Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with very bad Rogue Software Virus


  • This topic is locked This topic is locked
11 replies to this topic

#1 greg55

greg55

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 06 May 2010 - 05:59 PM

I'm not 100% how we got this virus since I came home from work to be confronted with this problem. I can not even run a hijack this scan because the virus pops up with a "application cannot be executed. The file hijackthis.exe is infected, do you want to activate your antivirus software now. I know of course this is a trap along with the fake antivirus software alerts and constant pop ups. I was however able to run hijackthis in safe mode BUT could not access the internet. So i'm going to try and attach the file.

Attached Files



BC AdBot (Login to Remove)

 


#2 greg55

greg55
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 07 May 2010 - 12:52 PM

To further update this problem, I have ran avast, Malwarebytes anti virus, and SUPERantivirus software. All have found and supposedly removed the virus from my registry but of course its never that easy and the virus still remains. I do however have a log of my malwarebytes results and such. I'll post that in case it can help. The virus disables internet exploxer so i am using firefox. Also when the computer is on for a short period of time no programs are able to run because the fake security warning says it can not be executed.

Attached Files


Edited by greg55, 07 May 2010 - 12:53 PM.


#3 greg55

greg55
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 07 May 2010 - 03:20 PM

I know you guys are busy, so I found a guide on how to remove the virus. 1st the guide stated on immediate restart of the computer go to Start menu-run-msconfig and disable the process ending in tssd. Then restart. It was supposed to disable the rogue when the computer restarts and in general, thankfully it did. Now the guide then stated use sky doctor which cost 40 bucks to remove the virus (it found quite a bit of junk) but i dont have 40 dollars to use on this problem. So I manually tried to remove the virus and there are only a few things i have questions about to see if I did this all successfully. Ill post an updated hijacklog and hope to hear from you guys soon.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:19:44 PM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ftbbgywc] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hxdkwxmar\dukgpqytssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ftbbgywc] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hxdkwxmar\dukgpqytssd.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238562626531
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7947 bytes


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 09 May 2010 - 05:30 AM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt
GMER.log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 greg55

greg55
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 10 May 2010 - 09:59 PM

Thank you very much blade for taking time to help me. Here are the logs you requested.


DDS (Ver_10-03-17.01) - NTFSx86
Run by archie at 17:06:35.98 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.95 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\archie\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://tucson.cox.net/cci/home
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [ftbbgywc] c:\documents and settings\networkservice\local settings\application data\hxdkwxmar\dukgpqytssd.exe
StartupFolder: c:\docume~1\archie\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238562626531
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\archie\applic~1\mozilla\firefox\profiles\f904z411.default\
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-7 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-7 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-7 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-7 40384]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-05-07 18:40:51 0 d-----w- c:\windows\pss
2010-04-27 05:04:02 0 d-----w- c:\docume~1\alluse~1\applic~1\211B

==================== Find3M ====================

2010-03-26 19:00:50 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-07 19:00:32 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-02-07 19:00:21 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 17:07:46.12 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 19:56:58
Windows 5.1.2600 Service Pack 3
Running: gamer.exe; Driver: C:\DOCUME~1\archie\LOCALS~1\Temp\kgqiqfoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE9D5C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE9D5AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE9D6078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE9D5FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE9D569A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE9D5B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE9D55DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE9D563E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE9D5CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE9D6146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE9D5C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE9D5DFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEAE7950]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE9E250A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE9E232E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE9E2468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EE9DF97E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP EE9E2332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP EE9E250E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP EE9DE4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP EE9E246C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\System32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF77C9F94]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe[384] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1040] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02B0000A
.text C:\WINDOWS\System32\svchost.exe[1040] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 029A000A
.text C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1632] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[4008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\wuauclt.exe[4008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[4008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[688] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[688] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 855A6EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\redbook.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files



#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 11 May 2010 - 05:49 AM

hello greg55

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Edited by Blade Zephon, 11 May 2010 - 05:50 AM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 greg55

greg55
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 12 May 2010 - 05:54 PM

Thanks so much for your help. Combo fix deleted the files I could not find -Phew-. here is the log thumbup2.gif

ComboFix 10-05-12.01 - archie 05/12/2010 15:39:47.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.252 [GMT -7:00]
Running from: c:\documents and settings\archie\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\mswintmp.dat
c:\documents and settings\archie\Local Settings\Temporary Internet Files\72P1CMy2.jpg
c:\documents and settings\archie\Local Settings\Temporary Internet Files\Hf572bXu.jpg
c:\documents and settings\archie\Local Settings\Temporary Internet Files\w71Gv3.jpg
c:\documents and settings\archie\Local Settings\Temporary Internet Files\Yqcul01p0.jpg
c:\documents and settings\NetworkService\Local Settings\Application Data\hxdkwxmar
c:\documents and settings\NetworkService\Local Settings\Application Data\hxdkwxmar\dukgpqytssd.exe

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 22:18 . 2010-05-12 22:18 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-07 20:18 . 2010-05-07 20:18 388096 ----a-r- c:\documents and settings\archie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-07 19:13 . 2010-05-07 19:13 -------- d-----w- c:\documents and settings\archie\Local Settings\Application Data\Threat Expert
2010-05-07 18:53 . 2010-05-08 06:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 21:40 . 2010-05-06 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-27 05:04 . 2010-04-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\211B

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 20:09 . 2010-02-08 07:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 18:04 . 2010-02-08 07:30 117760 ----a-w- c:\documents and settings\archie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-28 15:29 . 2010-02-08 07:13 -------- d-----w- c:\program files\ESET
2010-04-26 04:59 . 2010-04-11 17:02 439816 ----a-w- c:\documents and settings\archie\Application Data\Real\Update\setup3.10\setup.exe
2010-04-25 23:31 . 2009-12-17 11:17 -------- d-----w- c:\documents and settings\archie\Application Data\Apple Computer
2010-04-14 16:47 . 2010-04-07 18:30 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-07 18:30 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-04-07 18:30 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-07 18:30 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-07 18:30 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-07 18:30 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-07 18:30 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-07 18:30 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-07 18:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-10 07:19 . 2010-03-13 19:26 -------- d-----w- c:\documents and settings\archie\Application Data\Xfire
2010-04-09 17:44 . 2010-03-13 19:26 -------- d-----w- c:\program files\Xfire
2010-04-07 18:29 . 2010-04-07 18:29 -------- d-----w- c:\program files\Alwil Software
2010-04-07 18:29 . 2010-04-07 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-26 19:00 . 2010-03-26 19:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-15 04:54 . 2008-10-19 23:49 -------- d-----w- c:\program files\LimeWire
2010-03-10 06:15 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 16:45 . 2009-09-24 20:20 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-02-25 16:45 . 2009-09-24 20:20 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-02-25 16:45 . 2009-09-24 20:20 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-02-25 16:45 . 2009-09-24 20:20 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-02-25 16:45 . 2009-09-24 20:20 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-02-25 16:45 . 2009-09-24 20:20 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-02-25 06:24 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-09-03 16:42 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 01:23 . 2010-02-21 01:23 152576 ----a-w- c:\documents and settings\archie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-21 01:23 . 2010-02-21 01:23 79488 ----a-w- c:\documents and settings\archie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-17 16:10 . 2002-09-03 16:50 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-09-03 16:26 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-12_18.34.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-05-12 22:39 . 2010-05-12 22:39 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
- 2008-09-07 21:50 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-09-07 21:50 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2007-08-14 01:54 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 01:54 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2010-05-12 22:18 . 2010-05-12 22:18 28752 c:\windows\system32\MpEngineStore\MpKsl29304333.sys
+ 2002-09-03 16:37 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
- 2002-09-03 16:37 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
- 2009-07-27 19:07 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-07-27 19:07 . 2010-02-25 06:24 12800 c:\windows\system32\dllcache\xpshims.dll
- 2008-09-14 16:03 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-09-14 16:03 . 2010-02-25 06:24 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-14 01:54 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2002-09-03 16:28 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2010-02-24 09:09 . 2009-10-28 15:07 46080 c:\windows\$NtUninstallKB979306$\tzchange.exe
+ 2010-02-24 09:09 . 2010-01-23 10:40 16896 c:\windows\$NtUninstallKB979306$\spuninst\tzchange.dll
+ 2010-03-31 06:57 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB980182-IE8\update\spcustom.dll
+ 2010-03-31 06:57 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB980182-IE8\spmsg.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 12800 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\xpshims.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 55296 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\msfeedsbs.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 25600 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\jsproxy.dll
+ 2010-02-24 09:09 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB976662-IE8\update\spcustom.dll
+ 2010-02-24 09:09 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB976662-IE8\spmsg.dll
+ 2010-03-11 07:30 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB975561\update\spcustom.dll
+ 2010-03-11 07:30 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB975561\spmsg.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2002-09-03 17:12 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
- 2002-09-03 16:50 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2002-09-03 16:50 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
- 2002-09-03 16:46 . 2009-03-08 11:32 611840 c:\windows\system32\mstime.dll
+ 2002-09-03 16:46 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
- 2007-08-14 01:54 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2002-09-03 16:37 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2002-09-03 16:37 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2010-02-21 01:27 . 2009-10-11 11:17 149280 c:\windows\system32\javaws.exe
- 2009-08-06 16:06 . 2009-07-25 12:23 149280 c:\windows\system32\javaws.exe
- 2009-08-06 16:06 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
+ 2010-02-21 01:27 . 2009-10-11 11:17 145184 c:\windows\system32\javaw.exe
+ 2010-02-21 01:27 . 2009-10-11 11:17 145184 c:\windows\system32\java.exe
- 2009-08-06 16:06 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
- 2002-09-03 16:35 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2002-09-03 16:35 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
- 2002-09-03 16:34 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
+ 2002-09-03 16:34 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
- 2002-09-03 16:34 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
+ 2002-09-03 16:34 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
+ 2002-09-03 17:06 . 2010-02-11 12:02 226880 c:\windows\system32\drivers\tcpip6.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
- 2007-08-14 01:54 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-14 01:54 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
- 2007-08-14 01:54 . 2009-03-08 11:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2007-08-14 01:44 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:44 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:54 . 2009-03-08 11:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
- 2008-09-14 16:03 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-09-14 16:03 . 2010-02-25 06:24 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-13 01:33 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2007-08-14 01:38 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2007-08-14 01:38 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-07-27 19:07 . 2010-02-25 06:24 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
- 2007-08-14 01:54 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-14 01:39 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-14 01:39 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-14 01:39 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-14 01:39 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
- 2009-04-06 19:01 . 2009-07-25 12:23 411368 c:\windows\system32\deploytk.dll
+ 2009-04-06 19:01 . 2009-10-11 11:17 411368 c:\windows\system32\deploytk.dll
+ 2010-05-07 18:54 . 2010-05-07 18:54 228352 c:\windows\Installer\52093.msi
+ 2010-04-07 18:30 . 2010-04-07 18:30 219648 c:\windows\Installer\1cfe80.msi
+ 2010-04-15 06:19 . 2009-03-08 11:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-04-15 06:19 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-04-15 06:19 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-03-31 06:57 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-03-31 06:57 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-03-31 06:57 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-03-31 06:57 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-03-31 06:57 . 2009-03-08 11:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-03-31 06:57 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-02-24 09:09 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 09:09 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 09:09 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-05-09 20:44 . 2010-05-09 20:44 249856 c:\windows\ERDNT\AutoBackup\5-9-2010\Users\00000002\UsrClass.dat
+ 2010-05-09 20:44 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-9-2010\ERDNT.EXE
+ 2010-05-08 19:49 . 2010-05-08 19:49 249856 c:\windows\ERDNT\AutoBackup\5-8-2010\Users\00000002\UsrClass.dat
+ 2010-05-08 19:49 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-8-2010\ERDNT.EXE
+ 2010-05-07 15:28 . 2010-05-07 15:28 241664 c:\windows\ERDNT\AutoBackup\5-7-2010\Users\00000002\UsrClass.dat
+ 2010-05-07 15:28 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-7-2010\ERDNT.EXE
+ 2010-05-06 17:36 . 2010-05-06 17:36 241664 c:\windows\ERDNT\AutoBackup\5-6-2010\Users\00000002\UsrClass.dat
+ 2010-05-06 17:36 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-6-2010\ERDNT.EXE
+ 2010-05-05 20:59 . 2010-05-05 20:59 241664 c:\windows\ERDNT\AutoBackup\5-5-2010\Users\00000002\UsrClass.dat
+ 2010-05-05 20:59 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-5-2010\ERDNT.EXE
+ 2010-05-05 03:02 . 2010-05-05 03:02 241664 c:\windows\ERDNT\AutoBackup\5-4-2010\Users\00000002\UsrClass.dat
+ 2010-05-05 03:02 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-4-2010\ERDNT.EXE
+ 2010-05-04 00:14 . 2010-05-04 00:14 241664 c:\windows\ERDNT\AutoBackup\5-3-2010\Users\00000002\UsrClass.dat
+ 2010-05-04 00:14 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-3-2010\ERDNT.EXE
+ 2010-05-02 17:02 . 2010-05-02 17:02 241664 c:\windows\ERDNT\AutoBackup\5-2-2010\Users\00000002\UsrClass.dat
+ 2010-05-02 17:02 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-2-2010\ERDNT.EXE
+ 2010-05-12 21:56 . 2010-05-12 21:56 249856 c:\windows\ERDNT\AutoBackup\5-12-2010\Users\00000002\UsrClass.dat
+ 2010-05-12 21:56 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-12-2010\ERDNT.EXE
+ 2010-05-12 00:18 . 2010-05-12 00:18 249856 c:\windows\ERDNT\AutoBackup\5-11-2010\Users\00000002\UsrClass.dat
+ 2010-05-12 00:18 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-11-2010\ERDNT.EXE
+ 2010-05-10 23:54 . 2010-05-10 23:54 249856 c:\windows\ERDNT\AutoBackup\5-10-2010\Users\00000002\UsrClass.dat
+ 2010-05-10 23:54 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-10-2010\ERDNT.EXE
+ 2010-05-01 22:23 . 2010-05-01 22:23 241664 c:\windows\ERDNT\AutoBackup\5-1-2010\Users\00000002\UsrClass.dat
+ 2010-05-01 22:23 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-1-2010\ERDNT.EXE
+ 2010-04-30 18:51 . 2010-04-30 18:51 241664 c:\windows\ERDNT\AutoBackup\4-30-2010\Users\00000002\UsrClass.dat
+ 2010-04-30 18:51 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-30-2010\ERDNT.EXE
+ 2010-04-29 17:45 . 2010-04-29 17:45 241664 c:\windows\ERDNT\AutoBackup\4-29-2010\Users\00000002\UsrClass.dat
+ 2010-04-29 17:45 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-29-2010\ERDNT.EXE
+ 2010-04-29 03:43 . 2010-04-29 03:43 241664 c:\windows\ERDNT\AutoBackup\4-28-2010\Users\00000002\UsrClass.dat
+ 2010-04-29 03:43 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-28-2010\ERDNT.EXE
+ 2010-04-28 01:42 . 2010-04-28 01:42 237568 c:\windows\ERDNT\AutoBackup\4-27-2010\Users\00000002\UsrClass.dat
+ 2010-04-28 01:42 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-27-2010\ERDNT.EXE
+ 2010-04-26 23:51 . 2010-04-26 23:51 237568 c:\windows\ERDNT\AutoBackup\4-26-2010\Users\00000002\UsrClass.dat
+ 2010-04-26 23:51 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-26-2010\ERDNT.EXE
+ 2010-04-25 22:19 . 2010-04-25 22:19 237568 c:\windows\ERDNT\AutoBackup\4-25-2010\Users\00000002\UsrClass.dat
+ 2010-04-25 22:19 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-25-2010\ERDNT.EXE
+ 2010-04-24 18:35 . 2010-04-24 18:35 237568 c:\windows\ERDNT\AutoBackup\4-24-2010\Users\00000002\UsrClass.dat
+ 2010-04-24 18:35 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-24-2010\ERDNT.EXE
+ 2010-04-23 21:07 . 2010-04-23 21:07 237568 c:\windows\ERDNT\AutoBackup\4-23-2010\Users\00000002\UsrClass.dat
+ 2010-04-23 21:07 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-23-2010\ERDNT.EXE
+ 2010-04-22 20:11 . 2010-04-22 20:11 237568 c:\windows\ERDNT\AutoBackup\4-22-2010\Users\00000002\UsrClass.dat
+ 2010-04-22 20:11 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-22-2010\ERDNT.EXE
+ 2010-04-21 21:14 . 2010-04-21 21:14 237568 c:\windows\ERDNT\AutoBackup\4-21-2010\Users\00000002\UsrClass.dat
+ 2010-04-21 21:14 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-21-2010\ERDNT.EXE
+ 2010-04-19 16:49 . 2010-04-19 16:49 237568 c:\windows\ERDNT\AutoBackup\4-19-2010\Users\00000002\UsrClass.dat
+ 2010-04-19 16:49 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-19-2010\ERDNT.EXE
+ 2010-04-19 04:55 . 2010-04-19 04:55 237568 c:\windows\ERDNT\AutoBackup\4-18-2010\Users\00000002\UsrClass.dat
+ 2010-04-19 04:55 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-18-2010\ERDNT.EXE
