Random tabs opening on Bowsers ( www.wellaction.com / www.directddr.com )


This topic is locked
14 replies to this topic

#1 Awave

Awave

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 19 June 2010 - 12:50 PM

I'm going to try and be as clear as possible.

I'm operating on an XP Professional O.S.

I'm currently using Safari and Firefox as my browsers.

1 ) For more than a week now, whenever I start the browser and direct it to a site, I find that
a ) It's unable to open the site
b ) When it finally does open it, it randomly directs itself to another site, usually www.wellaction.com
2 ) When the browser is unable to open the site, I usually refresh it a couple of times and then it begins to work

Furthermore

1 ) At times my computer just hangs...the cursor moves as and where I want, but when I try and open a program or do anything....it doesn't happen, it doesn't even shut down and I ultimately have to pull the plug

I do have a Symantec Anti Virus....and I've scanned my system, but haven't been able to come up with much.

Any help will be welcome!!

Many thanks

EDIT: Moved from XP to Am I Infected forum ~ Hamluis.

Edited by hamluis, 19 June 2010 - 01:08 PM.




#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:34 PM

Posted 19 June 2010 - 11:46 PM

Hello Awave and welcome to BleepingComputer.

Let's see if we can dig up this thing.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Awave

Awave
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 20 June 2010 - 02:18 PM

Hey Blade and thanks a lot for trying to help!!

Ok, I did as you asked and downloaded the MBAM software; however, my system could not execute the file.

The following error message was displayed in a tab

Heading of the Tab :

16 bit - MS-Dos Subsystem

Message is as follows :

C:\DOCUME-1\Home1\MYDOCU-1\DOWNLO-1\bubbles.exe
The NVTDM CPU has encountered an illegal instruction.
CS:0de3 IP:fffe OP:ff ff 00 00 00 Choose 'Close' to terminate the application.

And then there were two tabs
"Close" & "Ignore"

I chose "ignore", however subsequently nothing happened.

A few more points i should add...

1 ) In the above error message, the "-" signs actually represent the "approximately" sign, something I can't seem to copy onto this message format

2 ) My computer also does not enter into hibernation mode at all...it just says "Preparing to hibernate" and then goes back to the normal state..

Will keep adding if I discover any more problems...

Once again, thanks for helping me out!

Awave






#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:34 PM

Posted 20 June 2010 - 04:09 PM

Hello.

Let's run an ARK scan.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
GMER log



#5 Awave

Awave
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 21 June 2010 - 11:45 AM

Hi again!!


Alright, I did as you asked and am posting the log below....I think I was successful in stopping my Anti Virus temporarily...
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 22:11:16
Windows 5.1.2600 Service Pack 3
Running: 8zx98pkj.exe; Driver: C:\DOCUME~1\Home1\LOCALS~1\Temp\ugldipow.sys


---- System - GMER 1.0.15 ----

SSDT 8A084728 ZwAlertResumeThread
SSDT 8A0848C0 ZwAlertThread
SSDT 8A12CCD0 ZwAllocateVirtualMemory
SSDT 8A087FB0 ZwConnectPort
SSDT 89FD38C8 ZwCreateMutant
SSDT 8A058B38 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9A4F0690]
SSDT 8A023718 ZwFreeVirtualMemory
SSDT 8A084418 ZwImpersonateAnonymousToken
SSDT 8A084590 ZwImpersonateThread
SSDT 8A0696A0 ZwMapViewOfSection
SSDT 8A084298 ZwOpenEvent
SSDT 8A0850C0 ZwOpenProcessToken
SSDT 8A00C520 ZwOpenThreadToken
SSDT 8A02AEE8 ZwQueryValueKey
SSDT 8A085988 ZwResumeThread
SSDT 8A084BF0 ZwSetContextThread
SSDT 8A0AEEF8 ZwSetInformationProcess
SSDT 8A0F05C0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9A4F08E0]
SSDT 8A11C008 ZwSuspendProcess
SSDT 8A1B4008 ZwSuspendThread
SSDT 8A085238 ZwTerminateProcess
SSDT 8A084A48 ZwTerminateThread
SSDT 8A085088 ZwUnmapViewOfSection
SSDT 8A12B578 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2630 80501E68 4 Bytes CALL 50DA211B
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xB9F47314]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1096] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 018A000A
.text C:\WINDOWS\System32\svchost.exe[1096] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Safari\Safari.exe[2120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DF000A
.text C:\Program Files\Safari\Safari.exe[2120] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E0000A
.text C:\Program Files\Safari\Safari.exe[2120] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003F000C
.text C:\Program Files\Safari\Safari.exe[2120] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 02237DB0 C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll (WebKit Dynamic Link Library/Apple Inc.)
.text C:\Program Files\Safari\Safari.exe[2120] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 02237E20 C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll (WebKit Dynamic Link Library/Apple Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A2D9EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Awave
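As an added example (not code from this thread, from GMER's authors or from the helper), the following Python script parses lines in the GMER log format quoted above and flags the patterns a helper looks for in such a log: SSDT entries GMER cannot attribute to a driver, inline JMPs from a process's exports into memory that no module owns, a driver whose entry point sits in its .rsrc section, and files reported as modified. The sample log is a constructed excerpt of the lines posted above; the three severity labels are this example's own assumption, not GMER output.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the GMER log quoted above (representative lines only).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 22:11:16
---- System - GMER 1.0.15 ----
SSDT 8A084728 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9A4F0690]
SSDT 8A12B578 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2630 80501E68 4 Bytes CALL 50DA211B
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xB9F47314]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\Program Files\Safari\Safari.exe[2120] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 02237DB0 C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll (WebKit Dynamic Link Library/Apple Inc.)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

@dataclass
class Finding:
    section: str
    kind: str
    severity: str  # "high", "review" or "info": this example's own scale, not GMER's
    detail: str

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# SSDT <pool address | driver path> [(<description/vendor>)] Zw<Function> ...
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>Zw\w+)")
# .text <process>[<pid>] <dll>!<export> <addr> <n> Bytes JMP|CALL <dest> [<owning module> (<vendor>)]
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<export>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# .text <image>!<symbol> [+ <offset>] <addr> <n> Bytes JMP|CALL <dest>   (kernel text patch)
KERNEL_PATCH_RE = re.compile(
    r"^\.text\s+(?P<symbol>\S+!\S+)(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]+)"
)
RSRC_ENTRY_RE = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in "\.rsrc" section')
FILE_MOD_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")

def triage_gmer_log(text: str) -> list[Finding]:
    """Walk a GMER log and return findings in log order, tagged with the section they came from."""
    findings: list[Finding] = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := SSDT_RE.match(line):
            # A service-table entry GMER can attribute to a driver (here Symantec's SYMEVENT.SYS)
            # is normal for security software; a bare pool address with no owner needs a second look.
            if m["vendor"]:
                findings.append(Finding(section, "ssdt_hook", "info",
                                        f"{m['func']} -> {m['target']} ({m['vendor']})"))
            else:
                findings.append(Finding(section, "ssdt_hook", "review",
                                        f"{m['func']} -> {m['target']} (no owning driver reported)"))
        elif m := USER_HOOK_RE.match(line):
            # A JMP whose destination is inside a named DLL (WebKit hooking BeginPaint) is a known
            # hook; a JMP into memory that no module owns means code was injected into the process.
            if m["module"]:
                sev, note = "info", f"destination inside {m['module']} ({m['vendor']})"
            else:
                sev, note = "high", "destination is anonymous memory that no module owns"
            findings.append(Finding(section, "inline_hook", sev,
                                    f"{m['proc']} {m['export']} {m['kind']} {m['dest']}: {note}"))
        elif m := KERNEL_PATCH_RE.match(line):
            findings.append(Finding(section, "kernel_patch", "review",
                                    f"{m['symbol']}+{m['offset'] or '0'} patched with {m['kind']} {m['dest']}"))
        elif m := RSRC_ENTRY_RE.match(line):
            # A driver whose entry point sits in its .rsrc section has had its PE header rewritten.
            findings.append(Finding(section, "rsrc_entry_point", "high",
                                    f"{m['path']} entry point in .rsrc section"))
        elif m := FILE_MOD_RE.match(line):
            findings.append(Finding(section, "file_modified", "high",
                                    f"{m['path']} reported as modified on disk"))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the log can be sized up at a glance."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for f in triage_gmer_log(SAMPLE_GMER_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.kind} - {f.detail}")
    print(summarize(triage_gmer_log(SAMPLE_GMER_LOG)))
```

Run against the full log in the post above, the script separates the Symantec and WebKit hooks (expected on this machine) from the unattributed JMPs in svchost, Explorer and Safari and the two modified drivers, which is what makes the log read as a rootkit rather than as security-software noise.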



#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:34 PM

Posted 21 June 2010 - 03:20 PM

Hello.

You have a decently nasty rootkit on your machine. As such, I am shifting this thread to the specialized Malware Removal forum for advanced removal routines. We should be able to take care of this though.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************


Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Edited by Blade Zephon, 21 June 2010 - 03:21 PM.



#7 Awave

Awave
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 21 June 2010 - 04:43 PM

Hi again!

I've run the ComboFix program as you asked me to....I guess the log will tell you mostly everything you need to know....I don't know if it's changed anything or not, since the scan has just been completed and I haven't spent any time on the laptop after that....however the one thing that I should mention is that the Windows Recovery Console wasn't installed and ComboFix did it for me...secondly, during the scanning process, ComboFix restarted the computer twice...once right when it started scanning...and then right at the end.

Please do let me know if there is anything else that I may look out for...

Here is the log..

ComboFix 10-06-21.01 - Home1 06/22/2010 2:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1512 [GMT 5.5:30]
Running from: c:\documents and settings\Home1\Desktop\renamed.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Home1\Application Data\Ewnad\acco.exe
c:\documents and settings\Home1\GoToAssistDownloadHelper.exe
c:\documents and settings\Home1\Local Settings\Application Data\Windows Server
c:\documents and settings\Home1\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Home1\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\windows\system32\spool\prtprocs\w32x86\5sK5y.dll
c:\windows\system32\spool\prtprocs\w32x86\5y55o.dll
c:\windows\system32\spool\prtprocs\w32x86\931q93cEI.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\xpsp1hfm.log

----- BITS: Possible infected sites -----

hxxp://goldencaravela.net
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Service_RkHit


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-10-19 10:16 . 2010-10-19 10:16 -------- d-----w- c:\program files\iPod
2010-10-19 10:16 . 2010-10-19 10:17 -------- d-----w- c:\program files\iTunes
2010-10-19 10:10 . 2010-10-19 10:10 -------- d-----w- c:\program files\Bonjour
2010-10-19 09:56 . 2010-10-19 09:56 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-15 05:27 . 2010-06-15 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-12 12:52 . 2010-06-12 12:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 05:36 . 2010-06-12 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-10 09:18 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-06-10 07:25 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 13:14 . 2010-06-02 13:14 -------- d-----w- c:\documents and settings\Home1\Application Data\Uniblue
2010-06-02 13:13 . 2010-06-02 13:14 -------- d-----w- c:\documents and settings\Home1\Local Settings\Application Data\OpenCandy
2010-06-02 13:13 . 2010-06-02 13:13 -------- d-----w- c:\documents and settings\Home1\Application Data\OpenCandy
2010-06-02 13:13 . 2010-06-02 13:13 257257 ----a-w- c:\documents and settings\Home1\Application Data\OpenCandy\OpenCandy_15D9BC7B7717433583C28960DBF37672\DLMgr3WrapperUniBlue.exe
2010-05-29 14:51 . 2010-05-29 14:51 503808 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\msvcp71.dll
2010-05-29 14:51 . 2010-05-29 14:51 499712 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\jmc.dll
2010-05-29 14:51 . 2010-05-29 14:51 348160 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\msvcr71.dll
2010-05-29 14:51 . 2010-05-29 14:51 61440 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3264301c-n\decora-sse.dll
2010-05-29 14:51 . 2010-05-29 14:51 12800 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3264301c-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:16 . 2009-12-30 12:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-21 21:33 . 2010-01-06 15:40 -------- d-----w- c:\documents and settings\Home1\Application Data\skypePM
2010-06-21 21:32 . 2010-01-06 15:37 -------- d-----w- c:\documents and settings\Home1\Application Data\Skype
2010-06-21 21:10 . 2010-01-22 20:28 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-21 21:06 . 2010-01-09 15:22 -------- d-----w- c:\documents and settings\Home1\Application Data\uTorrent
2010-06-20 07:02 . 2010-01-07 15:49 -------- d-----w- c:\documents and settings\Home1\Application Data\vlc
2010-06-12 08:20 . 2010-01-18 12:18 -------- d-----w- c:\documents and settings\Home1\Application Data\Ewnad
2010-06-12 06:50 . 2010-05-12 18:33 -------- d-----w- c:\documents and settings\Home1\Application Data\Ekybe
2010-06-10 17:33 . 2009-12-26 03:02 -------- d-----w- c:\program files\Google
2010-06-10 16:32 . 2010-01-26 12:23 -------- d-----w- c:\program files\Veoh Networks
2010-05-02 05:22 . 2005-12-14 05:34 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-12-14 05:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 11:59 . 2010-04-19 16:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-08 07:50 . 2010-04-08 07:50 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 07:50 . 2010-04-08 07:50 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-30 17:54 . 2010-03-30 17:54 503808 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\msvcp71.dll
2010-03-30 17:54 . 2010-03-30 17:54 499712 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\jmc.dll
2010-03-30 17:54 . 2010-03-30 17:54 348160 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\msvcr71.dll
2010-03-30 17:53 . 2010-03-30 17:53 61440 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1737468d-n\decora-sse.dll
2010-03-30 17:53 . 2010-03-30 17:53 12800 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1737468d-n\decora-d3d.dll
2010-03-30 17:52 . 2010-03-30 17:52 79488 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\jre1.6.0_19\gtapi.dll
2010-03-24 09:50 . 2010-03-24 09:50 60228 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-24 09:44 . 2010-03-24 09:44 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Google Update"="c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 14743552]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-15 45056]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-12 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-29 11:04 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\uTorrent.exe"=
"d:\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/15/2010 1:47 PM 779496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:02 PM 102448]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/14/2005 11:05 AM 28800]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/15/2010 1:47 PM 0]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/15/2010 1:47 PM 0]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 2:06 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:36]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:36]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-206880713-2891574968-632731718-1005Core.job
- c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 06:57]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-206880713-2891574968-632731718-1005UA.job
- c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 06:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Home1\Application Data\Mozilla\Firefox\Profiles\dey2vnb9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://extratorrent.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\divx\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-{559705A2-5E54-7E90-0B14-592F805AECC9} - c:\documents and settings\Home1\Application Data\Ewnad\acco.exe
AddRemove-BT Yahoo! Applications - c:\progra~1\Yahoo!\Common\uninstall.exe
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 03:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ICO.EXE
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-06-22 03:06:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 21:36

Pre-Run: 5,200,863,232 bytes free
Post-Run: 5,250,940,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ADDEB72A85FCEEF25645EB0B932FD6B7



Awave

#8 Awave

Posted 22 June 2010 - 09:03 AM

Alritey!!

I've been working on the comp a bit since I sent you the ComboFix log... it gives me immense joy to reveal that, due to your efforts, things seem to be running smoothly again... no more random tabs... all the system things like "hibernating" and all seem to be working fine. However, like you mentioned, I will wait for your final all clear before I start feeling really "happy" about it.

Awave


#9 Blade

Posted 23 June 2010 - 07:52 PM

Hello Awave.

Sorry for the delay.


1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log



#10 Awave

Posted 24 June 2010 - 01:58 AM

Aelo!!

No problem about the delay!!

I did as you asked, and shifted the notepad file onto the ComboFix icon... this resulted in ComboFix running a scan... at the end of which it produced a log which I'm copying below... I do hope that this is the one you asked for...



ComboFix 10-06-21.01 - Home1 06/24/2010 12:16:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1325 [GMT 5.5:30]
Running from: c:\documents and settings\Home1\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Home1\Desktop\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Home1\Local Settings\Temporary Internet Files\mcc189.tmp

.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-10-19 10:16 . 2010-10-19 10:16 -------- d-----w- c:\program files\iPod
2010-10-19 10:16 . 2010-10-19 10:17 -------- d-----w- c:\program files\iTunes
2010-10-19 10:10 . 2010-10-19 10:10 -------- d-----w- c:\program files\Bonjour
2010-10-19 09:56 . 2010-10-19 09:56 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-24 06:43 . 2010-06-24 06:43 -------- d-----w- c:\windows\LastGood
2010-06-22 05:26 . 2010-06-22 05:27 -------- dc-h--w- c:\windows\ie8
2010-06-15 05:27 . 2010-06-15 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-12 12:52 . 2010-06-12 12:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 05:36 . 2010-06-12 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-10 09:18 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-06-10 07:25 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 13:14 . 2010-06-02 13:14 -------- d-----w- c:\documents and settings\Home1\Application Data\Uniblue
2010-06-02 13:13 . 2010-06-02 13:14 -------- d-----w- c:\documents and settings\Home1\Local Settings\Application Data\OpenCandy
2010-06-02 13:13 . 2010-06-02 13:13 -------- d-----w- c:\documents and settings\Home1\Application Data\OpenCandy
2010-06-02 13:13 . 2010-06-02 13:13 257257 ----a-w- c:\documents and settings\Home1\Application Data\OpenCandy\OpenCandy_15D9BC7B7717433583C28960DBF37672\DLMgr3WrapperUniBlue.exe
2010-05-29 14:51 . 2010-05-29 14:51 503808 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\msvcp71.dll
2010-05-29 14:51 . 2010-05-29 14:51 499712 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\jmc.dll
2010-05-29 14:51 . 2010-05-29 14:51 348160 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-780a554b-n\msvcr71.dll
2010-05-29 14:51 . 2010-05-29 14:51 61440 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3264301c-n\decora-sse.dll
2010-05-29 14:51 . 2010-05-29 14:51 12800 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3264301c-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:16 . 2009-12-30 12:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-24 06:36 . 2010-01-06 15:37 -------- d-----w- c:\documents and settings\Home1\Application Data\Skype
2010-06-24 06:35 . 2010-01-06 15:40 -------- d-----w- c:\documents and settings\Home1\Application Data\skypePM
2010-06-23 20:40 . 2010-01-07 15:49 -------- d-----w- c:\documents and settings\Home1\Application Data\vlc
2010-06-21 21:10 . 2010-01-22 20:28 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-21 21:06 . 2010-01-09 15:22 -------- d-----w- c:\documents and settings\Home1\Application Data\uTorrent
2010-06-12 08:20 . 2010-01-18 12:18 -------- d-----w- c:\documents and settings\Home1\Application Data\Ewnad
2010-06-12 06:50 . 2010-05-12 18:33 -------- d-----w- c:\documents and settings\Home1\Application Data\Ekybe
2010-06-10 17:33 . 2009-12-26 03:02 -------- d-----w- c:\program files\Google
2010-06-10 16:32 . 2010-01-26 12:23 -------- d-----w- c:\program files\Veoh Networks
2010-05-06 10:41 . 2005-12-14 05:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-12-14 05:34 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-12-14 05:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 11:59 . 2010-04-19 16:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-08 07:50 . 2010-04-08 07:50 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 07:50 . 2010-04-08 07:50 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-30 17:54 . 2010-03-30 17:54 503808 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\msvcp71.dll
2010-03-30 17:54 . 2010-03-30 17:54 499712 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\jmc.dll
2010-03-30 17:54 . 2010-03-30 17:54 348160 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-718668b2-n\msvcr71.dll
2010-03-30 17:53 . 2010-03-30 17:53 61440 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1737468d-n\decora-sse.dll
2010-03-30 17:53 . 2010-03-30 17:53 12800 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1737468d-n\decora-d3d.dll
2010-03-30 17:52 . 2010-03-30 17:52 79488 ----a-w- c:\documents and settings\Home1\Application Data\Sun\Java\jre1.6.0_19\gtapi.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-21_21.31.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-24 06:34 . 2010-06-24 06:34 16384 c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2005-12-14 05:34 . 2009-03-07 23:01 46592 c:\windows\system32\pngfilt.dll
- 2005-12-14 05:34 . 2006-10-17 06:58 48128 c:\windows\system32\mshtmler.dll
+ 2005-12-14 05:34 . 2009-03-07 23:01 48128 c:\windows\system32\mshtmler.dll
+ 2005-12-14 05:34 . 2009-03-07 23:01 66560 c:\windows\system32\mshtmled.dll
+ 2005-12-14 05:34 . 2009-03-07 23:01 45568 c:\windows\system32\mshta.exe
- 2005-12-14 05:34 . 2006-10-17 07:26 45568 c:\windows\system32\mshta.exe
+ 2006-10-17 07:28 . 2009-03-07 23:01 13312 c:\windows\system32\msfeedssync.exe
+ 2006-10-17 08:03 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
+ 2005-12-14 05:34 . 2009-03-07 23:04 43008 c:\windows\system32\licmgr10.dll
+ 2005-12-14 05:34 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
+ 2005-12-14 05:34 . 2009-03-07 23:02 94720 c:\windows\system32\inseng.dll
+ 2005-12-14 05:34 . 2009-03-07 23:01 34816 c:\windows\system32\imgutil.dll
+ 2005-12-14 05:34 . 2009-03-07 23:02 71680 c:\windows\system32\iesetup.dll
+ 2005-12-14 05:34 . 2009-03-07 23:02 55808 c:\windows\system32\iernonce.dll
+ 2006-10-17 07:28 . 2009-03-07 23:01 59904 c:\windows\system32\icardie.dll
+ 2006-10-17 07:28 . 2009-03-07 23:01 46592 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-17 06:58 . 2006-10-17 06:58 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-10-17 06:58 . 2009-03-07 23:01 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-10-17 08:03 . 2009-03-07 23:01 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2006-10-17 07:26 . 2006-10-17 07:26 45568 c:\windows\system32\dllcache\mshta.exe
+ 2006-10-17 07:26 . 2009-03-07 23:01 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-10-29 07:46 . 2010-05-06 10:41 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-10-17 07:35 . 2009-03-07 23:04 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-10-17 08:03 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-10-17 07:30 . 2009-03-07 23:02 94720 c:\windows\system32\dllcache\inseng.dll
+ 2006-10-17 07:27 . 2009-03-07 23:01 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2009-10-28 14:36 . 2010-05-04 12:39 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2009-10-28 14:36 . 2009-10-28 14:36 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2006-10-17 07:31 . 2009-03-07 23:02 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2006-10-17 07:30 . 2009-03-07 23:02 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-12-26 03:15 . 2010-04-16 11:43 41984 c:\windows\system32\dllcache\iecompat.dll
+ 2009-10-29 07:46 . 2009-03-07 23:01 59904 c:\windows\system32\dllcache\icardie.dll
+ 2006-10-17 07:14 . 2009-03-07 22:54 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-10-29 07:46 . 2009-03-07 23:03 18944 c:\windows\system32\dllcache\corpol.dll
+ 2006-10-17 07:31 . 2009-03-07 23:02 72704 c:\windows\system32\dllcache\admparse.dll
+ 2005-12-14 05:33 . 2009-03-07 23:03 18944 c:\windows\system32\corpol.dll
+ 2005-12-14 05:33 . 2009-03-07 23:02 72704 c:\windows\system32\admparse.dll
+ 2010-06-22 05:29 . 2009-03-07 23:03 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll
+ 2010-06-22 05:29 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB982381-IE8\spmsg.dll
+ 2010-06-22 05:29 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB982381-IE8\spcustom.dll
+ 2010-06-22 05:29 . 2009-03-07 23:01 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll
+ 2010-06-22 05:29 . 2009-03-07 23:03 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll
+ 2010-06-24 06:44 . 2009-05-26 11:40 17272 c:\windows\ie8updates\KB981332-IE8\spmsg.dll
+ 2010-06-24 06:44 . 2009-05-26 11:40 26488 c:\windows\ie8updates\KB981332-IE8\spcustom.dll
+ 2010-06-24 06:44 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976662-IE8\spmsg.dll
+ 2010-06-24 06:44 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976662-IE8\spcustom.dll
+ 2010-06-24 06:44 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll
+ 2010-06-24 06:44 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll
+ 2010-06-22 05:27 . 2009-03-08 08:53 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2010-06-22 05:26 . 2010-05-04 17:20 44544 c:\windows\ie8\pngfilt.dll
+ 2010-06-22 05:26 . 2006-10-17 06:58 48128 c:\windows\ie8\mshtmler.dll
+ 2010-06-22 05:26 . 2006-10-17 07:26 45568 c:\windows\ie8\mshta.exe
+ 2010-06-22 05:26 . 2006-10-17 07:28 12288 c:\windows\ie8\msfeedssync.exe
+ 2010-06-22 05:26 . 2010-05-04 17:20 52224 c:\windows\ie8\msfeedsbs.dll
+ 2010-06-22 05:26 . 2006-10-17 07:35 40960 c:\windows\ie8\licmgr10.dll
+ 2010-06-22 05:26 . 2010-05-04 17:20 27648 c:\windows\ie8\jsproxy.dll
+ 2010-06-22 05:26 . 2006-10-17 07:30 92672 c:\windows\ie8\inseng.dll
+ 2010-06-22 05:26 . 2006-10-17 07:27 36352 c:\windows\ie8\imgutil.dll
+ 2010-06-22 05:26 . 2006-10-17 07:31 55296 c:\windows\ie8\iesetup.dll
+ 2010-06-22 05:26 . 2010-05-04 17:20 44544 c:\windows\ie8\iernonce.dll
+ 2010-06-22 05:26 . 2010-05-04 17:20 78336 c:\windows\ie8\ieencode.dll
+ 2010-06-22 05:26 . 2010-05-04 12:39 70656 c:\windows\ie8\ie4uinit.exe
+ 2010-06-22 05:26 . 2010-05-04 17:20 63488 c:\windows\ie8\icardie.dll
+ 2010-06-22 05:26 . 2006-10-17 07:14 60416 c:\windows\ie8\hmmapi.dll
+ 2010-06-22 05:26 . 2010-05-04 17:20 17408 c:\windows\ie8\corpol.dll
+ 2010-06-22 05:26 . 2006-10-17 07:31 71680 c:\windows\ie8\admparse.dll
+ 2010-06-21 21:49 . 2009-10-29 07:46 44544 c:\windows\ie7updates\KB982381-IE7\pngfilt.dll
+ 2010-06-21 21:49 . 2009-10-29 07:46 52224 c:\windows\ie7updates\KB982381-IE7\msfeedsbs.dll
+ 2010-06-21 21:49 . 2009-10-29 07:46 27648 c:\windows\ie7updates\KB982381-IE7\jsproxy.dll
+ 2010-06-21 21:49 . 2009-10-28 14:36 13824 c:\windows\ie7updates\KB982381-IE7\ieudinit.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Google Update"="c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 14743552]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-15 45056]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-12 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-29 11:04 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\uTorrent.exe"=
"d:\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/15/2010 1:47 PM 779496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:02 PM 102448]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/14/2005 11:05 AM 28800]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/15/2010 1:47 PM 0]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/15/2010 1:47 PM 0]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 2:06 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:36]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:36]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-206880713-2891574968-632731718-1005Core.job
- c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 06:57]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-206880713-2891574968-632731718-1005UA.job
- c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 06:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Home1\Application Data\Mozilla\Firefox\Profiles\dey2vnb9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://extratorrent.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\Home1\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\divx\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 12:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-06-24 12:23:40
ComboFix-quarantined-files.txt 2010-06-24 06:53
ComboFix2.txt 2010-06-21 21:36

Pre-Run: 4,557,393,920 bytes free
Post-Run: 4,539,449,344 bytes free

- - End Of File - - 3813309D80EF6657C6E1A671CFD1A858

As of now, the system seems to be working fine...
Before we close the topic... which is whenever you deem it appropriate to do so... I do have some questions... I am just keeping them until the current situation is resolved...

Thanks again!!

Awave


#11 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 24 June 2010 - 02:05 AM

Hello

QUOTE
I do have some questions

Please feel free to ask at any time.

We appear to have dealt with the bulk of the infection. Now we'll check for leftover pieces, and after that we'll clean up and be finished.

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer, and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

~Blade


In your next reply, please include the following:
ESET Online Scan log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 Awave

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2010 - 04:07 AM

Here is the ESETScan log



C:\Documents and Settings\Home1\Application Data\Sun\Java\Deployment\cache\6.0\63\5b42f9bf-4444ba08 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\Home1\My Documents\Downloads\Spyware Cease v6.3.0 - rubak\Spyware Cease v6.3.0 - rubak.rar a variant of Win32/Adware.SpywareCease application deleted - quarantined
C:\Documents and Settings\Home1\My Documents\Downloads\Spyware Cease v6.3.0 - rubak\setup\SpywareCease_Setup.exe a variant of Win32/Adware.SpywareCease application deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\53\73eb6d35-135e97a9 a variant of Java/TrojanDownloader.Agent.NBE trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\5sK5y.dll.vir a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\5y55o.dll.vir a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\931q93cEI.dll.vir a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F9436B5-C404-4C78-9E93-BE1C52D99A62}\RP1\A0000077.exe Win32/TrojanDownloader.FakeAlert.AAA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F9436B5-C404-4C78-9E93-BE1C52D99A62}\RP1\A0000080.dll a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F9436B5-C404-4C78-9E93-BE1C52D99A62}\RP1\A0000081.dll a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7F9436B5-C404-4C78-9E93-BE1C52D99A62}\RP1\A0000082.dll a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
H:\MR. PRASAD BLACK&WHITE PHOTO MARRIAGE 22-11-09\autorun.inf Win32/Peerfrag.FI worm cleaned by deleting - quarantined

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Also... right at the end of the scan... there was this option to delete quarantined files... I didn't check that one... because I simply wasn't sure... about whether, if I try to delete them via ESET, it doesn't end up having an adverse reaction...

And aah... my questions...

1) Is it possible for me to pick up anything which can damage my computer (malware / spyware / virus and all related therein) just by simply surfing the net, watching videos online, etc.?... or do I have to deliberately download something / execute it before it can act?
2) A client like BitTorrent, how bad is it?
3) How does one get active, proactive protection against all that is listed in Q1?... which product would you recommend?

Thanks a lot again... really appreciate it!!!

Awave
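One way to read a scan log like the one above is to bucket each detection by where the file sat: a hit inside ComboFix's Qoobox quarantine or a System Restore snapshot is an already-inert leftover, while a hit in the Java deployment cache, a Downloads folder or an autorun.inf on a removable drive points at how the machine picked things up. The Python below is an added example, not part of this thread or of ESET's tooling; the sample lines are constructed in the format of the posted log, and the field pattern and location buckets are my own assumptions about that format.

```python
"""Triage ESET Online Scanner result lines by where each detection was found."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the format of the log posted in this thread
# (not the thread's own log verbatim).
SAMPLE_LOG = """\
C:\\Documents and Settings\\Home1\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\63\\5b42f9bf-4444ba08 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAA trojan cleaned by deleting - quarantined
C:\\System Volume Information\\_restore{7F9436B5-C404-4C78-9E93-BE1C52D99A62}\\RP1\\A0000080.dll a variant of Win32/Kryptik.EXJ trojan cleaned by deleting - quarantined
H:\\HOLIDAY PHOTOS 2009\\autorun.inf Win32/Peerfrag.FI worm cleaned by deleting - quarantined
C:\\Documents and Settings\\Home1\\My Documents\\Downloads\\some tool\\setup.exe a variant of Win32/Adware.SpywareCease application deleted - quarantined
"""

# Assumed field layout of one result line:
#   <path> [a variant of ]<Family/Name.Variant> <kind> <action>[ - quarantined]
# The path may contain spaces, so it is matched non-greedily up to the
# first token that looks like an ESET signature (contains a slash).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<variant>a variant of )?"
    r"(?P<signature>[A-Za-z0-9]+/\S+) "
    r"(?P<kind>potentially (?:unwanted|unsafe) application|application|trojan|worm|virus|backdoor) "
    r"(?P<action>.+?)"
    r"(?: - (?P<outcome>quarantined))?$"
)

# Locations where a hit is a leftover of an earlier clean-up rather than a live file.
REMNANT_LOCATIONS = {"combofix_quarantine", "restore_point"}


@dataclass
class Detection:
    path: str
    signature: str
    kind: str
    action: str
    variant: bool        # True when ESET reported "a variant of" the family
    quarantined: bool    # True when the line ends in "- quarantined"
    location: str        # triage bucket derived from the path (assumed buckets)
    remnant: bool        # True when the file was already inert


def classify_location(path: str) -> str:
    """Map a detection path to a coarse bucket; these buckets are my own assumption."""
    p = path.lower()
    filename = p.rsplit("\\", 1)[-1]
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"      # ComboFix already moved it out of the way
    if "\\system volume information\\_restore" in p:
        return "restore_point"            # System Restore snapshot, inert until restored
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"               # cached applet: typical drive-by download artefact
    if filename == "autorun.inf":
        return "autorun_inf"              # removable-media autorun, spreads by USB/drive
    if "\\downloads\\" in p:
        return "user_download"            # something the user fetched deliberately
    return "other"


def parse_eset_line(line: str) -> Optional[Detection]:
    """Parse one result line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    location = classify_location(m.group("path"))
    return Detection(
        path=m.group("path"),
        signature=m.group("signature"),
        kind=m.group("kind"),
        action=m.group("action"),
        variant=m.group("variant") is not None,
        quarantined=m.group("outcome") == "quarantined",
        location=location,
        remnant=location in REMNANT_LOCATIONS,
    )


def triage(log_text: str) -> List[Detection]:
    """Parse every detection line in a log, skipping separators and blank lines."""
    found = []
    for line in log_text.splitlines():
        det = parse_eset_line(line)
        if det is not None:
            found.append(det)
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Count leftovers versus hits that still deserve a closer look."""
    remnants = sum(1 for d in dets if d.remnant)
    return {
        "total": len(dets),
        "remnants": remnants,
        "needs_attention": len(dets) - remnants,
        "by_location": Counter(d.location for d in dets),
        "by_signature": Counter(d.signature for d in dets),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for d in results:
        tag = "leftover" if d.remnant else "CHECK"
        print(f"[{tag:8}] {d.location:20} {d.signature:40} {d.path}")
    print(summarize(results))
```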




#13 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 27 June 2010 - 01:10 PM

Hello Awave.

Sorry for the delay.

Yes, you should have allowed ESET to delete the files which it quarantined. As long as it did quarantine those files however, you should be able to delete them from ESET's control panel.

In response to your questions:

1). Yes, unfortunately that can happen. This is due to exploits and vulnerabilities in legitimate software (for example, Adobe Reader or Java) that are discovered and used by malicious programmers. This is why we stress that you keep all of your software up to date, so that you have all the available security patches. Even then however, there may be a vulnerability that has been recently discovered and not yet been patched, so you must be careful which sites you visit and what you allow onto your machine.

***************************************************

2). Here's a bit of information on Peer to Peer apps such as Bittorrent.

Peer-to-peer or file-sharing programs allow users to share files with each other. In today's world, cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

I personally don't recommend them, as they can become a serious security vulnerability. One can very easily download a malicious file by mistake.

***************************************************

3). First, know this: No program can completely protect you against malware. Malware writers are continually developing new and more complex methods to get around security software, and some of those attempts will succeed for at least a short while. The most effective means to protect yourself from malware is by practicing safe surfing habits. Some more information on how to protect yourself from being reinfected can be found later in this post.

***************************************************

Now, let's clean up our mess.
  • Click on Start>Run
  • Now type combofix /Uninstall in the run box and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that ComboFix was uninstalled successfully.
This will remove files/folders associated with ComboFix and uninstall it.

***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.
I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#14 Awave

Awave
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 28 June 2010 - 04:48 AM

Hey!

Thanks a lot for helping me out...and for providing the answers I needed...although after reading, I do realize that there isn't any sure-shot way of keeping oneself protected...except going off the net....but at least I now am more aware.
The system is working fine now....have downloaded the HOSTSMAN program.....just wanted to make sure about one thing....the HOSTSMAN program works for every browser in my system, yes??....as in, if on any of the browsers I open up a site which is trying to get malware into my system...then HOSTSMAN would warn me...is that presumption correct?

Apart from the above query....all I can repeat is that....if there's something you feel I can help you out with...then do let me know...I live in India...although I spend most of my time on the oceans.....as a navigating officer on a merchant ship...

And yes, I will definitely publicize this forum...coz it more than deserves that...

Awave

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:34 PM

Posted 28 June 2010 - 02:13 PM

QUOTE
the HOSTSMAN program works for every browser in my system yes??


This is correct. Hostsman works at the DNS Resolution level, which is browser independent.

It was my pleasure to help.

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
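As an added illustration of Blade's point above (this is example code written for this page, not part of the post and not HostsMan's own code), the check below parses a hosts file the way a resolver consults it before any DNS query is sent, which is why a block there applies to every browser on the machine; it also flags entries that point a name somewhere other than loopback, since the same mechanism can redirect as well as block. The hosts text is constructed, with the two redirect domains named in this thread used as sample block entries.

```python
import ipaddress

# Constructed sample in the MVPS/HostsMan style: blocked names map to 0.0.0.0
# or 127.0.0.1. The last line is a constructed example of a malicious
# redirect entry, not something reported in this thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real MVPS list
127.0.0.1 localhost
0.0.0.0 www.wellaction.com
0.0.0.0 www.directddr.com   # redirect targets reported in this thread
0.0.0.0 ads.example.net tracker.example.net
203.0.113.5 www.example-bank.invalid  # constructed: name pointed at a foreign IP
"""

# Addresses that sinkhole a name rather than redirect it.
BLOCK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # malformed line, ignore it
        for name in parts[1:]:
            # first matching entry wins, which is typical resolver behaviour
            mapping.setdefault(name.lower(), ip)
    return mapping


def classify(hostname, mapping):
    """'blocked' if sinkholed, 'redirected' if sent elsewhere, 'unlisted' if DNS applies."""
    ip = mapping.get(hostname.lower().rstrip("."))
    if ip is None:
        return "unlisted"
    return "blocked" if ip in BLOCK_ADDRS else "redirected"


def suspicious_entries(mapping):
    """Names a hosts-file audit should flag: mapped to a non-loopback address."""
    return sorted(name for name, ip in mapping.items()
                  if ip not in BLOCK_ADDRS and name != "localhost")
```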




