
Win XP Home - Won't Load Beyond Desktop Wallpaper


12 replies to this topic

#1 blueciv07


Posted 19 January 2009 - 05:14 PM

My mother is having some problems with her computer, and without being there to see it, it's difficult to troubleshoot. She refuses to get anyone out there, and since I've seen numerous people being helped here, I thought someone might be able to provide some instructions that I can relay to her to figure out what type of virus or issue she has and help troubleshoot. She isn't extremely technology savvy, but I can hopefully help her over the phone if there are any issues.

She is prone to getting viruses as I remove them regularly from her computer.

I am only relaying information here, so I am not sure exactly what happened or all of the steps taken. Hopefully, this can help:

She has a Dell desktop (I believe it's a Dimension).
It's a relatively older PC.
System Info: Windows XP Home
Uses: Cox (McAfee) Security Suite

She has cable internet, and thus, the internet is on all the time. She rarely shuts down her computer.

Apparently, one day, she came home and the screen was black. Upon rebooting, it let her enter her password, and it loaded her desktop background, but nothing would load from there. She tried to go into safe mode, but it wouldn't load either. She tried to restore her computer to an earlier point, and that didn't seem to work.

Eventually, after rebooting constantly, she was able to get on the computer. She sent me some of the processes running, but out of the ones she sent, they were either normal processes or hard to tell if they could be viruses disguised as normal processes.

Malwarebytes ran but only deleted cookies and temporary internet files, and CCleaner didn't find much. She was receiving antivirus popups quite frequently saying that she wasn't protected.

The next day, she came back, and it was "shot" again. The same issues were occurring. When she tried to press Control+Alt+Delete after only her desktop background loaded, it said that this was disabled by the administrator. She's the administrator on the computer, and there isn't any obvious new account created (unless it isn't showing when you reboot).

Anyway, she was finally able to boot in Safe Mode (with networking), where she is now. She is scared to reboot as then she may lose access again.

The Geek Squad told her it sounded like some sort of hijacked situation.

I should also note that she does not have the CDs to the computer right now.


Could someone help us proceed? (Sorry for the long post. I wanted to provide as much info as possible.)

{Mod Edit; Moved from XP to AII~~boopme}

Edited by boopme, 19 January 2009 - 08:37 PM.



#2 Budapest


Posted 19 January 2009 - 06:49 PM

You could try the following scan. It can be copied over from another computer on a pen drive or CD if you're having trouble downloading files on the problem computer.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 blueciv07


Posted 20 January 2009 - 03:28 PM

Okay, she printed the instructions and tried to follow them, but it wouldn't let her open the program to run the scan. She couldn't remember the exact message (but she can check later if you need the exact message), but she said it was something about opposing/conflicting programs or the like.

Edited by blueciv07, 20 January 2009 - 03:45 PM.


#4 Budapest


Posted 20 January 2009 - 04:26 PM

Yeah - the exact error message would help.

One thing to try is to rename the drweb-cureit.exe to something else, such as abcde.bat, and then try to run it.

#5 blueciv07


Posted 20 January 2009 - 05:51 PM

She renamed it. The disclaimer came up...Publisher could not be verified. Are you sure you want to run this program. She clicked yes then received this message:
Software version conflict. Installation aborted.

(Thanks so much for your help!)


New development: Now there is an icon on the desktop that says "G*y Fetish S*x." She tried to delete it, it disappeared and then came right back.
She said this wasn't there before, and she definitely didn't put it there ;-)
When she right clicked and selected Properties so that she could tell me the file extension, a pop up came up that said something about system performance had degraded, mentioned malware, and told her to run some scan. But the properties on the file won't load.

She also says there is a new program called "Rapid Antivirus" that wasn't there yesterday. She ended this via the Task Manager. (This started running again later. It said it removed a key logger.)

Another popup came up while I was on the phone that said: Error check connection. Network connection is now restricted. Abnormal network activity detected. Probably cause: Spyware Detection.

Malwarebytes still won't load.

She tried to delete the Rapid Antivirus, and her computer shut down. She got another message: Unregistered copy of rapid antivirus found. Microsoft security recommends...She went to add/remove programs and saw that she has Spyware Guard 2008. She tried to delete it, and it said that there was an error.

(Looks Like a Trojan issue. Just need some advice on where to go from there.)

She is constantly receiving popups that say things about spyware and system compromised. Rapid Antivirus is not in the programs list. Since she said there is no Start Bar in Safe Mode, I don't know how to tell her to check her Programs folder to see if it's there.

Finally, the properties came up on G*y Fetish S*x.
Read Only
Created Yesterday
It wouldn't let her delete this either.

(Sorry, I'm adding to this every time she tells me new things.)

I've seen at least one thread about it here, but the one I found doesn't seem to mention a solution.

Edited by blueciv07, 20 January 2009 - 06:24 PM.