+ 2010-04-17 19:18 . 2010-04-17 19:18 237568 c:\windows\ERDNT\AutoBackup\4-17-2010\Users\00000002\UsrClass.dat
+ 2010-04-17 19:18 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-17-2010\ERDNT.EXE
+ 2010-04-16 17:06 . 2010-04-16 17:06 237568 c:\windows\ERDNT\AutoBackup\4-16-2010\Users\00000002\UsrClass.dat
+ 2010-04-16 17:06 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-16-2010\ERDNT.EXE
+ 2010-04-15 18:01 . 2010-04-15 18:01 237568 c:\windows\ERDNT\AutoBackup\4-15-2010\Users\00000002\UsrClass.dat
+ 2010-04-15 18:01 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-15-2010\ERDNT.EXE
+ 2010-04-14 18:23 . 2010-04-14 18:23 237568 c:\windows\ERDNT\AutoBackup\4-14-2010\Users\00000002\UsrClass.dat
+ 2010-04-14 18:23 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-14-2010\ERDNT.EXE
+ 2010-04-13 14:58 . 2010-04-13 14:58 237568 c:\windows\ERDNT\AutoBackup\4-13-2010\Users\00000002\UsrClass.dat
+ 2010-04-13 14:58 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-13-2010\ERDNT.EXE
+ 2010-04-13 00:15 . 2010-04-13 00:15 237568 c:\windows\ERDNT\AutoBackup\4-12-2010\Users\00000002\UsrClass.dat
+ 2010-04-13 00:15 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-12-2010\ERDNT.EXE
+ 2008-11-13 01:33 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2010-02-24 09:09 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979306$\spuninst\updspapi.dll
+ 2010-02-24 09:09 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB979306$\spuninst\spuninst.exe
+ 2010-03-11 07:30 . 2009-05-27 00:10 382840 c:\windows\$NtUninstallKB975561$\spuninst\updspapi.dll
+ 2010-03-11 07:30 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB975561$\spuninst\spuninst.exe
+ 2010-03-31 06:57 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB980182-IE8\update\updspapi.dll
+ 2010-03-31 06:57 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB980182-IE8\update\update.exe
+ 2010-03-31 06:57 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB980182-IE8\spuninst.exe
+ 2010-03-31 04:38 . 2010-02-25 06:19 919040 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 206848 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\occache.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 611840 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mstime.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 594432 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\msfeeds.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 247808 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ieproxy.dll
+ 2010-03-31 04:38 . 2010-02-25 06:19 184320 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iepeers.dll
+ 2010-03-31 04:37 . 2010-02-25 06:19 387584 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iedkcs32.dll
+ 2010-03-31 04:37 . 2010-02-24 09:34 173056 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ie4uinit.exe
+ 2010-02-24 09:09 . 2008-07-08 13:02 382840 c:\windows\$hf_mig$\KB976662-IE8\update\updspapi.dll
+ 2010-02-24 09:09 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB976662-IE8\update\update.exe
+ 2010-02-24 09:09 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB976662-IE8\spuninst.exe
+ 2010-02-23 19:25 . 2009-12-09 05:51 726528 c:\windows\$hf_mig$\KB976662-IE8\SP3QFE\jscript.dll
+ 2010-03-11 07:30 . 2009-05-27 00:10 382840 c:\windows\$hf_mig$\KB975561\update\updspapi.dll
+ 2010-03-11 07:30 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB975561\update\update.exe
+ 2010-03-11 07:30 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB975561\spuninst.exe
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
- 2008-09-07 21:51 . 2009-07-12 19:21 4874240 c:\windows\system32\wmp.dll
+ 2008-09-07 21:51 . 2010-03-20 01:05 4874240 c:\windows\system32\wmp.dll
+ 2002-09-03 17:08 . 2010-02-25 06:24 1209344 c:\windows\system32\urlmon.dll
+ 2002-09-03 16:44 . 2010-02-25 06:24 5944832 c:\windows\system32\mshtml.dll
+ 2007-08-14 01:34 . 2010-02-25 06:24 1985536 c:\windows\system32\iertutil.dll
- 2007-08-14 01:34 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
+ 2008-09-07 21:51 . 2010-03-20 01:05 4874240 c:\windows\system32\dllcache\wmp.dll
- 2008-09-07 21:51 . 2009-07-12 19:21 4874240 c:\windows\system32\dllcache\wmp.dll
+ 2007-08-14 01:54 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 03:44 . 2010-02-17 16:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-16 03:44 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 03:44 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-16 03:44 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-08-14 01:54 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-11 01:02 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2008-09-14 16:03 . 2010-02-25 06:24 1985536 c:\windows\system32\dllcache\iertutil.dll
