Google search redirected to seekfor.info website


  • This topic is locked
9 replies to this topic

#1 pranav

pranav

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 26 June 2009 - 03:15 PM

When I search for a topic on Google and click on one of the resulting links, it takes a long time to bring back a result and finally takes me to a "seekfor.info" website, which in turn takes me to some website other than the intended one. Please help. Below is the HJT log. I have tried Malwarebytes already; no use so far.


================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:51 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SAP_WUS_UNT] "C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Arucer] rundll32 C:\WINDOWS\system32\Arucer.dll,Arucer
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: ad.msu.edu
O15 - Trusted Zone: ais.msu.edu
O15 - Trusted Zone: *.msu.edu
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230045815828
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://access.ais.msu.edu/dana-cached/sc/J...SetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\Software\..\Telephony: DomainName = ais.ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{138F9DE7-451F-45FF-B5A0-A2272C96A4CB}: Domain = ais.ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{138F9DE7-451F-45FF-B5A0-A2272C96A4CB}: NameServer = 35.8.113.201,35.8.113.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAPSetup Automatic Workstation Update Service (NWSAPAutoWorkstationUpdateSvc) - SAP AG - C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13675 bytes
===============================================================================
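As an added example (not a tool from this thread or from Trend Micro), here is a small Python parser for the HijackThis log format posted above, with the first-pass triage checks a helper applies to O4, O17, O20 and O23 entries. The sample lines are copied from the posted log; the parsing regex and the triage rules are my own assumptions, and a hit means "verify this", not "this is malicious".

```python
"""Parse a HijackThis (HJT) log and flag the entries a malware-response helper
looks at first.  Added example; not part of the forum thread's tools."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log posted above,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [Arucer] rundll32 C:\WINDOWS\system32\Arucer.dll,Arucer
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{138F9DE7-451F-45FF-B5A0-A2272C96A4CB}: NameServer = 35.8.113.201,35.8.113.202
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Every HJT finding line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
# The running-process list and the header/footer do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str    # section code: R0-R3, F0-F3, N1-N4, O1-O24
    detail: str  # everything after the " - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the finding lines of an HJT log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("detail")))
    return entries


def count_by_code(entries: list[Entry]) -> dict[str, int]:
    """How many entries each section code contributed (quick overview of a log)."""
    return dict(Counter(e.code for e in entries))


def dns_servers(entries: list[Entry]) -> list[str]:
    """Name servers from O17 entries.  A search redirect is often DNS-driven, so
    these are confirmed against what the network operator actually uses."""
    servers = []
    for e in entries:
        if e.code == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", e.detail)
            if m:
                servers.extend(m.group(1).split(","))
    return servers


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """First-pass heuristics (my own, not HJT's): each hit is (entry text, reason)."""
    hits = []
    for e in entries:
        line = f"{e.code} - {e.detail}"
        if e.code == "O4" and re.search(r"rundll32\b.*\\system32\\", e.detail, re.I):
            hits.append((line, "Run key starts a DLL through rundll32 from system32; confirm the DLL's publisher"))
        elif e.code == "O17" and "NameServer" in e.detail:
            hits.append((line, "DNS servers are set in the registry; confirm they belong to the expected network"))
        elif e.code == "O20" and e.detail.startswith("AppInit_DLLs:"):
            hits.append((line, "AppInit_DLLs is loaded into every GUI process; confirm the vendor"))
        elif e.code == "O23" and "Unknown owner" in e.detail:
            hits.append((line, "service binary carries no publisher information"))
    return hits


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(count_by_code(found))
    for text, why in triage(found):
        print(f"[{why}]\n    {text}")
```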

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:11 PM

Posted 27 June 2009 - 01:04 PM

Hello pranav,


I see you've been a member here for quite some time, but since this is your first post I'd say a welcome was in order.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not click ComboFix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to fluffybunny.exe and try it again. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 pranav

pranav
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 27 June 2009 - 11:18 PM

Hello,

Thank you so much for your help! I have installed ComboFix, and below is the log it generated (frankly, the disclaimer about the installation was scary, but I took the leap).


============================================================================
ComboFix 09-06-26.02 - prabhs 06/27/2009 23:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2941 [GMT -4:00]
Running from: c:\documents and settings\prabhs\Desktop\Desktop\software\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\syrdvrrg.dll

----- BITS: Possible infected sites -----

hxxp://mothership
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USBDRIVER
-------\Service_USBDriver


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-27 00:40 . 2009-06-27 00:40 -------- d-sh--w- c:\documents and settings\prabhs\IECompatCache
2009-06-27 00:40 . 2009-06-27 00:40 -------- d-sh--w- c:\documents and settings\prabhs\PrivacIE
2009-06-27 00:37 . 2009-06-27 00:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-27 00:35 . 2009-06-27 00:35 -------- d-sh--w- c:\documents and settings\prabhs\IETldCache
2009-06-27 00:35 . 2009-06-27 00:35 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-26 19:40 . 2009-06-26 19:40 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:10 . 2009-06-26 19:10 -------- d-----w- c:\windows\ie8updates
2009-06-26 19:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 19:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 19:06 . 2009-06-26 19:09 -------- dc-h--w- c:\windows\ie8
2009-06-26 18:02 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 18:02 . 2009-06-26 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 18:02 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 00:06 . 2009-06-26 23:15 1078 ----a-w- c:\windows\system32\syrdvrrg.dat
2009-06-25 21:37 . 2009-06-25 21:37 -------- d-----w- c:\documents and settings\prabhs\Application Data\Research In Motion
2009-06-25 20:19 . 2009-06-25 20:19 1153 ----a-w- c:\windows\system32\sgompynk.dat
2009-06-25 04:14 . 2009-06-25 04:14 106297 ----a-w- c:\windows\system32\sgompynk.dll
2009-06-24 20:41 . 2009-06-25 17:20 1158 ----a-w- c:\windows\system32\myykeajk.dat
2009-06-24 20:40 . 2009-06-24 20:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2009-06-24 13:18 . 2009-06-24 13:18 -------- d-----w- c:\documents and settings\prabhs\Application Data\Windows Search
2009-06-24 03:18 . 2009-06-24 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Roxio
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-24 03:15 . 2007-01-18 14:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-06-24 03:14 . 2009-06-25 21:56 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-24 03:14 . 2009-06-24 03:14 -------- d-----w- c:\program files\Research In Motion
2009-06-24 02:37 . 2009-06-24 02:37 -------- d-----w- c:\documents and settings\prabhs\Application Data\vlc
2009-06-24 02:36 . 2009-06-24 02:36 -------- d-----w- c:\program files\VideoLAN
2009-06-24 00:28 . 2009-06-24 00:29 -------- d-----w- c:\documents and settings\prabhs\Application Data\TeamViewer
2009-06-24 00:28 . 2009-06-24 00:28 -------- d-----w- c:\program files\TeamViewer
2009-06-24 00:27 . 2009-06-24 00:27 -------- d-----w- c:\documents and settings\prabhs\temp
2009-06-24 00:25 . 2009-03-11 17:10 398632 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2009-06-24 00:25 . 2009-03-11 17:10 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-06-24 00:24 . 2009-06-24 00:24 161632 ----a-w- c:\documents and settings\prabhs\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-06-24 00:24 . 2009-06-24 00:25 -------- d-----w- c:\program files\Juniper Networks
2009-06-24 00:24 . 2009-06-24 00:24 36939 ----a-w- c:\documents and settings\prabhs\Application Data\Juniper Networks\setup\uninstall.exe
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-----w- c:\documents and settings\prabhs\Application Data\Juniper Networks
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-06-24 00:21 . 2009-06-24 00:21 -------- d-----w- c:\documents and settings\prabhs\Application Data\IDMComp
2009-06-24 00:19 . 2009-06-24 00:21 -------- d-----w- c:\program files\IDM Computer Solutions
2009-06-24 00:18 . 2009-06-24 00:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 00:17 . 2007-05-10 12:58 28672 ----a-w- c:\windows\system32\Arucer.dll
2009-06-24 00:17 . 2009-06-24 00:17 -------- d-----w- c:\program files\Energizer UsbCharger
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\program files\Yahoo!
2009-06-23 20:10 . 2009-06-23 20:10 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Microsoft Help
2009-06-23 20:03 . 2009-06-23 20:03 -------- d-----w- c:\program files\MSXML 4.0
2009-06-23 18:56 . 2009-06-23 18:56 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\IsolatedStorage
2009-06-23 18:46 . 2009-06-24 04:14 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Adobe
2009-06-23 18:39 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-23 18:35 . 2009-06-23 18:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 18:35 . 2009-06-23 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-23 18:32 . 2009-06-23 18:32 -------- d-----w- c:\documents and settings\prabhs\Application Data\Malwarebytes
2009-06-23 18:32 . 2009-06-23 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 18:30 . 2009-06-24 20:41 108343 ----a-w- c:\windows\system32\myykeajk.dll
2009-06-23 18:27 . 2009-06-23 18:27 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Google
2009-06-23 18:27 . 2009-06-23 18:27 -------- d-----w- c:\program files\Google
2009-06-23 18:19 . 2009-06-23 18:21 -------- d-----w- C:\Data
2009-06-23 18:18 . 2009-06-23 18:18 -------- d-----w- C:\Tempo
2009-06-23 18:16 . 2009-06-25 12:50 -------- d-----w- c:\program files\zentw
2009-06-23 18:04 . 2008-10-08 10:18 946176 ----a-w- c:\windows\system32\icuuc34.dll
2009-06-23 18:04 . 2008-10-08 10:18 843776 ----a-w- c:\windows\system32\icuin34.dll
2009-06-23 18:04 . 2008-10-08 10:18 8847360 ----a-w- c:\windows\system32\icudt34.dll
2009-06-23 18:04 . 2008-10-08 10:18 102400 ----a-w- c:\windows\system32\libsapu16vc80.dll
2009-06-23 18:04 . 2008-10-08 10:18 4382720 ----a-w- c:\windows\system32\librfc32u.dll
2009-06-23 18:04 . 2008-10-08 10:18 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-06-23 18:04 . 2008-10-08 10:18 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-06-23 18:04 . 2008-10-08 10:18 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-06-23 18:04 . 2008-10-08 10:18 89360 ----a-w- c:\windows\system32\Vb5db.dll
2009-06-23 18:04 . 2008-10-08 10:18 368912 ----a-w- c:\windows\system32\Vbar332.dll
2009-06-23 18:04 . 2008-10-08 10:18 253952 ----a-w- c:\windows\system32\vrfc32.dll
2009-06-23 18:04 . 2008-06-12 05:53 415504 ----a-w- c:\windows\system32\msrepl35.dll
2009-06-23 18:03 . 1995-08-15 21:38 721168 ----a-w- c:\windows\system32\vb40032.dll
2009-06-23 18:02 . 2009-06-23 18:02 -------- d-----w- c:\program files\Common Files\ESRI
2009-06-23 18:02 . 2008-10-08 10:18 1228800 ----a-w- c:\windows\system32\wdba.dll
2009-06-23 17:59 . 2009-06-27 17:05 -------- d-----w- c:\documents and settings\prabhs\SapWorkDir
2009-06-23 17:59 . 2008-06-12 05:52 95744 ----a-w- c:\windows\system32\h5rtf32.dll
2009-06-23 17:59 . 2008-06-12 05:52 51200 ----a-w- c:\windows\system32\h5tool32.dll
2009-06-23 17:59 . 2008-06-12 05:52 175616 ----a-w- c:\windows\system32\h5menu32.dll
2009-06-23 17:59 . 2008-06-12 05:52 188928 ----a-w- c:\windows\system32\h5icon32.dll
2009-06-23 17:59 . 2008-06-12 05:52 114688 ----a-w- c:\windows\system32\h5dlg32.dll
2009-06-23 17:59 . 2008-06-12 05:52 1064960 ----a-w- c:\windows\system32\h5krnl32.dll
2009-06-23 17:58 . 2008-10-08 10:18 1654784 ----a-w- c:\windows\system32\SAPbtmp.dll
2009-06-23 17:58 . 2009-06-23 18:01 -------- d-----w- c:\program files\Common Files\SAP Shared
2009-06-23 17:58 . 1998-06-18 09:58 94208 ----a-w- c:\windows\system32\msstkprp.dll
2009-06-23 17:58 . 1998-06-18 03:49 153600 ----a-w- c:\windows\system32\tlbinf32.dll
2009-06-23 17:58 . 1999-01-21 19:56 15872 ----a-w- c:\windows\system32\vtssm32.dll
2009-06-23 17:58 . 1999-01-21 19:56 533504 ----a-w- c:\windows\system32\vtssdl32.dll
2009-06-23 17:58 . 1995-06-21 06:15 640512 ----a-w- c:\windows\system32\oc30.dll
2009-06-23 17:58 . 1995-05-19 06:15 133904 ----a-w- c:\windows\system32\mfcans32.dll
2009-06-23 17:58 . 2008-10-08 10:18 3817472 ----a-w- c:\windows\system32\librfc32.dll
2009-06-23 17:44 . 2009-06-23 18:02 -------- d-----w- c:\program files\SAP
2009-06-23 17:39 . 2009-06-23 17:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-23 17:26 . 2009-06-24 17:22 86760 ----a-w- c:\documents and settings\prabhs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 17:26 . 2009-06-23 17:26 -------- d-----w- c:\documents and settings\prabhs\Application Data\Dell
2009-06-23 17:17 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-23 17:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-23 17:17 . 2008-04-13 17:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-23 17:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-06-23 17:17 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-23 17:17 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-23 14:45 . 2009-06-23 14:45 -------- d-----w- c:\windows\system32\KB905474
2009-06-23 14:45 . 2009-03-11 02:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-06-23 14:45 . 2009-03-11 02:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-23 14:20 . 2009-06-23 14:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-23 14:19 . 2009-06-23 14:19 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\X86\kl1.sys
2009-06-23 14:19 . 2009-06-23 14:19 715280 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\updater.dll
2009-06-23 14:19 . 2009-06-23 14:19 158224 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\scrchpg.dll
2009-06-23 14:19 . 2009-06-23 14:19 201504 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\klif.sys
2009-06-23 14:19 . 2009-06-23 14:19 41488 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\fssync.dll
2009-06-23 14:19 . 2009-06-23 14:19 342544 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\ckahum.dll
2009-06-23 14:19 . 2009-06-23 14:19 231952 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\avp.exe
2009-06-23 14:18 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-06-23 14:18 . 2009-02-03 19:59 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-06-23 14:18 . 2008-12-05 06:54 144896 -c----w- c:\windows\system32\dllcache\schannel.dll
2009-06-23 14:15 . 2009-06-23 14:15 152576 ----a-w- c:\documents and settings\aisuser\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-23 14:13 . 2009-06-23 14:20 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-23 14:13 . 2009-06-23 14:20 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-23 14:12 . 2008-06-17 19:02 8461312 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-06-23 14:12 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-23 14:12 . 2009-06-28 04:03 3673632 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-23 14:12 . 2009-06-27 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-23 14:12 . 2009-06-28 04:01 181536 --sha-w- c:\windows\system32\drivers\fidbox2.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 03:59 . 2009-06-23 14:12 19040 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-28 03:59 . 2009-06-23 14:12 51176 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 18:24 . 2008-11-25 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-24 03:16 . 2008-11-25 17:14 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 14:43 . 2008-11-25 19:49 70088 ----a-w- c:\documents and settings\aisuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 14:32 . 2008-11-26 19:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-23 14:27 . 2008-11-25 20:43 -------- d-----w- c:\program files\Microsoft Works
2009-06-23 14:20 . 2007-07-18 18:39 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-23 14:15 . 2009-03-10 13:57 -------- d-----w- c:\program files\Java
2009-06-23 14:11 . 2008-11-25 17:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-25 04:24 . 2008-05-27 03:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-13 05:15 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-10-08 10:18 . 2009-06-23 18:04 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2008-06-12 05:53 . 2009-06-23 18:04 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 05:53 . 2009-06-23 18:04 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-23 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-27 4617720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SAP_WUS_UNT"="c:\program files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [2008-10-28 218472]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-23 68592]
"Arucer"="c:\windows\system32\Arucer.dll" [2007-05-10 28672]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-25 17:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 5:19 PM 94608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/26/2009 2:02 PM 195856]
R2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [6/23/2009 2:07 PM 251248]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [6/16/2009 4:48 AM 185640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 5:49 PM 24344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/26/2009 2:02 PM 19096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-06-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-06-23 19:31]

2009-06-25 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-06-23 19:31]

2009-06-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-23 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Anti-Banner
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: msu.edu
Trusted Zone: msu.edu\ad
Trusted Zone: msu.edu\ais
Trusted Zone: msu.edu\sharepoint.ebsp
TCP: {138F9DE7-451F-45FF-B5A0-A2272C96A4CB} = 35.8.113.201,35.8.113.202
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.ais.msu.edu/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 00:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version4\tv.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\system32\searchindexer.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-28 0:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 04:07

Pre-Run: 60,743,434,240 bytes free
Post-Run: 60,747,730,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

302 --- E O F --- 2009-06-26 12:31

================================================================================

#4 pranav

pranav
  • Topic Starter

  • Members
  • 6 posts

Posted 27 June 2009 - 11:25 PM

Also, please find the new HJT log file attached below, thanks:

==================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:59 AM, on 6/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SAP_WUS_UNT] "C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Arucer] rundll32 C:\WINDOWS\system32\Arucer.dll,Arucer
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: ad.msu.edu
O15 - Trusted Zone: ais.msu.edu
O15 - Trusted Zone: *.msu.edu
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230045815828
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://access.ais.msu.edu/dana-cached/sc/J...SetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\Software\..\Telephony: DomainName = ais.ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{138F9DE7-451F-45FF-B5A0-A2272C96A4CB}: Domain = ais.ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{138F9DE7-451F-45FF-B5A0-A2272C96A4CB}: NameServer = 35.8.113.201,35.8.113.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ais.ad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ais.ad.msu.edu,msu.edu,ad.msu.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAPSetup Automatic Workstation Update Service (NWSAPAutoWorkstationUpdateSvc) - SAP AG - C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12454 bytes
=======================================================================

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 June 2009 - 11:32 PM

Hello,

Yes, the warnings are meant for the ones that pay no attention. They are true.....if used the wrong way a PC can be rendered unbootable. :thumbup2:

Do you know what this folder is? c:\program files\zentw

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 pranav

pranav
  • Topic Starter

  • Members
  • 6 posts

Posted 28 June 2009 - 09:09 AM

The ZENTW folder is not an application .... I created that folder to save some files some time back. The computer seems to be working fine now so far....no redirection problems. Do I need to uninstall or delete COMBOFIX, or can it stay running? Anything else I would have to do? Thanks.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 June 2009 - 05:11 PM

Hello,

Thank you for the info on the folder. :thumbup2:

Still some to do with ComboFix, so please don't delete it quite yet.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\syrdvrrg.dat
c:\windows\system32\sgompynk.dat
c:\windows\system32\sgompynk.dll
c:\windows\system32\myykeajk.dat
c:\windows\system32\myykeajk.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

How is it running now please? Still good? :)

Thanks,
tea

#8 pranav

pranav
  • Topic Starter

  • Members
  • 6 posts

Posted 28 June 2009 - 11:57 PM

Hi Tea,

Below is the copied file from COMBOFIX....after running the script file....please advise. It still seems to be running OK.....that is, I don't see any problems when trying any of the sites out of the Google search results...thanks.

==================================================================
ComboFix 09-06-28.01 - prabhs 06/29/2009 0:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2935 [GMT -4:00]
Running from: c:\documents and settings\prabhs\Desktop\Desktop\software\ComboFix.exe
Command switches used :: c:\documents and settings\prabhs\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point

FILE ::
"c:\windows\system32\myykeajk.dat"
"c:\windows\system32\myykeajk.dll"
"c:\windows\system32\sgompynk.dat"
"c:\windows\system32\sgompynk.dll"
"c:\windows\system32\syrdvrrg.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\myykeajk.dat
c:\windows\system32\myykeajk.dll
c:\windows\system32\sgompynk.dat
c:\windows\system32\sgompynk.dll
c:\windows\system32\syrdvrrg.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-28 04:04 . 2009-06-28 04:04 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-27 00:40 . 2009-06-27 00:40 -------- d-sh--w- c:\documents and settings\prabhs\IECompatCache
2009-06-27 00:40 . 2009-06-27 00:40 -------- d-sh--w- c:\documents and settings\prabhs\PrivacIE
2009-06-27 00:37 . 2009-06-27 00:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-27 00:35 . 2009-06-27 00:35 -------- d-sh--w- c:\documents and settings\prabhs\IETldCache
2009-06-27 00:35 . 2009-06-27 00:35 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-26 19:40 . 2009-06-26 19:40 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:10 . 2009-06-26 19:10 -------- d-----w- c:\windows\ie8updates
2009-06-26 19:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 19:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 19:06 . 2009-06-26 19:09 -------- dc-h--w- c:\windows\ie8
2009-06-26 18:02 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 18:02 . 2009-06-26 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 18:02 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-25 21:37 . 2009-06-25 21:37 -------- d-----w- c:\documents and settings\prabhs\Application Data\Research In Motion
2009-06-24 20:40 . 2009-06-24 20:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2009-06-24 13:18 . 2009-06-24 13:18 -------- d-----w- c:\documents and settings\prabhs\Application Data\Windows Search
2009-06-24 03:18 . 2009-06-24 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Roxio
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-06-24 03:16 . 2009-06-24 03:16 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-24 03:15 . 2007-01-18 14:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-06-24 03:14 . 2009-06-25 21:56 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-24 03:14 . 2009-06-24 03:14 -------- d-----w- c:\program files\Research In Motion
2009-06-24 02:37 . 2009-06-24 02:37 -------- d-----w- c:\documents and settings\prabhs\Application Data\vlc
2009-06-24 02:36 . 2009-06-24 02:36 -------- d-----w- c:\program files\VideoLAN
2009-06-24 00:28 . 2009-06-24 00:29 -------- d-----w- c:\documents and settings\prabhs\Application Data\TeamViewer
2009-06-24 00:28 . 2009-06-24 00:28 -------- d-----w- c:\program files\TeamViewer
2009-06-24 00:27 . 2009-06-24 00:27 -------- d-----w- c:\documents and settings\prabhs\temp
2009-06-24 00:25 . 2009-03-11 17:10 398632 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2009-06-24 00:25 . 2009-03-11 17:10 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-06-24 00:24 . 2009-06-24 00:24 161632 ----a-w- c:\documents and settings\prabhs\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-06-24 00:24 . 2009-06-24 00:25 -------- d-----w- c:\program files\Juniper Networks
2009-06-24 00:24 . 2009-06-24 00:24 36939 ----a-w- c:\documents and settings\prabhs\Application Data\Juniper Networks\setup\uninstall.exe
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-----w- c:\documents and settings\prabhs\Application Data\Juniper Networks
2009-06-24 00:24 . 2009-06-24 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-06-24 00:21 . 2009-06-24 00:21 -------- d-----w- c:\documents and settings\prabhs\Application Data\IDMComp
2009-06-24 00:19 . 2009-06-24 00:21 -------- d-----w- c:\program files\IDM Computer Solutions
2009-06-24 00:18 . 2009-06-24 00:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 00:17 . 2007-05-10 12:58 28672 ----a-w- c:\windows\system32\Arucer.dll
2009-06-24 00:17 . 2009-06-24 00:17 -------- d-----w- c:\program files\Energizer UsbCharger
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\program files\Yahoo!
2009-06-23 20:10 . 2009-06-23 20:10 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Microsoft Help
2009-06-23 20:03 . 2009-06-23 20:03 -------- d-----w- c:\program files\MSXML 4.0
2009-06-23 18:56 . 2009-06-23 18:56 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\IsolatedStorage
2009-06-23 18:46 . 2009-06-24 04:14 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Adobe
2009-06-23 18:39 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-23 18:35 . 2009-06-23 18:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 18:35 . 2009-06-23 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-23 18:32 . 2009-06-23 18:32 -------- d-----w- c:\documents and settings\prabhs\Application Data\Malwarebytes
2009-06-23 18:32 . 2009-06-23 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 18:27 . 2009-06-23 18:27 -------- d-----w- c:\documents and settings\prabhs\Local Settings\Application Data\Google
2009-06-23 18:27 . 2009-06-23 18:27 -------- d-----w- c:\program files\Google
2009-06-23 18:19 . 2009-06-23 18:21 -------- d-----w- C:\Data
2009-06-23 18:18 . 2009-06-23 18:18 -------- d-----w- C:\Tempo
2009-06-23 18:16 . 2009-06-25 12:50 -------- d-----w- c:\program files\zentw
2009-06-23 18:04 . 2008-10-08 10:18 946176 ----a-w- c:\windows\system32\icuuc34.dll
2009-06-23 18:04 . 2008-10-08 10:18 843776 ----a-w- c:\windows\system32\icuin34.dll
2009-06-23 18:04 . 2008-10-08 10:18 8847360 ----a-w- c:\windows\system32\icudt34.dll
2009-06-23 18:04 . 2008-10-08 10:18 102400 ----a-w- c:\windows\system32\libsapu16vc80.dll
2009-06-23 18:04 . 2008-10-08 10:18 4382720 ----a-w- c:\windows\system32\librfc32u.dll
2009-06-23 18:04 . 2008-10-08 10:18 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-06-23 18:04 . 2008-10-08 10:18 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-06-23 18:04 . 2008-10-08 10:18 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-06-23 18:04 . 2008-10-08 10:18 89360 ----a-w- c:\windows\system32\Vb5db.dll
2009-06-23 18:04 . 2008-10-08 10:18 368912 ----a-w- c:\windows\system32\Vbar332.dll
2009-06-23 18:04 . 2008-10-08 10:18 253952 ----a-w- c:\windows\system32\vrfc32.dll
2009-06-23 18:04 . 2008-06-12 05:53 415504 ----a-w- c:\windows\system32\msrepl35.dll
2009-06-23 18:03 . 1995-08-15 21:38 721168 ----a-w- c:\windows\system32\vb40032.dll
2009-06-23 18:02 . 2009-06-23 18:02 -------- d-----w- c:\program files\Common Files\ESRI
2009-06-23 18:02 . 2008-10-08 10:18 1228800 ----a-w- c:\windows\system32\wdba.dll
2009-06-23 17:59 . 2009-06-27 17:05 -------- d-----w- c:\documents and settings\prabhs\SapWorkDir
2009-06-23 17:59 . 2008-06-12 05:52 95744 ----a-w- c:\windows\system32\h5rtf32.dll
2009-06-23 17:59 . 2008-06-12 05:52 51200 ----a-w- c:\windows\system32\h5tool32.dll
2009-06-23 17:59 . 2008-06-12 05:52 175616 ----a-w- c:\windows\system32\h5menu32.dll
2009-06-23 17:59 . 2008-06-12 05:52 188928 ----a-w- c:\windows\system32\h5icon32.dll
2009-06-23 17:59 . 2008-06-12 05:52 114688 ----a-w- c:\windows\system32\h5dlg32.dll
2009-06-23 17:59 . 2008-06-12 05:52 1064960 ----a-w- c:\windows\system32\h5krnl32.dll
2009-06-23 17:58 . 2008-10-08 10:18 1654784 ----a-w- c:\windows\system32\SAPbtmp.dll
2009-06-23 17:58 . 2009-06-23 18:01 -------- d-----w- c:\program files\Common Files\SAP Shared
2009-06-23 17:58 . 1998-06-18 09:58 94208 ----a-w- c:\windows\system32\msstkprp.dll
2009-06-23 17:58 . 1998-06-18 03:49 153600 ----a-w- c:\windows\system32\tlbinf32.dll
2009-06-23 17:58 . 1999-01-21 19:56 15872 ----a-w- c:\windows\system32\vtssm32.dll
2009-06-23 17:58 . 1999-01-21 19:56 533504 ----a-w- c:\windows\system32\vtssdl32.dll
2009-06-23 17:58 . 1995-06-21 06:15 640512 ----a-w- c:\windows\system32\oc30.dll
2009-06-23 17:58 . 1995-05-19 06:15 133904 ----a-w- c:\windows\system32\mfcans32.dll
2009-06-23 17:58 . 2008-10-08 10:18 3817472 ----a-w- c:\windows\system32\librfc32.dll
2009-06-23 17:44 . 2009-06-23 18:02 -------- d-----w- c:\program files\SAP
2009-06-23 17:39 . 2009-06-23 17:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-23 17:26 . 2009-06-24 17:22 86760 ----a-w- c:\documents and settings\prabhs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 17:26 . 2009-06-23 17:26 -------- d-----w- c:\documents and settings\prabhs\Application Data\Dell
2009-06-23 17:17 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-23 17:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-23 17:17 . 2008-04-13 17:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-23 17:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-06-23 17:17 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-06-23 17:17 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-23 14:45 . 2009-06-23 14:45 -------- d-----w- c:\windows\system32\KB905474
2009-06-23 14:45 . 2009-03-11 02:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-06-23 14:45 . 2009-03-11 02:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-23 14:20 . 2009-06-23 14:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-23 14:19 . 2009-06-23 14:19 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\X86\kl1.sys
2009-06-23 14:19 . 2009-06-23 14:19 715280 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\updater.dll
2009-06-23 14:19 . 2009-06-23 14:19 158224 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\scrchpg.dll
2009-06-23 14:19 . 2009-06-23 14:19 201504 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\klif.sys
2009-06-23 14:19 . 2009-06-23 14:19 41488 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\fssync.dll
2009-06-23 14:19 . 2009-06-23 14:19 342544 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\ckahum.dll
2009-06-23 14:19 . 2009-06-23 14:19 231952 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\avp.exe
2009-06-23 14:18 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-06-23 14:18 . 2009-02-03 19:59 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-06-23 14:18 . 2008-12-05 06:54 144896 -c----w- c:\windows\system32\dllcache\schannel.dll
2009-06-23 14:15 . 2009-06-23 14:15 152576 ----a-w- c:\documents and settings\aisuser\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-23 14:13 . 2009-06-23 14:20 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-23 14:13 . 2009-06-23 14:20 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-23 14:12 . 2008-06-17 19:02 8461312 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-06-23 14:12 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-23 14:12 . 2009-06-29 04:46 3851040 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-23 14:12 . 2009-06-28 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-23 14:12 . 2009-06-29 04:45 190240 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-23 14:12 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-06-23 14:11 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-23 14:11 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-23 14:11 . 2009-06-23 14:11 -------- d-----w- c:\program files\Common Files\Cisco Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 04:39 . 2009-06-23 14:12 53624 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-29 04:39 . 2009-06-23 14:12 19856 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-26 18:24 . 2008-11-25 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-24 03:16 . 2008-11-25 17:14 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 14:43 . 2008-11-25 19:49 70088 ----a-w- c:\documents and settings\aisuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 14:32 . 2008-11-26 19:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-23 14:27 . 2008-11-25 20:43 -------- d-----w- c:\program files\Microsoft Works
2009-06-23 14:20 . 2007-07-18 18:39 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-23 14:15 . 2009-03-10 13:57 -------- d-----w- c:\program files\Java
2009-06-23 14:11 . 2008-11-25 17:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-25 04:24 . 2008-05-27 03:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-13 05:15 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-10-08 10:18 . 2009-06-23 18:04 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2008-06-12 05:53 . 2009-06-23 18:04 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 05:53 . 2009-06-23 18:04 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
.

((((((((((((((((((((((((((((( SnapShot@2009-06-28_04.03.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 04:40 . 2009-06-29 04:40 16384 c:\windows\temp\Perflib_Perfdata_320.dat
+ 2004-08-04 10:00 . 2009-06-29 04:45 79360 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2009-06-27 00:40 79360 c:\windows\system32\perfc009.dat
+ 2009-06-28 04:04 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-28 04:04 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-28 04:04 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-28 04:04 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-28 04:04 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-28 04:04 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-28 04:04 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-28 04:04 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-28 04:04 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-28 04:04 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-29 04:41 . 2009-06-29 04:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-25 16:42 . 2009-06-28 04:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-25 16:42 . 2009-06-28 04:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-25 16:42 . 2009-06-29 04:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-27 00:37 . 2009-06-29 04:41 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-27 00:37 . 2009-06-28 04:01 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-11-25 16:42 . 2009-06-28 04:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-25 16:42 . 2009-06-29 04:40 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-04 10:00 . 2009-06-27 00:40 465640 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2009-06-29 04:45 465640 c:\windows\system32\perfh009.dat
+ 2009-06-28 04:04 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-28 04:04 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-28 04:04 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-28 04:04 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-28 04:04 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-28 04:04 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-28 04:04 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-28 04:04 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-28 04:04 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-28 04:04 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-28 04:04 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 04:04 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 04:04 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 04:04 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-23 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-27 4617720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SAP_WUS_UNT"="c:\program files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [2008-10-28 218472]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-23 68592]
"Arucer"="c:\windows\system32\Arucer.dll" [2007-05-10 28672]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-25 17:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 5:19 PM 94608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/26/2009 2:02 PM 195856]
R2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [6/23/2009 2:07 PM 251248]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [6/16/2009 4:48 AM 185640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 5:49 PM 24344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/26/2009 2:02 PM 19096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-06-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-06-23 19:31]

2009-06-25 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-06-23 19:31]

2009-06-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-23 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: msu.edu
Trusted Zone: msu.edu\ad
Trusted Zone: msu.edu\ais
Trusted Zone: msu.edu\sharepoint.ebsp
TCP: {138F9DE7-451F-45FF-B5A0-A2272C96A4CB} = 35.8.113.201,35.8.113.202
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.ais.msu.edu/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 00:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1492)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(4076)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version4\tv.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\WinRAR\rarext.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ShellEx.dll
c:\program files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\system32\searchindexer.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-29 0:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 04:50
ComboFix2.txt 2009-06-28 04:07

Pre-Run: 60,707,209,216 bytes free
Post-Run: 60,703,428,608 bytes free

347 --- E O F --- 2009-06-26 12:31
================================================================

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 June 2009 - 12:26 AM

Hello there,

Looks good. :thumbup2:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 June 2009 - 05:42 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.