

Now What do I do.. ebay redirect.. Malware


This topic is locked
18 replies to this topic

#1 kshan


  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 27 February 2010 - 04:26 PM

Now what do I do. I got a little aggravated with my computer, and did a bunch of stuff against your advice. It started with ebay/paypal redirect to the SS# stuff, then I was getting user32, "the system has to be shutdown to avoid loss... by NT AUTHORITY\SYSTEM, reason:no title, minor reason:0xff, data =0000: ff 00 00 80 ˙..€
I also had events from NT/authority DCOM error "... in order to run the server". Also I got a lot of application errors from "testworker" from a remote computer. I don't know if these mean anything.

Here is what I found out. Firefox works ok. I found a file under my user name in "Application data\temp\" that had a bunch of numbers, "0176506103.NL", that could not be deleted, but I could rename it. Also under "application data\Adobe\update" there was a file named "cslid.dat" that, when opened in Notepad, stated it was a DOS-only program; this was recreated on boot up. So I was annoyed and ran all the spyware/malware removal software I could find. I also ran fixmbr, fixboot and bootcfg. Now the computer ran ok and my ".nl" file did not return and the cslid.dat did not return.

However, if I ran IE Explorer a box pops open in the center of the screen and quickly closes and on the next boot the ".nl" and "cslid.dat" show up again. And of course ebay/paypal is redirected. So far Firefox is ok. I did remove several lines with Hijackthis but I have the before and after logs. What do I do with IE Explorer?
I do not know how to proceed from here and I hope I did not make an impossible task for you.

I have attached the DDS logs and the ark log.

Should I reinstall XP Home or reformat and reinstall XP Home? This system has only been updated since Win 98 over 10 years ago. It went from 98 to ME to XP Home.
Thank you for your help

Karl

Attached Files

  • DDS.txt (14.56 KB, 11 downloads)
  • ark.log (948 bytes, 4 downloads)
  • Attach.txt (12.57 KB, 1 download)



#2 Blind Faith


  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:30 PM

Posted 02 March 2010 - 03:17 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 kshan

  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 02 March 2010 - 07:39 PM

Thanks for your reply. Attached are the logs requested. I have not run IE Explorer since I had the trouble above; I am only running Firefox now. Should I try running IE Explorer to see what happens, since it appeared to add the malware back in? Is there any part of IE Explorer that should be deleted? It is IE 8.
I do all my banking, taxes and so on on this computer; that is the worry.

thanks for your help,
Karl




#4 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:30 AM

Posted 06 March 2010 - 08:04 AM

Hello, kshan.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578



Step 1

We need to take a deeper look. The DDS log showed a few minor items we can fix, but nothing accounting for the redirects. These steps will help to dig into the likely cause.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.



Step 2
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.



Step 3

In your reply, please post:
  • The OTL logs from Step 1
  • MBR log from step 2

And now that I have picked up your log, future responses will be much quicker (~1 day).

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 kshan

  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 06 March 2010 - 10:04 AM

thank you very very much.
Attached are the logs requested.

I have not run IE 8 since all the problems and the (maybe) reinfection. When I run IE 8, as described, a quick 2 in x 2 in box pops up and disappears quickly, and the computer runs very slowly.

The most aggravating thing is this all started with Facebook! and trying to become a friend of Wal-Mart, Sears and Best Buy. A person said they were in the same HS class, and when I clicked on their picture up came the Antivirus 2010 fake notify; got rid of that with Malwarebytes. The ebay one came from my wife trying to buy Oil of Olay on ebay: logged in normally, she looked at a bunch of sellers and went to purchase, then came the redirect. How do these things infect these sites? A person at work also got hit with AV 2010 on Facebook. Don't they check their sites?

Karl

Attached Files

  • mbr.log (195 bytes, 2 downloads)
  • OTL.Txt (121.25 KB, 6 downloads)
  • Extras.Txt (47.63 KB, 6 downloads)


#6 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:30 AM

Posted 06 March 2010 - 10:26 AM

Hello, kshan.

Hard to say... ad content is not controlled by the main site, so that is a constant source of infections and may explain the Facebook issue. The ebay redirect is due to a virus on your machine, not a problem with eBay.

Also, please copy and paste your logs into your reply instead of attaching them. They're formatted for viewing in the message and it makes my job much easier.

Let's run Combofix.



Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT!!! Save ComboFix.exe to your Desktop as kshanCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on kshanCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#7 kshan

  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 06 March 2010 - 03:55 PM

Ok, ran IE 8, then ComboFix. Went to eBay, gave a phony user name and password as before, and it said invalid login, which is what it should have said. The login did not ask for personal info this time.
Is Windows Security Essentials ok, or should I have Norton (which is a free license from work)? Also, I have Windows 7 Ultimate to put on my other computer; is it better? What are your recommendations (best guess)?

Thanks,
Karl


here is the combofix log:

ComboFix 10-03-06.01 - Karl Shanholtzer 03/06/2010 15:27:38.3.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2389 [GMT -5:00]
Running from: c:\documents and settings\Karl Shanholtzer\Desktop\Kshancf.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 14:46 . 2010-03-06 14:46 41 ----a-w- C:\fixme.bat
2010-03-06 14:45 . 2010-03-06 14:44 77312 ----a-w- C:\mbr.exe
2010-03-03 05:23 . 2010-03-03 05:23 -------- d-----w- C:\FOUND.004
2010-02-26 09:21 . 2010-02-26 09:21 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Temp
2010-02-26 09:21 . 2010-02-26 09:21 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Temp
2010-02-25 04:30 . 2010-02-25 04:30 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\program files\IObit
2010-02-24 03:37 . 2010-02-24 03:37 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-24 03:37 . 2010-02-24 03:37 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\program files\Netcraft Toolbar
2010-02-20 19:55 . 2010-02-20 19:55 -------- d-----w- c:\program files\Smart Projects
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\program files\Seagate
2010-02-20 18:36 . 2010-02-20 18:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-19 02:21 . 2010-02-19 02:23 167936 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\XMLPlugin.dll
2010-02-19 02:19 . 2010-02-19 02:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\PowerProfile.exe
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\.GetMemoryInfoEx.exe
2010-02-19 01:43 . 2010-02-20 16:17 171008 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\WLAN.exe
2010-02-19 01:43 . 2010-02-20 16:17 56320 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\tific-devcon.exe
2010-02-19 01:41 . 2010-02-20 16:15 52736 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\EnumDevices.exe
2010-02-19 01:41 . 2010-02-20 16:14 152944 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\BootTime.dll
2010-02-19 01:41 . 2010-02-20 16:14 204800 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DllHost.exe
2010-02-19 01:41 . 2010-02-20 16:14 91504 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\SHA256.dll
2010-02-19 01:41 . 2010-02-20 16:14 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\Shortcut.exe
2010-02-19 01:40 . 2010-02-20 16:14 110592 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DirSize.exe
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-18 03:58 . 2010-02-18 03:58 -------- d-----w- c:\documents and settings\Karl Shanholtzer\DoctorWeb
2010-02-18 03:37 . 2010-02-18 03:37 -------- d-----w- C:\Hosts
2010-02-17 04:33 . 2010-02-17 04:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 16:50 . 2006-05-07 17:58 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-05-07 17:59 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-05-07 18:16 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-05-07 17:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 22:38 . 2009-12-08 22:38 152576 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-08 22:38 . 2009-12-08 22:38 79488 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2006-05-07 17:57 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2001-04-29 14:52 . 2001-04-29 14:52 23357 ---h--w- c:\program files\folder.htt
2006-12-11 06:26 . 2006-12-11 06:26 0 --sha-w- c:\windows\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((( SnapShot_2010-02-25_00.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-06 00:12 . 2010-03-06 00:13 16384 c:\windows\TEMP\Perflib_Perfdata_a58.dat
+ 2010-02-28 14:00 . 2007-10-23 22:48 10752 c:\windows\SYSTEM32\DRIVERS\Video3D32.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 11136 c:\windows\SYSTEM32\DRIVERS\atkkbnt.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 77312 c:\windows\SYSTEM32\devcon.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 11264 c:\windows\SYSTEM32\ATKOSDMini.DLL
+ 2010-02-28 14:00 . 2007-10-23 22:48 36352 c:\windows\SYSTEM32\ATKOGL32.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 12416 c:\windows\SYSTEM32\asusgsb.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\asrussian.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\askorean.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\asjapan.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\asgerman.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46592 c:\windows\SYSTEM32\asfrench.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\aseng.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\ASCHT.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\aschs.dll
+ 2010-03-06 00:11 . 2010-03-06 00:11 26624 c:\windows\Installer\758823.msi
+ 2010-02-26 09:21 . 2010-02-26 09:21 22528 c:\windows\Installer\227d3d7.msi
+ 2010-02-28 14:00 . 2007-10-23 22:48 8704 c:\windows\SYSTEM32\DRIVERS\Bravo.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 180224 c:\windows\SYSTEM32\xvidvfw.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 761856 c:\windows\SYSTEM32\xvidcore.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 348160 c:\windows\SYSTEM32\msvcr71.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nVivid.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nStandard.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nAsmedia.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nAdvanced.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196653 c:\windows\SYSTEM32\DRIVERS\aVivid.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196582 c:\windows\SYSTEM32\DRIVERS\aStandard.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196582 c:\windows\SYSTEM32\DRIVERS\aAsmedia.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\aAdvanced.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 795104 c:\windows\SYSTEM32\DPInst.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 242816 c:\windows\SYSTEM32\ATKDISP.dll
+ 2010-03-06 00:11 . 2010-03-06 00:11 463360 c:\windows\Installer\758818.msi
+ 2010-02-28 14:00 . 2007-10-23 22:46 262144 c:\windows\ATKKBService.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 5424640 c:\windows\SYSTEM32\ATKOSDX32.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 2093056 c:\windows\SYSTEM32\ATKDispCPL.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-12-18 1126400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-08 14565376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-10-23 380928]

c:\documents and settings\Karl Shanholtzer\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-4-30 27136]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 21:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2005-04-12 04:31 49152 ----a-r- c:\windows\SYSTEM32\SiSPower.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFast2KLoadDefault"=rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
"WinFast_2K"=c:\windows\SYSTEM32\Wf2k.exe
"SDetect.exe"=c:\windows\Twain_32\ScanWiz5\SDetect.exe
"WinPoET"=c:\program files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CloneCDTray"="c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\Nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb05.exe
"MSConfigReminder"=c:\windows\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AccessRampLAN 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARUpld32.exe" -l
"AccessRampMonitor 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARMon32a.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [9/18/2009 7:34 PM 54752]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 1:16 AM 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys [?]
S3 UnhookMBRS;UnhookMBRS;\??\c:\docume~1\KARLSH~1\LOCALS~1\Temp\a2f999a9.nmc\nse\bin\unhookmbrs.sys --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\a2f999a9.nmc\nse\bin\unhookmbrs.sys [?]
S4 HWSNEAN;HWSNEAN;c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 21:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2007-06-08 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-09 22:05]

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-06 c:\windows\Tasks\User_Feed_Synchronization-{4751F768-5B83-41F6-8310-4CFCF59CDAA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://65.202.166.130:9000/SonySncMView.cab
FF - ProfilePath - c:\documents and settings\Karl Shanholtzer\Application Data\Mozilla\Firefox\Profiles\v4eympc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 15:29
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\palmOne\PqiIcon.dll
c:\program files\palmOne\UserData.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-06 15:31:19
ComboFix-quarantined-files.txt 2010-03-06 20:31
ComboFix2.txt 2010-02-25 00:10
ComboFix3.txt 2009-11-23 02:31

Pre-Run: 75,067,293,696 bytes free
Post-Run: 75,086,856,192 bytes free

- - End Of File - - BF73BDCFB991191065C0775053825736


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:30 AM

Posted 06 March 2010 - 04:03 PM

Hello, kshan.
To be honest, I don't have much experience with either Windows Essentials or Norton. I have heard others say Norton takes a lot of resources to run. I personally use Avast!, which is free, and others I know recommend AVG. You can try them and see which one you like. No A/V is able to protect you 100% of the time. One important note: only have one A/V installed at a time! They will conflict with each other if you have more than one.

Now, I see this is the 3rd time ComboFix has been run. Can you please find these two files and post them in your reply?

C:\qoobox\ComboFix2.txt
C:\qoobox\ComboFix3.txt

Thanks!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 kshan

kshan
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 06 March 2010 - 04:40 PM

Here is ComboFix2; 3 to follow. How about Windows 7?

ComboFix 10-02-24.01 - Karl Shanholtzer 02/24/2010 19:01:46.2.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2518 [GMT -5:00]
Running from: c:\documents and settings\Karl Shanholtzer\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KARLSH~1\LOCALS~1\Temp\21759215641.nls
c:\documents and settings\Karl Shanholtzer\Local Settings\temp\21759215641.nls
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\COMCTL32.OCA

.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\program files\IObit
2010-02-24 03:37 . 2010-02-24 03:37 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-24 03:37 . 2010-02-24 03:37 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-23 22:45 . 2010-02-23 22:45 29352 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix058456.dll
2010-02-23 22:45 . 2010-02-23 22:45 23720 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupport_TestContent.dll
2010-02-23 22:45 . 2010-02-23 22:45 23056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix101001.dll
2010-02-23 22:45 . 2010-02-23 22:45 221208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupportCommon.dll
2010-02-23 22:45 . 2010-02-23 22:45 21160 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HASFix056479.dll
2010-02-23 22:45 . 2010-02-23 22:45 110248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OC\Channels\ch1\HTML\item_templ\common\fixes\HelpAndSupportInterface.dll
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\program files\Netcraft Toolbar
2010-02-20 19:55 . 2010-02-20 19:55 -------- d-----w- c:\program files\Smart Projects
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\program files\Seagate
2010-02-20 18:36 . 2010-02-20 18:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-20 16:35 . 2010-02-20 16:35 -------- d-----w- c:\program files\CCleaner
2010-02-19 02:21 . 2010-02-19 02:23 167936 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\XMLPlugin.dll
2010-02-19 02:19 . 2010-02-19 02:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\PowerProfile.exe
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\.GetMemoryInfoEx.exe
2010-02-19 01:43 . 2010-02-20 16:17 171008 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\WLAN.exe
2010-02-19 01:43 . 2010-02-20 16:17 56320 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\tific-devcon.exe
2010-02-19 01:41 . 2010-02-20 16:15 52736 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\EnumDevices.exe
2010-02-19 01:41 . 2010-02-20 16:14 152944 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\BootTime.dll
2010-02-19 01:41 . 2010-02-20 16:14 204800 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DllHost.exe
2010-02-19 01:41 . 2010-02-20 16:14 91504 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\SHA256.dll
2010-02-19 01:41 . 2010-02-20 16:14 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\Shortcut.exe
2010-02-19 01:40 . 2010-02-20 16:14 110592 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DirSize.exe
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-18 03:58 . 2010-02-18 03:58 -------- d-----w- c:\documents and settings\Karl Shanholtzer\DoctorWeb
2010-02-18 03:37 . 2010-02-18 03:37 -------- d-----w- C:\Hosts
2010-02-17 04:33 . 2010-02-17 04:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 16:50 . 2006-05-07 17:58 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-05-07 17:59 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-05-07 18:16 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-05-07 17:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 22:38 . 2009-12-08 22:38 152576 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-08 22:38 . 2009-12-08 22:38 79488 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2006-05-07 17:57 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-05-07 17:57 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-05-07 17:58 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-05-07 17:57 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-05-07 17:57 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2006-05-07 17:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2001-04-29 14:52 . 2001-04-29 14:52 23357 ---h--w- c:\program files\folder.htt
2006-12-11 06:26 . 2006-12-11 06:26 0 --sha-w- c:\windows\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_02.30.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 01:54 . 2009-07-12 01:54 65536 c:\windows\winsxs\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 49152 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 49152 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 57344 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 65536 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 45056 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 40960 c:\windows\winsxs\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 06:07 . 2009-07-12 06:07 57856 c:\windows\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 06:19 . 2009-07-12 06:19 69632 c:\windows\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\SYSTEM32\tzchange.exe
- 2007-01-29 08:58 . 2009-07-14 12:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2006-05-07 17:58 . 2009-10-21 05:38 75776 c:\windows\SYSTEM32\strmfilt.dll
- 2006-05-07 17:58 . 2008-04-14 01:12 75776 c:\windows\SYSTEM32\strmfilt.dll
- 2006-05-07 17:58 . 2008-04-14 01:12 79872 c:\windows\SYSTEM32\raschap.dll
+ 2006-05-07 17:58 . 2009-10-12 13:38 79872 c:\windows\SYSTEM32\raschap.dll
+ 2006-05-07 17:58 . 2009-12-09 08:21 65428 c:\windows\SYSTEM32\perfc009.dat
- 2006-10-27 20:09 . 2009-08-29 09:08 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-10-27 20:09 . 2009-12-21 19:14 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2009-04-04 02:45 . 2010-01-16 13:23 84661 c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_plugin.exe
- 2009-04-04 02:45 . 2009-04-04 02:45 84661 c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_plugin.exe
+ 2008-04-16 00:16 . 2010-02-15 22:25 84507 c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2006-05-07 17:57 . 2009-08-29 09:08 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2006-05-07 17:56 . 2009-10-21 05:38 25088 c:\windows\SYSTEM32\httpapi.dll
- 2006-05-07 17:56 . 2009-06-16 15:36 81920 c:\windows\SYSTEM32\fontsub.dll
+ 2006-05-07 17:56 . 2009-10-15 16:28 81920 c:\windows\SYSTEM32\fontsub.dll
- 2009-06-10 02:24 . 2009-08-29 09:08 12800 c:\windows\SYSTEM32\dllcache\xpshims.dll
+ 2009-06-10 02:24 . 2009-12-21 19:14 12800 c:\windows\SYSTEM32\dllcache\xpshims.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 75776 c:\windows\SYSTEM32\dllcache\strmfilt.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 79872 c:\windows\SYSTEM32\dllcache\raschap.dll
+ 2004-08-04 05:56 . 2009-11-27 17:11 17920 c:\windows\SYSTEM32\dllcache\msyuv.dll
+ 2006-05-07 17:57 . 2009-11-27 16:07 28672 c:\windows\SYSTEM32\dllcache\msvidc32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 11264 c:\windows\SYSTEM32\dllcache\msrle32.dll
- 2007-05-09 00:20 . 2009-08-29 09:08 55296 c:\windows\SYSTEM32\dllcache\msfeedsbs.dll
+ 2007-05-09 00:20 . 2009-12-21 19:14 55296 c:\windows\SYSTEM32\dllcache\msfeedsbs.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 25600 c:\windows\SYSTEM32\dllcache\jsproxy.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 25600 c:\windows\SYSTEM32\dllcache\jsproxy.dll
+ 2004-08-04 05:56 . 2009-11-27 16:07 48128 c:\windows\SYSTEM32\dllcache\iyuv_32.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 25088 c:\windows\SYSTEM32\dllcache\httpapi.dll
+ 2009-06-16 15:36 . 2009-10-15 16:28 81920 c:\windows\SYSTEM32\dllcache\fontsub.dll
- 2009-06-16 15:36 . 2009-06-16 15:36 81920 c:\windows\SYSTEM32\dllcache\fontsub.dll
+ 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\SYSTEM32\dllcache\csrsrv.dll
+ 2009-06-10 15:13 . 2009-11-27 16:07 84992 c:\windows\SYSTEM32\dllcache\avifil32.dll
- 2009-06-10 15:13 . 2009-06-10 15:13 84992 c:\windows\SYSTEM32\dllcache\avifil32.dll
+ 2010-01-29 06:16 . 2010-01-29 06:16 22528 c:\windows\Installer\10f2857.msi
+ 2009-11-25 05:51 . 2009-11-25 05:51 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2010-02-20 18:38 . 2010-02-20 18:38 11264 c:\windows\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
+ 2010-01-22 06:42 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 12800 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-25 05:52 . 2009-07-14 12:03 46080 c:\windows\$NtUninstallKB976098-v2$\tzchange.exe
+ 2009-11-25 05:52 . 2009-10-29 02:03 16896 c:\windows\$NtUninstallKB976098-v2$\spuninst\tzchange.dll
+ 2009-12-09 08:02 . 2008-04-14 01:12 79872 c:\windows\$NtUninstallKB974318$\raschap.dll
+ 2010-01-13 06:07 . 2009-06-16 15:36 81920 c:\windows\$NtUninstallKB972270$\fontsub.dll
+ 2009-12-09 08:02 . 2008-04-14 01:12 75776 c:\windows\$NtUninstallKB970430$\strmfilt.dll
+ 2009-12-09 08:02 . 2008-04-14 01:11 24576 c:\windows\$NtUninstallKB970430$\httpapi.dll
+ 2010-01-22 06:42 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB978207-IE8\update\spcustom.dll
+ 2010-01-22 06:42 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB978207-IE8\spmsg.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 12800 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\xpshims.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 55296 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\msfeedsbs.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 25600 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\jsproxy.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB976325-IE8\update\spcustom.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB976325-IE8\spmsg.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 12800 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\xpshims.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 55296 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\msfeedsbs.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 25600 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\jsproxy.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB974392\update\spcustom.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB974392\spmsg.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB974318\update\spcustom.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB974318\spmsg.dll
+ 2009-10-12 13:28 . 2009-10-12 13:28 79872 c:\windows\$hf_mig$\KB974318\SP3QFE\raschap.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB973904\update\spcustom.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB973904\spmsg.dll
+ 2009-11-25 05:52 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB973687\update\spcustom.dll
+ 2009-11-25 05:52 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB973687\spmsg.dll
+ 2010-01-13 06:07 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB972270\update\spcustom.dll
+ 2010-01-13 06:07 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB972270\spmsg.dll
+ 2010-01-13 02:16 . 2009-10-15 16:39 81920 c:\windows\$hf_mig$\KB972270\SP3QFE\fontsub.dll
+ 2009-12-09 08:02 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB971737\update\spcustom.dll
+ 2009-12-09 08:02 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB971737\spmsg.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB970430\update\spcustom.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB970430\spmsg.dll
+ 2009-10-21 05:40 . 2009-10-21 05:40 75776 c:\windows\$hf_mig$\KB970430\SP3QFE\strmfilt.dll
+ 2009-10-21 05:40 . 2009-10-21 05:40 25088 c:\windows\$hf_mig$\KB970430\SP3QFE\httpapi.dll
+ 2010-01-08 22:50 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB955759\update\spcustom.dll
+ 2010-01-08 22:50 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB955759\spmsg.dll
+ 2001-08-18 03:36 . 2009-11-27 16:07 8704 c:\windows\SYSTEM32\dllcache\tsbyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2006-05-07 17:59 . 2009-08-25 09:17 354816 c:\windows\SYSTEM32\winhttp.dll
+ 2006-05-07 17:58 . 2009-10-15 16:28 119808 c:\windows\SYSTEM32\t2embed.dll
- 2006-05-07 17:58 . 2009-06-16 15:36 119808 c:\windows\SYSTEM32\t2embed.dll
- 2006-05-07 17:58 . 2008-04-14 01:12 474112 c:\windows\SYSTEM32\shlwapi.dll
+ 2006-05-07 17:58 . 2009-12-08 09:23 474112 c:\windows\SYSTEM32\shlwapi.dll
+ 2006-05-07 17:58 . 2009-10-12 13:38 149504 c:\windows\SYSTEM32\rastls.dll
+ 2006-05-07 17:58 . 2009-12-09 08:21 426402 c:\windows\SYSTEM32\perfh009.dat
+ 2006-05-07 17:57 . 2009-12-21 19:14 206848 c:\windows\SYSTEM32\occache.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 206848 c:\windows\SYSTEM32\occache.dll
+ 2006-05-07 17:57 . 2009-10-13 10:30 270336 c:\windows\SYSTEM32\oakley.dll
- 2006-05-07 17:57 . 2008-04-14 01:12 270336 c:\windows\SYSTEM32\oakley.dll
+ 2006-10-27 20:09 . 2009-12-21 19:14 594432 c:\windows\SYSTEM32\msfeeds.dll
- 2006-10-27 20:09 . 2009-08-29 09:08 594432 c:\windows\SYSTEM32\msfeeds.dll
+ 2009-10-28 03:40 . 2009-10-28 03:40 257440 c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32_FlashUtil.exe
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\SYSTEM32\MACROMED\FLASH\FlashUtil10e.exe
- 2006-05-07 17:57 . 2009-06-22 07:44 726528 c:\windows\SYSTEM32\jscript.dll
+ 2006-05-07 17:57 . 2009-12-09 05:53 726528 c:\windows\SYSTEM32\jscript.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 184320 c:\windows\SYSTEM32\iepeers.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 387584 c:\windows\SYSTEM32\iedkcs32.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 387584 c:\windows\SYSTEM32\iedkcs32.dll
- 2006-05-07 17:57 . 2009-08-28 11:35 173056 c:\windows\SYSTEM32\ie4uinit.exe
+ 2006-05-07 17:57 . 2009-12-21 13:19 173056 c:\windows\SYSTEM32\ie4uinit.exe
+ 2004-08-04 04:00 . 2009-10-20 16:20 265728 c:\windows\SYSTEM32\DRIVERS\http.sys
- 2006-05-07 13:59 . 2009-08-29 09:08 916480 c:\windows\SYSTEM32\dllcache\wininet.dll
+ 2006-05-07 13:59 . 2009-12-21 19:14 916480 c:\windows\SYSTEM32\dllcache\wininet.dll
+ 2008-12-16 13:30 . 2009-08-25 09:17 354816 c:\windows\SYSTEM32\dllcache\winhttp.dll
- 2009-06-16 15:36 . 2009-06-16 15:36 119808 c:\windows\SYSTEM32\dllcache\t2embed.dll
+ 2009-06-16 15:36 . 2009-10-15 16:28 119808 c:\windows\SYSTEM32\dllcache\t2embed.dll
+ 2008-10-15 02:07 . 2009-12-31 16:50 353792 c:\windows\SYSTEM32\dllcache\srv.sys
+ 2009-01-07 23:20 . 2009-12-08 09:23 474112 c:\windows\SYSTEM32\dllcache\shlwapi.dll
- 2009-01-07 23:20 . 2009-01-07 23:20 474112 c:\windows\SYSTEM32\dllcache\shlwapi.dll
+ 2009-10-12 13:38 . 2009-10-12 13:38 149504 c:\windows\SYSTEM32\dllcache\rastls.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 206848 c:\windows\SYSTEM32\dllcache\occache.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 206848 c:\windows\SYSTEM32\dllcache\occache.dll
+ 2009-10-13 10:30 . 2009-10-13 10:30 270336 c:\windows\SYSTEM32\dllcache\oakley.dll
+ 2009-12-16 18:43 . 2009-12-16 18:43 343040 c:\windows\SYSTEM32\dllcache\mspaint.exe
+ 2007-05-09 00:20 . 2009-12-21 19:14 594432 c:\windows\SYSTEM32\dllcache\msfeeds.dll
- 2007-05-09 00:20 . 2009-08-29 09:08 594432 c:\windows\SYSTEM32\dllcache\msfeeds.dll
+ 2008-11-12 04:26 . 2009-12-04 18:22 455424 c:\windows\SYSTEM32\dllcache\mrxsmb.sys
+ 2008-05-09 11:53 . 2009-12-09 05:53 726528 c:\windows\SYSTEM32\dllcache\jscript.dll
- 2008-05-09 11:53 . 2009-06-22 07:44 726528 c:\windows\SYSTEM32\dllcache\jscript.dll
+ 2009-06-10 02:24 . 2009-12-21 19:14 246272 c:\windows\SYSTEM32\dllcache\ieproxy.dll
- 2009-06-10 02:24 . 2009-08-29 09:08 246272 c:\windows\SYSTEM32\dllcache\ieproxy.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 184320 c:\windows\SYSTEM32\dllcache\iepeers.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 184320 c:\windows\SYSTEM32\dllcache\iepeers.dll
- 2006-05-07 17:57 . 2009-08-29 09:08 387584 c:\windows\SYSTEM32\dllcache\iedkcs32.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 387584 c:\windows\SYSTEM32\dllcache\iedkcs32.dll
+ 2006-05-07 17:57 . 2009-12-21 13:19 173056 c:\windows\SYSTEM32\dllcache\ie4uinit.exe
- 2006-05-07 17:57 . 2009-08-28 11:35 173056 c:\windows\SYSTEM32\dllcache\ie4uinit.exe
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\SYSTEM32\dllcache\http.sys
+ 2010-01-08 22:50 . 2009-11-21 15:51 471552 c:\windows\SYSTEM32\dllcache\aclayers.dll
- 2009-04-04 06:13 . 2009-07-25 10:23 411368 c:\windows\SYSTEM32\deploytk.dll
+ 2009-04-04 06:13 . 2009-10-11 09:17 411368 c:\windows\SYSTEM32\deploytk.dll
+ 2010-02-23 03:34 . 2009-10-27 22:08 142790 c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
+ 2010-02-20 18:38 . 2010-02-20 18:38 584704 c:\windows\Installer\5aa112.msi
+ 2010-02-20 18:38 . 2010-02-20 18:38 424960 c:\windows\Installer\5aa10e.msi
+ 2010-02-21 05:32 . 2010-02-21 05:32 644096 c:\windows\Installer\2b2abb8.msi
+ 2009-11-25 05:51 . 2009-11-25 05:51 429568 c:\windows\Installer\21d39fc.msi
+ 2010-01-22 06:42 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-01-22 06:42 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-01-22 06:42 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-01-22 06:42 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-01-22 06:42 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2010-02-24 06:08 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 06:08 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 06:08 . 2009-06-22 07:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 916480 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2009-08-29 09:08 206848 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 246272 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 184320 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 387584 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2009-12-09 08:02 . 2009-08-28 11:35 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2008-11-12 04:26 . 2009-12-04 18:22 455424 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2006-05-07 17:55 . 2009-11-21 15:51 471552 c:\windows\AppPatch\AcLayers.dll
+ 2009-11-25 05:52 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB976098-v2$\spuninst\updspapi.dll
+ 2009-11-25 05:52 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB976098-v2$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB974392$\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB974392$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2008-04-14 01:12 270336 c:\windows\$NtUninstallKB974392$\oakley.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB974318$\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB974318$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2008-04-14 01:12 150016 c:\windows\$NtUninstallKB974318$\rastls.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB973904$\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB973904$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2004-08-04 17:00 116288 c:\windows\$NtUninstallKB973904$\msconv97.dll
+ 2009-11-25 05:52 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB973687$\spuninst\updspapi.dll
+ 2009-11-25 05:52 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB973687$\spuninst\spuninst.exe
+ 2010-01-13 06:07 . 2009-06-16 15:36 119808 c:\windows\$NtUninstallKB972270$\t2embed.dll
+ 2010-01-13 06:07 . 2008-07-08 13:02 382840 c:\windows\$NtUninstallKB972270$\spuninst\updspapi.dll
+ 2010-01-13 06:07 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB972270$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2008-12-16 13:30 354304 c:\windows\$NtUninstallKB971737$\winhttp.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB971737$\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB971737$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB970430$\spuninst\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB970430$\spuninst\spuninst.exe
+ 2009-12-09 08:02 . 2008-04-13 19:53 264832 c:\windows\$NtUninstallKB970430$\http.sys
+ 2010-01-08 22:50 . 2009-05-26 22:10 382840 c:\windows\$NtUninstallKB955759$\spuninst\updspapi.dll
+ 2010-01-08 22:50 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB955759$\spuninst\spuninst.exe
+ 2010-01-08 22:50 . 2008-04-14 01:11 451072 c:\windows\$NtUninstallKB955759$\aclayers.dll
+ 2010-01-22 06:42 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB978207-IE8\update\updspapi.dll
+ 2010-01-22 06:42 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB978207-IE8\update\update.exe
+ 2010-01-22 06:42 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB978207-IE8\spuninst.exe
+ 2010-01-21 22:34 . 2009-12-21 19:09 916480 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 206848 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\occache.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 594432 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\msfeeds.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 246272 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\ieproxy.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 184320 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\iepeers.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 387584 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\iedkcs32.dll
+ 2010-01-21 22:34 . 2009-12-21 13:22 173056 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\ie4uinit.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB976325-IE8\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB976325-IE8\update\update.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB976325-IE8\spuninst.exe
+ 2009-12-08 22:36 . 2009-10-29 07:45 916480 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 206848 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\occache.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 594432 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\msfeeds.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 246272 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\ieproxy.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 184320 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\iepeers.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 387584 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\iedkcs32.dll
+ 2009-12-08 22:36 . 2009-10-28 14:10 173056 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\ie4uinit.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB974392\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB974392\update\update.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB974392\spuninst.exe
+ 2009-10-13 10:38 . 2009-10-13 10:38 270336 c:\windows\$hf_mig$\KB974392\SP3QFE\oakley.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB974318\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB974318\update\update.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB974318\spuninst.exe
+ 2009-10-12 13:28 . 2009-10-12 13:28 150016 c:\windows\$hf_mig$\KB974318\SP3QFE\rastls.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB973904\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB973904\update\update.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB973904\spuninst.exe
+ 2009-12-08 22:35 . 2009-07-29 14:01 119648 c:\windows\$hf_mig$\KB973904\SP3QFE\msconv97.dll
+ 2009-11-25 05:52 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB973687\update\updspapi.dll
+ 2009-11-25 05:52 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB973687\update\update.exe
+ 2009-11-25 05:52 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB973687\spuninst.exe
+ 2010-01-13 06:07 . 2008-07-08 13:02 382840 c:\windows\$hf_mig$\KB972270\update\updspapi.dll
+ 2010-01-13 06:07 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB972270\update\update.exe
+ 2010-01-13 06:07 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB972270\spuninst.exe
+ 2010-01-13 02:16 . 2009-10-15 16:39 119808 c:\windows\$hf_mig$\KB972270\SP3QFE\t2embed.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB971737\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB971737\update\update.exe
+ 2009-12-09 08:02 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB971737\spuninst.exe
+ 2009-08-25 09:27 . 2009-08-25 09:27 354816 c:\windows\$hf_mig$\KB971737\SP3QFE\winhttp.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB970430\update\updspapi.dll
+ 2009-12-09 08:02 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB970430\update\update.exe
+ 2009-12-09 08:02 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB970430\spuninst.exe
+ 2009-10-20 15:21 . 2009-10-20 15:21 265728 c:\windows\$hf_mig$\KB970430\SP3QFE\http.sys
+ 2010-01-08 22:50 . 2009-05-26 22:10 382840 c:\windows\$hf_mig$\KB955759\update\updspapi.dll
+ 2010-01-08 22:50 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB955759\update\update.exe
+ 2010-01-08 22:50 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB955759\spuninst.exe
+ 2010-01-08 22:50 . 2009-11-21 15:41 471552 c:\windows\$hf_mig$\KB955759\SP3QFE\aclayers.dll
+ 2009-07-12 01:46 . 2009-07-12 01:46 1093120 c:\windows\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 01:46 . 2009-07-12 01:46 1105920 c:\windows\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
- 2006-05-07 17:58 . 2009-08-29 09:08 1208832 c:\windows\SYSTEM32\urlmon.dll
+ 2006-05-07 17:58 . 2009-12-21 19:14 1208832 c:\windows\SYSTEM32\urlmon.dll
+ 2008-07-06 21:03 . 2009-07-31 15:05 1372672 c:\windows\SYSTEM32\msxml6.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\SYSTEM32\msxml4.dll
+ 2006-05-07 17:57 . 2009-07-31 04:35 1172480 c:\windows\SYSTEM32\msxml3.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 5942784 c:\windows\SYSTEM32\mshtml.dll
+ 2009-10-28 03:40 . 2009-10-28 03:40 3885984 c:\windows\SYSTEM32\MACROMED\FLASH\NPSWF32.dll
- 2006-10-17 17:57 . 2009-08-29 09:08 1985536 c:\windows\SYSTEM32\iertutil.dll
+ 2006-10-17 17:57 . 2009-12-21 19:14 1985536 c:\windows\SYSTEM32\iertutil.dll
+ 2006-05-07 13:58 . 2009-12-21 19:14 1208832 c:\windows\SYSTEM32\dllcache\urlmon.dll
- 2006-05-07 13:58 . 2009-08-29 09:08 1208832 c:\windows\SYSTEM32\dllcache\urlmon.dll
+ 2008-05-07 06:12 . 2009-11-27 17:11 1291776 c:\windows\SYSTEM32\dllcache\quartz.dll
+ 2008-10-15 02:07 . 2009-12-08 19:27 2189184 c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
- 2008-10-15 02:07 . 2009-08-05 01:44 2189184 c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
- 2008-10-15 02:07 . 2009-08-04 15:20 2023936 c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
+ 2008-10-15 02:07 . 2009-12-08 18:43 2023936 c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
+ 2008-10-15 02:07 . 2009-12-08 18:43 2066048 c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
- 2008-10-15 02:07 . 2009-08-04 15:20 2066048 c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
- 2008-10-15 02:07 . 2009-08-04 16:13 2145280 c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
+ 2008-10-15 02:07 . 2009-12-08 19:26 2145280 c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
+ 2008-07-06 21:03 . 2009-07-31 15:05 1372672 c:\windows\SYSTEM32\dllcache\msxml6.dll
+ 2008-11-12 04:26 . 2009-07-31 04:35 1172480 c:\windows\SYSTEM32\dllcache\msxml3.dll
+ 2006-05-07 17:57 . 2009-12-21 19:14 5942784 c:\windows\SYSTEM32\dllcache\mshtml.dll
- 2007-05-09 00:20 . 2009-08-29 09:08 1985536 c:\windows\SYSTEM32\dllcache\iertutil.dll
+ 2007-05-09 00:20 . 2009-12-21 19:14 1985536 c:\windows\SYSTEM32\dllcache\iertutil.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-01-22 06:42 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 1208832 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2009-12-09 08:02 . 2009-10-22 09:19 5939712 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 1985536 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
- 2008-10-15 02:07 . 2009-08-05 01:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 02:07 . 2009-12-08 19:27 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-15 02:07 . 2009-08-04 15:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 02:07 . 2009-12-08 18:43 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 02:07 . 2009-12-08 18:43 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 02:07 . 2009-08-04 15:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 02:07 . 2009-08-04 16:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 02:07 . 2009-12-08 19:26 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-11-25 05:52 . 2008-09-10 01:14 1307648 c:\windows\$NtUninstallKB973687$\msxml6.dll
+ 2009-11-25 05:52 . 2008-09-04 17:15 1106944 c:\windows\$NtUninstallKB973687$\msxml3.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 1209344 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\urlmon.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 5945856 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll
+ 2010-01-21 22:34 . 2009-12-21 19:09 1986048 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\iertutil.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 1209344 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\urlmon.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 5944320 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
+ 2009-12-08 22:36 . 2009-10-29 07:45 1986048 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\iertutil.dll
+ 2009-11-24 20:04 . 2009-07-31 04:24 1447424 c:\windows\$hf_mig$\KB973687\SP3QFE\msxml6.dll
+ 2009-11-24 20:04 . 2009-07-31 04:24 1172480 c:\windows\$hf_mig$\KB973687\SP3QFE\msxml3.dll
+ 2006-05-13 00:04 . 2010-02-01 16:26 30364104 c:\windows\SYSTEM32\MRT.exe
+ 2006-10-27 20:09 . 2009-12-21 19:14 11070464 c:\windows\SYSTEM32\ieframe.dll
+ 2007-05-09 00:20 . 2009-12-21 19:14 11070464 c:\windows\SYSTEM32\dllcache\ieframe.dll
+ 2010-01-20 06:31 . 2010-01-20 06:31 15710720 c:\windows\Installer\1d52633.msp
+ 2010-01-22 06:42 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
+ 2009-12-09 08:02 . 2009-08-29 09:08 11069440 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
+ 2009-12-22 19:09 . 2009-12-22 19:09 11070976 c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\ieframe.dll
+ 2009-10-29 18:15 . 2009-10-29 18:15 11070464 c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-12-18 1126400]
"Objmfc"="c:\documents and settings\Karl Shanholtzer\Application Data\Adobe\Update\clipar.dat" [2010-02-24 124928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-08 14565376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]

c:\documents and settings\Karl Shanholtzer\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-4-30 27136]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 21:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2005-04-12 04:31 49152 ----a-r- c:\windows\SYSTEM32\SiSPower.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFast2KLoadDefault"=rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
"WinFast_2K"=c:\windows\SYSTEM32\Wf2k.exe
"SDetect.exe"=c:\windows\Twain_32\ScanWiz5\SDetect.exe
"WinPoET"=c:\program files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CloneCDTray"="c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\Nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb05.exe
"MSConfigReminder"=c:\windows\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AccessRampLAN 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARUpld32.exe" -l
"AccessRampMonitor 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARMon32a.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [9/18/2009 7:34 PM 54752]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 9:42 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 1:16 AM 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 HWSNEAN;HWSNEAN;c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys [?]
S3 UnhookMBRS;UnhookMBRS;\??\c:\docume~1\KARLSH~1\LOCALS~1\Temp\a2f999a9.nmc\nse\bin\unhookmbrs.sys --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\a2f999a9.nmc\nse\bin\unhookmbrs.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 21:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2007-06-08 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-09 22:05]

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-24 c:\windows\Tasks\User_Feed_Synchronization-{4751F768-5B83-41F6-8310-4CFCF59CDAA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]

2010-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://65.202.166.130:9000/SonySncMView.cab
FF - ProfilePath - c:\documents and settings\Karl Shanholtzer\Application Data\Mozilla\Firefox\Profiles\v4eympc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 19:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\HP\HP Software Update\HPWUCli.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2010-02-24 19:10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-25 00:10
ComboFix2.txt 2009-11-23 02:31

Pre-Run: 74,991,337,472 bytes free
Post-Run: 75,009,654,784 bytes free

- - End Of File - - E98F4181E8B53A0BA4A5FFBBBCAC20BB


#10 kshan

kshan
  • Topic Starter

  • Members
  • 30 posts

Posted 06 March 2010 - 04:45 PM
Here is Combofix3.txt:


ComboFix 09-11-22.04 - Karl Shanholtzer 11/22/2009 21:24.1.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2541 [GMT -5:00]
Running from: c:\documents and settings\Karl Shanholtzer\Desktop\Fix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DOWNLOADED PROGRAM FILES\RDXIe.dll
c:\windows\start.exe
c:\windows\system32\clrviddc.dll
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-12 21:59 . 2009-11-12 21:59 -------- d-----w- c:\program files\Microsoft Works

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 23:01 . 2009-08-09 21:08 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-10-17 01:45 . 2009-10-17 01:45 152576 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-16 01:38 . 2003-09-16 16:44 124 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\fusioncache.dat
2009-10-16 01:38 . 2009-10-16 01:38 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Turbine
2009-10-16 00:46 . 2009-10-16 00:46 -------- d-----w- c:\program files\Turbine
2009-10-10 13:18 . 2009-10-10 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-09-11 15:18 . 2006-05-07 17:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 2006-05-07 17:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 2006-05-07 17:59 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 09:00 . 2006-05-07 18:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2001-04-29 14:52 . 2001-04-29 14:52 23357 ---h--w- c:\program files\folder.htt
2006-10-11 08:04 . 2009-03-06 05:36 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:05 . 2009-03-06 05:36 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2009-03-06 05:36 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2009-03-06 05:36 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2009-03-06 05:36 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-12-11 06:26 . 2006-12-11 06:26 0 --sha-w- c:\windows\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-12-18 1126400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-10-23 380928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SiSPower"="SiSPower.dll" - c:\windows\SYSTEM32\SiSPower.dll [2005-04-12 49152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-08 14565376]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-12-04 1626112]

c:\documents and settings\Karl Shanholtzer\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-4-30 27136]
Utility Tray.lnk - c:\windows\SYSTEM32\sistray.exe [2006-5-7 266240]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFast2KLoadDefault"=rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
"WinFast_2K"=c:\windows\SYSTEM32\Wf2k.exe
"SDetect.exe"=c:\windows\Twain_32\ScanWiz5\SDetect.exe
"WinPoET"=c:\program files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CloneCDTray"="c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\Nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb05.exe
"MSConfigReminder"=c:\windows\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AccessRampLAN 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARUpld32.exe" -l
"AccessRampMonitor 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARMon32a.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [9/18/2009 7:34 PM 54752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 9:42 PM 24652]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 HWSNEAN;HWSNEAN;c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2007-06-08 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-09 22:05]

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-22 c:\windows\Tasks\User_Feed_Synchronization-{4751F768-5B83-41F6-8310-4CFCF59CDAA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
Trusted Zone: ebay.com\signin
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://65.202.166.130:9000/SonySncMView.cab
FF - ProfilePath - c:\documents and settings\Karl Shanholtzer\Application Data\Mozilla\Firefox\Profiles\v4eympc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 21:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-22 21:31
ComboFix-quarantined-files.txt 2009-11-23 02:31

Pre-Run: 56,147,673,088 bytes free
Post-Run: 57,380,831,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 330B3B2A852EA47A28136A3AA15EDFF5

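The two ComboFix logs above contain the entries a responder would pick out by hand: a Run value in HKCU that launches a .dat file from Application Data ("Objmfc" -> clipar.dat), services and drivers whose image sits under Local Settings\Temp and that ComboFix marks [?], the Windows Firewall standard profile set to EnableFirewall=0, a ProxyOverride, and an ebay.com\signin Trusted Zone entry on a machine whose owner reported eBay/PayPal redirects. The script below is an added example written for this thread, not code from BleepingComputer, ComboFix or any poster. It parses the "Reg Loading Points" and "Supplementary Scan" line formats as they appear above and applies heuristics that are this example's own assumptions (user-writable directories, non-executable extensions in Run values, service images in Temp or marked [?], firewall off, Trusted Zone and ProxyOverride entries). The sample input is copied from the logs in this thread.

```python
"""Triage autostart and policy lines from a ComboFix log.

Added example for this thread; the flagging rules are heuristics chosen here,
not ComboFix's own logic. Findings are leads for an analyst, not verdicts.
"""
import ntpath
import re

# Directories a standard user can write to; an autostart or driver pointing
# into one of them is a classic persistence location (assumption of this example).
USER_WRITABLE = re.compile(
    r"\\(application data|local settings|locals~1|temp|appdata)\\", re.I)
# Extensions we expect a Run value to launch; anything else (.dat, .tmp, none)
# is flagged because Windows will still execute it via the registered handler.
RUNNABLE_EXT = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".pif"}

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')            # "name"="target" [date size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R2 name;display;image
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(.+)$")
PROXY_RE = re.compile(r"ProxyOverride\s*=\s*(.+)$")

# Sample lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Objmfc"="c:\documents and settings\Karl Shanholtzer\Application Data\Adobe\Update\clipar.dat" [2010-02-24 124928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-08 14565376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [9/18/2009 7:34 PM 54752]
S3 HWSNEAN;HWSNEAN;c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\HWSNEAN.exe [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KARLSH~1\LOCALS~1\Temp\4818de52.nmc\nse\bin\ndiskio.sys [?]
uInternet Settings,ProxyOverride = 127.0.0.1
Trusted Zone: ebay.com\signin
Trusted Zone: turbotax.com
"""


def _target_of(value):
    """Pull the image path out of a Run value: '"c:\\x.exe" [date size]' or 'x.exe [..]'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" [", 1)[0]


def triage(log_text):
    """Return (severity, reason, line) findings, in log order."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)            # remember which registry key we are under
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.groups()
            if name.lower() == "enablefirewall" and "firewallpolicy" in key.lower():
                if value.lstrip().startswith("0"):
                    findings.append(("medium", "Windows Firewall profile disabled", line))
            elif re.search(r"\\run$", key, re.I):   # only live Run keys, not 'run-'
                target = _target_of(value)
                ext = ntpath.splitext(target)[1].lower()
                if ext not in RUNNABLE_EXT:
                    findings.append(("high", f"Run value '{name}' launches non-executable extension {ext or '(none)'}", line))
                if USER_WRITABLE.search(target):
                    findings.append(("high", f"Run value '{name}' targets user-writable directory", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, rest = m.groups()
            image = rest.split(" -->", 1)[0].strip()
            if USER_WRITABLE.search(image):
                findings.append(("high", f"Service/driver {name} ({state}) loads from user-writable directory", line))
            if rest.rstrip().endswith("[?]"):
                findings.append(("medium", f"Service/driver {name} image not located by ComboFix ([?])", line))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("info", f"Trusted Zone entry {m.group(1)} relaxes IE zone protections; confirm it was added deliberately", line))
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(("info", f"ProxyOverride = {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample, the Objmfc entry is reported twice (non-executable extension and user-writable location), both Temp-resident drivers are reported with the [?] marker, and the firewall, proxy and Trusted Zone lines come out as lower-severity items to confirm with the user. A driver in Temp can also be a leftover from a scanner that extracted itself there, which is why the script ranks rather than decides; the CFScript in the next post removes those three services and the .dat loader directly.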

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 06 March 2010 - 05:00 PM

Hello, kshan.
I use Windows 7 and I like it. You can still get infected by malware, of course. I like W7 a lot, but I also liked XP. W7 does boot up much quicker which I really like about it.

Let's take care of a few things.

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\spw98v.exe
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?3&6&04.00.09.13&unknown&unknown&http://www.simmonsoptics.com/
Driver::
NDISKIO
UnhookMBRS
HWSNEAN


Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
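The CFScript above is a plain text file made of `Name::` section headers, each followed by the entries ComboFix should act on. As an added example that is not part of this thread or of ComboFix itself, the following Python parses such a script into a structured plan and flags entries whose shape does not fit their section, so that a helper can double-check a script before it is handed to a user. The sample script is the one from the post above; the directive names `File::`, `DDS::` and `Driver::` are taken from it, while the validation rules (absolute path for `File::`, bare service name for `Driver::`, `kind: {CLSID} - target` for `DDS::`) are this example's own assumptions, not ComboFix's documented grammar.

```python
"""Parse and sanity-check a ComboFix CFScript (added example, not ComboFix's own code)."""
import re
from collections import OrderedDict

# Constructed sample: the CFScript from the post above, verbatim.
SAMPLE_CFSCRIPT = r"""File::
C:\spw98v.exe
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?3&6&04.00.09.13&unknown&unknown&http://www.simmonsoptics.com/
Driver::
NDISKIO
UnhookMBRS
HWSNEAN
"""

# A section header is a bare word followed by "::" on its own line.
SECTION_RE = re.compile(r"^(\w+)::\s*$")
# Absolute Windows path: drive letter, colon, backslash.
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# DDS report line: "<kind>: {CLSID} - <target>", as copied out of a DDS log.
DDS_LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z0-9]+):\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<target>.*)$"
)


def parse_cfscript(text):
    """Return an ordered mapping {section_name: [entry, ...]} preserving script order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry appears before any section header: %r" % line)
        sections[current].append(line)
    return sections


def parse_dds_entry(line):
    """Split a DDS:: entry into (kind, clsid, target); None if it does not match."""
    m = DDS_LINE_RE.match(line)
    if not m:
        return None
    return m.group("kind"), m.group("clsid").lower(), m.group("target")


def review_plan(sections):
    """Flag entries that do not fit their section (rules are this example's own assumptions).

    Returns a list of (section, entry, problem) tuples; an empty list means every
    entry has the shape its section expects.
    """
    problems = []
    for entry in sections.get("File", []):
        if not WIN_PATH_RE.match(entry):
            problems.append(("File", entry, "expected an absolute drive path"))
    for entry in sections.get("Driver", []):
        if "\\" in entry or "." in entry:
            problems.append(("Driver", entry, "expected a bare service name, not a file path"))
    for entry in sections.get("DDS", []):
        if parse_dds_entry(entry) is None:
            problems.append(("DDS", entry, "not a recognisable DDS report line"))
    return problems


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in plan.items():
        print("%s:: (%d entries)" % (name, len(entries)))
        for e in entries:
            print("   ", e)
    for section, entry, why in review_plan(plan):
        print("PROBLEM in %s::: %s (%s)" % (section, entry, why))
```

Running it on the sample prints the three sections (one file, two DDS lines, three driver names) and no problems; feeding it a script with a relative path under `File::` or a `.sys` path under `Driver::` returns one problem per offending entry, which is the kind of slip worth catching before a script deletes the wrong thing.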
 


#12 kshan

kshan
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 06 March 2010 - 06:49 PM

Here is my ComboFix log; it updated ComboFix to a newer version when run:



ComboFix 10-03-06.03 - Karl Shanholtzer 03/06/2010 18:21:24.4.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2577 [GMT -5:00]
Running from: c:\documents and settings\Karl Shanholtzer\Desktop\Kshancf.exe
Command switches used :: c:\documents and settings\Karl Shanholtzer\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

FILE ::
"C:\spw98v.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\spw98v.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HWSNEAN
-------\Legacy_NDISKIO
-------\Legacy_UNHOOKMBRS
-------\Service_HWSNEAN
-------\Service_NDISKIO
-------\Service_UnhookMBRS


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 14:46 . 2010-03-06 14:46 41 ----a-w- C:\fixme.bat
2010-03-06 14:45 . 2010-03-06 14:44 77312 ----a-w- C:\mbr.exe
2010-03-03 05:23 . 2010-03-03 05:23 -------- d-----w- C:\FOUND.004
2010-02-26 09:21 . 2010-02-26 09:21 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Temp
2010-02-26 09:21 . 2010-02-26 09:21 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Temp
2010-02-25 04:30 . 2010-02-25 04:30 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-02-24 22:44 . 2010-02-24 22:44 -------- d-----w- c:\program files\IObit
2010-02-24 03:37 . 2010-02-24 03:37 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-24 03:37 . 2010-02-24 03:37 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Netcraft
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\program files\Netcraft Toolbar
2010-02-20 19:55 . 2010-02-20 19:55 -------- d-----w- c:\program files\Smart Projects
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\program files\Seagate
2010-02-20 18:36 . 2010-02-20 18:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-19 02:21 . 2010-02-19 02:23 167936 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\XMLPlugin.dll
2010-02-19 02:19 . 2010-02-19 02:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\PowerProfile.exe
2010-02-19 01:43 . 2010-02-20 16:17 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\.GetMemoryInfoEx.exe
2010-02-19 01:43 . 2010-02-20 16:17 171008 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\WLAN.exe
2010-02-19 01:43 . 2010-02-20 16:17 56320 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\tific-devcon.exe
2010-02-19 01:41 . 2010-02-20 16:15 52736 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\EnumDevices.exe
2010-02-19 01:41 . 2010-02-20 16:14 152944 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\BootTime.dll
2010-02-19 01:41 . 2010-02-20 16:14 204800 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DllHost.exe
2010-02-19 01:41 . 2010-02-20 16:14 91504 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\SHA256.dll
2010-02-19 01:41 . 2010-02-20 16:14 57344 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\Shortcut.exe
2010-02-19 01:40 . 2010-02-20 16:14 110592 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific\Download\DirSize.exe
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Tific
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-19 01:40 . 2010-02-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-18 03:58 . 2010-02-18 03:58 -------- d-----w- c:\documents and settings\Karl Shanholtzer\DoctorWeb
2010-02-18 03:37 . 2010-02-18 03:37 -------- d-----w- C:\Hosts
2010-02-17 04:33 . 2010-02-17 04:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\Karl Shanholtzer\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 04:32 . 2010-02-17 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 04:32 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 21:00 . 2010-02-28 14:00 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-12-31 16:50 . 2006-05-07 17:58 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-05-07 17:59 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-05-07 18:16 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-05-07 17:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 22:38 . 2009-12-08 22:38 152576 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-08 22:38 . 2009-12-08 22:38 79488 ----a-w- c:\documents and settings\Karl Shanholtzer\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2006-05-07 17:57 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2001-04-29 14:52 . 2001-04-29 14:52 23357 ---h--w- c:\program files\folder.htt
2006-12-11 06:26 . 2006-12-11 06:26 0 --sha-w- c:\windows\DRM\Cache\Indiv01.tmp
.

((((((((((((((((((((((((((((( SnapShot_2010-02-25_00.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-28 14:00 . 2007-10-23 22:48 10752 c:\windows\SYSTEM32\DRIVERS\Video3D32.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 11136 c:\windows\SYSTEM32\DRIVERS\atkkbnt.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 77312 c:\windows\SYSTEM32\devcon.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 11264 c:\windows\SYSTEM32\ATKOSDMini.DLL
+ 2010-02-28 14:00 . 2007-10-23 22:48 36352 c:\windows\SYSTEM32\ATKOGL32.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 12416 c:\windows\SYSTEM32\asusgsb.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\asrussian.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\askorean.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\asjapan.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\asgerman.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46592 c:\windows\SYSTEM32\asfrench.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 46080 c:\windows\SYSTEM32\aseng.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\ASCHT.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 45568 c:\windows\SYSTEM32\aschs.dll
+ 2010-03-06 00:11 . 2010-03-06 00:11 26624 c:\windows\Installer\758823.msi
+ 2010-02-26 09:21 . 2010-02-26 09:21 22528 c:\windows\Installer\227d3d7.msi
+ 2010-02-28 14:00 . 2007-10-23 22:48 8704 c:\windows\SYSTEM32\DRIVERS\Bravo.sys
+ 2010-02-28 14:00 . 2007-10-23 22:48 180224 c:\windows\SYSTEM32\xvidvfw.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 761856 c:\windows\SYSTEM32\xvidcore.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 348160 c:\windows\SYSTEM32\msvcr71.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nVivid.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nAsmedia.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\nAdvanced.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196653 c:\windows\SYSTEM32\DRIVERS\aVivid.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196582 c:\windows\SYSTEM32\DRIVERS\aStandard.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196582 c:\windows\SYSTEM32\DRIVERS\aAsmedia.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 196608 c:\windows\SYSTEM32\DRIVERS\aAdvanced.bin
+ 2010-02-28 14:00 . 2007-10-23 22:48 795104 c:\windows\SYSTEM32\DPInst.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 242816 c:\windows\SYSTEM32\ATKDISP.dll
+ 2010-03-06 00:11 . 2010-03-06 00:11 463360 c:\windows\Installer\758818.msi
+ 2010-02-28 14:00 . 2007-10-23 22:46 262144 c:\windows\ATKKBService.exe
+ 2010-02-28 14:00 . 2007-10-23 22:48 5424640 c:\windows\SYSTEM32\ATKOSDX32.dll
+ 2010-02-28 14:00 . 2007-10-23 22:48 2093056 c:\windows\SYSTEM32\ATKDispCPL.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-12-18 1126400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-08 14565376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-10-23 380928]

c:\documents and settings\Karl Shanholtzer\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-4-30 27136]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 21:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2005-04-12 04:31 49152 ----a-r- c:\windows\SYSTEM32\SiSPower.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFast2KLoadDefault"=rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
"WinFast_2K"=c:\windows\SYSTEM32\Wf2k.exe
"SDetect.exe"=c:\windows\Twain_32\ScanWiz5\SDetect.exe
"WinPoET"=c:\program files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CloneCDTray"="c:\program files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\Nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=c:\windows\SYSTEM32\hpztsb05.exe
"MSConfigReminder"=c:\windows\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AccessRampLAN 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARUpld32.exe" -l
"AccessRampMonitor 01"="c:\program files\VERIZONDSL\IPINSIGHT\ARMon32a.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [9/18/2009 7:34 PM 54752]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 1:16 AM 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 01:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 21:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2007-06-08 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-09 22:05]

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-06 c:\windows\Tasks\User_Feed_Synchronization-{4751F768-5B83-41F6-8310-4CFCF59CDAA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://65.202.166.130:9000/SonySncMView.cab
FF - ProfilePath - c:\documents and settings\Karl Shanholtzer\Application Data\Mozilla\Firefox\Profiles\v4eympc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\palmOne\PqiIcon.dll
c:\program files\palmOne\UserData.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\ATKKBService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-06 18:29:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 23:29
ComboFix2.txt 2010-03-06 20:31
ComboFix3.txt 2010-02-25 00:10
ComboFix4.txt 2009-11-23 02:31

Pre-Run: 75,079,254,016 bytes free
Post-Run: 74,956,734,464 bytes free

- - End Of File - - C0F659A96AFF28444580A0B161CF8092


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:30 AM

Posted 07 March 2010 - 07:59 AM

Hello, kshan.
Are you getting redirected now?

Also, I see Turbotax.com is in your trusted sites. I advise you to not have any trusted sites (see below) unless you know the website and need to grant them that power to have them work correctly. I use turbotax.com successfully without having it be a trusted site.

Your Adobe Reader is out of date. I suggest you update to Version 9.3 by following the instructions below. If you choose not to upgrade, just skip to the last step.



O15 Entries Warning (Sites in your Trusted Zones)

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2

Please post a fresh DDS log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
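The Trusted Zone advice above is given in terms of the Internet Explorer dialog. As an added example that is not part of this thread, the Python below lists the same zone assignments from the registry, which is how a responder can check a machine without clicking through the UI. It relies on the layout IE uses under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`: one subkey per registrable domain, an optional nested subkey per host label, and inside it DWORD values named after a URL scheme (`http`, `https`, or `*` for all schemes) whose data is the zone id, with 2 meaning Trusted sites. The `turbotax.com` rows in the sample mirror the `Trusted Zone: turbotax.com` line in the log above; the other hosts in the sample are made up for this example.

```python
r"""List Internet Explorer zone assignments, highlighting Trusted Sites.

Added example, not from the forum thread. Reads the ZoneMap layout IE keeps under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains:
one subkey per registrable domain, an optional nested subkey per host label, and
inside it DWORD values named after a URL scheme ("http", "https", "*") whose data
is the zone id (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet,
4 Restricted sites).
"""
import sys

ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
TRUSTED_ZONE = 2

# Constructed sample rows in the shape read_zonemap_windows() returns:
# (subkey path below Domains, value name = scheme, DWORD data = zone id).
# turbotax.com mirrors the "Trusted Zone: turbotax.com" line in the log above;
# the other hosts are made up for this example.
SAMPLE_ZONEMAP = [
    ("turbotax.com", "http", 2),
    ("turbotax.com", "https", 2),
    ("example.net\\update", "*", 2),   # key Domains\example.net\update = host update.example.net
    ("corp.local", "http", 1),
    ("example.org\\bad", "*", 4),
]


def zone_assignments(rows):
    r"""Turn ZoneMap rows into (site_pattern, zone_id) pairs.

    The host is rebuilt by reversing the subkey path: Domains\example.net\update
    describes update.example.net. A value named "*" covers every scheme.
    """
    out = []
    for subkey, scheme, zone in rows:
        labels = subkey.split("\\")
        host = ".".join(reversed(labels))
        out.append(("%s://%s" % (scheme, host), int(zone)))
    return out


def trusted_sites(rows):
    """Sorted site patterns placed in the Trusted sites zone."""
    return sorted(p for p, z in zone_assignments(rows) if z == TRUSTED_ZONE)


def read_zonemap_windows():
    r"""Read the live per-user ZoneMap\Domains tree (Windows only; uses winreg)."""
    import winreg

    base = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    rows = []

    def walk(path, rel):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            for i in range(n_val):
                name, data, kind = winreg.EnumValue(key, i)
                # rel is empty only at the Domains root, which carries no site values
                if rel and kind == winreg.REG_DWORD:
                    rows.append((rel, name, data))
            for i in range(n_sub):
                sub = winreg.EnumKey(key, i)
                walk(path + "\\" + sub, (rel + "\\" + sub) if rel else sub)

    walk(base, "")
    return rows


if __name__ == "__main__":
    rows = read_zonemap_windows() if sys.platform == "win32" else SAMPLE_ZONEMAP
    for pattern, zone in zone_assignments(rows):
        print("%-32s %s" % (pattern, ZONE_NAMES.get(zone, "unknown zone %d" % zone)))
    print("Trusted sites:", trusted_sites(rows) or "none")
```

On Windows the script walks the live per-user tree; elsewhere it falls back to the constructed sample so the logic can be exercised offline. Only the current user's hive is read here; a machine-wide policy can place the same `ZoneMap` tree under `HKLM`, so a thorough check looks in both.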
 


#14 kshan

kshan
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 07 March 2010 - 10:20 AM

Logged into eBay. It would not allow me to log in until I removed "deny cookies from ebay.com" in the privacy panel in IE8. I was not redirected when I logged in. The browsers run very fast now. No problems with Firefox.
What do you think of Netcraft? I was curious about the sites I visit.
Can I restart One care and the firewall now?
Also is there a good free Adobe PDF writer out there? Also what Outlook Express type programs are there for Windows7?

Sorry, I have too many questions.

Thanks,
Karl


Here is the DDS.txt and the Attach.txt is zipped and attached per operating instructions.


DDS (Ver_09-12-01.01) - FAT32x86
Run by Karl Shanholtzer at 9:52:39.85 on Sun 03/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2499 [GMT -5:00]

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\palmOne\HOTSYNC.EXE
SVCHOST.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Karl Shanholtzer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\YT.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\YT.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Netcraft Toolbar: {d554d8fc-b36d-4bb4-93db-4a3394d505e3} - c:\program files\netcraft toolbar\nctb.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\karlsh~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Win32 Classes
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://www.solidworks.com/plugins/edrawings/download.cfm?Release=REL&Type=WEB&Language=English
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - hxxp://216.249.24.142/code/PWActiveXImgCtl.CAB
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://65.202.166.130:9000/SonySncMView.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37880.3567592593
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karlsh~1\applic~1\mozilla\firefox\profiles\v4eympc6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\karl shanholtzer\application data\mozilla\firefox\profiles\v4eympc6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-18 54752]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2007-10-11 53168]

=============== Created Last 30 ================

2010-03-07 14:49:56 0 d-----w- C:\Bleep_Logs
2010-03-06 23:20:51 0 d-----w- C:\Kshancf
2010-03-06 14:46:38 41 ----a-w- C:\fixme.bat
2010-03-06 14:45:04 77312 ----a-w- C:\mbr.exe
2010-03-03 05:23:10 0 d-----w- C:\FOUND.004
2010-02-26 09:21:00 0 d-----w- c:\docume~1\karlsh~1\applic~1\Temp
2010-02-25 04:30:46 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-24 22:44:45 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-02-24 22:44:41 0 d-----w- c:\program files\IObit
2010-02-24 03:37:40 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-24 03:37:40 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-21 05:32:41 0 d-----w- c:\docume~1\karlsh~1\applic~1\Netcraft
2010-02-21 05:32:27 0 d-----w- c:\program files\Netcraft Toolbar
2010-02-20 18:38:29 0 d-----w- c:\program files\Seagate
2010-02-20 18:36:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-19 02:19:30 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-19 01:40:21 0 d-----w- c:\docume~1\karlsh~1\applic~1\Tific
2010-02-19 01:40:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-19 01:40:02 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-18 03:58:30 0 d-----w- c:\documents and settings\karl shanholtzer\DoctorWeb
2010-02-18 03:37:26 0 d-----w- C:\Hosts
2010-02-17 04:32:42 0 d-----w- c:\docume~1\karlsh~1\applic~1\Malwarebytes
2010-02-17 04:32:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 04:32:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 04:32:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 04:32:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-06 21:00:08 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-10 03:54:08 261632 ----a-w- c:\windows\PEV.exe
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2001-04-29 14:52:04 271 --sh--w- c:\program files\desktop.ini
2001-04-29 14:52:04 23357 ---h--w- c:\program files\folder.htt
2008-07-07 00:05:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070620080707\index.dat

============= FINISH: 9:53:01.53 ===============

#15 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 07 March 2010 - 12:32 PM

Hello, kshan.

I don't know much about Netcraft. You may want to ask in one of the other forums. A good site is McAfee's Site Advisor to know if a website is safe or not:
http://www.siteadvisor.com/

Yes, please start both the firewall and One Care.

As for PDF writing, I know of several, but can't recommend one. I use Office 2007 and 2010 and both have a plug-in you can download from Microsoft to save a file as a PDF so I've never needed one. Our list of freeware has a few. Check this post out:
http://www.bleepingcomputer.com/forums/ind...st&p=345674

Go to "Office Applications". Looks like CutePDF, PDF Creator, etc. can do that. Give one or several a try once we're done if you want.

QUOTE
Sorry, I have too many questions

Don't be sorry! The only dumb question is the one not asked.

At this point, you appear clean to me, but I want a second opinion before we clean up our mess. Please do the following scan and post the results in your reply.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators