
cmd.exe, regedit crash, google search results redirected


  • This topic is locked
12 replies to this topic

#1 tizzo (Members, 21 posts, Location: FL)

Posted 14 April 2009 - 09:05 PM

I'm running Windows XP SP3.

I downloaded, installed, and updated AVG Antivirus Free edition (after discovering this infection), and let it run a scan, but it did not find anything.

I'm having a problem that I've seen others posting about elsewhere on the forums. Here's a link to the thread that exactly matches my symptoms:

http://www.bleepingcomputer.com/forums/t/206736/run-cmdexe-causes-explorer-to-crash/


The first thing I noticed is that cmd.exe crashes and takes explorer.exe with it (everything disappears but the wallpaper, and when it comes back most of what was in the taskbar is missing, though it's still running). I also tried with Task Manager running, and I can see explorer.exe disappear for a split second before reappearing. When I started searching for help on Google, I noticed the redirect problem as well. When I click a link in the Google results, I go to the page I selected, and then immediately past it to some other page. I can return to the page I wanted via the back button.

From a clean computer, I started researching, and came across the above-referenced thread elsewhere on Bleeping Computer that described my problem almost exactly. One thing I noticed that's a little different is that a few people said that if they change the name of cmd.exe to something else like cmd2.exe, they were able to run it. In my case, renaming/copying to cmd2.exe did not help, but renaming to something else (I used "completelydifferentname.exe") allowed me to get a command prompt.

Like others, I was unable to run DDS. Any attempt to do so, including by running it inside a cmd window using the technique described above, results in a blank CMD-looking window appearing briefly and then disappearing. It appears as though the malware I'm after is somehow blocking DDS from running.

Following the instructions at the above-referenced page to download and run RSIT since DDS doesn't work, I ran the RSIT tool and got the attached files.

I'd appreciate any help that anyone can offer. Thanks.

Tony

Attached Files

  • info.txt (13.66KB)
  • log.txt (49.88KB)



#2 tizzo (Topic Starter; Members, 21 posts, Location: FL)

Posted 15 April 2009 - 12:30 AM

After posting this, I was browsing other threads in which I saw someone request that log files be copied and pasted instead of attached, so I'm doing that here for the RSIT log files. Here they are:


info.txt logfile of random's system information tool 1.06 2009-04-14 22:00:26

======Uninstall list======

$100,000 Pyramid-->C:\PROGRA~1\100KPY~1\UNWISE.EXE /U C:\PROGRA~1\100KPY~1\INSTALL.LOG
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apache HTTP Server 2.0.55-->MsiExec.exe /I{3A862C7D-0504-48BC-AEF8-7F7479C7C158}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Data Lifeguard Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Documents To Go-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C89C4BEA-3B9A-414A-9392-9CE4EC5C63BF}\setup.exe" -vzUNINST
DVC-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99B98440-4A0D-11D5-8310-0050DABBB21D}\Setup.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXP$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Indeo® software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Indeo Uninstall.isu" -c"C:\WINDOWS\system32\SavedSystemFiles\indounin.dll"
Invoke Solutions Participant 5.5.0.1437-->"C:\Program Files\Invoke Solutions\Participant\5.5\unins000.exe"
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Keynote Connector-->C:\WINDOWS\DOWNLO~1\CONNEC~2.EXE /Uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Outburst-->C:\WINDOWS\IsUninst.exe -f"c:\program files\hasbro\Uninst.isu"
PDFCreator 0.8.0-->C:\Program Files\PDFCreator\unins000.exe
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pictionary-->C:\WINDOWS\unvise.exe C:\DOCUME~1\ALLUSE~1\DOCUME~1\GAMES\uninstal.log
Quicken 2007-->MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Smart Guardian-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{417E7710-C77B-4CB9-839A-D586A12C64E2}\setup.exe" -l0x9 -removeonly
Studio 8-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53EF6570-21A4-47ED-A40A-E6470A5677A3}\Setup.exe" -l0x9 UNINSTALL
TortoiseSVN-->MsiExec.exe /X{C2AA63A0-27E0-458B-862A-BEC09DEA5286}
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Display Driver 6.14.10.0099-->C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Vim 6.3 (self-installing)-->C:\Program Files\Vim\vim63\uninstall-gui.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip Command Line Support Add-On 1.1 SR-1-->C:\Program Files\WinZip\winzip32 /auninstall wzcline
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
Yahtzee-->C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

AV: AVG Anti-Virus Free
FW: ZoneAlarm Firewall

======System event log======

Computer Name: ZEBRA
Event Code: 7000
Message: The TrueVector Internet Monitor service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 13991
Source Name: Service Control Manager
Time Written: 20081024225211.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Record Number: 13990
Source Name: Service Control Manager
Time Written: 20081024225211.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 7000
Message: The mrtRate service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 13989
Source Name: Service Control Manager
Time Written: 20081024225211.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13982
Source Name: Tcpip
Time Written: 20081020103041.000000-240
Event Type: warning
User:

Computer Name: ZEBRA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13981
Source Name: Tcpip
Time Written: 20081016142856.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: ZEBRA
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 4261
Source Name: Userenv
Time Written: 20051105040707.000000-240
Event Type: warning
User: ZEBRA\Tony

Computer Name: ZEBRA
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 4253
Source Name: Application Hang
Time Written: 20051105013616.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 4229
Source Name: Application Hang
Time Written: 20051103154147.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 4206
Source Name: Application Hang
Time Written: 20051102104910.000000-240
Event Type: error
User:

Computer Name: ZEBRA
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 4182
Source Name: Application Hang
Time Written: 20051101163649.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\Subversion\bin
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0602
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"VERSION"=3.0.5.001
"SESSIONID"=1122358832337htx605618a9e64:10558d4b1ed:-3da1
"COLLECTIONID"=COL8143
"ITEMID"=dj-22741-15
"UPDATEDIR"=C:\DOCUME~1\Tony\LOCALS~1\Temp\rad54697.tmp
"TOOLPATH"=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
"HMSERVER"=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.18.20030627
"OSVER"=winXPP
"LANG"=1033
"TIMEOUT"=0
"tvdumpflags"=8

-----------------EOF-----------------




Logfile of random's system information tool 1.06 (written by random/random)
Run by Tony at 2009-04-14 22:00:03
Microsoft Windows XP Professional Service Pack 3
System drive C: has 209 GB (87%) free of 239 GB
Total RAM: 3006 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:20 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tony\My Documents\Downloaded Software\Tools\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Tony.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DynSite] C:\Program Files\NoelD\DynSite for Windows\DynSite.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www101.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112678302927
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232925368468
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://online.invokesolutions.com/events/b...iveCompTest.ocx
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/b...1437/MILive.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C3EBDFF-2EC7-48A4-AAC7-454D676539AE}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D365116A-BF4D-47EA-925C-1CC7D5972CF2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C3EBDFF-2EC7-48A4-AAC7-454D676539AE}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C3EBDFF-2EC7-48A4-AAC7-454D676539AE}: NameServer = 192.168.1.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{0C3EBDFF-2EC7-48A4-AAC7-454D676539AE}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9670 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Tony Nightly Backup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-04-14 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-25 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-25 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2004-12-20 33792]
"HPHUPD05"=C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-08-20 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-08-20 221184]
"HPHmon05"=C:\WINDOWS\system32\hphmon05.exe [2003-08-20 483328]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-25 136600]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"=C:\WINDOWS\system32\S3trayp.exe [2007-06-11 176128]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-16 16855552]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2007-10-11 1826816]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-04-14 1932568]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DynSite"=C:\Program Files\NoelD\DynSite for Windows\DynSite.exe []
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-04-14 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e83b89a-ec3e-11d9-afe8-00095b1a64c6}]
shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe


======List of files/folders created in the last 3 months======

2009-04-14 22:00:03 ----D---- C:\rsit
2009-04-14 21:29:37 ----A---- C:\WINDOWS\system32\cmd2.exe
2009-04-14 20:11:54 ----HD---- C:\$AVG8.VAULT$
2009-04-14 19:55:41 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-04-14 19:55:20 ----D---- C:\Program Files\AVG
2009-04-14 19:55:19 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-04-14 19:07:17 ----D---- C:\WINDOWS\LastGood
2009-04-14 18:52:42 ----D---- C:\Documents and Settings\Tony\Application Data\Malwarebytes
2009-04-14 18:52:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-14 18:52:36 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-14 18:41:10 ----D---- C:\Program Files\Trend Micro
2009-04-14 00:31:57 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-04-14 00:31:47 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-04-14 00:29:50 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-04-14 00:29:38 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-04-14 00:29:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-01-26 14:32:35 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-01-26 14:32:35 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-01-25 23:25:31 ----HDC---- C:\WINDOWS\ie7
2009-01-25 23:20:31 ----D---- C:\WINDOWS\system32\URTTEMP
2009-01-25 23:11:46 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-25 23:11:40 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-01-25 23:11:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-01-25 22:07:47 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-25 22:07:47 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-25 22:07:47 ----A---- C:\WINDOWS\system32\java.exe
2009-01-25 22:07:47 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-25 21:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-25 21:54:33 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-25 21:54:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2009-01-25 21:54:05 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-01-25 21:53:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-25 21:53:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-25 21:53:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-01-25 21:53:06 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-01-25 21:52:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-25 21:51:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-25 21:50:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-25 21:50:31 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-25 21:50:20 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-25 21:50:09 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-25 21:49:57 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-25 21:10:25 ----D---- C:\WINDOWS\Prefetch
2009-01-25 20:40:01 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-25 20:34:13 ----D---- C:\WINDOWS\system32\scripting
2009-01-25 20:34:12 ----D---- C:\WINDOWS\system32\en
2009-01-25 20:34:12 ----D---- C:\WINDOWS\l2schemas
2009-01-25 20:13:24 ----A---- C:\WINDOWS\system32\wmphoto.dll
2009-01-25 20:13:23 ----A---- C:\WINDOWS\system32\wlanapi.dll
2009-01-25 20:13:23 ----A---- C:\WINDOWS\system32\windowscodecsext.dll
2009-01-25 20:13:23 ----A---- C:\WINDOWS\system32\windowscodecs.dll
2009-01-25 20:13:21 ----A---- C:\WINDOWS\system32\tspkg.dll
2009-01-25 20:13:21 ----A---- C:\WINDOWS\system32\tsgqec.dll
2009-01-25 20:13:18 ----A---- C:\WINDOWS\system32\setupn.exe
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\rasqec.dll
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\qutil.dll
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\qcliprov.dll
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\qagentrt.dll
2009-01-25 20:13:17 ----A---- C:\WINDOWS\system32\qagent.dll
2009-01-25 20:13:16 ----A---- C:\WINDOWS\system32\photometadatahandler.dll
2009-01-25 20:13:16 ----A---- C:\WINDOWS\system32\onex.dll
2009-01-25 20:13:14 ----A---- C:\WINDOWS\system32\napstat.exe
2009-01-25 20:13:14 ----A---- C:\WINDOWS\system32\napmontr.dll
2009-01-25 20:13:14 ----A---- C:\WINDOWS\system32\napipsec.dll
2009-01-25 20:13:14 ----A---- C:\WINDOWS\system32\msxml6r.dll
2009-01-25 20:13:14 ----A---- C:\WINDOWS\system32\msxml6.dll
2009-01-25 20:13:13 ----A---- C:\WINDOWS\system32\msshavmsg.dll
2009-01-25 20:13:13 ----A---- C:\WINDOWS\system32\mssha.dll
2009-01-25 20:13:10 ----A---- C:\WINDOWS\system32\mmcperf.exe
2009-01-25 20:13:10 ----A---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-01-25 20:13:10 ----A---- C:\WINDOWS\system32\mmcex.dll
2009-01-25 20:13:10 ----A---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\l2gpstore.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\kmsvc.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\kbdpash.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\kbdnepr.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\kbdiultn.dll
2009-01-25 20:13:08 ----A---- C:\WINDOWS\system32\kbdbhc.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eapsvc.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eapqec.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eappprxy.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eapphost.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eappgnui.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eappcfg.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eapp3hst.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\system32\eapolqec.dll
2009-01-25 20:13:02 ----A---- C:\WINDOWS\006070_.tmp
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3ui.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3svc.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3msm.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3dlg.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3cfg.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dot3api.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dimsroam.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dimsntfy.dll
2009-01-25 20:13:01 ----A---- C:\WINDOWS\system32\dhcpqec.dll
2009-01-25 20:13:00 ----A---- C:\WINDOWS\system32\credssp.dll
2009-01-25 20:12:59 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2009-01-25 20:12:59 ----A---- C:\WINDOWS\system32\azroles.dll
2009-01-25 20:12:58 ----A---- C:\WINDOWS\system32\aaclient.dll
2009-01-25 19:58:18 ----HDC---- C:\WINDOWS\$NtUninstallKB873333$
2009-01-25 19:51:27 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-01-25 19:09:07 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-01-25 19:08:27 ----A---- C:\WINDOWS\system32\winhttp.dll
2009-01-25 19:08:27 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-01-25 18:34:27 ----RA---- C:\WINDOWS\system32\Ntport.dll
