
Google redirect malware - please help me remove it


  • This topic is locked
14 replies to this topic

#1 RichardWhite321

RichardWhite321

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 31 May 2009 - 03:54 PM

Hi,

Many thanks for taking the time to read this.

I have been infected with a browser redirect virus. It seems to randomly redirect Google search results to sites such as bmxok.info or linkedin.com or approvedchoices.com, etc ...

I have tried all I can think of, including trying a few different antivirus software packages (McAfee, AVG, Avira), installing and using Malwarebytes and replacing Windows Firewall with Online Armor.

Please can you help me remove it? I attach my DDS reports.

Many thanks for any help you can give.

Best wishes, Richard


DDS (Ver_09-05-14.01) - NTFSx86
Run by richard at 20:10:23.43 on 31/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2353 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\OEM04Mon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mobile Master\MMAgent.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mobile Master\MMScan.exe
C:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\richard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbcnews.com/
uWindow Title = I'd rather be walking...
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpeedswitchXP] c:\program files\speedswitchxp\SpeedswitchXP.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MMAgent] c:\program files\mobile master\MMAgent.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [OEM04Mon.exe] c:\windows\OEM04Mon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\shortc~1.lnk - c:\users\rw\programs\startup\map_h.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\novell~1.lnk - c:\program files\novell\ifolder\trayapp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227107485468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2009-1-6 25300]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-31 11608]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-5-29 34671]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-31 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-31 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-31 29776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-31 210216]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-5-20 10240]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-5-31 361672]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-5-31 3052744]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-1-27 598856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-28 40160]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [2008-11-12 141376]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [2008-11-12 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [2008-11-12 234720]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-8-22 7680]
S3 vcache;vcache;c:\windows\system32\drivers\vcache.sys [2009-3-25 46992]
S3 vfilter;vfilter;c:\windows\system32\drivers\vfilter.sys [2009-3-25 28944]

=============== Created Last 30 ================

2009-05-31 18:32 <DIR> -cd----- c:\docume~1\richard\applic~1\OnlineArmor
2009-05-31 18:32 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-31 18:32 198,224 ac------ c:\windows\system32\drivers\OADriver.sys
2009-05-31 18:32 31,824 ac------ c:\windows\system32\drivers\OAmon.sys
2009-05-31 18:32 29,776 ac------ c:\windows\system32\drivers\OAnet.sys
2009-05-31 18:32 <DIR> -cd----- c:\program files\Online Armor
2009-05-31 15:53 <DIR> -cd----- c:\program files\SpywareBlaster
2009-05-31 15:52 <DIR> -cd----- c:\program files\common files\McAfee
2009-05-31 15:52 <DIR> -cd----- c:\program files\McAfee
2009-05-31 15:30 <DIR> -cd----- c:\program files\Avira
2009-05-31 15:30 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-31 15:20 <DIR> acdshr-- C:\cmdcons
2009-05-31 15:18 161,792 ac------ c:\windows\SWREG.exe
2009-05-31 15:18 154,624 ac------ c:\windows\PEV.exe
2009-05-31 15:18 98,816 ac------ c:\windows\sed.exe
2009-05-31 15:18 <DIR> -cds---- C:\ComboFix
2009-05-31 14:30 0 ac------ c:\windows\system32\8104297.jun
2009-05-31 14:30 <DIR> -cd----- c:\program files\Browser Hijack Recover
2009-05-31 13:40 <DIR> -cd----- c:\docume~1\richard\applic~1\HouseCall 6.6
2009-05-30 15:22 <DIR> -cd----- c:\docume~1\richard\applic~1\Spotify
2009-05-30 15:22 <DIR> -cd----- c:\program files\Spotify
2009-05-29 23:32 <DIR> -cd----- c:\temp\admin
2009-05-29 23:31 <DIR> -cd----- c:\temp\Incomplete
2009-05-28 15:49 55,640 ac------ c:\windows\system32\drivers\avgntflt.sys
2009-05-28 14:46 <DIR> -cd----- c:\docume~1\richard\applic~1\Malwarebytes
2009-05-28 14:46 40,160 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:45 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-28 14:45 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:45 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 13:55 45,056 ac------ c:\windows\system32\iprntlgn.exe.iprint11
2009-05-28 13:55 45,056 ac------ c:\windows\system32\iprntlgn.exe.iprint1
2009-05-27 22:46 <DIR> -cd----- c:\program files\EqPlot
2009-05-25 15:01 2,514,315 ac------ c:\temp\winscp419setup.exe
2009-05-24 22:09 <DIR> -cd----- C:\spoolerlogs
2009-05-23 12:30 <DIR> -cd----- c:\temp\2v473cr2_test
2009-05-23 08:33 <DIR> -cd----- c:\temp\vX.xx_2
2009-05-23 08:33 <DIR> -cd----- c:\temp\vX.xx
2009-05-22 16:16 <DIR> -cd----- c:\temp\2v473Cr2
2009-05-22 10:43 <DIR> -cd----- c:\temp\HPC
2009-05-21 11:48 <DIR> -cd----- c:\program files\WinSCP
2009-05-21 09:56 <DIR> -cd----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-20 09:17 <DIR> -cd----- c:\docume~1\richard\applic~1\Birdstep Technology
2009-05-20 09:17 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Birdstep Technology
2009-05-20 09:16 10,240 -c------ c:\windows\system32\drivers\mdvrmng.sys
2009-05-20 09:16 <DIR> -cd----- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-05-20 09:16 <DIR> -cd----- c:\program files\3
2009-05-20 08:38 <DIR> -cd----- c:\program files\BBC iPlayer Desktop
2009-05-12 21:08 <DIR> -cd----- c:\program files\WinDirStat
2009-05-11 23:48 72,192 ac------ C:\su 2009 assessment main text - guidelines given to students.rw.doc
2009-05-10 22:16 <DIR> -cd-h--- c:\program files\Zero G Registry
2009-05-10 22:16 <DIR> -cd----- c:\program files\NetLogo 4.0.4
2009-05-10 22:15 <DIR> -cd-h--- c:\documents and settings\richard\InstallAnywhere
2009-05-10 21:28 <DIR> -cd----- c:\program files\GomEncoder
2009-05-10 21:28 <DIR> -cd----- c:\program files\CoreAAC
2009-05-10 20:55 <DIR> -cd----- c:\windows\system32\appmgmt
2009-05-10 20:51 <DIR> -cd----- c:\docume~1\richard\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-10 08:23 484 ac------ C:\my Papers.lnk
2009-05-01 22:32 <DIR> -cd----- c:\program files\common files\PCSuite
2009-05-01 22:32 <DIR> -cd----- c:\program files\common files\Nokia
2009-05-01 22:31 <DIR> -cd----- c:\program files\PC Connectivity Solution

==================== Find3M ====================

2009-05-31 15:50 189,431 ac------ c:\windows\system32\nvModes.dat
2009-05-29 12:05 69,232 ac------ c:\docume~1\richard\applic~1\GDIPFONTCACHEV1.DAT
2009-03-16 14:18 517,448 ac------ c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 ac------ c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 ac------ c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 ac------ c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 ac------ c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 ac------ c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 ac------ c:\windows\system32\d3dx10_41.dll
2009-03-09 05:19 410,984 ac------ c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 ac------ c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 ac------ c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 ac------ c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 ac------ c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 ac------ c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 ac------ c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 ac------ c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 ac------ c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 ac------ c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 ac------ c:\windows\system32\msls31.dll
2009-03-06 15:22 284,160 ac------ c:\windows\system32\pdh.dll

============= FINISH: 20:11:27.71 ===============



#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 11 June 2009 - 09:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Renato Victor Mejias
Malware help in portuguese
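The reply above asks for a fresh DDS log so it can be compared with the first one. The comparison is the useful part: a redirect infection usually shows up as an autostart or in-process hook (AppInit_DLLs, LSA notification packages, Winlogon Notify, shell hooks, BHOs, Run keys) that was not there before. The following is an added example, not part of this thread and not code from the DDS tool: a small Python parser for the "Pseudo HJT Report" section of a DDS log that normalises each entry by kind, diffs two runs, and orders whatever is new by how broadly the entry loads into processes. The sample log lines are copied from the logs posted in this thread and trimmed to a handful of entries; the priority table is my own triage ordering, not anything DDS defines.

```python
"""Parse the 'Pseudo HJT Report' section of a DDS log and diff two runs.

Added example, not part of the thread or of the DDS tool. The sample lines
are taken from the DDS logs posted in this thread; the entry prefixes
(uRun, mRun, dRun, BHO, TB, StartupFolder, AppInit_DLLs, LSA, ...) are
DDS's own notation. 'hxxp' is the log's defanged spelling of http.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines from the first DDS log in the thread.
FIRST_RUN = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbcnews.com/
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\shortc~1.lnk - c:\users\rw\programs\startup\map_h.bat
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2009-1-6 25300]
"""

# Constructed second run: the same log plus the entries that appear only in
# the second DDS log posted later in this thread.
NEW_IN_SECOND_RUN = r"""uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
"""
SECOND_RUN = FIRST_RUN.replace("LSA: Notification", NEW_IN_SECOND_RUN + "LSA: Notification")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # '===== Pseudo HJT Report ====='
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_-]+):\s*(?P<body>.*)$")  # 'uRun: ...', 'BHO: ...'
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")       # '[value name] command line'

# Triage ordering (my own, not DDS's): entries that inject a DLL into many or
# all processes are looked at before a per-user Run key or a homepage setting.
PRIORITY = {"AppInit_DLLs": 0, "LSA": 0, "Notify": 0, "SEH": 1, "SSODL": 1,
            "Filter": 1, "Handler": 1, "BHO": 2, "TB": 2, "EB": 2,
            "mRun": 3, "dRun": 3, "uRun": 4, "StartupFolder": 4, "setting": 5}


def parse_hjt(text):
    """Return {kind: {key: value}} for the Pseudo HJT Report section only.

    Run-type entries are keyed by the registry value name so a changed
    command line shows up as 'changed' rather than as remove + add; all
    other entries are keyed by their full body.
    """
    entries = defaultdict(dict)
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group(1).lower() == "pseudo hjt report"
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body")
            rm = RUN_RE.match(body) if kind.endswith("Run") else None
            if rm:
                entries[kind][rm.group("name")] = rm.group("cmd")
            else:
                entries[kind][body] = body
        elif " = " in line:
            # 'uStart Page = ...' style settings carry no kind prefix
            key, value = line.split(" = ", 1)
            entries["setting"][key] = value
    return entries


def diff_runs(old_text, new_text):
    """Return (added, removed, changed) between two DDS logs."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added, removed, changed = [], [], []
    for kind in sorted(set(old) | set(new)):
        o, n = old.get(kind, {}), new.get(kind, {})
        added += [(kind, k, n[k]) for k in sorted(set(n) - set(o))]
        removed += [(kind, k, o[k]) for k in sorted(set(o) - set(n))]
        changed += [(kind, k, o[k], n[k]) for k in sorted(set(o) & set(n)) if o[k] != n[k]]
    return added, removed, changed


def prioritise(entries):
    """Order diff entries so the broadest-loading kinds come first."""
    return sorted(entries, key=lambda e: (PRIORITY.get(e[0], 9), e[0], e[1]))


if __name__ == "__main__":
    added, removed, changed = diff_runs(FIRST_RUN, SECOND_RUN)
    for kind, key, value in prioritise(added):
        print(f"NEW  {kind:14} {key} -> {value}")
    for kind, key, value in removed:
        print(f"GONE {kind:14} {key}")
    for kind, key, before, after in changed:
        print(f"CHG  {kind:14} {key}: {before} -> {after}")
```

Running it on the two constructed logs lists the AppInit_DLLs entry first, then the new machine-wide Run value, then the new per-user one. The ordering is the point: a file name under Run keys can be checked against the vendor install in a minute, whereas anything new under AppInit_DLLs, LSA or Notify loads into other processes and deserves to be identified before the rest of the list.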

#3 RichardWhite321

RichardWhite321
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 12 June 2009 - 02:12 AM

Hi,

Many thanks for contacting me.

My problem has not changed - Google search results links are redirected to infected sites.
I am "containing" the infection using Avira antivirus which catches the infected files from the infected pages, and running Malwarebytes every day or so. This does not normally

But neither have removed the virus that is causing the google links to be re-directed.

I appreciate the help you are giving me.

The files you requested are attached.

Best wishes, Richard

***


DDS (Ver_09-05-14.01) - NTFSx86
Run by richard at 8:01:58.50 on 12/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2566 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\OEM04Mon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Documents and Settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Novell\GroupWise\grpwise.exe
C:\Novell\GroupWise\GWSync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\richard\Desktop\dds.scr
C:\WINDOWS\system32\msfeedssync.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbcnews.com/
uWindow Title = I'd rather be walking...
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpeedswitchXP] c:\program files\speedswitchxp\SpeedswitchXP.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MMAgent] c:\program files\mobile master\MMAgent.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [OEM04Mon.exe] c:\windows\OEM04Mon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\shortc~1.lnk - c:\users\rw\programs\startup\map_h.bat
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\textpad.lnk - c:\program files\textpad 4\TextPad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\novell~1.lnk - c:\program files\novell\ifolder\trayapp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227107485468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2009-1-6 25300]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-31 11608]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-5-29 34671]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-31 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-31 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-31 29776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-31 210216]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-5-20 10240]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-5-31 361672]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-5-31 3052744]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-1-27 598856]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [2008-11-12 141376]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [2008-11-12 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [2008-11-12 234720]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-6-11 30192]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-8-22 7680]
S3 vcache;vcache;c:\windows\system32\drivers\vcache.sys [2009-3-25 46992]
S3 vfilter;vfilter;c:\windows\system32\drivers\vfilter.sys [2009-3-25 28944]

=============== Created Last 30 ================

2009-06-10 09:23 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 09:23 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-05 08:58 <DIR> -cd----- c:\program files\common files\Jumping Bytes
2009-06-03 11:23 <DIR> -cd----- c:\program files\R
2009-06-01 13:00 <DIR> -cd----- c:\program files\Stata8_2
2009-05-31 20:52 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-05-31 18:32 <DIR> -cd----- c:\docume~1\richard\applic~1\OnlineArmor
2009-05-31 18:32 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-31 18:32 198,224 ac------ c:\windows\system32\drivers\OADriver.sys
2009-05-31 18:32 31,824 ac------ c:\windows\system32\drivers\OAmon.sys
2009-05-31 18:32 29,776 ac------ c:\windows\system32\drivers\OAnet.sys
2009-05-31 18:32 <DIR> -cd----- c:\program files\Online Armor
2009-05-31 15:53 <DIR> -cd----- c:\program files\SpywareBlaster
2009-05-31 15:52 <DIR> -cd----- c:\program files\common files\McAfee
2009-05-31 15:52 <DIR> -cd----- c:\program files\McAfee
2009-05-31 15:30 <DIR> -cd----- c:\program files\Avira
2009-05-31 15:30 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-31 15:20 <DIR> acdshr-- C:\cmdcons
2009-05-31 15:18 161,792 ac------ c:\windows\SWREG.exe
2009-05-31 15:18 154,624 ac------ c:\windows\PEV.exe
2009-05-31 15:18 98,816 ac------ c:\windows\sed.exe
2009-05-31 15:18 <DIR> -cds---- C:\ComboFix
2009-05-31 14:30 0 ac------ c:\windows\system32\8104297.jun
2009-05-31 14:30 <DIR> -cd----- c:\program files\Browser Hijack Recover
2009-05-31 13:40 <DIR> -cd----- c:\docume~1\richard\applic~1\HouseCall 6.6
2009-05-30 15:22 <DIR> -cd----- c:\docume~1\richard\applic~1\Spotify
2009-05-30 15:22 <DIR> -cd----- c:\program files\Spotify
2009-05-29 23:32 <DIR> -cd----- c:\temp\admin
2009-05-29 23:31 <DIR> -cd----- c:\temp\Incomplete
2009-05-28 15:49 55,640 ac------ c:\windows\system32\drivers\avgntflt.sys
2009-05-28 14:46 <DIR> -cd----- c:\docume~1\richard\applic~1\Malwarebytes
2009-05-28 14:46 40,160 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:45 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-28 14:45 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:45 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 13:55 45,056 ac------ c:\windows\system32\iprntlgn.exe.iprint11
2009-05-28 13:55 45,056 ac------ c:\windows\system32\iprntlgn.exe.iprint1
2009-05-27 22:46 <DIR> -cd----- c:\program files\EqPlot
2009-05-25 15:01 2,514,315 ac------ c:\temp\winscp419setup.exe
2009-05-24 22:09 <DIR> -cd----- C:\spoolerlogs
2009-05-23 12:30 <DIR> -cd----- c:\temp\2v473cr2_test
2009-05-23 08:33 <DIR> -cd----- c:\temp\vX.xx_2
2009-05-23 08:33 <DIR> -cd----- c:\temp\vX.xx
2009-05-22 16:16 <DIR> -cd----- c:\temp\2v473Cr2
2009-05-22 10:43 <DIR> -cd----- c:\temp\HPC
2009-05-21 11:48 <DIR> -cd----- c:\program files\WinSCP
2009-05-21 09:56 <DIR> -cd----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-20 09:17 <DIR> -cd----- c:\docume~1\richard\applic~1\Birdstep Technology
2009-05-20 09:17 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Birdstep Technology
2009-05-20 09:16 10,240 -c------ c:\windows\system32\drivers\mdvrmng.sys
2009-05-20 09:16 <DIR> -cd----- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-05-20 09:16 <DIR> -cd----- c:\program files\3
2009-05-20 08:38 <DIR> -cd----- c:\program files\BBC iPlayer Desktop

==================== Find3M ====================

2009-06-12 07:59 269,393 ac------ c:\windows\system32\nvModes.dat
2009-05-29 12:05 69,232 ac------ c:\docume~1\richard\applic~1\GDIPFONTCACHEV1.DAT
2009-05-13 06:15 915,456 ac------ c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 ac------ c:\windows\system32\localspl.dll
2009-04-17 13:26 1,847,168 ac------ c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 ac------ c:\windows\system32\rpcrt4.dll
2009-03-16 14:18 517,448 ac------ c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 ac------ c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 ac------ c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 ac------ c:\windows\system32\X3DAudio1_6.dll

============= FINISH: 8:03:10.23 ===============


#4 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 12 June 2009 - 09:02 AM

Hi Richard,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Renato Victor Mejias
Malware help in Portuguese

#5 RichardWhite321

RichardWhite321

  • Topic Starter
  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 12 June 2009 - 11:32 AM

Hi,

Many thanks for getting back to me so quickly.

I (a) ran ComboFix. It seemed to run ok and rebooted my computer, but failed to produce a ComboFix.txt file. Instead it seemed to produce a shortcut in c: called 'ComboFix' that pointed to my My Computer.

So (b) I renamed the executable ComboFix.exe as 'Richard.exe', and ran it again. It seemed to run ok, did not reboot my computer, but did produce a ComboFix.txt file.

I realised afterwards that I should not have done (b) without you telling me to, so I hope I have not messed things up.

Many thanks for your continued help,

Richard

***

ComboFix 09-06-11.06 - richard 12/06/2009 17:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2940 [GMT 1:00]
Running from: c:\documents and settings\richard\Desktop\Richard.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{78DCF30B-FBF4-404D-8DCE-EF333CC52824}\RP193\A0062578.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 15:55 . 2009-06-12 16:00 -------- dcs---w- C:\ComboFix.t.x
2009-06-10 08:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 08:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 07:58 . 2009-06-05 07:58 -------- dc----w- c:\program files\Common Files\Jumping Bytes
2009-06-05 07:54 . 2009-06-05 07:54 -------- dc----w- c:\documents and settings\LocalService\Bluetooth Software
2009-06-03 10:23 . 2009-06-03 10:23 -------- dc----w- c:\program files\R
2009-06-01 12:00 . 2009-06-04 14:33 -------- dc----w- c:\program files\Stata8_2
2009-05-31 19:52 . 2009-05-31 19:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-31 17:32 . 2009-05-31 17:32 -------- dc----w- c:\documents and settings\richard\Application Data\OnlineArmor
2009-05-31 17:32 . 2009-05-31 17:32 -------- dc----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-05-31 17:32 . 2009-04-28 04:38 29776 -c--a-w- c:\windows\system32\drivers\OAnet.sys
2009-05-31 17:32 . 2009-04-28 04:02 31824 -c--a-w- c:\windows\system32\drivers\OAmon.sys
2009-05-31 17:32 . 2009-04-28 04:01 198224 -c--a-w- c:\windows\system32\drivers\OADriver.sys
2009-05-31 17:32 . 2009-05-31 17:53 -------- dc----w- c:\program files\Online Armor
2009-05-31 14:54 . 2009-05-31 14:54 -------- dc----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 14:53 . 2009-05-31 17:48 -------- dc----w- c:\program files\SpywareBlaster
2009-05-31 14:53 . 2009-05-31 14:53 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\program files\Common Files\McAfee
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-31 14:52 . 2009-05-31 17:51 -------- dc----w- c:\program files\McAfee
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-31 14:30 . 2009-03-30 09:33 96104 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-31 14:30 . 2009-02-13 11:29 22360 -c--a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-31 14:30 . 2009-02-13 11:17 45416 -c--a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-31 14:30 . 2009-05-31 14:30 -------- dc----w- c:\program files\Avira
2009-05-31 14:30 . 2009-05-31 14:30 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-31 13:30 . 2009-05-31 13:44 -------- dc----w- c:\program files\Browser Hijack Recover
2009-05-31 12:41 . 2009-05-31 13:43 218736 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\patch.exe
2009-05-31 12:41 . 2009-05-31 13:43 189968 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\ciussi32.dll
2009-05-31 12:41 . 2009-05-31 13:43 170512 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\PATCHW32.DLL
2009-05-31 12:41 . 2009-05-31 13:43 1267320 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\TmUpdate.dll
2009-05-31 12:40 . 2009-05-31 13:43 832776 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\lea.dll
2009-05-31 12:40 . 2009-05-31 13:43 61440 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\Toolkit.dll
2009-05-31 12:40 . 2009-05-31 13:43 439560 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\jlea.dll
2009-05-31 12:40 . 2009-05-31 13:43 42320 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\dsvout.dll
2009-05-31 12:40 . 2009-05-31 13:43 183356 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\Uninstaller.exe
2009-05-31 12:40 . 2009-05-31 13:43 -------- dc----w- c:\documents and settings\richard\Application Data\HouseCall 6.6
2009-05-30 14:22 . 2009-06-10 08:32 -------- dc----w- c:\documents and settings\richard\Application Data\Spotify
2009-05-30 14:22 . 2009-05-30 14:23 -------- dc----w- c:\documents and settings\richard\Local Settings\Application Data\Spotify
2009-05-30 14:22 . 2009-05-30 14:22 -------- dc----w- c:\program files\Spotify
2009-05-29 22:32 . 2009-06-06 21:11 -------- dc----w- c:\temp\admin
2009-05-29 13:57 . 2008-08-27 07:59 1209616 -c--a-w- c:\windows\system32\nipplib.dll
2009-05-29 13:57 . 2008-08-25 13:29 36864 -c--a-w- c:\windows\system32\icapture.exe
2009-05-29 13:57 . 2008-08-25 13:29 34671 -c--a-w- c:\windows\system32\drivers\nipplpt.sys
2009-05-29 13:57 . 2008-08-25 13:28 49152 -c--a-w- c:\windows\system32\nipplpte.exe
2009-05-29 13:57 . 2008-08-25 13:28 45056 -c--a-w- c:\windows\system32\iprntlgn.exe
2009-05-29 13:57 . 2008-08-25 13:27 40960 -c--a-w- c:\windows\system32\iprntctl.exe
2009-05-29 13:57 . 2008-08-25 13:27 61440 -c--a-w- c:\windows\system32\iprntcmd.exe
2009-05-29 13:57 . 2008-08-25 13:27 40960 -c--a-w- c:\windows\system32\iprntcfg.exe
2009-05-29 13:57 . 2008-08-25 13:27 32768 -c--a-w- c:\windows\system32\nipplgex.dll
2009-05-29 13:57 . 2008-08-25 13:26 53248 -c--a-w- c:\windows\system32\nippcl32.dll
2009-05-29 13:57 . 2008-08-25 13:24 110592 -c--a-w- c:\windows\system32\nippnt.dll
2009-05-29 13:57 . 2008-08-25 13:23 69632 -c--a-w- c:\windows\system32\nipp95.dll
2009-05-28 14:49 . 2009-03-24 15:08 55640 -c--a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-28 13:46 . 2009-05-28 13:46 -------- dc----w- c:\documents and settings\richard\Application Data\Malwarebytes
2009-05-28 13:46 . 2009-05-26 12:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 13:45 . 2009-05-28 13:46 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 13:45 . 2009-05-28 13:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 13:45 . 2009-05-26 12:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 13:02 . 2009-05-28 13:03 -------- dc----w- c:\documents and settings\richard\Local Settings\Application Data\Deployment
2009-05-27 21:46 . 2009-05-27 22:14 -------- dc----w- c:\program files\EqPlot
2009-05-25 14:01 . 2009-05-25 14:02 2514315 -c--a-w- c:\temp\winscp419setup.exe
2009-05-24 21:09 . 2009-05-24 21:09 -------- dc----w- C:\spoolerlogs
2009-05-23 13:43 . 2009-05-23 13:43 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 11:30 . 2009-05-25 15:55 -------- dc----w- c:\temp\2v473cr2_test
2009-05-23 07:33 . 2009-05-23 16:50 -------- dc----w- c:\temp\vX.xx_2
2009-05-23 07:33 . 2009-05-23 07:33 -------- dc----w- c:\temp\vX.xx
2009-05-22 15:16 . 2009-05-22 15:16 -------- dc----w- c:\temp\2v473Cr2
2009-05-22 09:43 . 2009-05-27 22:21 -------- dc----w- c:\temp\HPC
2009-05-21 10:48 . 2009-05-21 10:48 -------- dc----w- c:\program files\WinSCP
2009-05-21 08:56 . 2009-05-21 08:56 -------- dc----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-20 08:35 . 2009-05-20 08:35 152576 -c--a-w- c:\documents and settings\richard\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 08:26 . 2009-05-20 08:26 162768 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-20 08:21 . 2009-05-20 08:24 12337480 -c--a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_ZTE.exe
2009-05-20 08:17 . 2009-05-20 08:17 -------- dc----w- c:\documents and settings\richard\Application Data\Birdstep Technology
2009-05-20 08:17 . 2009-05-20 08:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-05-20 08:16 . 2007-05-28 17:00 10240 -c----w- c:\windows\system32\drivers\mdvrmng.sys
2009-05-20 08:16 . 2009-05-20 08:16 -------- dc----w- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-05-20 08:16 . 2009-05-20 08:16 -------- dc----w- c:\program files\3
2009-05-20 07:38 . 2009-05-20 07:39 -------- dc----w- c:\program files\BBC iPlayer Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 16:03 . 2008-11-19 13:52 -------- dc----w- c:\documents and settings\richard\Application Data\Skype
2009-06-12 16:03 . 2008-11-19 13:53 -------- dc----w- c:\documents and settings\richard\Application Data\skypePM
2009-06-12 13:11 . 2008-11-19 17:19 -------- dc----w- c:\documents and settings\richard\Application Data\EndNote
2009-06-12 08:03 . 2008-11-12 18:15 269393 -c--a-w- c:\windows\system32\nvModes.dat
2009-06-11 15:30 . 2008-11-19 13:07 -------- dc----w- c:\program files\Google
2009-06-11 07:42 . 2008-11-18 14:46 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 11:14 . 2008-11-19 15:28 -------- dc----w- c:\documents and settings\richard\Application Data\TextPad
2009-06-06 21:11 . 2008-11-22 21:03 -------- dc----w- c:\documents and settings\richard\Application Data\LimeWire
2009-06-05 07:59 . 2008-11-19 23:09 -------- dc----w- c:\documents and settings\richard\Application Data\Mobile Master
2009-06-05 07:58 . 2008-11-19 23:09 -------- dc----w- c:\program files\Mobile Master
2009-06-05 07:55 . 2008-11-19 23:05 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-31 14:46 . 2008-11-22 21:01 -------- dc----w- c:\program files\Java
2009-05-31 12:37 . 2008-11-22 21:26 -------- dc----w- c:\documents and settings\richard\Application Data\uTorrent
2009-05-28 16:29 . 2009-03-06 21:07 -------- dc----w- c:\program files\Easy DVD Player
2009-05-28 16:27 . 2008-11-19 15:41 -------- dc----w- c:\program files\SmartDraw
2009-05-28 12:51 . 2008-11-12 18:26 69232 -c--a-w- c:\documents and settings\richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 18:35 . 2009-02-18 23:43 -------- dc----w- c:\program files\StartKiller
2009-05-25 18:32 . 2008-11-12 17:18 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-05-25 18:32 . 2008-11-25 12:21 -------- dc----w- c:\program files\Doom 3
2009-05-17 22:52 . 2008-11-12 17:39 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-05-13 05:15 . 2008-04-14 04:00 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-12 20:08 . 2009-05-12 20:08 -------- dc----w- c:\program files\WinDirStat
2009-05-10 21:18 . 2009-05-10 21:16 -------- dc----w- c:\program files\NetLogo 4.0.4
2009-05-10 21:16 . 2009-05-10 21:16 -------- dc-h--w- c:\program files\Zero G Registry
2009-05-10 20:28 . 2009-05-10 20:28 -------- dc----w- c:\program files\GomEncoder
2009-05-10 20:28 . 2009-05-10 20:28 -------- dc----w- c:\program files\CoreAAC
2009-05-10 19:51 . 2009-05-10 19:51 -------- dc----w- c:\documents and settings\richard\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-10 19:51 . 2009-05-10 19:51 -------- dc----w- c:\program files\Common Files\Adobe AIR
2009-05-10 19:50 . 2008-11-19 21:52 -------- dc----w- c:\program files\Kontiki
2009-05-10 19:50 . 2009-05-10 19:51 38208 -c--a-w- c:\documents and settings\richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-10 14:58 . 2008-11-19 16:36 -------- dc----w- c:\program files\DesignWorkshop Lite
2009-05-08 23:49 . 2009-03-06 21:31 -------- dc----w- c:\program files\WinX DVD Player 3.0
2009-05-07 15:32 . 2008-04-14 04:00 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-02 09:48 . 2008-11-18 14:50 -------- dc----w- c:\program files\Microsoft Works
2009-05-02 09:37 . 2009-03-03 21:23 -------- dc----w- c:\program files\DeskSpace
2009-05-02 09:31 . 2009-04-11 22:11 -------- dc----w- c:\program files\Starcraft Shareware(ED)
2009-05-01 21:32 . 2009-05-01 21:32 -------- dc----w- c:\program files\Common Files\PCSuite
2009-05-01 21:32 . 2009-05-01 21:32 -------- dc----w- c:\program files\Common Files\Nokia
2009-05-01 21:32 . 2008-11-19 23:03 -------- dc----w- c:\program files\Nokia
2009-05-01 21:31 . 2009-05-01 21:31 -------- dc----w- c:\program files\PC Connectivity Solution
2009-05-01 21:30 . 2008-11-19 23:02 -------- dc----w- c:\documents and settings\All Users\Application Data\Installations
2009-05-01 21:30 . 2009-05-01 21:30 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-01 21:30 . 2009-05-01 21:30 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-01 21:30 . 2009-05-01 21:30 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-01 21:29 . 2009-05-01 21:30 34396584 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-24 12:39 . 2009-04-24 12:39 -------- dc----w- c:\program files\Common Files\Skype
2009-04-24 12:39 . 2009-04-24 12:39 -------- dc----r- c:\program files\Skype
2009-04-24 12:39 . 2008-11-19 13:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype
2009-04-17 12:26 . 2008-04-14 04:00 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 04:00 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2009-03-16 13:18 . 2009-04-01 21:40 69448 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 13:18 . 2009-04-01 21:40 517448 -c--a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 13:18 . 2009-04-01 21:40 235352 -c--a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 13:18 . 2009-04-01 21:40 22360 -c--a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-01 21:49 . 2009-03-01 21:49 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-31_14.22.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 01:19 . 2007-11-07 01:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-06-12 16:00 . 2009-06-12 16:00 16384 c:\windows\Temp\Perflib_Perfdata_4b8.dat
+ 2008-04-14 04:00 . 2009-06-12 16:05 65482 c:\windows\system32\perfc009.dat
+ 2008-04-14 04:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
- 2008-04-14 04:00 . 2009-03-08 03:33 25600 c:\windows\system32\jsproxy.dll
+ 2009-05-31 14:30 . 2009-06-09 16:03 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-04-14 04:00 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2008-04-14 04:00 . 2009-03-08 03:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-11-18 14:50 . 2009-06-11 07:42 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 90112 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 90112 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 45056 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 45056 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 22528 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 22528 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 30720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 30720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 16384 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 16384 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 34304 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 34304 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-06-05 07:58 . 2009-06-05 07:58 31430 c:\windows\Installer\{5F0E82C8-CB7F-4896-884D-ECD2D876AEB8}\controlPanelIcon.exe
+ 2009-04-02 13:23 . 2009-04-02 13:23 10104 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XLCALL32.DLL
+ 2009-04-03 17:01 . 2009-04-03 17:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNVP.DLL
+ 2009-04-03 16:57 . 2009-04-03 16:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12EXE.EXE
+ 2009-06-11 07:41 . 2009-03-08 03:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll
+ 2009-06-11 07:41 . 2009-03-08 03:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll
+ 2008-11-18 14:15 . 2009-06-11 07:42 3584 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 3584 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 8192 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 8192 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 2560 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 2560 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-04-14 04:00 . 2009-06-12 16:05 426638 c:\windows\system32\perfh009.dat
+ 2008-04-14 04:00 . 2009-04-30 21:22 385536 c:\windows\system32\iedkcs32.dll
- 2008-04-14 04:00 . 2009-03-08 03:32 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 04:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
- 2008-11-12 15:14 . 2009-05-28 12:51 267800 c:\windows\system32\FNTCACHE.DAT
+ 2008-11-12 15:14 . 2009-06-11 07:44 267800 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 04:00 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 04:00 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2008-04-14 04:00 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2008-04-14 04:00 . 2009-04-30 21:22 385536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 04:00 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-14 04:00 . 2009-03-08 03:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2009-05-28 14:32 . 2009-05-28 14:32 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-06-02 16:29 . 2009-06-02 16:29 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 114688 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 114688 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-11-18 14:15 . 2009-06-11 07:42 167936 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-11-18 14:15 . 2009-05-29 10:23 167936 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-04-03 17:11 . 2009-04-03 17:11 408424 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WINWORD.EXE
+ 2009-06-11 07:41 . 2009-03-08 03:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll
+ 2009-06-11 07:41 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll
+ 2009-06-11 07:41 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe
+ 2009-06-11 07:41 . 2009-03-08 03:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll
+ 2009-06-11 07:41 . 2009-03-08 13:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll
+ 2009-06-11 07:41 . 2009-03-08 03:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe
+ 2008-04-14 04:00 . 2009-04-30 21:22 1207808 c:\windows\system32\urlmon.dll
+ 2008-04-14 04:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll
+ 2007-08-13 18:34 . 2009-04-30 21:22 1985024 c:\windows\system32\iertutil.dll
- 2007-08-13 18:34 . 2009-03-08 03:32 1985024 c:\windows\system32\iertutil.dll
+ 2008-04-14 04:00 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2008-04-14 04:00 . 2009-04-30 21:22 1207808 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 04:00 . 2009-05-13 05:15 5936128 c:\windows\system32\dllcache\mshtml.dll
+ 2008-11-19 13:13 . 2009-04-30 21:22 1985024 c:\windows\system32\dllcache\iertutil.dll
- 2008-11-19 13:13 . 2009-03-08 03:32 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2008-11-18 14:50 . 2009-06-11 07:42 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-11-18 14:50 . 2009-06-11 07:42 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-11-18 14:50 . 2009-05-28 14:33 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-03 16:57 . 2009-04-03 16:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12CNV.DLL
+ 2009-06-11 07:41 . 2009-03-08 03:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll
+ 2009-06-11 07:41 . 2009-03-08 03:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll
+ 2009-06-11 07:41 . 2009-03-08 03:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll
+ 2008-11-19 13:12 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
+ 2007-08-13 18:54 . 2009-04-30 21:22 11064832 c:\windows\system32\ieframe.dll
+ 2008-11-19 13:13 . 2009-04-30 21:22 11064832 c:\windows\system32\dllcache\ieframe.dll
+ 2009-04-03 17:01 . 2009-04-03 17:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNV.EXE
+ 2009-04-03 17:11 . 2009-04-03 17:11 17740136 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WWLIB.DLL
+ 2009-04-03 17:11 . 2009-04-03 17:11 18330984 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\EXCEL.EXE
+ 2009-06-11 07:41 . 2009-03-08 03:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 23:13 721408 -c--a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 23:13 721408 -c--a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]
"Google Update"="c:\documents and settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-31 133104]
"MMAgent"="c:\program files\Mobile Master\MMAgent.exe" [2009-05-27 1355776]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM04Mon.exe"="c:\windows\OEM04Mon.exe" [2007-06-11 36864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-01 8466432]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-08-25 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-08-25 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2009-04-28 2045128]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-06-11 30192]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-01 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-01 67584]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-08-01 81920]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
"Run StartupMonitor"="StartupMonitor.exe" - c:\windows\StartupMonitor.exe [2000-05-20 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\richard\Start Menu\Programs\Startup\
Shortcut to map_h.bat.lnk - c:\users\rw\programs\startup\map_h.bat [2008-11-8 37]
TextPad.lnk - c:\program files\TextPad 4\TextPad.exe [2008-11-19 1900544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2009-1-6 266317]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-20 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-04-28 335048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 23:04 86528 -c--a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [06/01/2009 10:53 25300]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [29/05/2009 14:57 34671]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [31/05/2009 18:32 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [31/05/2009 18:32 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [31/05/2009 18:32 29776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/05/2009 15:30 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [31/05/2009 15:52 210216]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [20/05/2009 09:16 10240]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [31/05/2009 18:32 361672]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [27/01/2009 18:49 598856]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [12/11/2008 18:16 141376]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [12/11/2008 18:16 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [12/11/2008 18:16 234720]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [31/05/2009 18:32 3052744]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/06/2009 16:30 30192]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/08/2008 19:56 7680]
S3 vcache;vcache;c:\windows\system32\drivers\vcache.sys [25/03/2009 21:19 46992]
S3 vfilter;vfilter;c:\windows\system32\drivers\vfilter.sys [25/03/2009 21:19 28944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-2025429265-1801674531-1003.job
- c:\documents and settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-31 18:28]

2009-06-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-06-12 c:\windows\Tasks\User_Feed_Synchronization-{E2E50640-E066-4CA5-A1AF-82FBD09C7F42}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbcnews.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-2025429265-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{280DF7DA-9B6D-694A-22F7-119678CD0601}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abhinbmdlmeocdgkkcnpnpcjnnggjfnked"=hex:6a,61,67,68,62,69,70,61,62,6f,65,63,
6b,62,62,67,63,62,64,6c,00,53
"panjppohkhbfhaciifpnjnldjjikmifp"=hex:69,61,6c,68,70,6a,67,6c,6a,69,61,70,6d,
6b,6c,68,61,66,00,00
"abhinbmdlmeocdgkkcnpnpcjnnggifahbb"=hex:69,61,69,68,6f,67,6c,66,6b,62,6e,61,
6c,70,64,6f,6c,61,00,00
"panjppohkhbfhaciifpnjnldjjjkjioo"=hex:69,61,69,68,6f,67,6c,66,6b,62,6e,61,6c,
70,64,6f,6c,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Fingerprint Reader Suite\homepass.dll
c:\program files\Fingerprint Reader Suite\bio.dll
c:\program files\Fingerprint Reader Suite\remote.dll
c:\program files\Fingerprint Reader Suite\crypto.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-12 17:16
ComboFix-quarantined-files.txt 2009-06-12 16:16

Pre-Run: 49,876,729,856 bytes free
Post-Run: 49,393,549,312 bytes free

464 --- E O F --- 2009-06-11 07:42

Attached Files
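The "LOCKED REGISTRY KEYS" block in the log above prints its value data as REGEDIT4-style comma-separated hex bytes, wrapped onto a continuation line, which makes the contents hard to read at a glance. The following Python helper is an added example for readers of this thread; it is not code from the original post, from BleepingComputer, or from ComboFix. It unwraps those continuation lines, decodes each value to bytes, and renders the printable text. The sample block embedded in the code is copied from the log above; the function names and the letter-span check are this example's own additions. Decoded, all four values turn out to be lowercase strings built only from the letters a through p (a 16-symbol alphabet), the same alphabet the value names use; that is an observation about the data, not an identification of any particular malware family.

```python
import re

# Constructed sample: the "LOCKED REGISTRY KEYS" block as ComboFix printed it in
# the log above (REGEDIT4 syntax; a hex value ending in "," continues on the
# next line).
SAMPLE_BLOCK = [
    r"[HKEY_USERS\S-1-5-21-789336058-2025429265-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{280DF7DA-9B6D-694A-22F7-119678CD0601}*]",
    "@Allowed: (Read) (RestrictedCode)",
    "@Allowed: (Read) (RestrictedCode)",
    '"abhinbmdlmeocdgkkcnpnpcjnnggjfnked"=hex:6a,61,67,68,62,69,70,61,62,6f,65,63,',
    "6b,62,62,67,63,62,64,6c,00,53",
    '"panjppohkhbfhaciifpnjnldjjikmifp"=hex:69,61,6c,68,70,6a,67,6c,6a,69,61,70,6d,',
    "6b,6c,68,61,66,00,00",
    '"abhinbmdlmeocdgkkcnpnpcjnnggifahbb"=hex:69,61,69,68,6f,67,6c,66,6b,62,6e,61,',
    "6c,70,64,6f,6c,61,00,00",
    '"panjppohkhbfhaciifpnjnldjjjkjioo"=hex:69,61,69,68,6f,67,6c,66,6b,62,6e,61,6c,',
    "70,64,6f,6c,61,00,00",
]

# "name"=hex:aa,bb,...  (only matched after continuation lines are joined)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex:(?P<data>[0-9a-fA-F,\s]*)$')


def unwrap(lines):
    """Join REGEDIT4 continuation lines: a line ending in ',' continues on the next one."""
    joined = []
    for line in lines:
        if joined and joined[-1].endswith(","):
            joined[-1] += line.strip()
        else:
            joined.append(line.rstrip())
    return joined


def parse_block(lines):
    """Parse one locked-key block into (key_path, {value_name: bytes}).

    Lines that are neither a [key] header nor a "name"=hex: value (for example
    the @Allowed ACL lines ComboFix prints) are ignored.
    """
    key_path = None
    values = {}
    for line in unwrap(lines):
        if line.startswith("[") and line.endswith("]"):
            key_path = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            hex_items = [h for h in m.group("data").replace(" ", "").split(",") if h]
            values[m.group("name")] = bytes(int(h, 16) for h in hex_items)
    return key_path, values


def printable(data):
    """Render bytes as text, escaping anything outside printable ASCII as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in data)


def letter_span(text):
    """(lowest, highest) letter used, to show at a glance how small the alphabet is."""
    letters = sorted({c for c in text if c.isalpha()})
    return (letters[0], letters[-1]) if letters else None


def report(lines):
    """Decode every value in a block; returns [(name, decoded_text, name_letter_span)]."""
    _, values = parse_block(lines)
    return [(name, printable(data), letter_span(name)) for name, data in values.items()]


if __name__ == "__main__":
    key_path, _ = parse_block(SAMPLE_BLOCK)
    print(key_path)
    for name, text, span in report(SAMPLE_BLOCK):
        print(f"  {name} = {text!r}  (value-name alphabet {span})")
```

Run it as a script to print the decoded block; to use it on another ComboFix log, paste the lines between the "LOCKED REGISTRY KEYS" header and the next "." separator into the list. The decoder does not judge whether a value is malicious; it only makes the bytes readable so that a helper reviewing the log can see what is actually stored under the key before deciding, as Renato does later in this thread, to clear it with a RegNull:: script.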



#6 RenatoMejias (Malware Response Team, 913 posts)

Posted 12 June 2009 - 02:41 PM

Hi Richard,

Try to find the file below:

C:\Qoobox\ComboFix1.txt

If you find it, please post the content of this file for further review; if you don't find it, just let me know.

Thanks.
Renato Victor Mejias
Malware help in Portuguese

#7 RichardWhite321 (Topic Starter, Members, 7 posts)

Posted 12 June 2009 - 05:33 PM

Hi,

I could not find that file, but that directory does exist - I have attached the entire directory as a zip file just in case it helps.

Many thanks, Richard

Attached Files



#8 RenatoMejias (Malware Response Team, 913 posts)

Posted 13 June 2009 - 03:03 PM

Hi Richard,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RegNull::

[HKEY_USERS\S-1-5-21-789336058-2025429265-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{280DF7DA-9B6D-694A-22F7-119678CD0601}*]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also,

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in Portuguese

#9 RichardWhite321 (Topic Starter, Members, 7 posts)

Posted 14 June 2009 - 02:27 AM

Dear Renato,

Here are the two files you requested.

Many thanks, Richard

****

ComboFix 09-06-11.06 - richard 13/06/2009 22:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2927 [GMT 1:00]
Running from: c:\documents and settings\richard\Desktop\Richard.exe
Command switches used :: c:\documents and settings\richard\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-12 22:49 . 2009-06-12 22:49 -------- dc----w- c:\program files\Channel4
2009-06-12 22:49 . 2009-06-12 22:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-12 22:48 . 2009-06-12 22:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Channel4
2009-06-12 22:28 . 2009-06-12 22:28 267788 -c--a-w- C:\Qoobox.zip
2009-06-12 15:55 . 2009-06-12 16:00 -------- dcs---w- C:\ComboFix.t.x
2009-06-10 08:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 08:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-05 07:58 . 2009-06-05 07:58 -------- dc----w- c:\program files\Common Files\Jumping Bytes
2009-06-05 07:54 . 2009-06-05 07:54 -------- dc----w- c:\documents and settings\LocalService\Bluetooth Software
2009-06-03 10:23 . 2009-06-03 10:23 -------- dc----w- c:\program files\R
2009-06-01 12:00 . 2009-06-04 14:33 -------- dc----w- c:\program files\Stata8_2
2009-05-31 19:52 . 2009-05-31 19:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-31 17:32 . 2009-05-31 17:32 -------- dc----w- c:\documents and settings\richard\Application Data\OnlineArmor
2009-05-31 17:32 . 2009-05-31 17:32 -------- dc----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-05-31 17:32 . 2009-04-28 04:38 29776 -c--a-w- c:\windows\system32\drivers\OAnet.sys
2009-05-31 17:32 . 2009-04-28 04:02 31824 -c--a-w- c:\windows\system32\drivers\OAmon.sys
2009-05-31 17:32 . 2009-04-28 04:01 198224 -c--a-w- c:\windows\system32\drivers\OADriver.sys
2009-05-31 17:32 . 2009-05-31 17:53 -------- dc----w- c:\program files\Online Armor
2009-05-31 14:54 . 2009-05-31 14:54 -------- dc----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 14:53 . 2009-05-31 17:48 -------- dc----w- c:\program files\SpywareBlaster
2009-05-31 14:53 . 2009-05-31 14:53 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-05-31 14:52 . 2009-06-12 22:20 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\program files\Common Files\McAfee
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-05-31 14:52 . 2009-05-31 17:51 -------- dc----w- c:\program files\McAfee
2009-05-31 14:52 . 2009-05-31 14:52 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-31 14:30 . 2009-03-30 09:33 96104 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-31 14:30 . 2009-02-13 11:29 22360 -c--a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-31 14:30 . 2009-02-13 11:17 45416 -c--a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-31 14:30 . 2009-05-31 14:30 -------- dc----w- c:\program files\Avira
2009-05-31 14:30 . 2009-05-31 14:30 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-31 13:30 . 2009-05-31 13:44 -------- dc----w- c:\program files\Browser Hijack Recover
2009-05-31 12:41 . 2009-05-31 13:43 218736 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\patch.exe
2009-05-31 12:41 . 2009-05-31 13:43 189968 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\ciussi32.dll
2009-05-31 12:41 . 2009-05-31 13:43 170512 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\PATCHW32.DLL
2009-05-31 12:41 . 2009-05-31 13:43 1267320 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\TmUpdate.dll
2009-05-31 12:40 . 2009-05-31 13:43 832776 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\lea.dll
2009-05-31 12:40 . 2009-05-31 13:43 61440 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\Toolkit.dll
2009-05-31 12:40 . 2009-05-31 13:43 439560 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\jlea.dll
2009-05-31 12:40 . 2009-05-31 13:43 42320 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\dsvout.dll
2009-05-31 12:40 . 2009-05-31 13:43 183356 -c--a-w- c:\documents and settings\richard\Application Data\HouseCall 6.6\Uninstaller.exe
2009-05-31 12:40 . 2009-05-31 13:43 -------- dc----w- c:\documents and settings\richard\Application Data\HouseCall 6.6
2009-05-30 14:22 . 2009-06-10 08:32 -------- dc----w- c:\documents and settings\richard\Application Data\Spotify
2009-05-30 14:22 . 2009-05-30 14:23 -------- dc----w- c:\documents and settings\richard\Local Settings\Application Data\Spotify
2009-05-30 14:22 . 2009-05-30 14:22 -------- dc----w- c:\program files\Spotify
2009-05-29 22:32 . 2009-06-06 21:11 -------- dc----w- c:\temp\admin
2009-05-29 13:57 . 2008-08-27 07:59 1209616 -c--a-w- c:\windows\system32\nipplib.dll
2009-05-29 13:57 . 2008-08-25 13:29 36864 -c--a-w- c:\windows\system32\icapture.exe
2009-05-29 13:57 . 2008-08-25 13:29 34671 -c--a-w- c:\windows\system32\drivers\nipplpt.sys
2009-05-29 13:57 . 2008-08-25 13:28 49152 -c--a-w- c:\windows\system32\nipplpte.exe
2009-05-29 13:57 . 2008-08-25 13:28 45056 -c--a-w- c:\windows\system32\iprntlgn.exe
2009-05-29 13:57 . 2008-08-25 13:27 40960 -c--a-w- c:\windows\system32\iprntctl.exe
2009-05-29 13:57 . 2008-08-25 13:27 61440 -c--a-w- c:\windows\system32\iprntcmd.exe
2009-05-29 13:57 . 2008-08-25 13:27 40960 -c--a-w- c:\windows\system32\iprntcfg.exe
2009-05-29 13:57 . 2008-08-25 13:27 32768 -c--a-w- c:\windows\system32\nipplgex.dll
2009-05-29 13:57 . 2008-08-25 13:26 53248 -c--a-w- c:\windows\system32\nippcl32.dll
2009-05-29 13:57 . 2008-08-25 13:24 110592 -c--a-w- c:\windows\system32\nippnt.dll
2009-05-29 13:57 . 2008-08-25 13:23 69632 -c--a-w- c:\windows\system32\nipp95.dll
2009-05-28 14:49 . 2009-03-24 15:08 55640 -c--a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-28 13:46 . 2009-05-28 13:46 -------- dc----w- c:\documents and settings\richard\Application Data\Malwarebytes
2009-05-28 13:46 . 2009-05-26 12:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 13:45 . 2009-05-28 13:46 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 13:45 . 2009-05-28 13:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 13:45 . 2009-05-26 12:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 13:02 . 2009-05-28 13:03 -------- dc----w- c:\documents and settings\richard\Local Settings\Application Data\Deployment
2009-05-27 21:46 . 2009-05-27 22:14 -------- dc----w- c:\program files\EqPlot
2009-05-25 14:01 . 2009-05-25 14:02 2514315 -c--a-w- c:\temp\winscp419setup.exe
2009-05-24 21:09 . 2009-05-24 21:09 -------- dc----w- C:\spoolerlogs
2009-05-23 13:43 . 2009-05-23 13:43 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 11:30 . 2009-05-25 15:55 -------- dc----w- c:\temp\2v473cr2_test
2009-05-23 07:33 . 2009-05-23 16:50 -------- dc----w- c:\temp\vX.xx_2
2009-05-23 07:33 . 2009-05-23 07:33 -------- dc----w- c:\temp\vX.xx
2009-05-22 15:16 . 2009-05-22 15:16 -------- dc----w- c:\temp\2v473Cr2
2009-05-22 09:43 . 2009-05-27 22:21 -------- dc----w- c:\temp\HPC
2009-05-21 10:48 . 2009-05-21 10:48 -------- dc----w- c:\program files\WinSCP
2009-05-21 08:56 . 2009-05-21 08:56 -------- dc----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-20 08:35 . 2009-05-20 08:35 152576 -c--a-w- c:\documents and settings\richard\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 08:26 . 2009-05-20 08:26 162768 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-20 08:21 . 2009-05-20 08:24 12337480 -c--a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3UK_2.7.0.77_AUP_ZTE.exe
2009-05-20 08:17 . 2009-05-20 08:17 -------- dc----w- c:\documents and settings\richard\Application Data\Birdstep Technology
2009-05-20 08:17 . 2009-05-20 08:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-05-20 08:16 . 2007-05-28 17:00 10240 -c----w- c:\windows\system32\drivers\mdvrmng.sys
2009-05-20 08:16 . 2009-05-20 08:16 -------- dc----w- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-05-20 08:16 . 2009-05-20 08:16 -------- dc----w- c:\program files\3
2009-05-20 07:38 . 2009-05-20 07:39 -------- dc----w- c:\program files\BBC iPlayer Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 21:49 . 2008-11-19 13:52 -------- dc----w- c:\documents and settings\richard\Application Data\Skype
2009-06-13 18:12 . 2008-11-19 17:19 -------- dc----w- c:\documents and settings\richard\Application Data\EndNote
2009-06-13 17:06 . 2008-11-19 13:53 -------- dc----w- c:\documents and settings\richard\Application Data\skypePM
2009-06-13 12:45 . 2008-11-12 18:15 269369 -c--a-w- c:\windows\system32\nvModes.dat
2009-06-12 22:49 . 2008-11-19 21:52 -------- dc----w- c:\program files\Kontiki
2009-06-11 15:30 . 2008-11-19 13:07 -------- dc----w- c:\program files\Google
2009-06-11 07:42 . 2008-11-18 14:46 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 11:14 . 2008-11-19 15:28 -------- dc----w- c:\documents and settings\richard\Application Data\TextPad
2009-06-06 21:11 . 2008-11-22 21:03 -------- dc----w- c:\documents and settings\richard\Application Data\LimeWire
2009-06-05 07:59 . 2008-11-19 23:09 -------- dc----w- c:\documents and settings\richard\Application Data\Mobile Master
2009-06-05 07:58 . 2008-11-19 23:09 -------- dc----w- c:\program files\Mobile Master
2009-06-05 07:55 . 2008-11-19 23:05 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-31 14:46 . 2008-11-22 21:01 -------- dc----w- c:\program files\Java
2009-05-31 12:37 . 2008-11-22 21:26 -------- dc----w- c:\documents and settings\richard\Application Data\uTorrent
2009-05-28 16:29 . 2009-03-06 21:07 -------- dc----w- c:\program files\Easy DVD Player
2009-05-28 16:27 . 2008-11-19 15:41 -------- dc----w- c:\program files\SmartDraw
2009-05-28 12:51 . 2008-11-12 18:26 69232 -c--a-w- c:\documents and settings\richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 18:35 . 2009-02-18 23:43 -------- dc----w- c:\program files\StartKiller
2009-05-25 18:32 . 2008-11-12 17:18 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-05-25 18:32 . 2008-11-25 12:21 -------- dc----w- c:\program files\Doom 3
2009-05-17 22:52 . 2008-11-12 17:39 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-05-13 05:15 . 2008-04-14 04:00 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-12 20:08 . 2009-05-12 20:08 -------- dc----w- c:\program files\WinDirStat
2009-05-10 21:18 . 2009-05-10 21:16 -------- dc----w- c:\program files\NetLogo 4.0.4
2009-05-10 21:16 . 2009-05-10 21:16 -------- dc-h--w- c:\program files\Zero G Registry
2009-05-10 20:28 . 2009-05-10 20:28 -------- dc----w- c:\program files\GomEncoder
2009-05-10 20:28 . 2009-05-10 20:28 -------- dc----w- c:\program files\CoreAAC
2009-05-10 19:51 . 2009-05-10 19:51 -------- dc----w- c:\documents and settings\richard\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-10 19:51 . 2009-05-10 19:51 -------- dc----w- c:\program files\Common Files\Adobe AIR
2009-05-10 19:50 . 2009-05-10 19:51 38208 -c--a-w- c:\documents and settings\richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-10 14:58 . 2008-11-19 16:36 -------- dc----w- c:\program files\DesignWorkshop Lite
2009-05-08 23:49 . 2009-03-06 21:31 -------- dc----w- c:\program files\WinX DVD Player 3.0
2009-05-07 15:32 . 2008-04-14 04:00 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-02 09:48 . 2008-11-18 14:50 -------- dc----w- c:\program files\Microsoft Works
2009-05-02 09:37 . 2009-03-03 21:23 -------- dc----w- c:\program files\DeskSpace
2009-05-02 09:31 . 2009-04-11 22:11 -------- dc----w- c:\program files\Starcraft Shareware(ED)
2009-05-01 21:32 . 2009-05-01 21:32 -------- dc----w- c:\program files\Common Files\PCSuite
2009-05-01 21:32 . 2009-05-01 21:32 -------- dc----w- c:\program files\Common Files\Nokia
2009-05-01 21:32 . 2008-11-19 23:03 -------- dc----w- c:\program files\Nokia
2009-05-01 21:31 . 2009-05-01 21:31 -------- dc----w- c:\program files\PC Connectivity Solution
2009-05-01 21:30 . 2008-11-19 23:02 -------- dc----w- c:\documents and settings\All Users\Application Data\Installations
2009-05-01 21:30 . 2009-05-01 21:30 8192 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-01 21:30 . 2009-05-01 21:30 61440 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-01 21:30 . 2009-05-01 21:30 10240 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-01 21:29 . 2009-05-01 21:30 34396584 -c--a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-04-24 12:39 . 2009-04-24 12:39 -------- dc----w- c:\program files\Common Files\Skype
2009-04-24 12:39 . 2009-04-24 12:39 -------- dc----r- c:\program files\Skype
2009-04-24 12:39 . 2008-11-19 13:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype
2009-04-17 12:26 . 2008-04-14 04:00 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 04:00 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2009-03-16 13:18 . 2009-04-01 21:40 69448 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 13:18 . 2009-04-01 21:40 517448 -c--a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 13:18 . 2009-04-01 21:40 235352 -c--a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 13:18 . 2009-04-01 21:40 22360 -c--a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-01 21:49 . 2009-03-01 21:49 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-06-12_16.14.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-13 20:40 . 2009-06-13 20:40 16384 c:\windows\Temp\Perflib_Perfdata_8f4.dat
- 2008-04-14 04:00 . 2009-06-12 16:05 65482 c:\windows\system32\perfc009.dat
+ 2008-04-14 04:00 . 2009-06-13 20:44 65482 c:\windows\system32\perfc009.dat
+ 2008-04-14 04:00 . 2009-06-13 20:44 426638 c:\windows\system32\perfh009.dat
- 2008-04-14 04:00 . 2009-06-12 16:05 426638 c:\windows\system32\perfh009.dat
+ 2007-06-11 12:04 . 2007-06-11 12:04 190696 c:\windows\system32\Macromed\Flash\FlashUtil9d.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 -c--a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 23:13 721408 -c--a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 23:13 721408 -c--a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]
"Google Update"="c:\documents and settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-31 133104]
"MMAgent"="c:\program files\Mobile Master\MMAgent.exe" [2009-05-27 1355776]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM04Mon.exe"="c:\windows\OEM04Mon.exe" [2007-06-11 36864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-01 8466432]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-08-25 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-08-25 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2009-04-28 2045128]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-06-11 30192]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-01 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-01 67584]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-08-01 81920]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
"Run StartupMonitor"="StartupMonitor.exe" - c:\windows\StartupMonitor.exe [2000-05-20 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\richard\Start Menu\Programs\Startup\
Shortcut to map_h.bat.lnk - c:\users\rw\programs\startup\map_h.bat [2008-11-8 37]
TextPad.lnk - c:\program files\TextPad 4\TextPad.exe [2008-11-19 1900544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2009-1-6 266317]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-20 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-04-28 335048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 23:04 86528 -c--a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [06/01/2009 10:53 25300]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [29/05/2009 14:57 34671]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [31/05/2009 18:32 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [31/05/2009 18:32 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [31/05/2009 18:32 29776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/05/2009 15:30 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [31/05/2009 15:52 210216]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [20/05/2009 09:16 10240]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [31/05/2009 18:32 361672]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [31/05/2009 18:32 3052744]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [27/01/2009 18:49 598856]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [12/11/2008 18:16 141376]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [12/11/2008 18:16 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [12/11/2008 18:16 234720]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/06/2009 16:30 30192]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/08/2008 19:56 7680]
S3 vcache;vcache;c:\windows\system32\drivers\vcache.sys [25/03/2009 21:19 46992]
S3 vfilter;vfilter;c:\windows\system32\drivers\vfilter.sys [25/03/2009 21:19 28944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-2025429265-1801674531-1003.job
- c:\documents and settings\richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-31 18:28]

2009-06-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-06-13 c:\windows\Tasks\User_Feed_Synchronization-{E2E50640-E066-4CA5-A1AF-82FBD09C7F42}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbcnews.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 22:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Fingerprint Reader Suite\homepass.dll
c:\program files\Fingerprint Reader Suite\bio.dll
c:\program files\Fingerprint Reader Suite\remote.dll
c:\program files\Fingerprint Reader Suite\crypto.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(1560)
c:\windows\system32\WININET.dll
c:\program files\Online Armor\OAwatch.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 23:02
ComboFix-quarantined-files.txt 2009-06-13 22:02

Pre-Run: 49,106,165,760 bytes free
Post-Run: 49,092,091,904 bytes free

354 --- E O F --- 2009-06-11 07:42

***********

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 13, 2009 23:41:31
Records in database: 2340433
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 391703
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:04:54


File name / Threat name / Threats count
C:\users\rw\programs\condor\from paul c\CondorArchive.zip Infected: not-a-virus:NetTool.Win32.Calc-DNet.f 1
C:\users\rw\programs\condor\from tini\Condor_examples.zip Infected: not-a-virus:NetTool.Win32.Calc-DNet.f 1

The selected area was scanned.

#10 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 14 June 2009 - 11:42 AM

Hi Richard,

Please, delete the files below:

C:\users\rw\programs\condor\from paul c\CondorArchive.zip
C:\users\rw\programs\condor\from tini\Condor_examples.zip

Let's check your hosts file to see if there are any modifications.

Go to Start > Run and type this:

notepad "%windir%\system32\drivers\etc\hosts"

A Notepad window will pop up; copy and paste the content of this file in your next reply.

Thanks.
Renato Victor Mejias
Malware help in Portuguese

#11 RichardWhite321

RichardWhite321
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 14 June 2009 - 12:59 PM

Hi,

I've deleted both files and here is the hosts file contents:

Many thanks,

Richard

***

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 mozilla.com
127.0.0.1 www.mozilla.com
127.0.0.1 firefox.com
127.0.0.1 www.firefox.com
127.0.0.1 www.firefox2.com
127.0.0.1 firefox2.com
127.0.0.1 download.mozilla.com
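A way to automate the hosts-file check Renato asked for, run over the file Richard posted above (added example, not part of the original thread; the set of names a default hosts file maps to the loopback address is an assumption):

```python
"""Flag HOSTS-file entries that a clean default Windows install would not have."""
import ipaddress

# Assumption: the only names a default hosts file maps to a loopback address.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the HOSTS file content quoted in the thread above,
# with a couple of the stock Microsoft comment lines kept to exercise the parser.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1 localhost
127.0.0.1 mozilla.com
127.0.0.1 www.mozilla.com
127.0.0.1 firefox.com
127.0.0.1 www.firefox.com
127.0.0.1 www.firefox2.com
127.0.0.1 firefox2.com
127.0.0.1 download.mozilla.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in the file.

    Comments (anything after '#') and blank lines are skipped; one IP may be
    followed by several host names on the same line, as the format allows.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: not a mapping line
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def suspicious_entries(text):
    """Return mappings that a clean default file would not contain.

    Two patterns are flagged:
      * "sinkholed": a public-looking name pinned to a loopback/unspecified
        address, so the machine can no longer reach that site (this is what
        the file above does to the Mozilla/Firefox download sites);
      * "hijacked": a name pinned to any other address, so the site is
        silently served from somewhere the user did not choose.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            if name not in DEFAULT_LOOPBACK_NAMES:
                findings.append(("sinkholed", ip, name, line_no))
        else:
            findings.append(("hijacked", ip, name, line_no))
    return findings


def sinkholed_domains(text):
    """Just the host names that have been sinkholed, sorted for reporting."""
    return sorted({name for kind, _ip, name, _ln in suspicious_entries(text)
                   if kind == "sinkholed"})


if __name__ == "__main__":
    for kind, ip, name, line_no in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {ip:15} {name}")
```

Point the script at a real file by reading `%windir%\system32\drivers\etc\hosts` into `text`; an empty result means only the default loopback names are present.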

#12 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 17 June 2009 - 10:57 AM

Hi Richard, sorry for the delay.

Is Google still redirecting you to bad sites?
Renato Victor Mejias
Malware help in Portuguese

#13 RichardWhite321

RichardWhite321
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 17 June 2009 - 01:13 PM

Hi Renato,

No problem at all - I appreciate you are a volunteer!

No, I just tried it for 3 searches and 10 different links per search and they all took me to the right place!

It's wonderful.

Many thanks, indeed - I will certainly donate when we are all done!

Is there anything else I need to do?

Many thanks, Richard

#14 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 17 June 2009 - 01:59 PM

Hi Richard,

No problem at all - I appreciate you are a volunteer!

No, I just tried it for 3 searches and 10 different links per search and they all took me to the right place!

It's wonderful.


Sounds good :cool:

Many thanks, indeed - I will certainly donate when we are all done!


You can donate to Bleeping Computer or to the ComboFix author if you wish; personally, I don't accept donations.

Is there anything else I need to do?


Nice work :thumbup2:

Let's wrap it up.................

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
**********

Congratulations! You now appear clean! :)

**********

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
**********

Uninstall Combofix
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK.
    Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
**********

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
  • If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
**********

System Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

**********

Do you have any more questions?

Regards,
Renato Victor Mejias
Malware help in Portuguese

#15 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:46 PM

Posted 24 June 2009 - 09:19 PM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Renato Victor Mejias
Malware help in Portuguese