#6 Calo


Posted 20 January 2009 - 06:48 PM

If Explorer isn't opening sometimes...

Well, one thing it could be is Google Desktop, assuming it's installed.

I fix computers and I've come across it a good few times.
Go into Task Manager (Ctrl-Alt-Del), then click File, then Run, and type "appwiz.cpl". This will open the Add/Remove window. From there, uninstall Google Desktop and then reboot; it may fix the problem.

It's a very useful tip to all reading; it took me hours to figure out it was causing explorer.exe not to load.

Anyway, I would advise just downloading SDFix. You can use that in Safe Mode; use a USB stick to transfer it to the PC if you don't have internet access on the PC being worked on.
After SDFix has run and rebooted into normal mode, run Malwarebytes, SuperAntiSpyware, and Spyware Doctor from Google Pack (it's free), then do a defrag and a checkdisk. It should be brand new then. Well, nearly. Haha.

Edited by garmanma, 20 January 2009 - 07:37 PM.


#7 Budapest


Posted 20 January 2009 - 09:02 PM

Trying to run SDfix is not a bad idea.

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#8 blueciv07


Posted 21 January 2009 - 06:22 PM

She followed the instructions given in that link - I emailed them to her.
When she went to the link provided for SDFix, it said "Page Cannot Be Displayed"
So, she typed in SDFix (in her toolbar to search), and it took her to sdfix.org. It asked her to download Spyware Cease. She clicked Download, but thought it might be wrong, so she cancelled it. But it's still on her desktop.

Also, her Safe Mode is blank. The only way she's getting to programs is to use the Task Manager.

How should we proceed?

Edited by blueciv07, 21 January 2009 - 06:25 PM.


#9 Budapest


Posted 21 January 2009 - 06:28 PM

Download this file and then double-click on it to install Malwarebytes.

http://www.besttechie.net/tools/mbam-setup.exe

If it won't install try renaming the mbam-setup.exe file.

Let us know if you can get it installed.

#10 blueciv07


Posted 21 January 2009 - 07:48 PM

She already has that installed on her computer (as I used it to remove Malware last time I was at her house, haha), and it won't run. When she attempts to run it, it does nothing.

(Sorry, I feel like I'm "shooting down" all your suggestions. But I promise she's trying them.)

Edited by blueciv07, 21 January 2009 - 07:49 PM.


#11 Budapest


Posted 21 January 2009 - 08:58 PM

Rename this file to something else (such as abcde.bat):

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Then double click the file and see if Malwarebytes starts.

#12 blueciv07


Posted 24 January 2009 - 06:15 PM

Okay, I was able to look at this personally. There are so many things wrong here, where do I begin? I ended some potentially harmful processes, tried to rename Malwarebytes, and it still wouldn't run. I ran CCleaner, and it worked, but it clearly didn't delete the issues.

She wasn't able to get to the SDFix link, so I sent it to her in an instant message. It ran, and it said it deleted a bunch of stuff, but after the restart, the last check was not performed. Windows wouldn't open beyond the desktop wallpaper. I opened her back up in Safe Mode, and the popups are still occurring, dirty programs and icons won't delete, and the processes that SDFix said it deleted are still running. She keeps getting weird blue screens and the computer "restarts" with a Windows screen mentioning Rapid Antivirus.

I also deleted several folders from the program files including "Rapid Antivirus." It also keeps scanning her computer.

SDFix Report:

System Report
*************

Run on Sat 01/24/2009 at 06:03 PM

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\??\C:\WINDOWS\system32\csrss.exe [404]
\??\C:\WINDOWS\system32\winlogon.exe [428]
C:\WINDOWS\system32\services.exe [476]
C:\WINDOWS\system32\lsass.exe [488]
C:\WINDOWS\system32\svchost.exe [664]
C:\WINDOWS\system32\svchost.exe [768]
C:\WINDOWS\System32\svchost.exe [932]
C:\WINDOWS\System32\svchost.exe [984]
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [1252]
C:\Program Files\McAfee\MPF\MPFSrv.exe [1308]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [1920]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [112]
C:\WINDOWS\system32\msiconf.exe [188]
C:\WINDOWS\System32\svchost.exe [268]
C:\WINDOWS\system32\taskmgr.exe [304]


Drivers - Running:

ACPI
AFD
agp440
AN983
atapi
Beep
Cdfs
Cdrom
DcCam
Disk
Fdc
Flpydisk
FltMgr
Ftdisk
Gpc
i8042prt
Imapi
IntelIde
IpFilterDriver
IpNat
IPSec
isapnp
Kbdclass
KSecDD
mfehidk
Mouclass
MountMgr
MPFP
MRxSmb
Msfs
mssmbios
Mup
NDIS
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
Npfs
Ntfs
Null
PartMgr
PCI
PptpMiniport
PSched
Ptilink
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
redbook
sr
Srv
swenum
Tcpip
TermDD
Update
usbhub
usbuhci
VgaSave
VolSnap
WS2IFSL


Drivers - Stopped:

Abiosdsk
abp480n5
ac97intc
ACPIEC
adpu160m
aec
Aha154x
aic78u2
aic78xx
AliIde
amsint
asc
asc3350p
asc3550
AsyncMac
Atdisk
ati2mpaa
ati2mtaa
Atmarpc
audstub
catchme
cbidf2k
cd20xrnt
Cdaudio
Changer
CmdIde
Cpqarray
dac960nt
DcFpoint
DCFS2K
DcLps
DcPTP
dmboot
dmio
dmload
DMusic
dpti2o
drmkaud
Exportit
Fastfat
Fips
GT680x
HCF_MSFT
HidUsb
hpn
hpt3xx
HTTP
i2omgmt
i2omp
ini910u
ip6fw
IpInIp
IRENUM
kmixer
lbrtfdc
mfeavfk
mfebopk
mferkdk
mfesmfk
mnmdd
Modem
mraid35x
MRxDAV
MSKSSRV
MSPCLOCK
MSPQM
NwlnkFlt
NwlnkFwd
Pandrv
Parport
ParVdm
PCIDump
PCIIde
Pcmcia
PDCOMP
PDFRAME
PDRELI
PDRFRAME
perc2
perc2hib
Processor
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RDPWD
Secdrv
serenum
Serial
Sfloppy
Simbad
Sparrow
splitter
StillCam
swmidi
symc810
symc8xx
sym_hi
sym_u3
sysaudio
TDPIPE
TDTCP
TosIde
Udfs
ultra
usbccgp
usbprint
usbscan
USBSTOR
USB_RNDIS
ViaIde
Wanarp
WDICA
wdmaud


Services - Running:

DcomLaunch
Dnscache
Eventlog
helpsvc
LmHosts
mcmscsvc
MpfService
PlugPlay
RpcSs
winmgmt


Services - Stopped:

0319171230573593mcinstcleanup
6to4
afisicx
Alerter
ALG
AppMgmt
aspnet_state
AudioSrv
BITS
Browser
cisvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
CryptSvc
Dcfssvc
Dhcp
dmadmin
dmserver
Dot3svc
EapHost
ERSvc
EventSystem
FastUserSwitchingCompatibility
gusvc
HidServ
hkmsvc
HTTPFilter
ImapiService
lanmanserver
lanmanworkstation
mabidwe
McAfee
McNASvc
McODS
McProxy
McShield
McSysmon
Messenger
mnmsrvc
MSDTC
MSIServer
napagent
NetDDE
NetDDEdsdm
Netlogon
Netman
Nla
noxtcyr
noytcyr
NtLmSsp
NtmsSvc
ose
PolicyAgent
ProtectedStorage
RasAuto
RasMan
RDSessMgr
RemoteAccess
roxtctm
roytctm
RpcLocator
RSVP
SamSs
SCardSvr
Schedule
seclogon
SENS
seuictol
SharedAccess
ShellHWDetection
solewxte
sotpeca
soxpeca
Spooler
srservice
SSDPSRV
stisvc
SwPrv
SysmonLog
TapiSrv
tdydowkc
TermService
Themes
TrkWks
upnphost
UPS
VSS
W32Time
WebClient
WmdmPmSN
WmiApSrv
wscsvc
wsldoekd
wuauserv
WZCSVC
xmlprov


Files Created/Modified - 60 Days:


C:\

Jan 24 2009 5:57:34p 402,653,184 A.SH. "C:\pagefile.sys"


C:\WINDOWS\

Jan 24 2009 5:57:42p 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
Jan 13 2009 8:54:18a 133,120 A.... "C:\WINDOWS\ikuzucow.dll"
Jan 11 2009 5:53:12p 132,608 A.... "C:\WINDOWS\omasatox.dll"
Jan 7 2009 6:02:48a 134,149 A.... "C:\WINDOWS\reged.exe"
Jan 11 2009 5:41:00p 40,448 A.... "C:\WINDOWS\Rtoziroquqofoli.dll"
Jan 7 2009 6:02:48a 51,197 A.... "C:\WINDOWS\spoolsystem.exe"
Jan 7 2009 6:02:48a 50,620 A.... "C:\WINDOWS\sys.com"
Jan 7 2009 6:02:48a 47,872 A.... "C:\WINDOWS\syscert.exe"
Jan 7 2009 6:02:48a 1,003,957 A.... "C:\WINDOWS\sysexplorer.exe"
Jan 7 2009 6:02:48a 18,941 A.... "C:\WINDOWS\vmreg.dll"
Jan 12 2009 9:08:36p 129,024 A.... "C:\WINDOWS\system32\bvvbvxsc.dll"
Jan 12 2009 9:11:22p 72,704 A.... "C:\WINDOWS\system32\cnywhtvx.dll"
Jan 11 2009 11:29:44p 22,528 A.... "C:\WINDOWS\system32\digeste.dll"
Jan 12 2009 1:15:32a 72,704 A.... "C:\WINDOWS\system32\dklutobi.dll"
Jan 9 2009 1:09:02a 129,024 A.... "C:\WINDOWS\system32\fkdthenc.dll"
Jan 24 2009 5:50:42p 213,672 A.... "C:\WINDOWS\system32\FNTCACHE.DAT"
Jan 12 2009 1:12:32a 129,024 A.... "C:\WINDOWS\system32\geivagag.dll"
Dec 9 2008 6:24:38p 17,593,280 A.... "C:\WINDOWS\system32\MRT.exe"
Jan 13 2009 8:58:28p 33,280 A.... "C:\WINDOWS\system32\msfacat32.dll"
Dec 13 2008 1:40:02a 3,593,216 A.... "C:\WINDOWS\system32\mshtml.dll"
Jan 24 2009 6:00:34p 83,456 A.... "C:\WINDOWS\system32\msiconf.exe"
Dec 9 2008 9:43:12p 60,624 A.... "C:\WINDOWS\system32\perfc009.dat"
Dec 9 2008 9:43:12p 400,464 A.... "C:\WINDOWS\system32\perfh009.dat"
Jan 8 2009 1:14:20a 129,024 A.... "C:\WINDOWS\system32\psxfkyfx.dll"
Jan 12 2009 1:12:32a 129,024 A.... "C:\WINDOWS\system32\qesinn.dll"
Jan 11 2009 1:14:18a 129,024 A.... "C:\WINDOWS\system32\qrghmhbq.dll"
Jan 19 2009 9:34:32p 69,632 A.... "C:\WINDOWS\system32\svcnost.exe"
Jan 19 2009 9:34:32p 167,936 A.... "C:\WINDOWS\system32\tx17860.dll"
Jan 13 2009 7:20:40a 384,000 A.... "C:\WINDOWS\system32\winscenter.exe"
Jan 10 2009 1:19:26a 129,024 A.... "C:\WINDOWS\system32\wjhroqva.dll"
Jan 7 2009 1:07:32a 129,024 A.... "C:\WINDOWS\system32\wjpmgvpe.dll"
Jan 19 2009 9:34:32p 167,936 A.... "C:\WINDOWS\system32\wtx17860.dll"
Jan 12 2009 9:08:36p 129,024 A.... "C:\WINDOWS\system32\xgpawc.dll"
Jan 10 2009 1:16:26a 72,704 A.... "C:\WINDOWS\system32\xvcqixnm.dll"
Jan 11 2009 11:29:46p 36,352 ..... "C:\WINDOWS\system32\xxyvusQi.dll"
Jan 3 2009 11:54:50p 302,592 A.... "C:\WINDOWS\system32\xxyxVlLD.dll"
Jan 24 2009 5:56:04p 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
Jan 24 2009 5:22:52a 28,677 A.... "C:\WINDOWS\Temp\100.tmp"
Jan 24 2009 5:42:54a 77,835 A.... "C:\WINDOWS\Temp\101.tmp"
Jan 24 2009 6:01:56p 2,114 A.... "C:\WINDOWS\Temp\scs5.tmp"
Jan 24 2009 5:43:30a 0 A.... "C:\WINDOWS\Temp\_ad102.exe"
Jan 24 2009 5:43:12a 0 A.... "C:\WINDOWS\Temp\_ad102.tmp"
Dec 13 2008 1:40:02a 3,593,216 A.... "C:\WINDOWS\system32\dllcache\mshtml.dll"
Jan 24 2009 4:48:26p 578,560 A.... "C:\WINDOWS\system32\dllcache\user32.dll"
Dec 3 2008 7:52:34p 15,504 A.... "C:\WINDOWS\system32\drivers\mbam.sys"
Dec 3 2008 7:52:38p 38,496 A.... "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
Dec 9 2008 9:38:18p 32,004 A.... "C:\WINDOWS\system32\oobe\updshell.htm"
