01:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll
+ 2007-08-14 01:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll.000
+ 2007-08-14 01:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll
+ 2007-08-14 01:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll.000
+ 2007-08-14 01:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll
+ 2007-08-14 01:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll.000
+ 2007-08-14 01:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll
+ 2007-08-14 01:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll.000
+ 2007-08-14 01:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-08-14 01:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll.000
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll
+ 2007-08-14 01:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll.000
+ 2007-08-14 01:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll
+ 2007-08-14 01:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll
+ 2007-08-14 01:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll.000
+ 2007-08-14 01:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\wininet.dll
- 2008-04-14 00:11:48 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-14 01:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2008-04-14 00:11:48 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-26 07:24:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-08-14 01:39:20 71,680 -c----w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2008-08-26 07:24:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2006-09-23 20:12:50 1,022,976 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-08-14 01:42:54 17,408 -c----w C:\WINDOWS\system32\dllcache\corpol.dll
- 2006-06-03 11:40:49 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-14 01:54:10 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2008-08-26 07:24:28 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-14 01:18:02 60,416 -c----w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2008-08-25 08:37:59 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2001-08-18 12:00:00 221,184 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-26 07:24:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-08-14 01:44:02 69,120 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-14 01:45:18 78,336 -c----w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-14 01:54:10 191,488 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-08-26 07:24:29 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-08-14 01:39:12 55,296 -c----w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2008-08-23 05:56:15 635,848 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-08-14 01:36:06 36,352 -c----w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-14 01:39:02 92,672 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-08-26 07:24:30 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-14 01:44:18 40,960 -c----w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-14 01:32:30 45,568 -c----w C:\WINDOWS\system32\dllcache\mshta.exe
- 2008-08-20 05:30:53 3,067,904 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-27 20:54:32 3,593,216 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-26 07:24:30 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-14 01:01:12 48,128 -c----w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2001-08-18 12:00:00 146,432 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-14 01:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2008-08-26 07:24:30 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-09-23 20:12:50 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-08-20 05:30:52 619,520 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-05-27 17:23:58 765,952 -c----w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-08-26 07:24:31 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-08-20 05:30:51 666,112 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-14 00:11:52 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ------w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-14 00:11:52 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
- 2008-04-14 00:11:53 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-26 07:24:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-04-14 00:12:22 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-04-14 00:11:54 143,360 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-04-14 00:11:54 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2001-08-18 12:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2008-08-26 07:24:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-04-14 00:11:54 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-04-14 00:11:54 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-14 01:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-04-14 00:11:54 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-26 07:24:29 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-04-14 00:11:54 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-14 01:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2008-08-25 08:38:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-08-14 01:54:10 180,736 ------w C:\WINDOWS\system32\ieui.dll
- 2008-04-14 00:11:54 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-14 01:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2008-04-14 00:11:55 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-14 01:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-04-14 00:11:56 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2007-03-16 01:19:28 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-21 01:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2008-04-14 00:11:56 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-14 01:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2008-08-26 07:24:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-08-14 01:36:40 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
- 2008-04-14 00:12:27 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-14 01:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2008-08-20 05:30:53 3,067,904 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-27 20:54:32 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-14 00:11:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-13 16:26:26 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-14 01:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2001-08-18 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-14 01:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2008-04-14 00:12:00 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-08-26 07:24:30 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-04-14 00:12:00 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-08-26 07:24:30 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-04-14 00:12:01 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2008-04-14 00:12:02 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-08-26 07:24:30 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-04-14 00:12:02 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ------w C:\WINDOWS\system32\pngfilt.dll
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-04-14 00:12:08 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-08-26 07:24:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-08-20 05:30:52 619,520 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-14 00:12:08 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-14 01:45:16 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
+ 2008-10-25 02:25:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_440.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" [2004-03-12 159744]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.14.0.44\PlaxoHelper_en.exe" [2008-07-24 363591]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.14.0.44\PlaxoSysTray.exe" [2008-07-24 20480]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 397312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 212992]
"PRINT DATA SENDER"="C:\Program Files\PRINT DATA SENDER\hpscschd.exe" [2004-10-21 72192]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 36864]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-03-18 1757184]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"HostManager"="C:\Program Files\Common Files\AOL\1135471130\ee\AOLSoftware.exe" [2006-05-09 50760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-08 180269]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-07-30 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-07-30 185456]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"S3apphk"="S3apphk.exe" [2002-03-15 C:\WINDOWS\system32\S3apphk.exe]
"nwiz"="nwiz.exe" [2002-03-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-04 113664]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-09-10 315392]
Microsoft Office.lnk - C:\Program Files\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.mxmc"= MimicICM.DLL
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Common Files\\AOL\\1135471130\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135471130\\ee\\aim6.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 6656]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-20 144860]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001f0a2-339f-11dd-8a0e-00e01882a580}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder

2008-10-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-25 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 21:09:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-24 21:22:45
ComboFix-quarantined-files.txt 2008-10-25 04:21:50
ComboFix2.txt 2008-10-24 03:07:25

Pre-Run: 18,132,217,856 bytes free
Post-Run: 18,121,674,752 bytes free

437 --- E O F --- 2008-10-24 06:19:55

Edited by Imaloser, 25 October 2008 - 04:46 AM.
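The "Reg Loading Points" section of the ComboFix log above is the part of the report a responder reads for persistence: the Run keys, and the mountpoints2 key whose AutoRun handler launches an executable from a removable drive. The script below is an added example for this thread (not ComboFix's code and not from any poster) that audits a block in that shape. Its reading of ComboFix's notation is an assumption inferred from the log: `[X]` is taken to mean the referenced file was not found, and the bracketed suffix is taken to be either a date and size or a date and the resolved path. The sample input is constructed from a few of the entries above.

```python
"""Audit the 'Reg Loading Points' block of a ComboFix log for persistence
entries worth a second look. Added example; not ComboFix's own code.

Assumptions: "[X]" after an entry means the target file was not found, and
the bracketed suffix is "[date size]" or "[date resolved-path]".
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the ComboFix section above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2002-03-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a001f0a2-339f-11dd-8a0e-00e01882a580}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
"""

# "Name"="value" [info]   -- a Run-style value line
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)" \[(?P<info>[^\]]*)\]$')
# \Shell\<verb>\command - <command line>   -- a mountpoints2 handler line
AUTORUN_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\[Cc]ommand - (?P<cmd>.+)$')
# A command that names a fixed file: drive letter or %VAR% prefix.
ABS_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|%[^%]+%\\)')


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    entry: str    # value name, or mountpoints2 verb
    reason: str


def audit(text: str) -> List[Finding]:
    """Walk the block and return entries a responder should look at."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # new registry key section
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, value, info = m.group("name", "value", "info")
            # Resolved path, if ComboFix printed one after the date.
            resolved = info.split(" ", 1)[-1]
            if info == "X":
                findings.append(Finding(key, name, "target file not found on disk"))
            elif not ABS_PATH_RE.match(value) and not ABS_PATH_RE.match(resolved):
                findings.append(Finding(
                    key, name,
                    f"unqualified command {value!r}: resolved through the "
                    f"search path rather than a fixed file"))
            continue
        a = AUTORUN_RE.match(line)
        if a and "mountpoints2" in key.lower():
            findings.append(Finding(
                key, a.group("verb"),
                f"drive autorun handler runs {a.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.key}\n    {f.entry}: {f.reason}")
```

Entries whose command is a bare or rootless file name are flagged because Windows resolves them at logon through the search order, so the file that actually runs is not fixed by the registry value alone; a `[X]` entry is stale or points at something already removed, and either way deserves a look.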


#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:26 PM

Posted 25 October 2008 - 05:35 PM

Hello, Imaloser.

Okay... so I've just been reading up about viruses. Some viruses that malware quarantined were "backdoor.agent" (on the day I got the virus, which was 10/21, I ran malware right away), which I read is very serious. And when I ran ComboFix like you suggested on Oct 23 for the first time, it said something about rootkit (also looked this up, and malware has a log about it which is from one month ago) or something and then it had to restart. My comp has been working fine now though, thanks to you. I am now extremely paranoid about someone stealing all my info. I am this close to smashing my comp into bits.


Yes, backdoors are nasty.
They allow hackers to remotely control your computer, steal critical system information and download and execute files.

And after the second run of ComboFix, it said something about sending my malware log file (or something like that) to BC, which I did. It just asked me to copy and paste whatever was below (a zip file) and hit send.

Thank you :)

Sorry for bombarding you with all this stuff.


You're not bombarding anything :thumbsup:

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 Imaloser

Imaloser
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Local time:09:26 PM

Posted 26 October 2008 - 12:06 AM

Wow. That really did take forever.

Here is the log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3555 (20081025)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=37607a986bd6074da4f69e90bc8c18db
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-26 04:58:37
# local_time=2008-10-25 09:58:37 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=584080
# found=19
# scan_time=22194
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\iuk5324g.slt\Cache(3)\BD49E85Ad01 multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\iuk5324g.slt\Cache(3)\BD49E85Ad01 »WISE »mpz300.dll a variant of Win32/Adware.F1Organizer application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\iuk5324g.slt\Cache(3)\BD49E85Ad01 »WISE »TTIL_imesh.exe a variant of Win32/Adware.Ezula application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\iuk5324g.slt\Cache(3)\BD49E85Ad01 »WISE »imesh_336.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\iuk5324g.slt\Cache(3)\BD49E85Ad01 »WISE »FSG.exe Win32/Adware.Gator.Trickler.F application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\hp\bin\AUTOPLAY.EXE Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Internet Washer Pro\cache\iwupdate.exe Win32/Adware.ZipClix application (deleted) 00000000000000000000000000000000
C:\Program Files\Internet Washer Pro\cache\iwupdate.exe »WISE »ZIPCLIX.EXE Win32/Adware.ZipClix application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\Internet Washer Pro\cache\iwupdate.exe »WISE »ZIPCLIX.EXE »WISE »zipclix.dll Win32/Adware.ZipClix application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\KaZaA Speedup\SuperBarInstaller.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Netscape\Netscape\puppy screensaver.exe Win32/Adware.Gator.Trickler.E application (deleted) 00000000000000000000000000000000
C:\Program Files\Netscape\Netscape\puppy screensaver.exe »WISE »Trickler3103_PIC_fs_DMPT.exe Win32/Adware.Gator.Trickler.E application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp Win32/Adware.MNP application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmhlt.sys.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
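The ESET log above has a regular shape: a header of `# key=value` lines, then one line per detection made of the file path, the threat description, the action ESET took in parentheses, and a 32-character hash field. The parser below is an added example for this thread (my code, not ESET's and not from any poster) that turns such a log into records and cross-checks it: the `found=` header count is compared with the number of detection lines, archive members (the `»WISE »` entries) are separated from their container file, and hits on files already sitting in ComboFix's `C:\Qoobox` quarantine folder are counted apart from live ones. The line grammar is inferred from the lines on this page and is an assumption; the sample log is constructed in that shape.

```python
"""Parse an ESET Online Scanner log into records and summarise the outcome.

Added example; not ESET's code. The detection-line grammar is inferred from
the log posted above and is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the log above: header lines, a plain hit,
# a hit inside a WISE installer archive, and a hit on a file ComboFix had
# already moved into its C:\Qoobox quarantine folder.
SAMPLE_LOG = """\
# version=4
# end=finished
# remove_checked=true
# found=4
# scan_time=22194
C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Program Files\\Internet Washer Pro\\cache\\iwupdate.exe Win32/Adware.ZipClix application (deleted) 00000000000000000000000000000000
C:\\Program Files\\Internet Washer Pro\\cache\\iwupdate.exe »WISE »ZIPCLIX.EXE Win32/Adware.ZipClix application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\TDSSnrsr.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# <path> <threat description> (<action>) <32 hex chars>
# The path may contain spaces, so it is matched lazily and the threat phrase
# is anchored on ESET's category word. Phrases seen on this page:
# "Win32/Agent.NVP trojan", "a variant of Win32/Adware.Ezula application",
# "probably unknown NewHeur_PE virus", "multiple infiltrations".
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>multiple infiltrations|"
    r"(?:a variant of |probably unknown )?\S+ (?:trojan|virus|worm|application))"
    r" \((?P<action>[^()]*)\)"
    r" (?P<hash>[0-9a-fA-F]{32})$"
)

QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)   # ComboFix's quarantine folder


@dataclass
class Detection:
    path: str               # on-disk file (the container, for archive members)
    member: Optional[str]   # name inside the archive, if any
    threat: str
    action: str
    md5: str

    @property
    def outcome(self) -> str:
        """Collapse ESET's wording into three buckets."""
        if self.action.endswith("was a part of the deleted object"):
            return "removed with container"
        if "deleted" in self.action:
            return "deleted"
        return "not removed"

    @property
    def already_quarantined(self) -> bool:
        """True when the hit is on a file another tool had already isolated."""
        low = self.path.lower()
        return any(marker in low for marker in QUARANTINE_MARKERS)


def parse_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header values, detections) for one ESET log."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised detection line: {line!r}")
        parts = m.group("path").split(" »")     # "outer »WISE »inner" -> 3 parts
        detections.append(Detection(
            path=parts[0],
            member=parts[-1] if len(parts) > 1 else None,
            threat=m.group("threat"),
            action=m.group("action"),
            md5=m.group("hash"),
        ))
    return header, detections


def summarize(header: Dict[str, str], detections: List[Detection]) -> Dict[str, object]:
    """Cross-check the header against the body and tally what happened."""
    live = [d for d in detections if not d.already_quarantined]
    return {
        "finished": header.get("end") == "finished",
        "count_matches_header": int(header.get("found", "0")) == len(detections),
        "outcomes": dict(Counter(d.outcome for d in detections)),
        "live_threats": sorted({d.threat for d in live}),
        "already_quarantined": sum(1 for d in detections if d.already_quarantined),
        "not_removed": [d.path for d in detections if d.outcome == "not removed"],
    }


if __name__ == "__main__":
    hdr, dets = parse_log(SAMPLE_LOG)
    for k, v in summarize(hdr, dets).items():
        print(f"{k}: {v}")
```

The "error while deleting ... was a part of the deleted object" lines are not failures: they describe members of an archive or installer whose container was removed, so the summary counts them separately instead of as leftover threats. The `found=` cross-check catches a truncated paste, which matters on a forum where logs are copied by hand.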

#8 Billy O'Neal
Posted 26 October 2008 - 12:21 AM

Hello, Imaloser.
I'm surprised... ESET is usually one of the faster tools...

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\Program Files\Internet Washer Pro
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore the computer to any point earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3

Edited by Billy O'Neal, 26 October 2008 - 12:21 AM.


#9 Imaloser
Posted 26 October 2008 - 12:31 AM

Congratulations! You now appear clean! :)

:thumbsup:

As you requested:
========== FILES ==========
C:\Program Files\Internet Washer Pro\plugins moved successfully.
C:\Program Files\Internet Washer Pro\forms\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\3\images\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\3\images moved successfully.
C:\Program Files\Internet Washer Pro\forms\3\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\3 moved successfully.
C:\Program Files\Internet Washer Pro\forms\2\images\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\2\images moved successfully.
C:\Program Files\Internet Washer Pro\forms\2\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\2 moved successfully.
C:\Program Files\Internet Washer Pro\forms\1\images\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\1\images moved successfully.
C:\Program Files\Internet Washer Pro\forms\1\CVS moved successfully.
C:\Program Files\Internet Washer Pro\forms\1 moved successfully.
C:\Program Files\Internet Washer Pro\forms moved successfully.
C:\Program Files\Internet Washer Pro\custom moved successfully.
C:\Program Files\Internet Washer Pro\cache moved successfully.
C:\Program Files\Internet Washer Pro moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10252008_222840

#10 Billy O'Neal
Posted 26 October 2008 - 12:32 AM

Are things running okay? Do you have any more questions?

#11 Imaloser
Posted 26 October 2008 - 12:35 AM

Are things running okay? Do you have any more questions?

Things are running smoothly. Am I supposed to follow the "OTCleanIt" step?

#12 Billy O'Neal
Posted 26 October 2008 - 12:52 AM

Yep :thumbsup: Everything above "Recommendations" applies here ;)

Billy3

#13 Imaloser
Posted 26 October 2008 - 01:37 AM

I just want to thank you for all the help! I really appreciated it, Billy! :thumbsup:

#14 Billy O'Neal
Posted 26 October 2008 - 09:25 PM

Hello, Imaloser.

You're welcome :thumbsup: Glad to hear things got cleaned up!

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3