- 2008-09-14 16:03 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-05-07 20:18 . 2010-05-07 20:18 1094656 c:\windows\Installer\c722c.msi
+ 2010-03-31 06:57 . 2009-12-21 19:14 1208832 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 5942784 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 1985536 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2010-05-09 20:44 . 2010-05-09 20:44 3698688 c:\windows\ERDNT\AutoBackup\5-9-2010\Users\00000001\NTUSER.DAT
+ 2010-05-08 19:49 . 2010-05-08 19:49 3661824 c:\windows\ERDNT\AutoBackup\5-8-2010\Users\00000001\NTUSER.DAT
+ 2010-05-07 15:28 . 2010-05-07 15:28 3649536 c:\windows\ERDNT\AutoBackup\5-7-2010\Users\00000001\NTUSER.DAT
+ 2010-05-06 17:36 . 2010-05-06 17:36 3649536 c:\windows\ERDNT\AutoBackup\5-6-2010\Users\00000001\NTUSER.DAT
+ 2010-05-05 20:59 . 2010-05-05 20:59 3649536 c:\windows\ERDNT\AutoBackup\5-5-2010\Users\00000001\NTUSER.DAT
+ 2010-05-05 03:02 . 2010-05-05 03:02 3649536 c:\windows\ERDNT\AutoBackup\5-4-2010\Users\00000001\NTUSER.DAT
+ 2010-05-04 00:14 . 2010-05-04 00:14 3633152 c:\windows\ERDNT\AutoBackup\5-3-2010\Users\00000001\NTUSER.DAT
+ 2010-05-02 17:02 . 2010-05-02 17:02 3633152 c:\windows\ERDNT\AutoBackup\5-2-2010\Users\00000001\NTUSER.DAT
+ 2010-05-12 21:56 . 2010-05-12 21:56 3698688 c:\windows\ERDNT\AutoBackup\5-12-2010\Users\00000001\NTUSER.DAT
+ 2010-05-12 00:18 . 2010-05-12 00:18 3698688 c:\windows\ERDNT\AutoBackup\5-11-2010\Users\00000001\NTUSER.DAT
+ 2010-05-10 23:54 . 2010-05-10 23:54 3698688 c:\windows\ERDNT\AutoBackup\5-10-2010\Users\00000001\NTUSER.DAT
+ 2010-05-01 22:23 . 2010-05-01 22:23 3633152 c:\windows\ERDNT\AutoBackup\5-1-2010\Users\00000001\NTUSER.DAT
+ 2010-04-30 18:51 . 2010-04-30 18:51 3633152 c:\windows\ERDNT\AutoBackup\4-30-2010\Users\00000001\NTUSER.DAT
+ 2010-04-29 17:45 . 2010-04-29 17:45 3633152 c:\windows\ERDNT\AutoBackup\4-29-2010\Users\00000001\NTUSER.DAT
+ 2010-04-29 03:43 . 2010-04-29 03:43 3633152 c:\windows\ERDNT\AutoBackup\4-28-2010\Users\00000001\NTUSER.DAT
+ 2010-04-28 01:42 . 2010-04-28 01:42 3633152 c:\windows\ERDNT\AutoBackup\4-27-2010\Users\00000001\NTUSER.DAT
+ 2010-04-26 23:51 . 2010-04-26 23:51 3633152 c:\windows\ERDNT\AutoBackup\4-26-2010\Users\00000001\NTUSER.DAT
+ 2010-04-25 22:19 . 2010-04-25 22:19 3633152 c:\windows\ERDNT\AutoBackup\4-25-2010\Users\00000001\NTUSER.DAT
+ 2010-04-24 18:35 . 2010-04-24 18:35 3633152 c:\windows\ERDNT\AutoBackup\4-24-2010\Users\00000001\NTUSER.DAT
+ 2010-04-23 21:07 . 2010-04-23 21:07 3633152 c:\windows\ERDNT\AutoBackup\4-23-2010\Users\00000001\NTUSER.DAT
+ 2010-04-22 20:11 . 2010-04-22 20:11 3633152 c:\windows\ERDNT\AutoBackup\4-22-2010\Users\00000001\NTUSER.DAT
+ 2010-04-21 21:14 . 2010-04-21 21:14 3633152 c:\windows\ERDNT\AutoBackup\4-21-2010\Users\00000001\NTUSER.DAT
+ 2010-04-19 16:49 . 2010-04-19 16:49 3633152 c:\windows\ERDNT\AutoBackup\4-19-2010\Users\00000001\NTUSER.DAT
+ 2010-04-19 04:55 . 2010-04-19 04:55 3633152 c:\windows\ERDNT\AutoBackup\4-18-2010\Users\00000001\NTUSER.DAT
+ 2010-04-17 19:18 . 2010-04-17 19:18 3633152 c:\windows\ERDNT\AutoBackup\4-17-2010\Users\00000001\NTUSER.DAT
+ 2010-04-16 17:06 . 2010-04-16 17:06 3633152 c:\windows\ERDNT\AutoBackup\4-16-2010\Users\00000001\NTUSER.DAT
+ 2010-04-15 18:01 . 2010-04-15 18:01 3633152 c:\windows\ERDNT\AutoBackup\4-15-2010\Users\00000001\NTUSER.DAT
+ 2010-04-14 18:23 . 2010-04-14 18:23 3633152 c:\windows\ERDNT\AutoBackup\4-14-2010\Users\00000001\NTUSER.DAT
+ 2010-04-13 14:58 . 2010-04-13 14:58 3633152 c:\windows\ERDNT\AutoBackup\4-13-2010\Users\00000001\NTUSER.DAT
+ 2010-04-13 00:15 . 2010-04-13 00:15 3633152 c:\windows\ERDNT\AutoBackup\4-12-2010\Users\00000001\NTUSER.DAT
+ 2008-10-16 03:44 . 2010-02-17 16:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 03:44 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 03:44 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 03:44 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-03-11 07:30 . 2008-04-14 12:42 3558912 c:\windows\$NtUninstallKB975561$\moviemk.exe
+ 2010-03-31 04:37 . 2010-02-25 06:19 1209856 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\urlmon.dll
+ 2010-03-31 04:37 . 2010-02-25 06:19 5946880 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll
+ 2010-03-31 04:37 . 2010-02-25 06:19 1986048 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iertutil.dll
+ 2010-03-11 01:02 . 2009-10-23 14:53 3558912 c:\windows\$hf_mig$\KB975561\SP3QFE\moviemk.exe
+ 2010-02-10 09:21 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
+ 2007-08-14 01:54 . 2010-02-25 18:54 11070976 c:\windows\system32\ieframe.dll
+ 2008-09-14 16:03 . 2010-02-25 18:54 11070976 c:\windows\system32\dllcache\ieframe.dll
+ 2010-03-31 06:57 . 2009-12-21 19:14 11070464 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
+ 2010-03-31 04:37 . 2010-02-25 06:19 11073024 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