Jan 24 2009 5:53:50p 16,384 A.SH. "C:\WINDOWS\Temp\Cookies\index.dat"
Dec 9 2008 9:16:02p 77,423 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\OfflineCache\index.dat"
Dec 9 2008 9:13:52p 11,372 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\DellSystem.htm"
Dec 9 2008 9:13:54p 1,965 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\dell_content.htm"
Dec 9 2008 9:13:54p 1,969 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\dell_content1.htm"
Dec 9 2008 9:13:54p 1,975 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\dell_content2.htm"
Dec 9 2008 9:13:54p 1,971 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\dell_content3.htm"
Dec 9 2008 9:38:18p 5,579 A.... "C:\WINDOWS\system32\oobe\setup\autoupdt.htm"
Dec 9 2008 9:38:18p 13,568 A.... "C:\WINDOWS\system32\oobe\setup\au_plcy.htm"
Jan 24 2009 5:53:50p 16,384 A.SH. "C:\WINDOWS\Temp\History\History.IE5\index.dat"
Jan 24 2009 5:53:50p 32,768 A.SH. "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat"
Dec 9 2008 9:13:52p 627 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Connection.htm"
Dec 9 2008 9:13:52p 2,722 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineOptions.htm"
Dec 9 2008 9:13:52p 13,050 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineDC.htm"
Dec 9 2008 9:13:52p 30,494 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\pss_getting_worldwide_help.htm"
Dec 9 2008 9:13:46p 2,843 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\confirm.htm"
Dec 9 2008 9:13:56p 16,167 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm"
Dec 9 2008 9:13:56p 5,403 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm"
Dec 9 2008 9:13:48p 1,633 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm"
Dec 9 2008 9:13:48p 2,317 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RAHelp.htm"
Dec 9 2008 9:13:56p 5,930 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm"
Dec 9 2008 9:13:46p 3,332 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm"
Dec 9 2008 9:13:46p 2,630 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm"
Dec 9 2008 9:13:46p 4,437 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm"
Dec 9 2008 9:13:46p 321 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm"
Dec 9 2008 9:13:56p 3,425 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm"
Dec 9 2008 9:13:48p 4,805 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm"
Dec 9 2008 9:13:56p 8,096 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm"
Dec 9 2008 9:13:48p 7,662 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm"
Dec 9 2008 9:13:48p 8,445 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm"
Dec 9 2008 9:13:48p 5,207 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm"
Dec 9 2008 9:13:46p 4,374 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm"
Dec 9 2008 9:13:46p 14,765 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm"
Dec 9 2008 9:13:56p 30,465 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm"
Dec 9 2008 9:13:48p 1,290 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm"
Dec 9 2008 9:13:56p 3,282 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm"
Dec 9 2008 9:13:48p 13,433 A.... "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\UnSolicitedRCUI.htm"


