
Windows cannot find Internet Explorer


14 replies to this topic

#1 Nodracol

  • Members
  • 25 posts

Posted 28 December 2008 - 05:01 AM

Sorry I posted this in the wrong forum before. Have read instructions for posting now! Herewith description of my problem.

Lost all access to Internet Explorer 5 days ago.
Error message is: 'Cannot find c:\program\internet explorer\Iexplore.exe'
Have tried using System Restore to a previous date (before the problem arose) but cannot restore (may be linked to the same problem). The computer goes through the motions of restoring but then, right at the end, I receive the error message 'cannot complete system restore'.

Reinstalling Internet Explorer, whether version 6, 7 or Beta 8, all behave the same.

Used Malwarebytes Anti-Malware (in safe mode) and found the VUNDO trojan, which it removed, but the problem remains.
Used SUPERAntiSpyware (in safe mode) and found one other trojan, which was removed, but the problem remains.

Thanks in advance for your help.

Don

DDS log below and attachment

DDS (Version 1.1.0) - NTFSx86
Run by n at 9:42:13.79 on 28/12/2008
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1394 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\n\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\torrentman\tbTorr.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [BroadcomWireless] c:\program files\broadcom\wireless\utility\WlanUtil.exe
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
StartupFolder: c:\docume~1\n\startm~1\programs\startup\autoru~1\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\n\applic~1\mozilla\firefox\profiles\k1mtdnro.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\n\application data\mozilla\firefox\profiles\k1mtdnro.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-11 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-11 26824]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-11 231704]
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\c:\windows\system32\drivers\epm-psd.sys [2006-2-1 4096]
R2 EpmShd;Acer EPM System Hardware Driver;\??\c:\windows\system32\drivers\epm-shd.sys [2006-2-1 78208]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe" [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;"c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe" [2007-8-24 1083888]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;"c:\program files\roxio\digital home 10\RoxioUpnpService10.exe" [2007-8-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe" [2007-8-24 309744]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;"c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe" [2007-8-24 166384]

=============== Created Last 30 ================

2008-12-28 09:14 <DIR> --d----- c:\program files\Trend Micro
2008-12-28 08:18 <DIR> --d----- c:\windows\ie8updates
2008-12-27 21:24 <DIR> --d----- C:\VundoFix Backups
2008-12-27 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-27 18:05 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-27 18:05 <DIR> --d----- c:\docume~1\n\applic~1\SUPERAntiSpyware.com
2008-12-27 18:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-26 16:06 <DIR> -cd-h--- c:\windows\ie8
2008-12-26 11:00 <DIR> --d----- c:\docume~1\n\applic~1\Malwarebytes
2008-12-26 10:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 10:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-26 10:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 12:24 16,832 a------- c:\windows\system32\amcompat.tlb
2008-12-13 12:24 23,392 a------- c:\windows\system32\nscompat.tlb
2008-12-12 13:49 <DIR> --d----- c:\windows\system32\IOSUBSYS
2008-12-04 13:21 446,464 a------- c:\windows\system32\MotionPicture.scr
2008-12-01 15:58 <DIR> --d----- c:\program files\Fantastic Flame Screensaver
2008-12-01 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Laconic Software
2008-12-01 15:58 5,611,808 a------- c:\windows\system32\xa467309046.exe
2008-12-01 15:58 5,611,808 a------- c:\windows\system32\xa467307875.exe
2008-12-01 10:11 939,368 a------- c:\windows\flash.ocx
2008-12-01 10:11 290,816 a------- c:\windows\Living 3D Dolphins Full.scr
2008-12-01 10:11 <DIR> --d----- c:\program files\ScreenSaver.com
2008-11-30 14:00 <DIR> --d----- c:\program files\UselessCreations
2008-11-30 13:58 146,800 a------- c:\windows\system32\UC3D.scr
2008-11-29 17:12 <DIR> --d----- c:\docume~1\n\applic~1\Aquatica 3D

==================== Find3M ====================

2008-12-14 14:24 170,892 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-12-08 21:57 740,830 a------- c:\program files\screen.bmp
2008-12-08 21:57 141,554 a------- c:\program files\screen.jpg
2008-11-28 07:41 6,424 a------- c:\windows\system32\KGyGaAvL.sys
2008-11-17 20:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 -------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-04-24 12:10 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-05-25 13:59 598,016 a------- c:\program files\ScreenGrab.exe
2003-08-27 13:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll
2008-09-16 08:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 9:42:59.00 ===============
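The "Pseudo HJT Report" section of the DDS log above is what the helpers read by eye: BHO, toolbar and URL search-hook registrations, each with its CLSID and DLL path, followed by the Run entries. The script below is an added example, not part of DDS, MBAM or anything posted by the participants in this thread. It parses a few lines constructed in that format (the values are taken from the log above) and flags the three things worth a second look in this particular log: entries whose DLL is missing ("No File", i.e. a registration left behind after the file was removed), one CLSID registered under several hook types at once (the TorrentMan CLSID appears as a search hook, a BHO and a toolbar), and Run entries that name a bare executable with no directory, which resolve through the search path and so cannot be verified from the log alone. The names `HookEntry`, `parse_hook_line`, `parse_run_line` and `triage` are my own.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example; it is not part of DDS, MBAM or this thread. It parses hook
entries (BHO, TB, uURLSearchHooks) and Run entries (uRun/mRun) and reports
what a malware-response volunteer checks by eye.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in the DDS format seen in this thread.
SAMPLE_DDS = """\
uURLSearchHooks: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\\program files\\torrentman\\tbTorr.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\\program files\\torrentman\\tbTorr.dll
TB: TorrentMan Toolbar: {7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\\program files\\torrentman\\tbTorr.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
"""

HOOK_KINDS = {"BHO", "TB", "uURLSearchHooks"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class HookEntry:
    kind: str             # BHO, TB or uURLSearchHooks
    name: Optional[str]   # friendly name, if DDS resolved one
    clsid: Optional[str]  # lower-cased CLSID, if present on the line
    path: str             # DLL path, or the literal 'No File'

    @property
    def orphaned(self) -> bool:
        # A CLSID still registered under the hook key, but its DLL is gone.
        return self.path.lower() == "no file"


def parse_hook_line(line: str) -> Optional[HookEntry]:
    """Parse 'KIND: [Name: ]{CLSID} - path'; returns None for other lines."""
    kind, sep, rest = line.partition(": ")
    if not sep or kind not in HOOK_KINDS:
        return None
    head, sep, path = rest.rpartition(" - ")
    if not sep:
        return None
    m = CLSID_RE.search(head)
    clsid = m.group(0).lower() if m else None
    name = head[:m.start()].rstrip(": ").strip() if m else head.strip()
    return HookEntry(kind, name or None, clsid, path.strip())


def parse_run_line(line: str) -> Optional[dict]:
    """Parse 'uRun: [Name] command' / 'mRun: [Name] command'."""
    m = RUN_RE.match(line)
    return m.groupdict() if m else None


def triage(report: str) -> Dict[str, object]:
    """Return the findings a helper would look at first in this section."""
    hooks: List[HookEntry] = []
    unqualified_run: List[str] = []
    for line in report.splitlines():
        entry = parse_hook_line(line)
        if entry:
            hooks.append(entry)
            continue
        run = parse_run_line(line)
        if run:
            # First token of the command; a bare name has no directory and is
            # resolved through the search path, so the log alone can't verify it.
            exe = (run["cmd"].strip('"').split() or [""])[0]
            if "\\" not in exe:
                unqualified_run.append(run["name"])
    by_clsid: Dict[str, set] = {}
    for h in hooks:
        if h.clsid:
            by_clsid.setdefault(h.clsid, set()).add(h.kind)
    return {
        "orphaned": [h.name or h.clsid for h in hooks if h.orphaned],
        "clsid_reuse": {c: sorted(k) for c, k in by_clsid.items() if len(k) > 1},
        "unqualified_run": unqualified_run,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

To use it on a real log, pass the whole "Pseudo HJT Report" section to `triage()`. Orphaned "No File" entries are inert on their own (there is no DLL to load), but they are the registry leftovers a helper normally cleans up once the infection itself is gone, and a CLSID that appears under several hook types at once is the usual footprint of a bundled toolbar rather than a single add-on.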

#2 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 03 January 2009 - 11:38 PM

Hi Nodracol,

Have you tried:
Start > Run and type in:
iexplore.exe
then click OK or press Enter.

Update MBAM and scan in normal mode, then post the log:

* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.

How Can I Reduce My Risk to Malware?


#3 Nodracol
  • Topic Starter

  • Members
  • 25 posts

Posted 04 January 2009 - 06:21 AM

Hi shelf life, thanks for helping. Have tried what you suggested with updated MBAM. No infections found - see log:

Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 3

04/01/2009 11:08:50
mbam-log-2009-01-04 (11-08-50).txt

Scan type: Quick Scan
Objects scanned: 59505
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------

When I ran MBAM just over a week ago it found the VUNDO trojan and quarantined it. I attach that log also, just in case it helps with your diagnosis.

Thanks

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

26/12/2008 11:22:35
mbam-log-2008-12-26 (11-22-35).txt

Scan type: Quick Scan
Objects scanned: 70677
Time elapsed: 20 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39a3e6cc-f46b-3c71-81da-0a7e41a2722a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39a3e6cc-f46b-3c71-81da-0a7e41a2722a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8b767315-a97a-36d5-bd57-68fa1428c639} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c7c9ccb9-c374-383b-89c2-80a1e272b645} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39a3e6cc-f46b-3c71-81da-0a7e41a2722a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wrq74330.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rq74330.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qdbon.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\KB32114.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#4 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 04 January 2009 - 08:34 AM

Did you get IE to launch?

I am sure you know that 8.0 is a beta release and could have all kinds of issues with it, known and unknown.

Looks like it's active on your machine:
Internet Explorer: 8.0.6001.18241

If you haven't already, you should visit the MS knowledge base:
http://support.microsoft.com/search/defaul...mm=1&res=20
There are also MS forums you can visit.

How Can I Reduce My Risk to Malware?


#5 Nodracol
  • Topic Starter

  • Members
  • 25 posts

Posted 04 January 2009 - 08:52 AM

IE still won't launch.
Should I reload IE7?
I left IE8 on as it was at this point that I gave up trying to solve the problem myself and was told not to change anything by BC until someone had looked at HJT logs etc.

#6 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 04 January 2009 - 04:59 PM

MBAM cleaned some items out. Your antivirus is up to date and is coming up clean? What about SUPERAntiSpyware?
If these are all clean then yes, you can attempt a re-install of 7.0.

You should make sure from the MS knowledge base or somewhere on the MS website that the procedure you are following is the correct one, both for re-installing 7.0 and uninstalling the beta version.

You might also back up anything on your HD you don't want to lose as a precaution, just in case. Here's a web-based free service for up to 50GB of data. Transfer of large amounts of data can be kind of slow as it's via a Java applet, but at least you would have the data. Good luck.

http://www.adrive.com/


Before you re-install IE, let's get one more tool to look for malware. It's called ComboFix. Read through the guide, which will explain all you need to know about it. When you finish the guide, follow the ComboFix prompts and post the ComboFix log.

Link to guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Edited by shelf life, 04 January 2009 - 05:08 PM.

How Can I Reduce My Risk to Malware?


#7 Nodracol
  • Topic Starter

  • Members
  • 25 posts

Posted 05 January 2009 - 06:37 AM

Tried SUPERAntiSpyware (updated) and found nothing.
Have not reinstalled IE7 yet.
Followed the guidelines on ComboFix installation and running.
ComboFix log attached:

ComboFix 09-01-04.01 - n 2009-01-05 11:25:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1305 [GMT 0:00]
Running from: c:\documents and settings\n\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\OPTIONS\CABS\_desktop.ini
c:\windows\system32\Desktop_.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-29 17:14 . 2009-01-03 14:33 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-29 17:14 . 2009-01-03 14:33 1,409 --a------ c:\windows\QTFont.for
2008-12-29 17:13 . 2008-12-29 17:13 <DIR> d-------- c:\documents and settings\n\Productions
2008-12-28 09:14 . 2008-12-28 09:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 08:18 . 2009-01-04 16:21 <DIR> d-------- c:\windows\ie8updates
2008-12-27 21:24 . 2008-12-27 21:24 <DIR> d-------- C:\VundoFix Backups
2008-12-27 18:24 . 2008-12-27 18:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-27 18:06 . 2008-12-27 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 18:05 . 2009-01-05 09:40 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-27 18:05 . 2008-12-27 18:05 <DIR> d-------- c:\documents and settings\n\Application Data\SUPERAntiSpyware.com
2008-12-27 18:03 . 2008-12-27 18:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 17:12 . 2008-12-26 17:20 <DIR> d-------- c:\program files\RegCure
2008-12-26 16:27 . 2008-12-26 16:31 <DIR> d-------- c:\documents and settings\Administrator
2008-12-26 16:06 . 2004-08-03 22:56 81,920 --a------ c:\windows\system32\ieencode.dll
2008-12-26 16:06 . 2004-08-03 22:56 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2008-12-26 11:00 . 2008-12-26 11:00 <DIR> d-------- c:\documents and settings\n\Application Data\Malwarebytes
2008-12-26 10:59 . 2008-12-26 16:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 10:59 . 2008-12-26 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 10:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 10:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 12:24 . 2008-12-19 08:08 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-13 12:24 . 2008-12-19 08:08 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-12 13:49 . 2008-12-12 13:49 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 12:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-17 19:47 --------- d-----w c:\program files\Corel
2008-12-17 11:27 --------- d-----w c:\program files\TorrentMan
2008-12-17 11:22 --------- d-----w c:\program files\BitLord
2008-12-16 16:49 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-16 16:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 16:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-14 15:59 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-14 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 15:57 --------- d-----w c:\program files\MSBuild
2008-12-12 13:49 --------- d-----w c:\program files\Google
2008-12-10 16:41 --------- d-----w c:\documents and settings\n\Application Data\CoreFTP
2008-12-10 00:37 --------- d-----w c:\program files\eclipse
2008-12-08 21:57 740,830 ------w c:\program files\screen.bmp
2008-12-08 21:57 141,554 ------w c:\program files\screen.jpg
2008-12-01 15:58 5,611,808 ----a-w c:\windows\system32\xa467309046.exe
2008-12-01 15:58 5,611,808 ----a-w c:\windows\system32\xa467307875.exe
2008-12-01 15:58 --------- d-----w c:\program files\Fantastic Flame Screensaver
2008-12-01 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Laconic Software
2008-12-01 10:11 --------- d-----w c:\program files\ScreenSaver.com
2008-11-30 14:00 --------- d-----w c:\program files\UselessCreations
2008-11-30 13:44 146,800 ----a-w c:\windows\system32\UC3D.scr
2008-11-29 17:12 --------- d-----w c:\documents and settings\n\Application Data\Aquatica 3D
2008-11-28 07:41 6,424 ----a-w c:\windows\system32\KGyGaAvL.sys
2008-11-21 13:53 --------- d-----w c:\documents and settings\n\Application Data\Corel
2008-11-21 13:52 --------- d-----w c:\program files\Common Files\Corel
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-15 13:45 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-11-10 16:01 --------- d-----w c:\program files\Common Files\Adobe
2008-11-08 18:07 --------- d-----w c:\documents and settings\n\Application Data\Sony Corporation
2008-11-08 18:05 --------- d-----w c:\program files\Sonic
2008-11-08 18:01 --------- d-----w c:\program files\Sony
2008-11-08 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-04-24 12:10 32 ------w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-05-25 13:59 598,016 ------w c:\program files\ScreenGrab.exe
2003-08-27 13:19 36,963 ------r c:\program files\Common Files\SM1updtr.dll
2008-09-16 08:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.

------- Sigcheck -------

2004-08-03 22:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe

2005-03-02 18:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 15:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 15:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-03 22:56 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 18:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2004-08-03 22:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2007-10-11 05:57 666112 80d660a49e0d118144423099b2a9f5da c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-10 23:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 02:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-02-16 09:32 666112 bb1eacd6ab47e78ebca02eb781550d55 c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
2008-03-01 13:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 03:35 827392 41546b396a526918da7995a02ea04e51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 16:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 09:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 20:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2004-08-03 22:56 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB942615$\wininet.dll
2007-10-11 06:13 659456 2005ad86a22aee68e21ee59f9ccb77f2 c:\windows\$NtUninstallKB947864$\wininet.dll
2008-04-23 04:16 826368 f6589be784647cfdbc22ea51ccb1a57a c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-08-26 07:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-14 00:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
2008-05-21 00:43 1526296 --------- c:\program files\TorrentMan\tbTorr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-02-18 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" [2003-09-11 99840]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-01-31 385024]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]

c:\documents and settings\n\Start Menu\Programs\Startup\AutorunsDisabled
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-08 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-02-07 45056]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2006-02-18 161264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-05 09:40 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.rtmp"= Roxio_DivX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe

[HKLM\~\startupfolder\C:^Documents and Settings^n^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\n\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--------- 2007-08-28 12:00 531272 c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2006-02-18 12:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Adeline's stuff\\projects\\cametrics\\HydraUI.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"\\\\Computer\\print_engine_xaar\\bin\\HydraUI.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 97928]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R4 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-02-01 4096]
R4 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-02-01 78208]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2008-12-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Boot - c:\acer\Empowering Technology\ePower\Boot.exe
HKLM-Run-BroadcomWireless - c:\program files\Broadcom\Wireless\Utility\WlanUtil.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

c:\windows\Downloaded Program Files\TraderMediaX.ocx - O16 -: {2A493D5F-8914-4D3E-8BF3-767F281862F4}
hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
FF - ProfilePath - c:\documents and settings\n\Application Data\Mozilla\Firefox\Profiles\k1mtdnro.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\n\Application Data\Mozilla\Firefox\Profiles\k1mtdnro.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 11:27:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-05 11:28:53
ComboFix-quarantined-files.txt 2009-01-05 11:28:50

Pre-Run: 2,033,807,360 bytes free
Post-Run: 2,128,486,400 bytes free

353 --- E O F --- 2009-01-05 07:53:48

#8 Nodracol
  • Topic Starter
  • Members
  • 25 posts

Posted 05 January 2009 - 07:20 AM

Have just installed IE7 from the Microsoft website (recommended download). It installed successfully but will still not load, either via Programs or the Run command in the Start menu. AaaaaaaaH!

#9 Nodracol
  • Topic Starter
  • Members
  • 25 posts

Posted 05 January 2009 - 12:43 PM

:thumbsup: DONE IT!
After over 2 weeks of trying to find a solution I did another search on the Internet and found the following blog reference to the problem:

http://pctechnow.blogspot.com/2008/08/cant...n-run-from.html

A rogue regedit entry which is not deleted after removing all trojans and is not found by any spyware.

The guys at BC should recruit this man!

My congrats to PC Tech Now :)
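The rogue entry referred to above is visible in the ComboFix log earlier in the thread: an Image File Execution Options "Debugger" value for iexplore.exe pointing at c:\windows\system32\klomp.exe, so Windows starts that file (with IE's command line appended) instead of IE, and once the file is gone IE cannot start at all. The Python script below is an added example, not part of this thread or of ComboFix: it parses the Reg Loading Points section of a ComboFix log for such Debugger values and builds a .reg fragment that deletes only that value. The sample log text, the allow-list of developer debuggers and the vsjitdebugger.exe entry are constructed assumptions.

```python
"""Detect IFEO "Debugger" hijacks in a ComboFix "Reg Loading Points" section.

Added example (not from the thread or from ComboFix). Windows honours the
Debugger value under Image File Execution Options by starting the named
debugger with the original command line appended instead of the image
itself, so a missing or malicious debugger breaks the targeted program.
"""
import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of the section posted in the thread,
# plus one assumed legitimate entry (vsjitdebugger.exe, the Visual Studio
# just-in-time debugger) to show that not every Debugger value is a hijack.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\vsjitdebugger.exe" -p

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed allow-list: debuggers that developer tooling legitimately registers.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
IFEO_KEY_RE = re.compile(r"^\[.*\\image file execution options\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Finding:
    image: str      # executable whose launch is redirected, e.g. iexplore.exe
    debugger: str   # raw Debugger value as it appears in the log
    verdict: str    # "known debugger" or "suspicious"


def debugger_basename(value: str) -> str:
    """Return the lower-cased file name of the debugger, ignoring arguments."""
    v = value.strip()
    if v.startswith('"'):                 # quoted path, possibly followed by args
        end = v.find('"', 1)
        exe = v[1:end] if end > 0 else v[1:]
    else:                                 # bare path; args start at first space
        exe = v.split()[0] if v else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ifeo_debuggers(log_text: str) -> list:
    """Walk the REGEDIT4-style dump and collect every IFEO Debugger value."""
    findings = []
    current_image = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # key header: is it an IFEO subkey?
            m = IFEO_KEY_RE.match(line)
            current_image = m.group(1).lower() if m else None
            continue
        if current_image is None:
            continue
        m = VALUE_RE.match(line)
        if not m or m.group(1).lower() != "debugger":
            continue
        exe = debugger_basename(m.group(2))
        verdict = "known debugger" if exe in KNOWN_DEBUGGERS else "suspicious"
        findings.append(Finding(current_image, m.group(2).strip(), verdict))
    return findings


def ifeo_hijacks(log_text: str) -> list:
    """Only the Debugger values that do not point at a known debugger."""
    return [f for f in parse_ifeo_debuggers(log_text) if f.verdict == "suspicious"]


def build_reg_fix(findings: list) -> str:
    """REGEDIT4 text that deletes just the Debugger value of each finding.

    "Debugger"=- is standard .reg syntax for removing a single value, so any
    other values under the image's IFEO subkey are left untouched.
    """
    lines = ["REGEDIT4", ""]
    for f in findings:
        lines.append(f"[{IFEO_KEY}\\{f.image}]")
        lines.append('"Debugger"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in parse_ifeo_debuggers(SAMPLE_LOG):
        print(f"{f.image:14} {f.verdict:15} {f.debugger}")
    print(build_reg_fix(ifeo_hijacks(SAMPLE_LOG)))
```

Run against the sample, only the iexplore.exe entry is reported as suspicious and the generated .reg text removes that one Debugger value; review the allow-list for your own environment before relying on it.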

#10 shelf life
  • Malware Response Team
  • 2,651 posts

Posted 05 January 2009 - 06:25 PM

hi,

I must admit I've never come across the problem until yours, and I've seen loads of logs, but it looks like you've got it all taken care of.
We will use ComboFix now.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

File::
c:\windows\system32\xa467309046.exe
c:\windows\system32\xa467307875.exe

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

I think this at one time was bundled with adware; that may not be the case anymore:
UselessCreations

Your torrent client: much malware is distributed on P2P networks, and most people don't need another potential source for malware.

How Can I Reduce My Risk to Malware?


#11 Nodracol
  • Topic Starter
  • Members
  • 25 posts

Posted 06 January 2009 - 04:52 AM

Hi Shelflife

Before I make the changes you suggest can you explain why? If the problem is solved by taking out the rogue regedit entries, what is the purpose of the additional changes which Combofix will do? Will do if I know why.

Thanks

#12 shelf life
  • Malware Response Team
  • 2,651 posts

Posted 06 January 2009 - 06:27 PM

hi,

Sure: a quick search with Scroogle returns no results for those two .exe files. This is not usually encouraging news. Running the ComboFix script will put them in ComboFix's quarantine folder, from where they could be restored if needed. You could also navigate to the system32 directory and manually delete them yourself. You can also go to the website below and upload them so they can be checked out; maybe malware, maybe not. You can also post one more HJT log. (The site can get busy at times.)

http://www.virustotal.com/

How Can I Reduce My Risk to Malware?


#13 Nodracol
  • Topic Starter
  • Members
  • 25 posts

Posted 07 January 2009 - 07:08 AM

Thanks for the info. Have done what you suggest and logs posted below:

HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:53, on 07/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7600 bytes


COMBOFIX LOG
ComboFix 09-01-06.02 - n 2009-01-07 11:57:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1472 [GMT 0:00]
Running from: c:\documents and settings\n\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\n\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2008-12-29 17:14 . 2009-01-06 22:06 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-29 17:14 . 2009-01-06 22:06 1,409 --a------ c:\windows\QTFont.for
2008-12-29 17:13 . 2008-12-29 17:13 <DIR> d-------- c:\documents and settings\n\Productions
2008-12-28 09:14 . 2008-12-28 09:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 08:18 . 2009-01-04 16:21 <DIR> d-------- c:\windows\ie8updates
2008-12-27 21:24 . 2008-12-27 21:24 <DIR> d-------- C:\VundoFix Backups
2008-12-27 18:24 . 2008-12-27 18:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-27 18:06 . 2008-12-27 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 18:05 . 2009-01-05 09:40 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-27 18:05 . 2008-12-27 18:05 <DIR> d-------- c:\documents and settings\n\Application Data\SUPERAntiSpyware.com
2008-12-27 18:03 . 2008-12-27 18:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 17:12 . 2008-12-26 17:20 <DIR> d-------- c:\program files\RegCure
2008-12-26 16:27 . 2008-12-26 16:31 <DIR> d-------- c:\documents and settings\Administrator
2008-12-26 16:06 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\ieencode.dll
2008-12-26 16:06 . 2007-08-13 18:45 78,336 --a--c--- c:\windows\system32\dllcache\ieencode.dll
2008-12-26 11:00 . 2008-12-26 11:00 <DIR> d-------- c:\documents and settings\n\Application Data\Malwarebytes
2008-12-26 10:59 . 2008-12-26 16:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 10:59 . 2008-12-26 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 10:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 10:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 12:24 . 2008-12-19 08:08 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-13 12:24 . 2008-12-19 08:08 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-12 13:49 . 2008-12-12 13:49 <DIR> d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 14:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-17 19:47 --------- d-----w c:\program files\Corel
2008-12-17 11:27 --------- d-----w c:\program files\TorrentMan
2008-12-17 11:22 --------- d-----w c:\program files\BitLord
2008-12-16 16:49 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-16 16:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 16:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-14 15:59 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-14 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 15:57 --------- d-----w c:\program files\MSBuild
2008-12-12 13:49 --------- d-----w c:\program files\Google
2008-12-10 16:41 --------- d-----w c:\documents and settings\n\Application Data\CoreFTP
2008-12-10 00:37 --------- d-----w c:\program files\eclipse
2008-12-08 21:57 740,830 ------w c:\program files\screen.bmp
2008-12-08 21:57 141,554 ------w c:\program files\screen.jpg
2008-12-01 15:58 5,611,808 ----a-w c:\windows\system32\xa467309046.exe
2008-12-01 15:58 5,611,808 ----a-w c:\windows\system32\xa467307875.exe
2008-12-01 15:58 --------- d-----w c:\program files\Fantastic Flame Screensaver
2008-12-01 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Laconic Software
2008-12-01 10:11 --------- d-----w c:\program files\ScreenSaver.com
2008-11-30 14:00 --------- d-----w c:\program files\UselessCreations
2008-11-30 13:44 146,800 ----a-w c:\windows\system32\UC3D.scr
2008-11-29 17:12 --------- d-----w c:\documents and settings\n\Application Data\Aquatica 3D
2008-11-28 07:41 6,424 ----a-w c:\windows\system32\KGyGaAvL.sys
2008-11-21 13:53 --------- d-----w c:\documents and settings\n\Application Data\Corel
2008-11-21 13:52 --------- d-----w c:\program files\Common Files\Corel
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-15 13:45 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-11-10 16:01 --------- d-----w c:\program files\Common Files\Adobe
2008-11-08 18:07 --------- d-----w c:\documents and settings\n\Application Data\Sony Corporation
2008-11-08 18:05 --------- d-----w c:\program files\Sonic
2008-11-08 18:01 --------- d-----w c:\program files\Sony
2008-11-08 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-04-24 12:10 32 ------w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-05-25 13:59 598,016 ------w c:\program files\ScreenGrab.exe
2003-08-27 13:19 36,963 ------r c:\program files\Common Files\SM1updtr.dll
2008-09-16 08:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.

------- Sigcheck -------

2004-08-03 22:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe

2005-03-02 18:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 15:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 15:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-03 22:56 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 18:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2004-08-03 22:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2006-04-20 12:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 16:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 10:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 21:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 17:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2004-08-03 22:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 00:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 00:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2004-08-03 21:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 19:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 19:20 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2004-08-03 21:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 18:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 18:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2005-03-02 00:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 09:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 08:38 2015744 a58ac1c6199ef34228abee7fc057ae09 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 23:05 2015232 fb142b7007ca2eea76966c6c5cc12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 00:34 2015232 3cd941e472ddf3534e53038535719771 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 18:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 09:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 18:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 09:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-02 01:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 09:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 09:08 2136064 1220faf071dea8653ee21de7dcda8bfd c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 21:18 2148352 626309040459c3915997ef98ec1c8d40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 00:57 2135552 48b3e89af7074cee0314a3e0c7faffdb c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 19:24 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 10:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 19:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 10:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe
2008-08-14 10:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe

2008-04-14 00:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2007-06-13 11:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-03 22:56 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-03 22:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 00:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 00:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2004-08-03 22:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 00:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 00:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2004-08-03 22:56 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2005-06-11 00:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-03 22:56 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 00:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2004-08-03 22:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe

2004-08-03 22:56 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 00:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 00:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-05_11.28.10.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-12 23:12:25 22,752 -c----w c:\windows\$NtUninstallKB915865$\spcustom.dll
+ 2005-10-12 23:12:25 14,048 -c----w c:\windows\$NtUninstallKB915865$\spmsg.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB915865$\spuninst.exe
+ 2005-10-12 23:12:28 716,000 -c----w c:\windows\$NtUninstallKB915865$\update.exe
+ 2005-10-12 23:12:33 371,424 -c----w c:\windows\$NtUninstallKB915865$\updspapi.dll
+ 2008-06-12 11:28:02 121,856 -c----w c:\windows\$NtUninstallKB915865$\xmllite.dll
+ 2004-08-03 22:56:42 61,440 -c--a-w c:\windows\ie7\admparse.dll
+ 2004-08-03 22:56:42 99,840 -c--a-w c:\windows\ie7\advpack.dll
+ 2004-08-03 22:56:42 35,328 -c--a-w c:\windows\ie7\corpol.dll
+ 2006-06-03 11:40:49 33,792 -c--a-w c:\windows\ie7\custsat.dll
+ 2008-02-16 08:59:35 357,888 -c--a-w c:\windows\ie7\dxtmsft.dll
+ 2008-02-16 08:59:35 205,312 -c--a-w c:\windows\ie7\dxtrans.dll
+ 2008-02-16 08:59:35 55,808 -c--a-w c:\windows\ie7\extmgr.dll
+ 2004-08-03 22:56:44 38,912 -c--a-w c:\windows\ie7\hmmapi.dll
+ 2004-08-03 22:56:52 34,304 -c--a-w c:\windows\ie7\ie4uinit.exe
+ 2004-08-03 22:56:44 139,264 -c--a-w c:\windows\ie7\ieakeng.dll
+ 2004-08-03 22:56:44 216,576 -c--a-w c:\windows\ie7\ieaksie.dll
+ 2001-08-23 11:00:00 221,184 -c--a-w c:\windows\ie7\ieakui.dll
+ 2004-08-03 22:56:44 323,584 -c--a-w c:\windows\ie7\iedkcs32.dll
+ 2008-02-15 09:23:37 18,432 -c--a-w c:\windows\ie7\iedw.exe
+ 2004-08-03 22:56:44 81,920 -c--a-w c:\windows\ie7\ieencode.dll
+ 2008-02-16 08:59:35 251,392 -c--a-w c:\windows\ie7\iepeers.dll
+ 2004-08-03 22:56:44 48,640 -c--a-w c:\windows\ie7\iernonce.dll
+ 2004-08-03 22:56:44 62,976 -c--a-w c:\windows\ie7\iesetup.dll
+ 2004-08-03 22:56:52 93,184 -c--a-w c:\windows\ie7\iexplore.exe
+ 2004-08-03 22:56:44 35,840 -c--a-w c:\windows\ie7\imgutil.dll
+ 2008-02-16 08:59:35 96,256 -c--a-w c:\windows\ie7\inseng.dll
+ 2008-02-16 08:59:35 16,384 -c--a-w c:\windows\ie7\jsproxy.dll
+ 2004-08-03 22:56:44 22,016 -c--a-w c:\windows\ie7\licmgr10.dll
+ 2004-08-03 22:56:54 29,184 -c--a-w c:\windows\ie7\mshta.exe
+ 2008-12-12 17:01:00 3,067,904 -c--a-w c:\windows\ie7\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 -c--a-w c:\windows\ie7\mshtml.dll.000
+ 2008-02-16 08:59:37 449,024 -c--a-w c:\windows\ie7\mshtmled.dll
+ 2004-08-03 22:56:16 56,832 -c--a-w c:\windows\ie7\mshtmler.dll
+ 2001-08-23 11:00:00 146,432 -c--a-w c:\windows\ie7\msls31.dll
+ 2008-02-16 08:59:37 146,432 -c--a-w c:\windows\ie7\msrating.dll
+ 2008-02-16 08:59:37 532,480 -c--a-w c:\windows\ie7\mstime.dll
+ 2004-08-03 22:56:46 96,256 -c--a-w c:\windows\ie7\occache.dll
+ 2008-02-16 08:59:37 39,424 -c--a-w c:\windows\ie7\pngfilt.dll
+ 2007-08-13 18:54:42 32,960 -c--a-w c:\windows\ie7\spuninst\iecustom.dll
+ 2007-08-13 18:52:06 66,048 -c--a-w c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2006-09-06 17:43:16 213,216 -c--a-w c:\windows\ie7\spuninst\spuninst.exe
+ 2006-09-06 17:43:18 371,424 -c--a-w c:\windows\ie7\spuninst\updspapi.dll
+ 2004-08-03 22:56:48 37,888 -c--a-w c:\windows\ie7\url.dll
+ 2008-02-16 08:59:38 615,936 -c--a-w c:\windows\ie7\urlmon.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w c:\windows\ie7\vgx.dll
+ 2004-08-03 22:56:48 276,480 -c--a-w c:\windows\ie7\webcheck.dll
+ 2008-02-16 08:59:39 659,456 -c--a-w c:\windows\ie7\wininet.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-13 18:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-13 18:39:00 123,904 -c----w c:\windows\ie7updates\KB956390-IE7\advpack.dll
+ 2007-08-13 18:35:46 346,624 -c----w c:\windows\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2007-08-13 18:35:38 214,528 -c----w c:\windows\ie7updates\KB956390-IE7\dxtrans.dll
+ 2007-08-13 18:54:10 131,584 -c----w c:\windows\ie7updates\KB956390-IE7\extmgr.dll
+ 2007-08-13 18:36:26 61,952 -c----w c:\windows\ie7updates\KB956390-IE7\icardie.dll
+ 2007-08-13 18:39:06 54,784 -c----w c:\windows\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2007-08-13 18:39:26 152,064 -c----w c:\windows\ie7updates\KB956390-IE7\ieakeng.dll
+ 2007-08-13 18:39:54 229,376 -c----w c:\windows\ie7updates\KB956390-IE7\ieaksie.dll
+ 2007-08-13 17:56:54 161,792 -c----w c:\windows\ie7updates\KB956390-IE7\ieakui.dll
+ 2007-02-12 16:10:12 2,451,312 -c----w c:\windows\ie7updates\KB956390-IE7\ieapfltr.dat
+ 2007-07-11 12:27:48 383,488 -c----w c:\windows\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2007-08-13 18:39:50 382,976 -c----w c:\windows\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2007-08-13 18:54:10 6,049,280 -c----w c:\windows\ie7updates\KB956390-IE7\ieframe.dll
+ 2007-08-13 18:39:10 43,008 -c----w c:\windows\ie7updates\KB956390-IE7\iernonce.dll
+ 2007-08-13 18:34:04 266,752 -c----w c:\windows\ie7updates\KB956390-IE7\iertutil.dll
+ 2007-08-13 18:39:10 13,312 -c----w c:\windows\ie7updates\KB956390-IE7\ieudinit.exe
+ 2007-08-13 18:43:56 622,080 -c----w c:\windows\ie7updates\KB956390-IE7\iexplore.exe
+ 2007-08-13 18:54:10 27,136 -c----w c:\windows\ie7updates\KB956390-IE7\jsproxy.dll
+ 2007-08-13 18:54:10 458,752 -c----w c:\windows\ie7updates\KB956390-IE7\msfeeds.dll
+ 2007-08-13 18:54:10 50,688 -c----w c:\windows\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2007-08-13 18:54:12 3,578,368 -c----w c:\windows\ie7updates\KB956390-IE7\mshtml.dll
+ 2007-08-13 18:54:12 3,578,368 -c----w c:\windows\ie7updates\KB956390-IE7\mshtml.dll.000
+ 2007-08-13 18:54:10 475,648 -c----w c:\windows\ie7updates\KB956390-IE7\mshtmled.dll
+ 2007-08-13 18:44:26 192,000 -c----w c:\windows\ie7updates\KB956390-IE7\msrating.dll
+ 2007-08-13 18:54:10 670,720 -c----w c:\windows\ie7updates\KB956390-IE7\mstime.dll
+ 2007-08-13 18:44:06 101,376 -c----w c:\windows\ie7updates\KB956390-IE7\occache.dll
+ 2007-08-13 18:36:12 44,544 -c----w c:\windows\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:31 22,752 -c----w c:\windows\ie7updates\KB956390-IE7\spcustom.dll
+ 2007-03-06 01:22:33 14,048 -c----w c:\windows\ie7updates\KB956390-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst.exe
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:59 716,000 -c----w c:\windows\ie7updates\KB956390-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB956390-IE7\updspapi.dll
+ 2007-08-13 18:44:30 105,984 -c----w c:\windows\ie7updates\KB956390-IE7\url.dll
+ 2007-08-13 18:54:10 1,162,240 -c----w c:\windows\ie7updates\KB956390-IE7\urlmon.dll
+ 2007-08-13 18:54:10 231,424 -c----w c:\windows\ie7updates\KB956390-IE7\webcheck.dll
+ 2007-08-13 18:54:10 818,688 -c----w c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-10-17 02:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:31 22,752 -c----w c:\windows\ie7updates\KB960714-IE7\spcustom.dll
+ 2007-03-06 01:22:33 14,048 -c----w c:\windows\ie7updates\KB960714-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst.exe
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:56 716,000 -c----w c:\windows\ie7updates\KB960714-IE7\update.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\updspapi.dll
- 2004-08-03 22:56:42 61,440 ----a-w c:\windows\system32\admparse.dll
+ 2007-08-13 18:39:20 71,680 ----a-w c:\windows\system32\admparse.dll
- 2004-08-03 22:56:42 99,840 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2004-08-03 22:56:42 61,440 -c--a-w c:\windows\system32\dllcache\admparse.dll
+ 2007-08-13 18:39:20 71,680 -c--a-w c:\windows\system32\dllcache\admparse.dll
- 2004-08-03 22:56:42 99,840 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2006-06-03 11:40:49 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll
+ 2007-08-13 18:54:10 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll
- 2008-02-16 08:59:35 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-02-16 08:59:35 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2004-08-03 22:56:44 38,912 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
+ 2007-08-13 18:18:02 60,416 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
- 2004-08-03 22:56:52 34,304 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-03 22:56:44 139,264 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-03 22:56:44 216,576 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2001-08-23 11:00:00 221,184 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2004-08-03 22:56:44 323,584 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-02-15 09:23:37 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2007-08-13 18:44:02 69,120 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2008-02-16 08:59:35 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 18:54:10 191,488 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2004-08-03 22:56:44 48,640 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2004-08-03 22:56:44 62,976 -c--a-w c:\windows\system32\dllcache\iesetup.dll
+ 2007-08-13 18:39:12 55,296 -c--a-w c:\windows\system32\dllcache\iesetup.dll
- 2004-08-03 22:56:52 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2004-08-03 22:56:44 35,840 -c--a-w c:\windows\system32\dllcache\imgutil.dll
+ 2007-08-13 18:36:06 36,352 -c--a-w c:\windows\system32\dllcache\imgutil.dll
- 2008-02-16 08:59:35 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2007-08-13 18:39:02 92,672 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2008-02-16 08:59:35 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-03 22:56:44 22,016 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 18:44:18 40,960 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-03 22:56:54 29,184 -c--a-w c:\windows\system32\dllcache\mshta.exe
+ 2007-08-13 18:32:30 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
- 2008-02-16 22:29:38 3,059,712 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-02-16 08:59:37 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-03 22:56:16 56,832 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
+ 2007-08-13 18:01:12 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
- 2001-08-23 11:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msls31.dll
+ 2007-08-13 18:54:10 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
- 2008-02-16 08:59:37 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-02-16 08:59:37 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2004-08-03 22:56:46 96,256 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-02-16 08:59:37 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-03 22:56:48 37,888 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-02-16 08:59:38 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2007-06-26 15:13:22 851,968 -c--a-w c:\windows\system32\dllcache\vgx.dll
+ 2008-05-27 17:23:58 765,952 -c--a-w c:\windows\system32\dllcache\vgx.dll
- 2004-08-03 22:56:48 276,480 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-02-16 08:59:39 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
- 2008-02-16 08:59:35 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ------w c:\windows\system32\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ------w c:\windows\system32\dxtrans.dll
- 2008-02-16 08:59:35 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2004-08-03 22:56:52 34,304 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2004-08-03 22:56:44 139,264 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
- 2004-08-03 22:56:44 216,576 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
- 2001-08-23 11:00:00 221,184 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\system32\ieapfltr.dat
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2004-08-03 22:56:44 323,584 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-02-16 08:59:35 251,392 ----a-w c:\windows\system32\iepeers.dll
+ 2007-08-13 18:54:10 191,488 ----a-w c:\windows\system32\iepeers.dll
- 2004-08-03 22:56:44 48,640 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2004-08-03 22:56:44 62,976 ----a-w c:\windows\system32\iesetup.dll
+ 2007-08-13 18:39:12 55,296 ----a-w c:\windows\system32\iesetup.dll
- 2008-08-22 03:06:24 36,864 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2007-08-13 18:54:10 180,736 ------w c:\windows\system32\ieui.dll
- 2004-08-03 22:56:44 35,840 ----a-w c:\windows\system32\imgutil.dll
+ 2007-08-13 18:36:06 36,352 ----a-w c:\windows\system32\imgutil.dll
- 2008-02-16 08:59:35 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2007-08-13 18:39:02 92,672 ----a-w c:\windows\system32\inseng.dll
- 2008-02-16 08:59:35 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\jsproxy.dll
- 2004-08-03 22:56:44 22,016 ----a-w c:\windows\system32\licmgr10.dll
+ 2007-08-13 18:44:18 40,960 ----a-w c:\windows\system32\licmgr10.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 18:36:40 12,288 ------w c:\windows\system32\msfeedssync.exe
- 2004-08-03 22:56:54 29,184 ----a-w c:\windows\system32\mshta.exe
+ 2007-08-13 18:32:30 45,568 ----a-w c:\windows\system32\mshta.exe
- 2008-02-16 22:29:38 3,059,712 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-02-16 08:59:37 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\mshtmled.dll
- 2004-08-03 22:56:16 56,832 ----a-w c:\windows\system32\mshtmler.dll
+ 2007-08-13 18:01:12 48,128 ----a-w c:\windows\system32\mshtmler.dll
- 2001-08-23 11:00:00 146,432 ----a-w c:\windows\system32\msls31.dll
+ 2007-08-13 18:54:10 156,160 ----a-w c:\windows\system32\msls31.dll
- 2008-02-16 08:59:37 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
- 2008-02-16 08:59:37 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
- 2004-08-03 22:56:46 96,256 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
- 2008-02-16 08:59:37 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ------w c:\windows\system32\pngfilt.dll
- 2004-08-03 22:56:48 37,888 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-02-16 08:59:38 615,936 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2004-08-03 22:56:48 276,480 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2007-08-13 18:45:16 206,336 ------w c:\windows\system32\WinFXDocObj.exe
- 2008-06-12 11:28:02 121,856 ----a-w c:\windows\system32\xmllite.dll
+ 2006-07-14 15:51:51 121,856 ----a-w c:\windows\system32\xmllite.dll
+ 2009-01-07 11:46:22 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_598.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
2008-05-21 00:43 1526296 --------- c:\program files\TorrentMan\tbTorr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-21 1526296]

[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-02-18 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" [2003-09-11 99840]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-01-31 385024]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]

c:\documents and settings\n\Start Menu\Programs\Startup\AutorunsDisabled
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-08 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-02-07 45056]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2006-02-18 161264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-05 09:40 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.rtmp"= Roxio_DivX.dll

[HKLM\~\startupfolder\C:^Documents and Settings^n^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\n\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--------- 2007-08-28 12:00 531272 c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2006-02-18 12:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Adeline's stuff\\projects\\cametrics\\HydraUI.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"\\\\Computer\\print_engine_xaar\\bin\\HydraUI.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 97928]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R4 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-02-01 4096]
R4 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-02-01 78208]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-07 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2008-12-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2009-01-06 c:\windows\Tasks\User_Feed_Synchronization-{9946D844-846A-45F7-8771-41D02314ADA5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

c:\windows\Downloaded Program Files\TraderMediaX.ocx - O16 -: {2A493D5F-8914-4D3E-8BF3-767F281862F4}
hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
FF - ProfilePath - c:\documents and settings\n\Application Data\Mozilla\Firefox\Profiles\k1mtdnro.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\n\Application Data\Mozilla\Firefox\Profiles\k1mtdnro.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 12:00:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\avgrsstx.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-07 12:02:56
ComboFix-quarantined-files.txt 2009-01-07 12:02:53
ComboFix2.txt 2009-01-05 11:28:54

Pre-Run: 1,705,275,392 bytes free
Post-Run: 1,842,626,560 bytes free

558 --- E O F --- 2009-01-07 08:06:41

#14 Nodracol

Nodracol
  • Topic Starter

  • Members
  • 25 posts

Posted 07 January 2009 - 07:27 AM

Hi Shelflife,
I've discovered that the two files you referred to were linked to a screensaver which was a free download. I have uninstalled the screensaver but they were not deleted from the SYSTEM32 folder. So I have now deleted them manually. One last question, do you think my problem would have been the reason why I could not get System Restore to complete? I am going to retry to see if that works now as well.

Happy New Year to you and your team.

#15 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts

Posted 07 January 2009 - 07:35 PM

Hi,

OK, thanks for the info. You can remove ComboFix like this:
Start > Run
type in combofix /u
click OK or Enter
Note: There is a space after the x and before the /

"reason why I could not get System Restore to complete?"

No, I don't think so. You could try turning it off, rebooting, then turning it back on. This will cause you to lose all previous restore points though. May not be a good idea.

You can try this to make sure the service is running:
Start > Run and type in
cmd
click OK or Enter

at the prompt
type in:

net start srservice

How Can I Reduce My Risk to Malware?