2009-01-25 18:34:27 ----RA---- C:\WINDOWS\system32\itevio.dll
2009-01-25 18:34:27 ----D---- C:\WINDOWS\SysWow64
2009-01-25 18:34:27 ----D---- C:\Program Files\ITE
2009-01-25 18:31:34 ----D---- C:\WINDOWS\system32\Lang
2009-01-25 17:58:47 ----A---- C:\WINDOWS\system32\ChCfg.exe
2009-01-25 17:58:27 ----D---- C:\WINDOWS\system32\RTCOM
2009-01-25 17:57:57 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXP$
2009-01-25 17:57:55 ----A---- C:\WINDOWS\SoundMan.exe
2009-01-25 17:57:55 ----A---- C:\WINDOWS\SkyTel.exe
2009-01-25 17:57:55 ----A---- C:\WINDOWS\RtlUpd.exe
2009-01-25 17:57:55 ----A---- C:\WINDOWS\RTLCPL.exe
2009-01-25 17:57:53 ----D---- C:\Program Files\Realtek
2009-01-25 17:57:53 ----A---- C:\WINDOWS\RTHDCPL.exe
2009-01-25 17:57:53 ----A---- C:\WINDOWS\MicCal.exe
2009-01-25 17:57:53 ----A---- C:\WINDOWS\alcwzrd.exe
2009-01-25 17:57:53 ----A---- C:\WINDOWS\Alcmtr.exe
2009-01-25 17:57:47 ----A---- C:\WINDOWS\RtlExUpd.dll
2009-01-25 17:57:47 ----A---- C:\WINDOWS\HideWin.exe
2009-01-25 17:56:46 ----D---- C:\Program Files\Driver
2009-01-25 17:51:16 ----D---- C:\WINDOWS\vnDrvBas
2009-01-25 17:51:16 ----A---- C:\WINDOWS\system32\vuins32.dll
2009-01-25 17:51:16 ----A---- C:\WINDOWS\system32\difxapi.dll
2009-01-25 17:49:26 ----D---- C:\Program Files\S3
2009-01-25 17:37:51 ----RA---- C:\WINDOWS\system32\vIdeInst.dll
2009-01-25 17:18:43 ----D---- C:\Program Files\VIA
2009-01-25 17:18:27 ----SHD---- C:\WINDOWS\Installer
2009-01-25 17:17:11 ----D---- C:\Pre SP3 Backups
2009-01-25 16:28:23 ----D---- C:\Documents and Settings\Tony\Application Data\Intuit
2009-01-25 16:03:14 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-01-25 16:02:53 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-01-25 16:02:53 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-01-25 16:02:53 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-01-25 16:02:53 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-01-25 16:02:50 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-01-25 16:02:50 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-01-25 16:02:49 ----A---- C:\WINDOWS\system32\inetres.dll
2009-01-25 16:02:48 ----A---- C:\WINDOWS\system32\isign32.dll
2009-01-25 16:02:48 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-01-25 16:02:48 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-01-25 16:02:48 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-01-25 16:02:42 ----N---- C:\WINDOWS\system32\qmgr.dll
2009-01-25 16:02:37 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-01-25 16:02:37 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-01-25 16:02:37 ----A---- C:\WINDOWS\system32\srclient.dll
2009-01-25 16:02:37 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-01-25 16:02:37 ----A---- C:\WINDOWS\system32\ils.dll
2009-01-25 16:02:36 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-01-25 16:02:36 ----A---- C:\WINDOWS\system32\msconf.dll
2009-01-25 16:02:34 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-01-25 16:02:34 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-01-25 16:02:33 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-01-25 16:02:32 ----A---- C:\WINDOWS\system32\schedsvc.dll
2009-01-25 16:02:32 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-01-25 16:02:32 ----A---- C:\WINDOWS\system32\mstask.dll
2009-01-25 16:01:47 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-01-25 16:01:46 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-01-25 16:01:46 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-01-25 16:01:45 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-01-25 16:01:44 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-01-25 16:01:44 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-01-25 16:01:44 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-01-25 16:01:44 ----A---- C:\WINDOWS\system32\colbact.dll
2009-01-25 16:01:43 ----A---- C:\WINDOWS\system32\comuid.dll
2009-01-25 16:01:43 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-01-25 16:01:43 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-01-25 16:01:43 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-01-25 16:01:43 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-01-25 16:01:39 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-01-25 16:01:39 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-01-25 16:01:39 ----A---- C:\WINDOWS\system32\cmprops.dll
2009-01-25 16:01:38 ----A---- C:\WINDOWS\system32\spider.exe
2009-01-25 16:01:38 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-01-25 16:01:38 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-01-25 16:01:38 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-01-25 16:01:37 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-01-25 16:01:37 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-01-25 16:01:37 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-01-25 16:01:37 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\termsrv.dll
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-01-25 16:01:36 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-01-25 16:01:35 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-01-25 16:01:34 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-01-25 16:01:34 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-01-25 16:01:30 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-01-25 15:58:29 ----A---- C:\WINDOWS\system32\irclass.dll
2009-01-25 15:58:28 ----A---- C:\WINDOWS\system32\storprop.dll
2009-01-25 15:58:28 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-01-25 15:58:16 ----RA---- C:\WINDOWS\SETED.tmp
2009-01-25 15:58:14 ----RA---- C:\WINDOWS\SETE5.tmp
2009-01-24 17:17:22 ----D---- C:\WINDOWS\WinSxS
2009-01-24 17:17:19 ----RD---- C:\WINDOWS\Web
2009-01-24 17:17:19 ----D---- C:\WINDOWS\WBEM
2009-01-24 17:17:19 ----D---- C:\WINDOWS\Twain32
2009-01-24 17:17:19 ----D---- C:\WINDOWS\twain_32
2009-01-24 17:17:16 ----SD---- C:\WINDOWS\Tasks
2009-01-24 17:17:16 ----D---- C:\WINDOWS\Temp
2009-01-24 17:16:57 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-01-24 17:16:56 ----D---- C:\WINDOWS\system32\xircom
2009-01-24 17:16:48 ----D---- C:\WINDOWS\system32\wins
2009-01-24 17:16:37 ----D---- C:\WINDOWS\system32\wbem
2009-01-24 17:16:31 ----D---- C:\WINDOWS\system32\usmt
2009-01-24 17:16:17 ----D---- C:\WINDOWS\system32\spool
2009-01-24 17:16:16 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-01-24 17:16:14 ----D---- C:\WINDOWS\system32\ShellExt
2009-01-24 17:16:11 ----D---- C:\WINDOWS\system32\Setup
2009-01-24 17:16:01 ----D---- C:\WINDOWS\system32\SavedSystemFiles
2009-01-24 17:15:59 ----D---- C:\WINDOWS\system32\Restore
2009-01-24 17:15:58 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-24 17:15:56 ----D---- C:\WINDOWS\system32\ras
2009-01-24 17:15:53 ----D---- C:\WINDOWS\system32\PreInstall
2009-01-24 17:15:43 ----D---- C:\WINDOWS\system32\oobe
2009-01-24 17:15:38 ----D---- C:\WINDOWS\system32\NtmsData
2009-01-24 17:15:37 ----D---- C:\WINDOWS\system32\npp
2009-01-24 17:15:27 ----D---- C:\WINDOWS\system32\mui
2009-01-24 17:15:18 ----D---- C:\WINDOWS\system32\MsDtc
2009-01-24 17:15:10 ----SD---- C:\WINDOWS\system32\Microsoft
2009-01-24 17:15:06 ----D---- C:\WINDOWS\system32\Macromed
2009-01-24 17:14:53 ----D---- C:\WINDOWS\system32\inetsrv
2009-01-24 17:14:52 ----D---- C:\WINDOWS\system32\IME
2009-01-24 17:14:51 ----D---- C:\WINDOWS\system32\icsxml
2009-01-24 17:14:50 ----D---- C:\WINDOWS\system32\ias
2009-01-24 17:14:48 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-01-24 17:14:48 ----A---- C:\WINDOWS\system32\h323log.txt
2009-01-24 17:14:45 ----D---- C:\WINDOWS\system32\export
2009-01-24 17:14:44 ----D---- C:\WINDOWS\system32\en-US
2009-01-24 17:14:28 ----D---- C:\WINDOWS\system32\drivers
2009-01-24 17:13:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-24 17:13:17 ----D---- C:\WINDOWS\system32\DirectX
2009-01-24 17:13:16 ----D---- C:\WINDOWS\system32\dhcp
2009-01-24 17:13:00 ----D---- C:\WINDOWS\system32\config
2009-01-24 17:12:58 ----D---- C:\WINDOWS\system32\Com
2009-01-24 17:12:53 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-24 17:12:44 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-24 17:12:43 ----D---- C:\WINDOWS\system32\bits
2009-01-24 17:12:40 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-24 17:12:39 ----D---- C:\WINDOWS\system32\3com_dmi
2009-01-24 17:12:39 ----D---- C:\WINDOWS\system32\3076
2009-01-24 17:12:39 ----D---- C:\WINDOWS\system32\2052
2009-01-24 17:12:39 ----D---- C:\WINDOWS\system32\1054
2009-01-24 17:12:39 ----D---- C:\WINDOWS\system32\1042
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1041
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1037
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1033
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1031
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1028
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32\1025
2009-01-24 17:12:38 ----D---- C:\WINDOWS\system32
2009-01-24 17:12:37 ----D---- C:\WINDOWS\system
2009-01-24 17:12:36 ----D---- C:\WINDOWS\Sun
2009-01-24 17:12:34 ----D---- C:\WINDOWS\srchasst
2009-01-24 17:08:41 ----HD---- C:\WINDOWS\ShellNew
2009-01-24 17:08:41 ----D---- C:\WINDOWS\SoftwareDistribution
2009-01-24 17:06:38 ----D---- C:\WINDOWS\ServicePackFiles
2009-01-24 17:06:37 ----D---- C:\WINDOWS\security
2009-01-24 17:06:37 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-24 17:06:35 ----D---- C:\WINDOWS\Resources
2009-01-24 17:06:31 ----D---- C:\WINDOWS\repair
2009-01-24 17:06:31 ----D---- C:\WINDOWS\Registration
2009-01-24 17:06:15 ----D---- C:\WINDOWS\RegisteredPackages
2009-01-24 17:06:14 ----D---- C:\WINDOWS\provisioning
2009-01-24 17:06:08 ----D---- C:\WINDOWS\peernet
2009-01-24 17:05:32 ----RD---- C:\WINDOWS\Offline Web Pages
2009-01-24 17:05:32 ----D---- C:\WINDOWS\PCHealth
2009-01-24 17:05:31 ----D---- C:\WINDOWS\network diagnostic
2009-01-24 17:05:31 ----D---- C:\WINDOWS\mui
2009-01-24 17:05:31 ----D---- C:\WINDOWS\msapps
2009-01-24 17:05:30 ----D---- C:\WINDOWS\msagent
2009-01-24 17:05:30 ----D---- C:\WINDOWS\Minidump
2009-01-24 17:05:12 ----D---- C:\WINDOWS\Microsoft.NET
2009-01-24 17:05:10 ----D---- C:\WINDOWS\Media
2009-01-24 17:05:04 ----D---- C:\WINDOWS\java
2009-01-24 17:04:46 ----D---- C:\WINDOWS\Internet Logs
2009-01-24 17:03:30 ----HD---- C:\WINDOWS\inf
2009-01-24 17:03:29 ----D---- C:\WINDOWS\ime
2009-01-24 17:03:29 ----D---- C:\WINDOWS\ie7updates
2009-01-24 17:03:28 ----D---- C:\WINDOWS\Hewlett-Packard
2009-01-24 17:02:57 ----D---- C:\WINDOWS\Help
2009-01-24 17:02:48 ----RSD---- C:\WINDOWS\Fonts
2009-01-24 17:02:47 ----D---- C:\WINDOWS\EHome
2009-01-24 17:02:35 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-24 17:02:35 ----D---- C:\WINDOWS\Driver Cache
2009-01-24 17:02:33 ----D---- C:\WINDOWS\Debug
2009-01-24 17:02:29 ----D---- C:\WINDOWS\Cursors
2009-01-24 17:02:29 ----D---- C:\WINDOWS\CSC
2009-01-24 17:02:29 ----D---- C:\WINDOWS\Connection Wizard
2009-01-24 17:02:29 ----D---- C:\WINDOWS\Config
2009-01-24 17:02:25 ----D---- C:\WINDOWS\Cache
2009-01-24 17:02:03 ----RSD---- C:\WINDOWS\assembly
2009-01-24 17:02:03 ----D---- C:\WINDOWS\APW_DATA
2009-01-24 17:02:02 ----D---- C:\WINDOWS\AppPatch
2009-01-24 17:02:02 ----D---- C:\WINDOWS\addins
2009-01-24 17:00:34 ----HD---- C:\WINDOWS\$NtUninstallKB891781_0$
2009-01-24 17:00:34 ----HD---- C:\WINDOWS\$NtUninstallKB891711$
2009-01-24 17:00:31 ----HD---- C:\WINDOWS\$NtUninstallKB890175_0$
2009-01-24 17:00:30 ----HD---- C:\WINDOWS\$NtUninstallKB890047_0$
2009-01-24 17:00:29 ----HD---- C:\WINDOWS\$NtUninstallKB888302_0$
2009-01-24 17:00:28 ----HD---- C:\WINDOWS\$NtUninstallKB888113_0$
2009-01-24 17:00:27 ----HD---- C:\WINDOWS\$NtUninstallKB885836_0$
2009-01-24 17:00:26 ----HD---- C:\WINDOWS\$NtUninstallKB885835_0$
2009-01-24 17:00:25 ----HD---- C:\WINDOWS\$NtUninstallKB885250_0$
2009-01-24 17:00:25 ----HD---- C:\WINDOWS\$NtUninstallKB873339_0$
2009-01-24 17:00:24 ----HD---- C:\WINDOWS\$NtUninstallKB873333_0$
2009-01-24 17:00:23 ----HD---- C:\WINDOWS\$NtUninstallKB871250$
2009-01-24 17:00:22 ----HD---- C:\WINDOWS\$NtUninstallKB867282-IE6SP1-20050127.163319$
2009-01-24 17:00:20 ----HDC---- C:\WINDOWS\$NtUninstallKB842773$
2009-01-24 17:00:20 ----HD---- C:\WINDOWS\$NtUninstallKB841356$
2009-01-24 17:00:19 ----HD---- C:\WINDOWS\$NtUninstallKB835732$
2009-01-24 17:00:18 ----HD---- C:\WINDOWS\$NtUninstallKB833987$
2009-01-24 17:00:17 ----HD---- C:\WINDOWS\$NtUninstallKB828741$
2009-01-24 17:00:17 ----HD---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2009-01-24 17:00:16 ----HD---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2009-01-24 16:58:29 ----HD---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2009-01-24 16:58:26 ----HD---- C:\WINDOWS\$MSI31Uninstall_KB893803$
2009-01-24 16:56:21 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-24 16:56:21 ----D---- C:\WINDOWS
2009-01-24 16:43:52 ----SHD---- C:\RECYCLER
2009-01-24 16:43:44 ----D---- C:\Program Files\Zone Labs
2009-01-24 16:43:11 ----D---- C:\Program Files\Yahoo!
2009-01-24 16:43:11 ----D---- C:\Program Files\xerox
2009-01-24 16:43:09 ----HD---- C:\Program Files\WindowsUpdate
2009-01-24 16:43:09 ----D---- C:\Program Files\WinZip
2009-01-24 16:43:07 ----D---- C:\Program Files\Windows NT
2009-01-24 16:43:05 ----D---- C:\Program Files\Windows Media Player
2009-01-24 16:43:04 ----D---- C:\Program Files\WinDlg
2009-01-24 16:42:32 ----D---- C:\Program Files\Winamp