C:\Program Files\

Dec 19 2008 1:28:02p 1,434,864 A.... "C:\Program Files\CCleaner\CCleaner.exe"
Dec 26 2008 12:13:44p 114,658 A.... "C:\Program Files\CCleaner\uninst.exe"
Jan 24 2009 6:03:28p 83,456 A.... "C:\Program Files\Common Files\AvBAG53jkrx.exe"
Jan 19 2009 9:34:22p 117,760 A.... "C:\Program Files\Common Files\dRp6PJ53WU.exe"
Jan 19 2009 9:34:22p 174,080 A.... "C:\Program Files\Common Files\Ndm353a2rL.exe"
Dec 3 2008 7:52:32p 380,048 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam-dor.exe"
Dec 3 2008 7:52:32p 73,360 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll"
Dec 3 2008 7:52:32p 1,265,296 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
Dec 3 2008 7:52:34p 73,360 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
Dec 3 2008 7:52:34p 399,504 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe"
Dec 3 2008 7:52:34p 170,640 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
Dec 3 2008 7:52:36p 44,688 A.... "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
Dec 26 2008 12:12:24p 8,583 A.... "C:\Program Files\Malwarebytes' Anti-Malware\unins000.dat"
Dec 26 2008 12:11:42p 688,784 A.... "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Dec 3 2008 7:52:36p 77,968 A.... "C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll"
Dec 18 2008 9:33:50p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1063.dll"
Dec 18 2008 9:34:22p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1071.dll"
Dec 18 2008 9:34:34p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1066.dll"
Dec 18 2008 9:34:30p 22,016 A.... "C:\Program Files\CCleaner\Lang\lang-1050.dll"
Dec 18 2008 9:33:16p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1030.dll"
Dec 18 2008 9:33:40p 23,552 A.... "C:\Program Files\CCleaner\Lang\lang-1040.dll"
Dec 18 2008 9:34:12p 24,576 A.... "C:\Program Files\CCleaner\Lang\lang-1034.dll"
Dec 18 2008 9:33:54p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1044.dll"
Dec 18 2008 9:33:38p 23,040 A.... "C:\Program Files\CCleaner\Lang\lang-1038.dll"
Dec 18 2008 9:33:10p 11,776 A.... "C:\Program Files\CCleaner\Lang\lang-1028.dll"
Dec 18 2008 9:34:06p 22,016 A.... "C:\Program Files\CCleaner\Lang\lang-1048.dll"
Dec 18 2008 9:33:28p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1110.dll"
Dec 18 2008 9:32:50p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1051.dll"
Dec 18 2008 9:34:12p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1055.dll"
Dec 18 2008 9:33:04p 19,456 A.... "C:\Program Files\CCleaner\Lang\lang-1025.dll"
Dec 18 2008 9:33:22p 23,040 A.... "C:\Program Files\CCleaner\Lang\lang-1035.dll"
Dec 18 2008 9:33:58p 22,016 A.... "C:\Program Files\CCleaner\Lang\lang-1045.dll"
Dec 18 2008 9:33:12p 20,480 A.... "C:\Program Files\CCleaner\Lang\lang-1029.dll"
Dec 18 2008 9:32:52p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-1052.dll"
Dec 18 2008 9:33:32p 26,112 A.... "C:\Program Files\CCleaner\Lang\lang-1032.dll"
Dec 18 2008 9:33:48p 11,776 A.... "C:\Program Files\CCleaner\Lang\lang-1042.dll"
Dec 18 2008 9:34:24p 24,064 A.... "C:\Program Files\CCleaner\Lang\lang-1026.dll"
Dec 18 2008 9:33:26p 24,576 A.... "C:\Program Files\CCleaner\Lang\lang-1036.dll"
Dec 18 2008 9:34:04p 24,576 A.... "C:\Program Files\CCleaner\Lang\lang-1046.dll"
Dec 18 2008 9:33:18p 24,576 A.... "C:\Program Files\CCleaner\Lang\lang-1043.dll"
Dec 18 2008 9:33:00p 23,040 A.... "C:\Program Files\CCleaner\Lang\lang-1027.dll"
Dec 18 2008 9:33:34p 18,944 A.... "C:\Program Files\CCleaner\Lang\lang-1037.dll"
Dec 18 2008 9:32:58p 22,016 A.... "C:\Program Files\CCleaner\Lang\lang-1031.dll"
Dec 18 2008 9:33:44p 14,848 A.... "C:\Program Files\CCleaner\Lang\lang-1041.dll"
Dec 18 2008 9:34:10p 20,992 A.... "C:\Program Files\CCleaner\Lang\lang-1049.dll"
Dec 18 2008 9:32:54p 22,016 A.... "C:\Program Files\CCleaner\Lang\lang-1053.dll"
Dec 18 2008 9:34:00p 25,088 A.... "C:\Program Files\CCleaner\Lang\lang-2070.dll"
Dec 18 2008 9:33:06p 11,776 A.... "C:\Program Files\CCleaner\Lang\lang-2052.dll"
Dec 18 2008 9:34:20p 20,992 A.... "C:\Program Files\CCleaner\Lang\lang-2074.dll"
Dec 18 2008 9:34:16p 20,992 A.... "C:\Program Files\CCleaner\Lang\lang-3098.dll"
Dec 18 2008 9:34:28p 21,504 A.... "C:\Program Files\CCleaner\Lang\lang-5146.dll"
Dec 5 2008 3:51:06p 293,152 A.... "C:\Program Files\McAfee\SiteAdvisor\McBrwctl.dll"
Dec 5 2008 3:51:06p 206,096 A.... "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe"
Dec 5 2008 3:51:08p 56,752 A.... "C:\Program Files\McAfee\SiteAdvisor\McSACorePS.dll"
Dec 5 2008 3:51:10p 14,032 A.... "C:\Program Files\McAfee\SiteAdvisor\sahook.dll"
Dec 5 2008 3:51:12p 200,368 A.... "C:\Program Files\McAfee\SiteAdvisor\saplugin.dll"
Dec 10 2008 9:09:56a 2,302,664 A.... "C:\Program Files\McAfee\SiteAdvisor\sares.dll"
Dec 5 2008 3:51:12p 364,704 A.... "C:\Program Files\McAfee\SiteAdvisor\saupkeep.dll"
Dec 5 2008 3:51:08p 86,104 A.... "C:\Program Files\McAfee\SiteAdvisor\uninstall.exe"
Dec 26 2008 10:45:06p 47 A.... "C:\Program Files\PopCap Games\Zuma Deluxe\hw.dat"
Jan 18 2009 2:20:54p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1.tmp"
Nov 24 2008 6:13:34p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP112.tmp"
Dec 4 2008 7:26:20p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP113B.tmp"
Dec 9 2008 5:16:48p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP17A.tmp"
Jan 5 2009 3:34:38p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP18F.tmp"
Jan 7 2009 8:13:28p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP190.tmp"
Jan 7 2009 8:13:52p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP193.tmp"
Dec 15 2008 4:44:18p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1A7.tmp"
Dec 15 2008 6:02:12p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1B0.tmp"
Dec 11 2008 5:15:48p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1BE.tmp"