c:\documents and settings\archie\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56234:TCP"= 56234:TCP:Pando Media Booster
"56234:UDP"= 56234:UDP:Pando Media Booster
"57113:TCP"= 57113:TCP:Pando Media Booster
"57113:UDP"= 57113:UDP:Pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/7/2010 11:30 AM 162768]
R1 MpKsl29304333;MpKsl29304333;c:\windows\system32\MpEngineStore\MpKsl29304333.sys [5/12/2010 3:18 PM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/7/2010 11:30 AM 19024]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tucson.cox.net/cci/home
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\archie\Application Data\Mozilla\Firefox\Profiles\f904z411.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ftbbgywc - c:\documents and settings\NetworkService\Local Settings\Application Data\hxdkwxmar\dukgpqytssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 15:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-12 15:50:39
ComboFix-quarantined-files.txt 2010-05-12 22:50
ComboFix2.txt 2010-02-12 18:38
ComboFix3.txt 2010-02-08 04:25
ComboFix4.txt 2010-02-07 22:13
ComboFix5.txt 2010-05-12 22:33

Pre-Run: 52,668,153,856 bytes free
Post-Run: 52,819,214,336 bytes free

- - End Of File - - 8CFDF7E06B4EFA6D0F29CB4D1BCB6DC4

Attached Files

  • Attached File  log.txt   44.61KB   8 downloads

Edited by Blade Zephon, 13 May 2010 - 12:31 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 13 May 2010 - 10:16 PM

Hello greg55

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
"DisableNotifications"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix log
How is the computer running now?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 greg55

greg55
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 14 May 2010 - 05:11 PM

thanks a lot. Everything is running fine and smooth now thumbup2.gif

ComboFix 10-05-12.01 - archie 05/14/2010 15:00:17.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.165 [GMT -7:00]
Running from: c:\documents and settings\archie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\archie\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-12 22:18 . 2010-05-13 07:40 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-07 20:18 . 2010-05-07 20:18 388096 ----a-r- c:\documents and settings\archie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-07 19:13 . 2010-05-07 19:13 -------- d-----w- c:\documents and settings\archie\Local Settings\Application Data\Threat Expert
2010-05-07 18:53 . 2010-05-08 06:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 21:40 . 2010-05-06 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-27 05:04 . 2010-04-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\211B