2009-01-24 16:42:29 ----D---- C:\Program Files\Western Digital
2009-01-24 16:42:28 ----D---- C:\Program Files\Virtools Web Player 3.5
2009-01-24 16:41:59 ----D---- C:\Program Files\Vim
2009-01-24 16:41:57 ----HD---- C:\Program Files\Uninstall Information
2009-01-24 16:41:57 ----D---- C:\Program Files\Viewpoint
2009-01-24 16:41:48 ----D---- C:\Program Files\TortoiseSVN
2009-01-24 16:41:39 ----D---- C:\Program Files\Subversion
2009-01-24 16:41:39 ----D---- C:\Program Files\Snapshot Viewer
2009-01-24 16:41:36 ----D---- C:\Program Files\Sandi's Games From Diskette
2009-01-24 16:41:21 ----D---- C:\Program Files\Quicken
2009-01-24 16:41:06 ----D---- C:\Program Files\PDFCreator
2009-01-24 16:41:05 ----D---- C:\Program Files\Outlook Express
2009-01-24 16:41:05 ----D---- C:\Program Files\Online Services
2009-01-24 16:41:05 ----D---- C:\Program Files\OfficeUpdate11
2009-01-24 16:41:04 ----D---- C:\Program Files\NetMeeting
2009-01-24 16:41:04 ----D---- C:\Program Files\MySpace
2009-01-24 16:41:04 ----D---- C:\Program Files\MSXML 4.0
2009-01-24 16:41:03 ----D---- C:\Program Files\MSN Gaming Zone
2009-01-24 16:40:59 ----D---- C:\Program Files\MSN
2009-01-24 16:40:47 ----D---- C:\Program Files\Mozilla Firefox
2009-01-24 16:40:46 ----D---- C:\Program Files\Movie Maker
2009-01-24 16:40:43 ----D---- C:\Program Files\Microsoft Visual Studio
2009-01-24 16:40:06 ----D---- C:\Program Files\Microsoft Office
2009-01-24 16:40:06 ----D---- C:\Program Files\microsoft frontpage
2009-01-24 16:40:06 ----D---- C:\Program Files\Messenger
2009-01-24 16:40:06 ----D---- C:\Program Files\Lavasoft
2009-01-24 16:38:02 ----D---- C:\Program Files\Java
2009-01-24 16:38:00 ----D---- C:\Program Files\Iomega
2009-01-24 16:38:00 ----D---- C:\Program Files\Invoke Solutions
2009-01-24 16:37:58 ----D---- C:\Program Files\Internet Explorer
2009-01-24 16:37:58 ----D---- C:\Program Files\Intel
2009-01-24 16:37:53 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-24 16:37:51 ----D---- C:\Program Files\HP
2009-01-24 16:36:49 ----D---- C:\Program Files\Hewlett-Packard
2009-01-24 16:35:59 ----D---- C:\Program Files\Hasbro
2009-01-24 16:35:59 ----D---- C:\Program Files\Coupons
2009-01-24 16:35:59 ----D---- C:\Program Files\ComPlus Applications
2009-01-24 16:35:58 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-01-24 16:35:53 ----D---- C:\Program Files\Common Files\System
2009-01-24 16:35:53 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\Sonic Shared
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\Services
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\Palo Alto Software
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\ODBC
2009-01-24 16:35:52 ----D---- C:\Program Files\Common Files\MSSoap
2009-01-24 16:35:19 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-24 16:35:09 ----D---- C:\Program Files\Common Files\Java
2009-01-24 16:35:08 ----D---- C:\Program Files\Common Files\Intuit
2009-01-24 16:35:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-01-24 16:35:07 ----D---- C:\Program Files\Common Files\Designer
2009-01-24 16:35:05 ----D---- C:\Program Files\Common Files\AOL
2009-01-24 16:35:05 ----D---- C:\Program Files\Common Files\Adobe
2009-01-24 16:35:05 ----D---- C:\Program Files\Common Files\Adaptec Shared
2009-01-24 16:35:05 ----D---- C:\Program Files\Common Files
2009-01-24 16:34:08 ----D---- C:\Program Files\Apache Group
2009-01-24 16:33:18 ----D---- C:\Program Files\AIM6
2009-01-24 16:33:17 ----D---- C:\Program Files\Ahead
2009-01-24 16:32:54 ----D---- C:\Program Files\Adobe
2009-01-24 16:32:53 ----D---- C:\Program Files\Adaptec
2009-01-24 16:32:07 ----RD---- C:\Program Files
2009-01-24 16:32:07 ----D---- C:\Program Files\100KPyramid
2009-01-24 16:32:04 ----D---- C:\FEUD
2009-01-24 16:32:03 ----D---- C:\DVCDRV
2009-01-24 16:29:03 ----D---- C:\Documents and Settings\Tony\Application Data\Yahoo! Messenger
2009-01-24 16:29:03 ----D---- C:\Documents and Settings\Tony\Application Data\TortoiseSVN
2009-01-24 16:29:03 ----D---- C:\Documents and Settings\Tony\Application Data\Talkback
2009-01-24 16:29:03 ----D---- C:\Documents and Settings\Tony\Application Data\Symantec
2009-01-24 16:28:53 ----D---- C:\Documents and Settings\Tony\Application Data\Sun
2009-01-24 16:28:53 ----D---- C:\Documents and Settings\Tony\Application Data\Subversion
2009-01-24 16:28:53 ----D---- C:\Documents and Settings\Tony\Application Data\Sonic
2009-01-24 16:28:53 ----D---- C:\Documents and Settings\Tony\Application Data\PDFCreator
2009-01-24 16:28:52 ----D---- C:\Documents and Settings\Tony\Application Data\MySpace
2009-01-24 16:28:48 ----D---- C:\Documents and Settings\Tony\Application Data\Mozilla
2009-01-24 16:28:48 ----D---- C:\Documents and Settings\Tony\Application Data\Microsoft Web Folders
2009-01-24 16:28:45 ----SD---- C:\Documents and Settings\Tony\Application Data\Microsoft
2009-01-24 16:28:43 ----D---- C:\Documents and Settings\Tony\Application Data\Macromedia
2009-01-24 16:28:43 ----D---- C:\Documents and Settings\Tony\Application Data\Leadertech
2009-01-24 16:28:43 ----D---- C:\Documents and Settings\Tony\Application Data\Identities
2009-01-24 16:28:42 ----D---- C:\Documents and Settings\Tony\Application Data\Hewlett-Packard
2009-01-24 16:28:42 ----D---- C:\Documents and Settings\Tony\Application Data\Help
2009-01-24 16:28:42 ----D---- C:\Documents and Settings\Tony\Application Data\Ahead
2009-01-24 16:28:42 ----D---- C:\Documents and Settings\Tony\Application Data\AdobeUM
2009-01-24 16:28:41 ----D---- C:\Documents and Settings\Tony\Application Data\Adobe
2009-01-24 16:00:38 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-01-24 16:00:37 ----RHD---- C:\Documents and Settings\All Users\Application Data\yahoo!
2009-01-24 16:00:37 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-01-24 16:00:36 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-01-24 16:00:36 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-01-24 15:59:26 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-24 15:59:26 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2009-01-24 15:59:23 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-01-24 15:58:28 ----D---- C:\Documents and Settings\All Users\Application Data\Intuit
2009-01-24 15:58:15 ----D---- C:\Documents and Settings\All Users\Application Data\AOL OCP
2009-01-24 15:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2009-01-24 15:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2009-01-24 15:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
2009-01-24 15:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-24 15:58:08 ----D---- C:\Documents and Settings
2009-01-24 15:58:07 ----D---- C:\ac5c174796ab6e3f40957e168d
2009-01-24 15:54:43 ----SHD---- C:\System Volume Information

======List of files/folders modified in the last 3 months======

2009-04-14 00:31:50 ----A---- C:\WINDOWS\imsins.BAK
2009-04-13 15:04:11 ----A---- C:\WINDOWS\win.ini
2009-03-10 22:18:20 ----A---- C:\WINDOWS\system32\LegitCheckControl.dll
2009-03-10 22:18:14 ----A---- C:\WINDOWS\system32\WgaTray.exe
2009-03-10 22:18:00 ----A---- C:\WINDOWS\system32\WgaLogon.dll
2009-03-08 09:52:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-02-25 12:55:00 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-25 21:47:12 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-25 21:44:26 ----A---- C:\WINDOWS\setuplog.txt
2009-01-25 19:56:45 ----ASH---- C:\boot.ini
2009-01-25 19:53:43 ----RASH---- C:\NTDETECT.COM
2009-01-25 16:21:27 ----A---- C:\WINDOWS\system32\wpa.bak
2009-01-25 16:07:00 ----A---- C:\WINDOWS\ODBCINST.INI
2009-01-25 16:03:08 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-01-25 15:58:33 ----A---- C:\WINDOWS\system.ini
2009-01-25 15:58:21 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-01-16 22:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2005-07-27 43672]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-04-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-04-14 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-04-14 108552]
R1 BIOS;BIOS; \??\C:\WINDOWS\System32\drivers\BIOS.sys []
R1 Cinemsup;Cinemsup; C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 6656]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2007-02-27 42496]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 S3GIGP;S3GIGP; C:\WINDOWS\System32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 ati2mtaa;ati2mtaa; C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cirrus;cirrus; C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 45696]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-02-08 5185]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 16074]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 i740;i740; C:\WINDOWS\System32\DRIVERS\i740nt5.sys [2001-08-17 58592]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nuvaud2;Pinnacle Fusion Audio; C:\WINDOWS\system32\DRIVERS\nuvaud2.sys [2001-12-03 26560]
S3 NUVision;Pinnacle Fusion Video; C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 155264]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apache2;Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [2005-10-17 20537]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-04-14 298264]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2003-09-24 73728]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-25 152984]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2004-09-22 38912]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 15 April 2009 - 05:33 AM

Hi tizzo,

I am farbar. I am going to assist you with your problem.

Please refrain from making any changes or running any tools from now on as it might make the job for both of us more difficult.
  • Go to C:\Windows and find regedit32.exe then rename it to tiz.exe
    Double-click tiz.exe to run it. The registry editor opens.
    In the left pane navigate to the following sub-key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Highlight Drivers32 sub-key and under File menu select Export...
    Give a name like drivers32 and save the file to the desktop. You get driver32.reg on the desktop.
    Rename the driver32.reg to driver32.txt then open it and post the content to your reply.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Edited by farbar, 15 April 2009 - 04:14 PM.


#4 tizzo

tizzo
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:11:59 PM

Posted 15 April 2009 - 08:57 AM

Thank you, farbar, for getting back to me so quickly. I'll follow step 1 and post the results when I get back to my PC tonight.

As for step 2, I should tell you that prior to receiving your instructions to take no further action, I did download and install Malware Bytes. Using instructions similar to those you posted, I tried to update and run a quick scan. The update failed because it apparently could not access the update site. The quick scan found nothing.

Elsewhere in these forums, I found and followed instructions for manually updating Malware Bytes by downloading and running an executable file that apparently patches the installed MB database. After doing that, I ran a quick scan, which again found nothing. I've tried running a couple of full scans, but they always hang while (or immediately after) trying to scan the contents of C:\rsit. I deleted the two files from this directory with no change. I've also deleted the directory itself, but haven't had a chance to repeat the scan since doing so. I suspect that it is not C:\rsit but whatever MB is trying to scan after it that is causing the problem anyway. Note, once again, that this is only when trying to do a full scan. Quick scan runs to completion and tells me it found nothing.

I will nevertheless attempt to follow the instructions for step 2 again when I get home, after I complete step 1.

One quick question, however: Do I need to disable my AVG Antivirus in order to complete step 2?

Thanks again.

Tony

Edited by tizzo, 15 April 2009 - 09:00 AM.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 15 April 2009 - 11:07 AM

Thanks for updating me.

No need to run MBAM at the moment. Just open it, and under the Update tab note down and tell me the Database Version of your MBAM.

Edited by farbar, 15 April 2009 - 11:07 AM.


#6 tizzo

tizzo
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:11:59 PM

Posted 15 April 2009 - 12:53 PM

The MPAM database version is 1954.

Tony

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 15 April 2009 - 01:05 PM

It is still behind, but it doesn't matter now; please do step 1.

#8 tizzo

tizzo
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:11:59 PM

Posted 15 April 2009 - 06:09 PM

Here is the result of step 1:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="iyvu9_32.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"midi1"="wdmaud.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.l3acm"="l3codecx.acm"
"VIDC.PIXL"="pclepixl.dll"
"VIDC.NTN1"="NUVision.ax"
"MSVideo8"="VfWWDM32.dll"
"wave1"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.iv50"="ir50_32.dll"
"msacm.iac2"="C:\\WINDOWS\\system32\\Iac25_32.ax"
"vidc.I420"="msh263.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"aux2"="C:\\WINDOWS\\system32\\..\\irhd.yof"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
"mixer"="rdpsnd.dll"

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 16 April 2009 - 01:33 AM

We need to go to the registry again.
  • Double-click tiz.exe to run it. The registry editor opens.
  • In the left pane navigate to the following sub-key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

  • Highlight Drivers32 sub-key. In the right pane under Name there is a value named aux2 right-click on it and select Delete
  • Confirm the deletion and close the registry editor.
  • Reboot your computer and delete the following file: C:\WINDOWS\irhd.yof
  • Tell me if the problem is resolved.

Edited by farbar, 16 April 2009 - 01:39 AM.


#10 tizzo

tizzo
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:11:59 PM

Posted 16 April 2009 - 07:29 AM

That seems to have done the trick.

I ran into one problem with the reboot that gave me heartburn. After deleting the registry key, I asked for a restart. It got to the point where the screen was black (but not off) and stayed there. After about 20 minutes I hit the reset button.

It came back up just fine after that. One thing I noticed is that there were 8 Microsoft updates waiting to be applied before I rebooted, and there were none after I came back up. So I think it's most likely that the problem rebooting was due to these updates, probably hung trying to apply one of them.

After rebooting, the registry key I'd deleted was still gone, and it gave me no trouble deleting the file. After that I had time to try running regedt32 (as regedt32.exe) and cmd (as cmd.exe), and both of those worked. I also did a few Google searches in Firefox and didn't have any of my results redirected.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 16 April 2009 - 08:48 AM

Good news and well done :thumbup2:

Thanks for the detailed feedback.
  • I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  • Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the following program if you are not using it.

    Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint


    Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.
  • Optional: Install Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. All you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link here.

Do you have any question before we close the topic?

#12 tizzo

tizzo
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:11:59 PM

Posted 16 April 2009 - 10:10 AM

No, I think I'm fine now, and thanks again for all your help.

That driver we removed jumped out at me as suspicious when I prepared the registry dump for you, but I never would have been so bold as to just remove it on my own.

I was wondering whether you have any specific information on what it was and where I may have gotten it? Or did we just get rid of it because it looked like it didn't belong?

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:59 AM

Posted 16 April 2009 - 12:41 PM

You are welcome tizzo.

I was wondering whether you have any specific information on what it was and where I may have gotten it? Or did we just get rid of it because it looked like it didn't belong?


It was the Win32/Daonol trojan. If the symptoms were not recognized we could hardly have found it, especially because the tools depending on cmd and regedit could not run.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.