Jan 5 2009 6:41:18p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1E0.tmp"
Dec 7 2008 4:23:22p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1F3.tmp"
Dec 23 2008 3:35:54p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP1FC.tmp"
Dec 7 2008 5:54:08p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP207.tmp"
Dec 29 2008 2:45:22p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP306.tmp"
Dec 29 2008 2:58:12p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP307.tmp"
Nov 25 2008 5:06:26p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP30F.tmp"
Dec 16 2008 6:03:30p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP328.tmp"
Dec 16 2008 6:03:42p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP329.tmp"
Jan 9 2009 4:03:04p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP39F.tmp"
Dec 17 2008 4:58:24p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP40D.tmp"
Jan 6 2009 7:33:44p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP41B.tmp"
Jan 12 2009 4:14:38p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP520.tmp"
Dec 30 2008 3:44:42p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP531.tmp"
Jan 12 2009 8:02:56p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP57E.tmp"
Jan 10 2009 8:24:16a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP5CF.tmp"
Dec 18 2008 4:50:24p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP64A.tmp"
Dec 31 2008 9:24:02a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMP6B8.tmp"
Nov 29 2008 7:44:18p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPA76.tmp"
Nov 30 2008 8:57:54a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPAA7.tmp"
Nov 30 2008 10:54:50a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPAB1.tmp"
Nov 30 2008 3:25:50p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPAD4.tmp"
Jan 2 2009 5:58:08p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPB0A.tmp"
Jan 3 2009 9:05:52a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC2D.tmp"
Dec 6 2008 4:41:44p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC4.tmp"
Dec 8 2008 9:53:22p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC5.tmp"
Dec 10 2008 5:30:28p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC6.tmp"
Dec 1 2008 6:41:54p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC6F.tmp"
Dec 14 2008 5:49:58p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC7.tmp"
Dec 22 2008 2:09:24p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC8.tmp"
Dec 27 2008 5:39:08p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPC9.tmp"
Jan 8 2009 4:46:44p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPCB.tmp"
Jan 11 2009 10:35:14a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDA.tmp"
Jan 12 2009 9:10:10p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDB.tmp"
Jan 12 2009 9:10:20p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDC.tmp"
Jan 13 2009 8:41:52p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDE.tmp"
Dec 1 2008 9:22:46p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDE0.tmp"
Dec 1 2008 9:37:34p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDE2.tmp"
Jan 16 2009 8:58:54p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPDF.tmp"
Jan 4 2009 11:00:56a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPE8D.tmp"
Nov 24 2008 9:39:10a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF1.tmp"
Dec 28 2008 4:34:28p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF2.tmp"
Nov 24 2008 9:39:26a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF3.tmp"
Nov 24 2008 9:56:56a 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF4.tmp"
Dec 28 2008 4:34:56p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF5.tmp"
Jan 17 2009 6:05:34p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF6.tmp"
Jan 18 2009 9:14:20p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF7.tmp"
Jan 19 2009 5:25:06p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPF8.tmp"
Jan 21 2009 5:24:18p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPFB.tmp"
Dec 14 2008 9:00:42p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPFD.tmp"
Jan 21 2009 6:31:18p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPFE.tmp"
Jan 23 2009 9:10:00p 239 A.... "C:\Program Files\Yahoo!\Messenger\TMPFF.tmp"
Jan 4 2009 7:07:22p 2,888 A.... "C:\Program Files\PopCap Games\Zuma Deluxe\userdata\highscores.dat"
Jan 4 2009 7:07:36p 279 A.... "C:\Program Files\PopCap Games\Zuma Deluxe\userdata\user1.dat"
Dec 27 2008 12:26:28p 19 A.... "C:\Program Files\PopCap Games\Zuma Deluxe\userdata\users.dat"
Jan 23 2009 9:29:30p 110 A.... "C:\Program Files\Yahoo!\Messenger\cache\pXLDGkySZH_jsEOKmvuPWw--.Display.dat"
Jan 23 2009 9:09:20p 0 A.... "C:\Program Files\Yahoo!\Messenger\cache\pXLDGkySZH_jsEOKmvuPWw--.ProfileMap.dat.tmp"
Jan 12 2009 3:41:06p 2,223,005 A...R "C:\Program Files\McAfee\VirusScan\DAT\5493.0\avvclean.dat"
Jan 12 2009 3:41:06p 1,034,861 A...R "C:\Program Files\McAfee\VirusScan\DAT\5493.0\avvnames.dat"
Jan 12 2009 3:41:06p 67,449,749 A...R "C:\Program Files\McAfee\VirusScan\DAT\5493.0\avvscan.dat"
Jan 13 2009 8:38:08p 5,047 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat"
Jan 13 2009 8:38:10p 11,494 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\chn.dat"
Jan 13 2009 8:40:02p 3,008 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs.dat"
Jan 13 2009 8:38:08p 2,816 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat"
Jan 13 2009 8:38:08p 2,720 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat"
Jan 13 2009 8:38:08p 3,008 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat"
Jan 13 2009 8:38:08p 3,008 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat"
Jan 13 2009 8:40:02p 5,206 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat"
Jan 13 2009 8:38:42p 226 A.... "C:\Program Files\KODAK\KODAK Software Updater\7288971\Users\Default\Data\3a2f\UserProf.dat"


