PHP/C99shell.E infected PHP files


This topic is locked
16 replies to this topic

#1 Mac John

Posted 14 December 2010 - 12:35 AM

I found that my Zen Cart store was hacked. When I FTP'd into the site I found that they'd uploaded their own file uploader as well as a few PHP/C99shell.E infected PHP files. They had also changed all of the notification email addresses in Zen Cart admin and turned on the manual Credit Card payment system to have it point to their own email address.

I am guessing this happened one of two ways:
1) They hacked a security-hole / vulnerability in the Zen Cart system directly; or
2) There is some malware on my system that gave them my login details.

When I put a USB drive in my PC and took it to a friend who has CA Anti-Virus, the couple of exe files I had on my USB drive were infected with Win32/Virut.17408. The CA definition can be seen here: http://www.ca.com/securityadvisor/virusinfo/virus.aspx?ID=66586

It sounds very much like I could have this and THAT'S how my site was hacked... via this virus/malware on my PC.

I have attached the DDS and Gmer reports as indicated in the "How to Post" section.

If you need any additional reports, please let me know. Thanks in advance!


Kind Regards,

Mac
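As an added example for the situation described in this post (it is not code from the thread, from Zen Cart, or from any of the tools mentioned here): a small Python script that walks a web root, scores each PHP file against the constructs that C99shell-style files rely on, and also lists files modified after a baseline date, so a dropped uploader and the infected PHP files can be located without reading every file by hand. The web root, the file names and the file contents it creates are constructed for the demo and are inert.

```python
"""Webshell indicator scan for a PHP web root.

Added example, not code from the thread or from Zen Cart. It walks a directory
of PHP files, scores each one against common webshell indicators and also
reports files modified after a baseline date (the same idea as the
'Created Last 30' section of a DDS log, applied to the web server).
The sample files it writes are constructed for the demo and are inert.
"""
import os
import re
import tempfile
import time

# Constructs that rarely appear in a store's own PHP but are the building
# blocks of most PHP webshells. Each hit is one point; combinations that are
# far more suspicious together receive bonus points in score_source().
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "exec_family": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def score_source(src):
    """Return (score, [indicator names]) for one PHP source string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    score = len(hits)
    if "eval" in hits and "base64_decode" in hits:
        score += 2  # the classic obfuscated-payload pattern
    if "request_input" in hits and ("eval" in hits or "exec_family" in hits):
        score += 2  # request data flowing into code or shell execution
    return score, hits


def scan_tree(root, newer_than=None, threshold=3):
    """Walk root; report PHP files scoring >= threshold or modified after newer_than (epoch seconds)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            recent = newer_than is not None and os.path.getmtime(path) > newer_than
            if score >= threshold or recent:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "score": score,
                    "hits": hits,
                    "recent": recent,
                })
    return sorted(findings, key=lambda f: (-f["score"], f["path"]))


def build_sample_webroot():
    """Create a throwaway web root holding constructed, inert sample files."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.makedirs(os.path.join(root, "images"))
    samples = {
        # ordinary store code: uses request input and base64 legitimately, scores below threshold
        "index.php": "<?php $id = (int)$_GET['id']; echo base64_decode($token); ?>\n",
        # plain template with no indicators at all
        "footer.php": "<?php echo 'constructed footer'; ?>\n",
        # constructed stand-in for a dropped file: eval of a base64 blob (the blob decodes to the word 'constructed')
        "images/cache.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n",
    }
    sixty_days_ago = time.time() - 60 * 86400
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel != "images/cache.php":
            # the legitimate files predate the incident; the dropped file keeps its fresh mtime
            os.utime(path, (sixty_days_ago, sixty_days_ago))
    return root


def demo():
    """Scan the sample web root with a 30-day baseline and return the findings."""
    root = build_sample_webroot()
    return scan_tree(root, newer_than=time.time() - 30 * 86400)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: score={f['score']} recent={f['recent']} hits={','.join(f['hits'])}")
```

The threshold and the baseline date are the two knobs. A hit is a reason to open the file, not proof on its own: a store's own code legitimately uses base64_decode and request variables, which is why the sample index.php scores below the threshold while the eval-plus-base64 file is reported.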


#2 Shannon2012

Posted 23 December 2010 - 09:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 thcbytes

Posted 03 January 2011 - 04:07 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 thcbytes

Posted 24 January 2011 - 10:08 PM

This topic has been re-opened at the request of the person who originally posted.

#5 thcbytes

Posted 24 January 2011 - 10:13 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to see some information about what is happening in your machine.

Re-run these scans due to the prolonged time since your last post. You do not need to re-download these apps if you still have them.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Regards,
thcbytes

#6 Mac John

Posted 27 January 2011 - 06:33 PM

Since opening this thread, I suspect the original threat was in fact an unrelated Zen Cart "website-based" hack. Even so, I still want to check. Also, the other issue I have is that often when I try to open a new tab in IE8, or even just the first window, it freezes. I have noticed that when I open one instance of IE8, there are 2 iexplore.exe processes running.

This constant crashing of IE8 is not only very frustrating, but I thought might be related to some malware also.

Anyway, here's my DDS log (below). Attach.zip and gmer.zip are attached, containing their respective log files.

Many thanks guys! Your help is VERY much appreciated!

Cheers,

Mac


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 10:09:13.68 on Fri 28/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.166 [GMT 11:00]

AV: CA Anti-Virus Plus *Disabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AutoMate 5\AutoMate5Svc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sandboxie\SbieSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\AutoMate 5\AM5HkWnd.exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\SmarThru Office\BackUpSvr.exe
C:\Program Files\SmarThru Office\LegacyLauncher.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\Twain_32\Samsung\SCX4x28\Scan2pc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\UltraVNC\vncviewer.exe
C:\SOFTWARE\TimesheetAssistant.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Documents and Settings\User\Desktop\BLEEPI~1\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcStd7_0_8 -reboot 1
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AutoMate5] c:\program files\automate 5\AM5HkWnd.exe
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe"
mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe"
mRun: [PDF3 Registry Controller] "c:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [UniPrint] c:\progra~1\uniprint\client\SetDfltSettings.exe
mRun: [LandOnline] c:\program files\landonline printer driver\PrintManager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SkyTel] SkyTel.EXE
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [STO Backup Service] c:\program files\smarthru office\BackUpSvr.exe
mRun: [STO Launcher Service] c:\program files\smarthru office\LegacyLauncher.exe /run
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [4x28 Scan2PC] "c:\windows\twain_32\samsung\scx4x28\Scan2pc.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [winvnc] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\user\startm~1\programs\startup\custom~1.lnk - c:\program files\ultravnc\vncviewer.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\timesh~1.lnk - c:\software\TimesheetAssistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Capture Selection - c:\program files\smarthru office\WebCapture.dll2.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
IE: Save as HTML - c:\program files\smarthru office\WebCapture.dll1.htm
IE: Save Selected Text - c:\program files\smarthru office\WebCapture.dll.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Web Capture - c:\program files\smarthru office\WebCapture.dll
IE: {6E0321C4-E024-4D85-B2D9-2F4AF0E2D33E} - c:\program files\movies extractor scout lite\flashextract.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: govt.nz\logon.landonline
Trusted Zone: liveperson.net\server.iad
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178166591656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://rpdata.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\9l6e7sta.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll
FF - plugin: c:\documents and settings\user\application data\videoegg\loader\4665\npvideoegg-loader.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: CA Anti-Phishing Toolbar: caaphishtoolbar@ca.com - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\Firefox

============= SERVICES / DRIVERS ===============

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2009-9-2 53240]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2009-6-8 115704]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-7-13 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-6-26 206160]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2009-8-14 145912]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2009-9-30 60920]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2010-7-14 6016]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-4-28 93696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2011-01-24 03:51:00 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-12-13 04:21:27 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 07:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 05:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2008-06-05 09:15:15 136 ----a-w- c:\program files\BMonitor.dll

============= FINISH: 10:21:51.46 ===============
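As an added example, not part of the thread and not code from the DDS tool: a parser for the 'Pseudo HJT Report' section of a DDS log like the one above, with two of the triage rules a helper otherwise applies by eye: registered components whose file is gone ('No File'), and Run-key commands given as a bare executable name with no directory, which Windows locates by searching the PATH at logon rather than from a fixed location. The sample lines are copied from the log posted above.

```python
"""Triage for the 'Pseudo HJT Report' section of a DDS log.

Added example, not from the thread or from DDS itself. Each line is split
into its kind (BHO, TB, uRun, mRun, StartupFolder ...), the entry name, a
CLSID if present, and the file or command it points at; two simple rules then
flag the entries worth a second look.
"""
import re

# Lines copied from the DDS log posted in this thread.
SAMPLE_LINES = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [winvnc] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\user\startm~1\programs\startup\timesh~1.lnk - c:\software\TimesheetAssistant.exe
""".strip().splitlines()

CLSID_RX = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
RUN_RX = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUN_KINDS = ("uRun", "mRun")  # per-user and per-machine Run keys


def first_token(cmd):
    """Executable part of a Run-key command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_line(line):
    """Split one report line into kind, name, clsid, target (file or executable) and command."""
    kind, _, rest = line.partition(": ")
    entry = {"kind": kind, "name": None, "clsid": None, "target": None, "command": None, "raw": line}
    m = CLSID_RX.search(rest)
    if m:
        entry["clsid"] = m.group(0)
    if kind in RUN_KINDS:
        m = RUN_RX.match(rest)
        if m:
            entry["name"] = m.group("name")
            entry["command"] = m.group("cmd")
            entry["target"] = first_token(m.group("cmd"))
        return entry
    # Other kinds read "Label: {CLSID} - path", "{CLSID} - path" or "shortcut - path".
    head, sep, path = rest.rpartition(" - ")
    if not sep:
        entry["target"] = rest
        return entry
    entry["target"] = path
    if ": {" in head:
        entry["name"] = head.split(": {")[0]
    elif kind == "StartupFolder":
        entry["name"] = head
    return entry


def triage(entry):
    """Return the list of reasons this entry deserves a closer look (empty if none)."""
    flags = []
    if entry["target"] == "No File":
        flags.append("orphan: registered component whose file no longer exists")
    if entry["kind"] in RUN_KINDS and entry["target"]:
        t = entry["target"]
        if "\\" not in t and not t.startswith("%"):
            flags.append("bare executable name: located by PATH search at logon, confirm which file runs")
    return flags


def triage_report(lines):
    """Parse every non-empty line and keep only the flagged entries, in log order."""
    report = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = parse_line(line)
        flags = triage(entry)
        if flags:
            report.append({"kind": entry["kind"], "name": entry["name"],
                           "target": entry["target"], "flags": flags})
    return report


if __name__ == "__main__":
    for r in triage_report(SAMPLE_LINES):
        print(f"{r['kind']:<14} {(r['name'] or r['target']):<24} {'; '.join(r['flags'])}")
```

On the log above this flags the two 'No File' entries and the three Run keys that name only RTHDCPL.EXE, ALCMTR.EXE and SkyTel.EXE; the rules say nothing about whether those files are good or bad, only that the log does not show where they live, which is exactly what a helper checks next.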

#7 thcbytes

Posted 27 January 2011 - 10:08 PM

Please note....

I see you have uTorrent & BitComet installed!

Using any peer-to-peer (P2P) or file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BearShare, Azureus/Vuze) is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Using such programs is very likely how your computer got infected!!

==========

Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

This next.....

Download and run Win32kDiag:
Then this......

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 Mac John

Mac John
  • Topic Starter

  • Members
  • 6 posts

Posted 30 January 2011 - 10:56 PM

Thanks for the reply thcbytes!

Yes, I have those file sharing apps installed. :) I haven't used BitComet in a very long time. I use uTorrent, but use it to download files from a "members only" server that I would like to think is a little "safer". That said, I am aware of the risks involved here and know that file sharing cannot really be safe. Keeping that in mind, I don't even download from here often and it has been a little while since I downloaded something using any file sharing apps. These apps do not run on startup either.

Apologies for the delay. Weekend, plus ComboFix forced me to uninstall CA Security Suite before it would run. This was a bit of an effort in itself!

Also note that the log file for Win32kDiag.exe remained short, containing the text "WARNING: Could not get backup privileges!" when running as any account type (Administrator, my account which also had Admin rights, etc.). I even tried giving "Everyone" full rights to c:\windows, and removed that permission again when the change made no difference to the results. I didn't want to do any "unknown" mucking around until you took a look at it!

Results of each of the three log files requested are as follows:


ComboFix.exe
ComboFix 11-01-29.03 - User 31/01/2011 13:10:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.317 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\Bleeping Computer stuff\step2\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Acr2E4C.tmp
C:\Acr95FC.tmp
C:\Acr95FD.tmp
c:\documents and settings\User\Application Data\VideoEgg
c:\documents and settings\User\Application Data\VideoEgg\Data\report.log
c:\documents and settings\User\Application Data\VideoEgg\DataLOCKED
c:\documents and settings\User\Application Data\VideoEgg\Loader\4665\npvideoegg-loader.dll
c:\documents and settings\User\Application Data\VideoEgg\Loader\loader.ver
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\avcodec.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\crashRpt.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\FLVEncoder.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\lame_enc.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\LevelMeter.ax
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\libcurlve.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\libpng.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\npvideoegg-publisher.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\aol_watermark.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\audio_combo.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\audio_source.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\big_gray_logo.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\big_logo_cropped.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\blank_slide.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\button_browse_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\button_browse_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\button_browse_up.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\camcorder_btn_highlighted.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\camcorder_slide.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\camcorders_title.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\corners_bottom_left.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\corners_bottom_left_curve.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\corners_bottom_right.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\corners_top_right.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done_capture.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done_capture_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done_capture_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\done_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dropshadow_bottom_left.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dropshadow_horiz.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dropshadow_vertical.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dropzone.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dv_fast_forward.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dv_pause.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dv_play.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dv_rewind.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\dv_stop.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\email_instructions.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\email_sent.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\email_sent_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\email_sent_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\eraser.CUR
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\eraser_cursor.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\file_btn_highlighted.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\file_slide.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\help.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_camcorder.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_camcorder_dark.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_camcorder_light.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_camcorders.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_ff.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_file_dark.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_file_light.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_pause.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_phone_dark.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_phone_light.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_play.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_rewind.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_stop.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_webcam.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_webcam_dark.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_webcam_light.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\icon_webcams.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\loading.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\loading_movie.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\locating.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\logo.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\logo_bottom.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\logo_middle.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\logo_top.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\mobile_btn_highlighted.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\mobile_slide.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\mobile_slide_disabled.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\movie_placeholder.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\ok.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\ok_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\ok_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_fast_forward.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_fast_forward_disabled.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_fill.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_pause.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_play.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_rewind.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_rewind_disabled.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\player_rewind_to_start.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\playhead.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\powered_by.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\progress.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\refresh_list_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\refresh_list_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\refresh_list_up.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\restart.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\restart_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_capture.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_capture_disabled.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_capture_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_capture_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_over_highlight.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\start_slider.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\stop_capture.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\stop_capture_disabled.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\stop_capture_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\stop_capture_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\stop_slider.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\tab_slide_deselected.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\tape_control.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_camcorder.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_camcorder_highlight.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_file.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_file_highlight.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_phone.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_phone_highlight.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_webcam.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\text_webcam_highlight.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\title.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\upload.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\upload_down.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\upload_from.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\upload_over.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading_fill.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading_high.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading_low.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading_medium.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\uploading_thumbnail.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_gray.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_green.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_high.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_low.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_orange.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_red.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\volume_slider.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\waiting_for_email.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\webcam_btn_highlighted.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\webcam_slide.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\webcams_title.png
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\messages\messages.en-US.bundle
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\VideoEgg_FLVWriter.ax
c:\documents and settings\User\Application Data\VideoEgg\Publisher\4520\zlib.dll
c:\documents and settings\User\Application Data\VideoEgg\Publisher\publisher.ver
c:\documents and settings\User\Application Data\VideoEgg\Uninstall.exe
c:\documents and settings\User\Application Data\VideoEgg\Updater\4665\libcurlve.dll
c:\documents and settings\User\Application Data\VideoEgg\Updater\4665\updater.dll
c:\documents and settings\User\Application Data\VideoEgg\Updater\updater.exe
c:\documents and settings\User\Application Data\VideoEgg\Updater\updater.ver
c:\documents and settings\User\Application Data\VideoEgg\Updater\VideoEggBroker.exe
c:\documents and settings\User\Application Data\VideoEgg\Updater\VideoEggBroker.exe.old
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\Recent\Thumbs.db
c:\windows\system32\_004791_.tmp.dll
c:\windows\system32\_004792_.tmp.dll
c:\windows\system32\_004793_.tmp.dll
c:\windows\system32\_004794_.tmp.dll
c:\windows\system32\_004801_.tmp.dll
c:\windows\system32\_004802_.tmp.dll
c:\windows\system32\_004803_.tmp.dll
c:\windows\system32\_004804_.tmp.dll
c:\windows\system32\_004805_.tmp.dll
c:\windows\system32\_004806_.tmp.dll
c:\windows\system32\_004807_.tmp.dll
c:\windows\system32\_004808_.tmp.dll
c:\windows\system32\_004809_.tmp.dll
c:\windows\system32\_004810_.tmp.dll
c:\windows\system32\_004811_.tmp.dll
c:\windows\system32\_004812_.tmp.dll
c:\windows\system32\_004813_.tmp.dll
c:\windows\system32\_004814_.tmp.dll
c:\windows\system32\_004815_.tmp.dll
c:\windows\system32\_004816_.tmp.dll
c:\windows\system32\_004817_.tmp.dll
c:\windows\system32\_004818_.tmp.dll
c:\windows\system32\_004819_.tmp.dll
c:\windows\system32\_004820_.tmp.dll
c:\windows\system32\_004821_.tmp.dll
c:\windows\system32\_004822_.tmp.dll
c:\windows\system32\_004823_.tmp.dll
c:\windows\system32\_004824_.tmp.dll
c:\windows\system32\_004825_.tmp.dll
c:\windows\system32\_004826_.tmp.dll
c:\windows\system32\_004827_.tmp.dll
c:\windows\system32\_004828_.tmp.dll
c:\windows\system32\_004829_.tmp.dll
c:\windows\system32\_004830_.tmp.dll
c:\windows\system32\_004831_.tmp.dll
c:\windows\system32\_004832_.tmp.dll
c:\windows\system32\_004833_.tmp.dll
c:\windows\system32\_004834_.tmp.dll
c:\windows\system32\_004835_.tmp.dll
c:\windows\system32\_004836_.tmp.dll
c:\windows\system32\_004837_.tmp.dll
c:\windows\system32\_004838_.tmp.dll
c:\windows\system32\_004839_.tmp.dll
c:\windows\system32\_004840_.tmp.dll
c:\windows\system32\_004841_.tmp.dll
c:\windows\system32\_004842_.tmp.dll
c:\windows\system32\_004843_.tmp.dll
c:\windows\system32\_004844_.tmp.dll
c:\windows\system32\_004845_.tmp.dll
c:\windows\system32\_004846_.tmp.dll
c:\windows\system32\_004847_.tmp.dll
c:\windows\system32\_004848_.tmp.dll
c:\windows\system32\_004849_.tmp.dll
c:\windows\system32\_004850_.tmp.dll
c:\windows\system32\_004851_.tmp.dll
c:\windows\system32\_004852_.tmp.dll
c:\windows\system32\_004853_.tmp.dll
c:\windows\system32\_004854_.tmp.dll
c:\windows\system32\_004855_.tmp.dll
c:\windows\system32\_004856_.tmp.dll
c:\windows\system32\_004857_.tmp.dll
c:\windows\system32\_004858_.tmp.dll
c:\windows\system32\_004859_.tmp.dll
c:\windows\system32\_004860_.tmp.dll
c:\windows\system32\_004861_.tmp.dll
c:\windows\system32\_004862_.tmp.dll
c:\windows\system32\_004863_.tmp.dll
c:\windows\system32\_004864_.tmp.dll
c:\windows\system32\_004865_.tmp.dll
c:\windows\system32\_004866_.tmp.dll
c:\windows\system32\_004867_.tmp.dll
c:\windows\system32\_004868_.tmp.dll
c:\windows\system32\_004869_.tmp.dll
c:\windows\system32\_004870_.tmp.dll
c:\windows\system32\_004871_.tmp.dll
c:\windows\system32\_004872_.tmp.dll
c:\windows\system32\_004873_.tmp.dll
c:\windows\system32\_004874_.tmp.dll
c:\windows\system32\_004875_.tmp.dll
c:\windows\system32\_004876_.tmp.dll
c:\windows\system32\_004877_.tmp.dll
c:\windows\system32\_004878_.tmp.dll
c:\windows\system32\_004879_.tmp.dll
c:\windows\system32\_004880_.tmp.dll
c:\windows\system32\_004881_.tmp.dll
c:\windows\system32\_004882_.tmp.dll
c:\windows\system32\_004883_.tmp.dll
c:\windows\system32\_004884_.tmp.dll
c:\windows\system32\_004885_.tmp.dll
c:\windows\system32\_004886_.tmp.dll
c:\windows\system32\_004887_.tmp.dll
c:\windows\system32\_004888_.tmp.dll
c:\windows\system32\_004889_.tmp.dll
c:\windows\system32\_004890_.tmp.dll
c:\windows\system32\_004891_.tmp.dll
c:\windows\system32\_004892_.tmp.dll
c:\windows\system32\_004893_.tmp.dll
c:\windows\system32\_004894_.tmp.dll
c:\windows\system32\_004895_.tmp.dll
c:\windows\system32\_004896_.tmp.dll
c:\windows\system32\_004897_.tmp.dll
c:\windows\system32\_004898_.tmp.dll
c:\windows\system32\_004899_.tmp.dll
c:\windows\system32\_004900_.tmp.dll
c:\windows\system32\_004901_.tmp.dll
c:\windows\system32\_004902_.tmp.dll
c:\windows\system32\_004903_.tmp.dll
c:\windows\system32\_004904_.tmp.dll
c:\windows\system32\_004905_.tmp.dll
c:\windows\system32\_004906_.tmp.dll
c:\windows\system32\_004907_.tmp.dll
c:\windows\system32\_004908_.tmp.dll
c:\windows\system32\_004910_.tmp.dll
c:\windows\system32\_004911_.tmp.dll
c:\windows\system32\_004912_.tmp.dll
c:\windows\system32\_004913_.tmp.dll
c:\windows\system32\_004914_.tmp.dll
c:\windows\system32\_004915_.tmp.dll
c:\windows\system32\_004916_.tmp.dll
c:\windows\system32\_004917_.tmp.dll
c:\windows\system32\_004918_.tmp.dll
c:\windows\system32\_004919_.tmp.dll
c:\windows\system32\_004920_.tmp.dll
c:\windows\system32\_004922_.tmp.dll
c:\windows\system32\_004923_.tmp.dll
c:\windows\system32\_004924_.tmp.dll
c:\windows\system32\_004925_.tmp.dll
c:\windows\system32\_004926_.tmp.dll
c:\windows\system32\_004927_.tmp.dll
c:\windows\system32\_004928_.tmp.dll
c:\windows\system32\_004929_.tmp.dll
c:\windows\system32\_004930_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004932_.tmp.dll
c:\windows\system32\_004933_.tmp.dll
c:\windows\system32\_004935_.tmp.dll
c:\windows\system32\_004936_.tmp.dll
c:\windows\system32\_004937_.tmp.dll
c:\windows\system32\_004938_.tmp.dll
c:\windows\system32\_004939_.tmp.dll
c:\windows\system32\_004941_.tmp.dll
c:\windows\system32\_004942_.tmp.dll
c:\windows\system32\_004944_.tmp.dll
c:\windows\system32\_004945_.tmp.dll
c:\windows\system32\_004946_.tmp.dll
c:\windows\system32\_004947_.tmp.dll
c:\windows\system32\_004948_.tmp.dll
c:\windows\system32\_004949_.tmp.dll
c:\windows\system32\_004950_.tmp.dll
c:\windows\system32\_004951_.tmp.dll
c:\windows\system32\_004952_.tmp.dll
c:\windows\system32\_004953_.tmp.dll
c:\windows\system32\_004954_.tmp.dll
c:\windows\system32\_004956_.tmp.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004958_.tmp.dll
c:\windows\system32\_004959_.tmp.dll
c:\windows\system32\_004960_.tmp.dll
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004962_.tmp.dll
c:\windows\system32\_004963_.tmp.dll
c:\windows\system32\_004964_.tmp.dll
c:\windows\system32\_004965_.tmp.dll
c:\windows\system32\_004966_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004970_.tmp.dll
c:\windows\system32\_004971_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004975_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004978_.tmp.dll
c:\windows\system32\_004979_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004982_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004985_.tmp.dll
c:\windows\system32\_004986_.tmp.dll
c:\windows\system32\_004987_.tmp.dll
c:\windows\system32\_004988_.tmp.dll
c:\windows\system32\_004989_.tmp.dll
c:\windows\system32\_004990_.tmp.dll
c:\windows\system32\_004991_.tmp.dll
c:\windows\system32\_004993_.tmp.dll
c:\windows\system32\_004994_.tmp.dll
c:\windows\system32\_004995_.tmp.dll
c:\windows\system32\_004998_.tmp.dll
c:\windows\system32\_004999_.tmp.dll
c:\windows\system32\_005003_.tmp.dll
c:\windows\system32\_005004_.tmp.dll
c:\windows\system32\_005006_.tmp.dll
c:\windows\system32\_005008_.tmp.dll
c:\windows\system32\_005009_.tmp.dll
c:\windows\system32\_005011_.tmp.dll
c:\windows\system32\_005012_.tmp.dll
c:\windows\system32\_005013_.tmp.dll
c:\windows\system32\_005014_.tmp.dll
c:\windows\system32\_005017_.tmp.dll
c:\windows\system32\_005018_.tmp.dll
c:\windows\system32\_005019_.tmp.dll
c:\windows\system32\_005020_.tmp.dll
c:\windows\system32\_005021_.tmp.dll
c:\windows\system32\_005026_.tmp.dll
c:\windows\system32\_005028_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\wpa.dbl.bak2

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 )))))))))))))))))))))))))))))))
.

2011-01-31 01:08 . 2011-01-31 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2011-01-24 03:51 . 2011-01-24 03:51 1409 ----a-w- c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-22 01:22 . 2010-12-22 01:22 359744 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2010-12-22 01:19 . 2010-12-22 01:19 359744 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2010-12-22 01:14 . 2009-02-26 22:02 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-11-18 18:12 . 2007-03-05 08:26 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 07:53 . 2010-05-16 11:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 05:34 . 2007-04-25 23:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2006-02-28 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-10-20 21:53 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2008-06-05 09:15 . 2008-05-26 22:54 136 ----a-w- c:\program files\BMonitor.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"AutoMate5"="c:\program files\AutoMate 5\AM5HkWnd.exe" [2005-06-27 2859520]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2004-10-15 61440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2005-07-05 69632]
"PDF3 Registry Controller"="c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-04-12 106496]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2004-05-11 94208]
"LandOnline"="c:\program files\LandOnline Printer Driver\PrintManager.exe" [2006-03-09 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-05-20 536576]
"STO Backup Service"="c:\program files\SmarThru Office\BackUpSvr.exe" [2008-06-11 192512]
"STO Launcher Service"="c:\program files\SmarThru Office\LegacyLauncher.exe" [2008-06-11 331776]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"4x28 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4x28\Scan2pc.exe" [2009-03-17 503808]
"winvnc"="c:\program files\UltraVNC\WinVNC.exe" [2010-07-13 712704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

c:\documents and settings\User\Start Menu\Programs\Startup\
CUSTOMER HELPDESK.lnk - c:\program files\UltraVNC\vncviewer.exe [2010-7-14 749568]
Timesheet Assistant.lnk - c:\software\TimesheetAssistant.exe [2010-3-23 301709]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-2-9 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-5-12 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\UmxSbxExw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\MyWANiP\\MyWanIP.exe"=
"c:\\Program Files\\AutoMate 5\\TaskEdit.exe"=
"c:\\Program Files\\AutoMate 5\\SpawnTask.exe"=
"c:\\Program Files\\AutoMate 5\\AMTA.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ZipGenius 6\\ftpg.exe"=
"c:\\Program Files\\Robo-FTP\\Robo-FTP.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Advantig\\OneClick\\repeater.exe"=
"c:\\Program Files\\Advantig\\OneClick\\vncviewer.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Professional\\ftpte.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\ScanMgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Scan2Pc.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Sscan2io.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\SOFTWARE\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14086:TCP"= 14086:TCP:BitComet 14086 TCP
"14086:UDP"= 14086:UDP:BitComet 14086 UDP
"21332:TCP"= 21332:TCP:MyWANIP-TCPport
"21332:UDP"= 21332:UDP:MyWANIP-UDPport
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [17/12/2003 4:41 PM 5632]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [28/02/2006 11:00 PM 14336]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [14/07/2010 9:53 AM 6016]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [22/03/2010 1:58 PM 79864]
S1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2/09/2009 6:29 PM 53240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 2:16 PM 130384]
S2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [14/08/2009 12:43 PM 145912]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 2:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [10/07/2008 5:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10/07/2008 5:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:57]

2009-05-06 c:\windows\Tasks\LifeChatTask.job
- c:\program files\Microsoft LifeChat\LifeChat.exe [2008-08-21 01:16]

2011-01-31 c:\windows\Tasks\reminder_timesheet.job
- C:\reminder_timesheet.bat [2009-10-06 01:40]

2011-01-30 c:\windows\Tasks\scheduledbackup.job
- c:\windows\system32\ntbackup.exe [2006-02-28 18:42]

2011-01-31 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-09-14 04:39]

2011-01-28 c:\windows\Tasks\TimesheetAssistant.job
- c:\software\TimesheetAssistant.au3 [2010-03-21 22:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Capture Selection - c:\program files\SmarThru Office\WebCapture.dll2.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
IE: Save as HTML - c:\program files\SmarThru Office\WebCapture.dll1.htm
IE: Save Selected Text - c:\program files\SmarThru Office\WebCapture.dll.htm
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: Web Capture - c:\program files\SmarThru Office\WebCapture.dll
IE: {{6E0321C4-E024-4D85-B2D9-2F4AF0E2D33E} - c:\program files\Movies Extractor Scout LITE\flashextract.exe
Trusted Zone: govt.nz\logon.landonline
Trusted Zone: liveperson.net\server.iad
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\9l6e7sta.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
HKLM-Run-OpScheduler - c:\program files\ScanSoft\OmniPage15.0\OpScheduler.exe
HKLM-Run-CAPPActiveProtection - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
AddRemove-AccessDiver v4.401_is1 - c:\program files\Accessdiver\unins000.exe
AddRemove-CDSCOPE2000 Melbourne June 2000 Data Update - c:\temp\TEST-D~1\CDSCOP~1\UNWISE.EXE
AddRemove-CDSCOPE2000 St Kilda Road August 2000 Data Update - c:\temp\TEST-D~1\CDSCOP~1\UNWISE.EXE
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-VideoEgg - c:\documents and settings\User\Application Data\VideoEgg\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-31 13:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPage15.0\OpHook15.dll
c:\program files\AutoMate 5\AM5TrgHk.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AutoMate 5\AutoMate5Svc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\DllHost.exe
c:\windows\system32\cisvc.exe
c:\windows\system32\cidaemon.exe
c:\windows\system32\cidaemon.exe
c:\windows\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2011-01-31 14:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-31 03:14

Pre-Run: 23,780,634,624 bytes free
Post-Run: 26,915,012,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - AD341BAB9528FA54278F5608B8C696E9




Win32kDiag.exe
Running from: C:\Documents and Settings\User\Desktop\Bleeping Computer stuff\step2\Win32kDiag.exe

Log file at : C:\Documents and Settings\User\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!



peek.bat
Volume in drive C has no label.
Volume Serial Number is F872-DE65

Directory of C:\WINDOWS\$NtServicePackUninstall$

28/02/2006 11:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

28/02/2006 11:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

28/02/2006 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 11:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 11:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 11:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
15 File(s) 3,221,504 bytes
0 Dir(s) 26,955,419,648 bytes free

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 30 January 2011 - 11:34 PM

Well done. :thumbup2:

Did you pay for that AV software? If not would you like to re-install it or would you like my recommendation?

You mentioned earlier that there was a Virut detection. We better rule that out!

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\userinit.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


If you get...

This file has been scanned before. The results for this previous scan are listed below.


Please choose "Scan Again"!!!!!!!!!

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

How is your computer running now?

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
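Post #9 asks for userinit.exe, explorer.exe and svchost.exe to be checked at Jotti or VirusTotal to rule out Virut, and the peek.bat listing in post #8 compares scecli.dll, netlogon.dll and eventlog.dll in system32 against the copies in ServicePackFiles\i386 and ERDNT\cache by size and date. The script below is an added example, not code from the thread or from either scanning service; it does both checks by hash: it builds the VirusTotal per-hash report URL for each binary (a hash lookup does not upload the file) and reports any live copy whose SHA-256 matches none of the backup copies. The directory layout is constructed in a temporary folder so it runs anywhere; on the XP box you would pass C:\WINDOWS\system32 and the real backup folders to compare_copies().

```python
"""Hash the binaries a helper asks you to submit to Jotti or VirusTotal, and
compare each live system32 copy against the backup copies XP keeps, which is
what the peek.bat listing does by size and timestamp.

Added example, not from the thread, ComboFix, Jotti or VirusTotal. The
directory layout is constructed in a temp folder so the script runs anywhere.
"""
import hashlib
import os
import tempfile

VT_LOOKUP = "https://www.virustotal.com/gui/file/{sha256}"   # VirusTotal's per-hash report page


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_url(path):
    """Hash lookups reveal nothing about the file's contents, unlike uploading it."""
    return VT_LOOKUP.format(sha256=sha256_of(path))


def compare_copies(live_dir, backup_dirs, names):
    """For each name, hash the live copy and every backup copy.

    Returns {name: {"live": digest-or-None, "size": bytes-or-None,
                    "matches": [dir, ...], "mismatches": [dir, ...], "missing": [dir, ...]}}.
    """
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        entry = {"live": None, "size": None, "matches": [], "mismatches": [], "missing": []}
        if os.path.exists(live):
            entry["live"] = sha256_of(live)
            entry["size"] = os.path.getsize(live)
        for d in backup_dirs:
            p = os.path.join(d, name)
            if not os.path.exists(p):
                entry["missing"].append(d)
            elif sha256_of(p) == entry["live"]:
                entry["matches"].append(d)
            else:
                entry["mismatches"].append(d)
        report[name] = entry
    return report


def suspicious(report):
    """Names whose live copy differs from every backup copy that exists.

    A PE file infector such as Virut modifies the host executable, so the live
    copy's hash (and usually its size) stops matching the pristine copies. A
    mismatch can also mean a hotfix newer than the backup, so treat it as a
    lead to confirm through the hash lookup, not as a verdict.
    """
    return sorted(n for n, e in report.items()
                  if e["live"] is not None and e["mismatches"] and not e["matches"])


def build_fixture():
    """Constructed stand-in for the XP layout: a system32 plus two backup folders."""
    root = tempfile.mkdtemp()
    live, sp, erd = (os.path.join(root, d) for d in ("system32", "ServicePackFiles", "ERDNT"))
    pristine = {
        "userinit.exe": b"MZ" + b"\x00" * 1000,
        "explorer.exe": b"MZ" + b"\x01" * 2000,
        "svchost.exe": b"MZ" + b"\x02" * 500,
    }
    for d in (live, sp, erd):
        os.makedirs(d)
        for name, data in pristine.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
    # Simulate an infected live copy: extra bytes appended, the shape a PE infector leaves behind.
    with open(os.path.join(live, "explorer.exe"), "ab") as f:
        f.write(b"\x90" * 4096)
    return live, [sp, erd]


def run_demo():
    live, backups = build_fixture()
    names = ["userinit.exe", "explorer.exe", "svchost.exe"]
    report = compare_copies(live, backups, names)
    urls = {n: lookup_url(os.path.join(live, n)) for n in names}
    return report, suspicious(report), urls


if __name__ == "__main__":
    report, flagged, urls = run_demo()
    for name, e in report.items():
        print(f"{name:14} {e['size']:>6} bytes  sha256={e['live'][:16]}...  "
              f"matches={len(e['matches'])} mismatches={len(e['mismatches'])}")
    print("look into:", flagged)
    for name, url in urls.items():
        print(name, url)
```

The size column is the same evidence peek.bat gives, and the hash settles cases where an infector keeps the size unchanged. Open the printed URLs in a browser from a machine you trust; if VirusTotal has never seen the hash, upload the file from there rather than from the suspect box.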

#10 Mac John

Mac John
  • Topic Starter

  • Members
  • 6 posts

Posted 02 February 2011 - 09:15 PM

Hi thcbytes,

Thanks again for the reply.

Yes I did pay for that software. Here is the URL for the latest version:
http://www.ca-store.com.au/malware/internet_security_suite.aspx

Our "subscription" ends around June this year.

I have previously used the CA software because in the past it has proved to be effective, but at the same time, not TOO resource hungry, invasive or problematic.

That said, with the 2010 version of the software, myself and a couple of others in the office have noticed that it slows everything down quite a bit.

So in answer to your question regarding a recommendation, YES is the answer. If you can recommend something that is effective, but would likely perform a little better on these older PCs of ours, that would be great!

Since removing CA (which as I said, was difficult) my system performance has improved. The intermittent issue causing multiple tabs in IE8 to crash the browser so far has not reared its ugly head either. So far. That said, whenever I run a single window of IE8 I STILL get 2 iexplore.exe processes running.

As for the Virut issue, those were found in some "PHP" files that I downloaded from my web-host via FTP. They were picked up immediately on download though by CA so I'm fairly certain they didn't get to do anything. I have since learned that they were uploaded to my server via a ZenCart hack, rather than by local infection on my PC (I think). Regardless, I have run the scans as you suggested. Results are below:

Filename: userinit.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Tue 25 Jan 2011 22:34:44 (CET) Permalink

Filename: explorer.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 3 Feb 2011 02:18:38 (CET) Permalink

Filename: svchost.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 3 Feb 2011 02:16:36 (CET) Permalink


So I guess, at present, the main issue is the double-iexplore.exe process thing?

Anyway, your input here is much appreciated.

Thanks mate!


Cheers,

Mac

Edited by Mac John, 02 February 2011 - 10:18 PM.
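Mac John's reply says the Virut-flagged files were PHP files pulled down from the web host, and that they got there through a Zen Cart hack rather than from the PC. The part of that worth turning into a repeatable check is finding every web shell and uploader left on the host, since a single surviving c99shell file lets the attacker straight back in after the passwords are changed. The scanner below is an added example, not code from the thread, Zen Cart or any AV vendor: its indicators are generic patterns (eval of a decoded payload, shell functions fed from $_POST or $_GET, a c99 string, preg_replace's /e modifier, an upload handler) rather than a vendor's PHP/C99shell.E signature, SUSPECT_DIRS is an assumption about which store directories should hold no PHP at all, and the sample web root is constructed in a temp dir.

```python
"""Triage a web root for PHP files that look like uploaded web shells: the
C99shell family named in this thread and the generic eval/base64 droppers
and upload handlers that usually come with them.

Added example, not code from the thread, Zen Cart or any AV vendor. The
indicators are generic patterns chosen for illustration, not a vendor's
PHP/C99shell.E signature; SUSPECT_DIRS is an assumption; the sample web
root is constructed in a temp dir.
"""
import os
import re
import tempfile

# (label, regex). Each hit is a lead for a human to read the file, not a verdict.
INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("shell-exec-of-request-data",
     re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("c99-marker", re.compile(r"c99sh(ell)?", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-z]*e[a-z]*['"]""", re.I)),
    ("file-upload-handler", re.compile(r"move_uploaded_file\s*\(", re.I)),
]
SUSPECT_DIRS = {"images", "cache", "upload", "uploads", "tmp"}   # assumed: content-only dirs
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_source(text, relpath=""):
    """Return the indicator labels that fire on one file's source."""
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    # PHP sitting in an image/upload/cache directory is executable content where only data belongs.
    dirs = {p.lower() for p in relpath.replace("\\", "/").split("/")[:-1]}
    if dirs & SUSPECT_DIRS:
        hits.append("php-in-non-code-directory")
    return hits


def scan_tree(root):
    """Walk root and map relative path -> hits for every PHP file that triggered something."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="latin-1") as f:   # latin-1 never fails on binary junk
                hits = scan_source(f.read(), rel)
            if hits:
                findings[rel] = hits
    return findings


def build_fixture():
    """Constructed web root: a benign storefront page, a shell under images/, a dropper, an uploader."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php require('includes/application_top.php'); echo 'store'; ?>",
        "images/thumb.php": "<?php /* c99shell v.1.0 */ if (isset($_POST['cmd'])) { passthru($_POST['cmd']); } ?>",
        "includes/footer.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",  # decodes to: echo 'hi';
        "admin/up.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>",
    }
    for rel, src in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(src)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_fixture()).items()):
        print(f"{rel:22} {', '.join(hits)}")
```

Point scan_tree() at a fresh FTP mirror of the site rather than running it on the live box, and compare any flagged core file against a clean Zen Cart download of the same version before deleting it; the eval/base64 pattern also turns up in a few legitimately obfuscated plugins, so read the file before acting on a hit.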


#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 February 2011 - 08:43 AM

You're welcome. :thumbup2:

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Be sure to completely uninstall CA-Antivirus first.

Please download and install Microsoft Security Essentials
http://www.microsoft.com/security_essentials/

After successful installation please run a scan and alert me if there are any detections.

In order to post those detections please do this...

  • Please double click the MSE icon in the lower right system tray.
  • Click History
  • Maximize the screen
  • Highlight everything from "Category to Items"
  • Press Ctrl + C to copy
  • Right click and copy/paste the results here for my review like this...

Category: Worm

Description: This program is dangerous and self-propagates over a network connection.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{B04E09D2-291E-48C5-8B63-540F8072E110}-vundo.exe
webfile:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{B04E09D2-291E-48C5-8B63-540F8072E110}-vundo.exe|http://www.bleepingcomputer.com/mrc/download.php?file=28359


Regards,
thcbytes

#12 Mac John

Mac John
  • Topic Starter

  • Members
  • 6 posts

Posted 06 February 2011 - 06:28 PM

No detections found in "Microsoft Security Essentials". I had actually followed a different forum (on the CA website) to COMPLETELY remove CA when I first had trouble removing it.

MBAM report is as follows, thanks!


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5697

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/02/2011 10:23:16 AM
mbam-log-2011-02-07 (10-23-16).txt

Scan type: Quick scan
Objects scanned: 184909
Time elapsed: 37 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VideoEgg.ActiveXLoader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/Publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 07 February 2011 - 04:36 PM

Hello,

Congratulations! You now appear clean!

**********

Please pay particularly close attention to the instructions that follow. To neglect these steps risks needless reinfection!

**********

Are things running okay? Do you have any more questions?

**********

  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



  • The following will implement some very important cleanup procedures as well as reset System Restore points.

**********

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

**********

Please right click and delete any remaining tools you downloaded for cleanup. Do not forget to turn your AV's real-time protection back on.

**********

Recommendations


Below are some recommendations to lower your chances of (re)infection.


  • Have one antivirus application installed and running at all times.

  • Avoid file sharing, P2P, illegal downloads or rogue sites. This is a sure way to get severely infected.

  • Install an Anti-Spyware program, and update it regularly

    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.

  • Prevention article: To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

  • Keep your other software up to date as well. Periodically run the Secunia Online Software Inspector (OSI).

  • Consider Firefox as your primary browser. It's safer, fast and secure!

  • Install WOT. Never inadvertently surf to a dangerous website again.

  • Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  • Stay up to date!

    Again the MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Good luck & safe surfing,
Kind Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#14 Mac John

Mac John
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:09 PM

Posted 08 February 2011 - 06:28 PM

Thanks very much thcbytes!

One issue remaining... whenever I run Internet Explorer 8 (single window, single tab) I still have two iexplore.exe processes running in Task Manager.

Seeing how I've now been given a "clean bill of health" at least I know it's not malware causing this. Would it be safe to say that this issue is a Windows XP SP3 issue? I know we are now stepping outside of the initial "malware hunt", but if there's anything else you could suggest as to the cause of this, that would be great.

Cheers,

Mac

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:11:09 PM

Posted 08 February 2011 - 09:18 PM

You're correct. It might be outside my expertise. I opened IE8 and noted 2 iexplore.exe's running also. Nevertheless it might be worth posting in the Windows XP thread here at BC.

Try this...

Download and run Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653

  • Open an instance of IE
  • Single click iexplore.exe in Process Explorer
  • Press View
  • Then check Show lower panel
  • Then choose Lower Panel View and then DLLs
  • Next press the Save button and save it as iexplore dlls to your desktop (this will save the iexplore entry with all the associated DLLs)
  • Next choose View, then Lower Panel View, and then Handles
  • Again press the Save button and save it to your desktop as iexplore handles
Copy and paste both logs here.

Regards,
thcbytes
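A scripted counterpart to the Process Explorer steps above, added here as an example and not part of the thread. It enumerates every iexplore.exe process, prints each one's parent PID (IE8 runs tabs in child processes of the frame process, so a second iexplore.exe whose parent is the first is expected rather than suspicious), and lists the loaded modules, flagging any DLL that lives outside the Windows or Program Files trees along with its Authenticode status. It assumes Windows XP SP3 with PowerShell 2.0 installed and one IE8 window open; the output file name is my choice.

```powershell
# Added example, not from the original post. Lists iexplore.exe processes,
# their parent PIDs and loaded DLLs, flagging DLLs outside the usual trees.
# Assumes Windows XP SP3 with PowerShell 2.0 and IE8 running.

$windir    = $env:SystemRoot
$progfiles = $env:ProgramFiles

function Get-IexploreReport {
    $procs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Output "No iexplore.exe processes are running."
        return
    }
    foreach ($p in $procs) {
        # Get-Process in PowerShell 2.0 does not expose the parent PID; WMI does.
        $wmi = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.Id)"
        Write-Output ("PID {0}  parent {1}  started {2}" -f $p.Id, $wmi.ParentProcessId, $p.StartTime)
        Write-Output ("  cmdline: {0}" -f $wmi.CommandLine)

        foreach ($m in $p.Modules) {
            $path = $m.FileName
            $inTrustedTree = ($path -like "$windir\*") -or ($path -like "$progfiles\*")
            # Many XP system DLLs are catalog-signed rather than embedded-signed,
            # so a status of NotSigned by itself is not proof of tampering; the
            # path check is the primary triage signal.
            $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
            $flag = ""
            if (-not $inTrustedTree) { $flag = "  <-- outside Windows/Program Files" }
            Write-Output ("    {0,-28} {1,-12} {2}{3}" -f $m.ModuleName, $sig, $path, $flag)
        }
        Write-Output ""
    }
}

# Hypothetical output file; paste its contents into the thread.
Get-IexploreReport | Out-File -FilePath "$env:USERPROFILE\Desktop\iexplore_modules.txt"
Get-Content "$env:USERPROFILE\Desktop\iexplore_modules.txt"
```

Run it from a PowerShell prompt with IE8 open. Read the parent column first: if the second iexplore.exe lists the first one's PID as its parent, that is IE8's normal frame/tab split. Any flagged DLL is what to look at next; the Handles view from Process Explorer has no direct equivalent here and still needs the GUI steps above.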