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 20:09 . 2010-02-08 07:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 18:04 . 2010-02-08 07:30 117760 ----a-w- c:\documents and settings\archie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-28 15:29 . 2010-02-08 07:13 -------- d-----w- c:\program files\ESET
2010-04-26 04:59 . 2010-04-11 17:02 439816 ----a-w- c:\documents and settings\archie\Application Data\Real\Update\setup3.10\setup.exe
2010-04-25 23:31 . 2009-12-17 11:17 -------- d-----w- c:\documents and settings\archie\Application Data\Apple Computer
2010-04-14 16:47 . 2010-04-07 18:30 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-04-07 18:30 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-04-07 18:30 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-04-07 18:30 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-04-07 18:30 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-04-07 18:30 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-04-07 18:30 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-04-07 18:30 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-04-07 18:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-10 07:19 . 2010-03-13 19:26 -------- d-----w- c:\documents and settings\archie\Application Data\Xfire
2010-04-09 17:44 . 2010-03-13 19:26 -------- d-----w- c:\program files\Xfire
2010-04-07 18:29 . 2010-04-07 18:29 -------- d-----w- c:\program files\Alwil Software
2010-04-07 18:29 . 2010-04-07 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-26 19:00 . 2010-03-26 19:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-10 06:15 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 16:45 . 2009-09-24 20:20 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-02-25 16:45 . 2009-09-24 20:20 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-02-25 16:45 . 2009-09-24 20:20 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-02-25 16:45 . 2009-09-24 20:20 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-02-25 16:45 . 2009-09-24 20:20 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-02-25 16:45 . 2009-09-24 20:20 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-02-25 06:24 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-09-03 16:42 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 01:23 . 2010-02-21 01:23 152576 ----a-w- c:\documents and settings\archie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-21 01:23 . 2010-02-21 01:23 79488 ----a-w- c:\documents and settings\archie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-17 16:10 . 2002-09-03 16:50 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-05-12_22.47.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-14 21:34 . 2010-05-14 21:34 16384 c:\windows\Temp\Perflib_Perfdata_6b4.dat
+ 2008-09-23 04:19 . 2010-05-14 21:40 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-09-07 02:51 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-09-07 02:51 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
- 2008-09-14 16:02 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-09-14 16:02 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-14 21:34 . 2010-05-14 21:34 249856 c:\windows\ERDNT\AutoBackup\5-14-2010\Users\00000002\UsrClass.dat
+ 2010-05-14 21:34 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-14-2010\ERDNT.EXE
+ 2010-05-14 02:26 . 2010-05-14 02:27 249856 c:\windows\ERDNT\AutoBackup\5-13-2010\Users\00000002\UsrClass.dat
+ 2010-05-14 02:27 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-13-2010\ERDNT.EXE
+ 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2009-08-12 22:36 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-08-12 22:36 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2010-05-14 21:34 . 2010-05-14 21:34 3698688 c:\windows\ERDNT\AutoBackup\5-14-2010\Users\00000001\NTUSER.DAT
+ 2010-05-14 02:26 . 2010-05-14 02:26 3698688 c:\windows\ERDNT\AutoBackup\5-13-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-20 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

c:\documents and settings\archie\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56234:TCP"= 56234:TCP:Pando Media Booster
"56234:UDP"= 56234:UDP:Pando Media Booster
"57113:TCP"= 57113:TCP:Pando Media Booster
"57113:UDP"= 57113:UDP:Pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/7/2010 11:30 AM 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/7/2010 11:30 AM 19024]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tucson.cox.net/cci/home
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\archie\Application Data\Mozilla\Firefox\Profiles\f904z411.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 15:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1604)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-14 15:09:05
ComboFix-quarantined-files.txt 2010-05-14 22:09
ComboFix2.txt 2010-05-12 22:50
ComboFix3.txt 2010-02-12 18:38
ComboFix4.txt 2010-02-08 04:25
ComboFix5.txt 2010-05-14 21:58

Pre-Run: 52,955,316,224 bytes free
Post-Run: 52,922,720,256 bytes free

- - End Of File - - BEB5434E9A5F54CAA9491DA31A13BFA4

Attached Files


Edited by Blade Zephon, 16 May 2010 - 02:41 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 16 May 2010 - 02:42 AM

Hello greg55

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer
.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
~Blade


In your next reply, please include the following:
ESET log

Edited by Blade Zephon, 16 May 2010 - 02:42 AM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 19 May 2010 - 06:16 PM

are you still there?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:51 PM

Posted 25 May 2010 - 11:32 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users