Files with hidden attributes:

Wed 15 Oct 2008 633,632 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 16 May 2007 40,960 ...H. --- "C:\Documents and Settings\Sue\Desktop\~WRL0005.tmp"
Tue 12 Feb 2008 26,112 ...H. --- "C:\Documents and Settings\Sue\Desktop\~WRL2527.tmp"
Wed 16 May 2007 43,008 ...H. --- "C:\Documents and Settings\Sue\Desktop\~WRL3691.tmp"
Mon 29 Dec 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 29 Dec 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 22 Nov 2008 135 A..H. --- "C:\Documents and Settings\All Users\Application Data\avg8\scanlogs\srmcheck.tmp"


Program Folders:

C:\Program Files\

2K Play
Adobe
AIM
AOD
AVG
BearPaw 1200CS
BroadJump
CCleaner
Common Files
ComPlus Applications
EA GAMES
Electronic Arts
Google
Hewlett-Packard
hp deskjet 5550 series
Internet Explorer
Jasc Software Inc
Java
KODAK
Malwarebytes' Anti-Malware
Maxis
McAfee
McAfee.com
messenger
Microsoft ActiveSync
Microsoft Common
microsoft frontpage
Microsoft Games
Microsoft Office
Microsoft Works
Movie Maker
msn
NetMeeting
Online Services
Outlook Express
PopCap Games
QuickTime
Real
Sibelius Software
Temp
Ulead Systems
Uninstall Information
Viewpoint
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
Yahoo!
Zone Labs

C:\Program Files\Common Files\

Adobe
DESIGNER
InstallShield
Java
Kodak
McAfee
Microsoft Shared
MSSoap
ODBC
Real
Services
SpeechEngines
Symantec Shared
System
xing shared


Add/Remove Programs:

Adobe Flash Player ActiveX
Adobe Shockwave Player
AOL Instant Messenger
BearPaw 1200CS v1.3
CCleaner (remove only)
Crush'Em 2.0
ATP
hp deskjet 5550 series (Remove only)
hp instant support
hp print screen utility
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Microsoft Data Access Components KB870669
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB946648)
Hotfix for Windows Internet Explorer 7 (KB947864)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Update for Windows XP (KB951978)
Security Update for Windows Media Player (KB952069)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Update for Windows XP (KB955839)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows Internet Explorer 7 (KB960714)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Network Play System (Patching)
Microsoft National Language Support Downlevel APIs
Puzzl'Em 1.0 Beta2
QuickTime
RealPlayer
Ulead Photo Express 3.0 SE
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Genuine Advantage Notifications (KB905474)
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Toolbar
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Address AutoComplete
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
Yahoo! Install Manager
Zuma Deluxe 1.0
Kodak EasyShare software
Google Toolbar for Internet Explorer
Java™ 6 Update 2
upapp
Deal or No Deal
Windows Genuine Advantage v1.3.0254.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Office Standard Edition 2003
Adobe Reader 6.0.1
Microsoft .NET Framework 2.0 Service Pack 1
Works Synchronization
Paint Shop Pro 7
Google Toolbar for Internet Explorer
Works Suite OS Pack


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"workflo"="D:\\install\\workflow.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"MISAggregator"=""
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
"Sdazipidurayap"="rundll32.exe \"C:\\WINDOWS\\Rtoziroquqofoli.dll\",e"
"Rhewehucucaq"="rundll32.exe \"C:\\WINDOWS\\omasatox.dll\",e"
"5867fcf0"="rundll32.exe \"C:\\WINDOWS\\system32\\cnywhtvx.dll\",b"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00
"SDFix"="C:\\DOCUME~1\\ADMINI~1\\MYDOCU~1\\download\\sb556\\SDFix\\RunThis.bat /second"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"msiexec.exe"="msiconf.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\install1]
"SDFix"="C:\\DOCUME~1\\ADMINI~1\\MYDOCU~1\\download\\sb556\\SDFix\\RunThis.bat /second"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Security Center
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
START_TYPE : 2 AUTO_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
START_TYPE : 2 AUTO_START

SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"userinit"="C:\\WINDOWS\\system32\\twex.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E60A0B68-2F3C-A1D2-A901-9381E036D21A}"=""



Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
SAFEBOOT_OPTION REG_SZ NETWORK

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\xxyxVlLD\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc
<NO NAME> REG_SZ


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcods
<NO NAME> REG_SZ


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mfehidk
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mfehidk.sys
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mferkdk
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mferkdk.sys
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mfetdik
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mfetdik.sys
<NO NAME> REG_SZ Driver


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!

Edited by blueciv07, 24 January 2009 - 06:25 PM.


#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:34 PM

Posted 25 January 2009 - 03:03 PM

Try scanning with McAfee AVERT Stinger.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

