
Spyware found


  • This topic is locked
57 replies to this topic

#1 Pizza and Pepsi (Members, 277 posts, Location: CA)

Posted 05 April 2012 - 06:11 PM

I scanned with the freeware version of Emsisoft and it found 4 traces:



Emsisoft Anti-Malware - Version 6.0
Last update: 4/5/2012 1:16:47 PM

Scan settings:

Scan type: Quick Scan
Objects: Rootkits, Memory, Traces
Scan archives: Off
ADS Scan: On

Scan start: 4/5/2012 3:44:32 PM

Value: hkey_classes_root\clsid\{6434afda-bd68-492f-9a46-58e0160bde6b}\inprocserver32 --> threadingmodel detected: Trace.Registry.spywarebot 3.6!E1
Value: hkey_local_machine\software\classes\clsid\{6434afda-bd68-492f-9a46-58e0160bde6b}\inprocserver32 --> threadingmodel detected: Trace.Registry.spywarebot 3.6!E1
Key: hkey_local_machine\software\microsoft\windows\currentversion\iconfsd detected: Trace.Registry.maxspywaredetector!E1
Key: hkey_local_machine\system\currentcontrolset\services\sdmanager detected: Trace.Registry.maxspywaredetector!E1

Scanned 467501
Found 4

Scan end: 4/5/2012 3:52:50 PM
Scan time: 0:08:18




I decided to leave these objects and scanned with malwarebytes. MBAM found nothing.




Here is the dds log:



.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_26
Run by Ken at 16:17:31 on 2012-04-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1521 [GMT -7:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\PIEngineering\X-keys\XKWdkApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\PGA0F5.EXE
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [X-keys Programming] c:\program files\piengineering\x-keys\XKWdkApp.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Video Converter... - c:\program files\media player utilities 5.20\aviconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: eset.com\go
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://tmos.dpns.ais.ucla.edu/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B71C78A1-D096-4D44-B5D2-754D11E381EE} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ken\application data\mozilla\firefox\profiles\98uvwq8p.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2012-4-5 17904]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2012-4-5 3025112]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2007-7-18 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2007-7-18 36624]
S1 mailKmd;mailKmd; [x]
S1 SDManager;SDManager; [x]
S2 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2012-4-5 51632]
S3 cpuz132;cpuz132;\??\c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\garena classic\safedrv.sys --> f:\garena classic\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-7-29 2343]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-7-18 575064]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 18:06:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 16:18:00.71 ===============




Thank you in advance for your assistance.

Edited by Pizza and Pepsi, 05 April 2012 - 06:20 PM.

Malware shall not pass!
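A DDS log like the one above is read by a helper for a handful of things before anything else: autostart entries whose DLL is gone, service entries with no image path or with a file that cannot be found, and binaries executing out of a temp directory. The following is an added example, not code from the thread or from the DDS tool: a Python function that applies those checks to DDS-style lines. The sample lines are copied from the log posted above. One assumption is labelled in the code: the trailing `[?]` marker on a service line is read here as "file could not be found", and `[x]` as "no image path", which is how the entries in this log read.

```python
import re

# Added example, not part of the thread or of the DDS tool: flag the
# entries in a DDS-style log that a malware-removal helper looks at first.
# Markers on DDS service lines, as read here (an assumption about DDS):
#   "[x]" = the service key has no image path
#   "[?]" = the image path is set but the file could not be found

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# e.g. "R2 AWService;AdminWorks Agent X6;c:\acer\...\admServ.exe [2005-10-24 1314816]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
PATH_LINE_RE = re.compile(r"^[A-Za-z]:\\")  # a bare path is a running-process line

# Sample lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TEMP\PGA0F5.EXE
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
S1 mailKmd;mailKmd; [x]
S1 SDManager;SDManager; [x]
S2 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
"""


def triage(log_text):
    """Return the suspicious entries of a DDS-style log, grouped by reason."""
    findings = {
        "orphan_autostart": [],      # BHO/TB CLSID still registered, DLL gone
        "service_no_image": [],      # service key with no ImagePath at all
        "service_file_missing": [],  # ImagePath set, file not on disk
        "temp_binaries": [],         # anything loaded from a temp directory
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            m = CLSID_RE.search(line)
            kind = line[:line.index(":")]
            findings["orphan_autostart"].append(f"{kind} {m.group(0) if m else line}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, rest = m.groups()
            rest = rest.strip()
            if rest == "[x]":
                findings["service_no_image"].append(name)
            elif rest.endswith("[?]"):
                findings["service_file_missing"].append(name)
            if "\\temp\\" in rest.lower():
                findings["temp_binaries"].append(name)
            continue
        if PATH_LINE_RE.match(line) and "\\temp\\" in line.lower():
            findings["temp_binaries"].append(line)
    return findings


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{reason:22} {item}")
```

On the sample, the two orphaned BHO/toolbar CLSIDs, the two `[x]` services (mailKmd, SDManager), the two `[?]` drivers (vsdatant, cpuz132) and the two temp-resident binaries (PGA0F5.EXE and the cpuz132 driver) come out, which is the same set the helper acts on in this thread.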

#2 Pizza and Pepsi (Topic Starter)

Posted 06 April 2012 - 05:53 PM

Here is the MBAM scan log:


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.06.08

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.11
Ken :: ACER-684C9A655D [administrator]

4/6/2012 3:30:23 PM
mbam-log-2012-04-06 (15-30-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 210560
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#3 Pizza and Pepsi (Topic Starter)

Posted 07 April 2012 - 12:05 AM

Besides what emisoft found, there have been no symptoms of malware.

#4 nasdaq (Malware Response Team, 39,512 posts, Location: Montreal, QC. Canada)

Posted 11 April 2012 - 09:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please boot to Safe Mode and delete all the files in this \temp\ folder in bold.

C:\WINDOWS\TEMP\PGA0F5.EXE <- all files should be deleted.

Restart the computer normally.
===


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#5 Pizza and Pepsi (Topic Starter)

Posted 11 April 2012 - 05:20 PM

Thanks for taking the time to help me with my issue.


Here is the Combofix log:


ComboFix 12-04-11.03 - Ken 04/11/2012 15:00:52.10.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1664 [GMT -7:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-09 22:35 . 2012-04-09 22:35 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\NPE
2012-04-09 22:35 . 2012-04-09 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-04-06 16:22 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-04-06 16:22 . 2012-04-06 16:22 -------- d-----w- c:\program files\VS Revo Group
2012-04-05 19:55 . 2012-04-05 19:55 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-04-05 19:09 . 2012-04-05 19:09 -------- d-----w- c:\program files\CCleaner
2012-04-03 21:10 . 2012-04-03 21:10 -------- d-----w- c:\documents and settings\Ken\Application Data\Malwarebytes
2012-04-03 19:22 . 2012-04-03 19:22 -------- d-----w- c:\documents and settings\Ken\Application Data\f-secure
2012-04-02 19:25 . 2012-04-02 19:25 -------- d-----w- c:\documents and settings\Ken\Application Data\CCleanup
2012-03-29 21:50 . 2012-03-29 21:50 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\Unity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-04-10 23:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-07-18 710000]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"X-keys Programming"="c:\program files\PIEngineering\X-keys\XKWdkApp.exe" [2001-11-20 422400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHM Reminders.lnk]
path=
backup=c:\windows\pss\PHM Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STK017 PNP Monitor.lnk]
path=
backup=c:\windows\pss\STK017 PNP Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 23:45 2462208 ----a-w- c:\acer\Empowering Technology\admtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 06:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
2003-09-16 21:28 20480 ----a-w- c:\program files\Launch Manager\CtrlVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-07-26 18:36 69632 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2006-01-02 17:31 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-07 05:10 98304 ----a-w- c:\program files\Lexmark 2400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-02-02 08:11 290816 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-08-24 19:47 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-08-24 19:51 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-08-24 19:50 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 20:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-11-08 17:45 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2005-07-25 17:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-01-22 17:45 286720 ----a-w- c:\program files\Lexmark 2400 Series\lxcrmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-09-01 02:59 147456 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
2002-08-30 22:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
2005-05-20 00:09 32768 ----a-w- c:\windows\RUNXMLPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 18:01 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-04 18:11 708698 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-04 18:12 102490 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2005-11-08 17:19 81920 ----a-w- c:\program files\Launch Manager\WButton.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2005-04-23 02:49 397312 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"NACAgent"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Symantec Core LC"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19532:TCP"= 19532:TCP:Trend Micro OfficeScan Listener
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [4/5/2012 12:55 PM 17904]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [7/18/2007 9:58 AM 36624]
S1 mailKmd;mailKmd; [x]
S1 SDMANAGER;SDManager; [x]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [7/18/2007 9:58 AM 262416]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [4/5/2012 12:55 PM 51632]
S3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [4/5/2012 12:55 PM 3025112]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\garena classic\safedrv.sys --> f:\garena classic\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [7/29/2006 6:12 PM 2343]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2012 9:22 AM 27064]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/18/2007 9:58 AM 575064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Video Converter... - c:\program files\Media Player Utilities 5.20\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\qvwey3tk.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-NACAgentUI - c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\update\realsched.exe
MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 15:05
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService32]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-11 15:06:57
ComboFix-quarantined-files.txt 2012-04-11 22:06
.
Pre-Run: 3,565,010,944 bytes free
Post-Run: 3,526,967,296 bytes free
.
- - End Of File - - 8457619CA82F799308F545BFE12275A9




Here is the security check log:



Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Trend Micro OfficeScan Client
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java DB 10.5.3.0
Java™ 6 Update 26
Java™ SE Development Kit 6 Update 20
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.1)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Trend Micro OfficeScan Client pccntmon.exe
``````````End of Log````````````

#6 Pizza and Pepsi (Topic Starter)

Posted 11 April 2012 - 10:55 PM

Sometimes a random DDS popup appears and says that 2 logs have been created. I click ok and no logs appear. I did not even run DDS, so why was there a message?

#7 nasdaq (Malware Response Team)

Posted 12 April 2012 - 07:51 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26


You can also remove these two programs unless you need them for developing Java applications.
Java DB 10.5.3.0
Java™ SE Development Kit 6 Update 20


==

You have run the DDS tool once and submitted the log.
You can remove it also. I do not think this will be shown on your Add/Remove programs list.
Just delete all of the items installed with this application.

Let me know of any other issues with this computer.

#8 Pizza and Pepsi (Topic Starter)

Posted 12 April 2012 - 05:05 PM

When trying to uninstall Java™ 6 Update 26, I get the error " Error 1606 Could not access the network location".

Should I try to uninstall it using revo uninstaller?


Emsisoft still says that there are traces:


Emsisoft Anti-Malware - Version 6.0
Last update: 4/5/2012 1:16:47 PM

Scan settings:

Scan type: Quick Scan
Objects: Rootkits, Memory, Traces
Scan archives: Off
ADS Scan: On

Scan start: 4/12/2012 3:01:50 PM

Value: hkey_classes_root\clsid\{6434afda-bd68-492f-9a46-58e0160bde6b}\inprocserver32 --> threadingmodel detected: Trace.Registry.spywarebot 3.6!E1
Value: hkey_local_machine\software\classes\clsid\{6434afda-bd68-492f-9a46-58e0160bde6b}\inprocserver32 --> threadingmodel detected: Trace.Registry.spywarebot 3.6!E1
Key: hkey_local_machine\software\microsoft\windows\currentversion\iconfsd detected: Trace.Registry.maxspywaredetector!E1
Key: hkey_local_machine\system\currentcontrolset\services\sdmanager detected: Trace.Registry.maxspywaredetector!E1

Scanned 467601
Found 4

Scan end: 4/12/2012 3:04:36 PM
Scan time: 0:02:46

#9 nasdaq (Malware Response Team)

Posted 13 April 2012 - 09:05 AM

When trying to uninstall Java™ 6 Update 26, I get the error " Error 1606 Could not access the network location".

Should I try to uninstall it using revo uninstaller?

Yes.

Before we remove the CLSID keys found by Emsisoft I want to make sure nothing important will be removed.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B} /sub
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IConfSD /sub
    hkey_local_machine\system\currentcontrolset\services\sdmanager /sub


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#10 Pizza and Pepsi (Topic Starter)

Posted 13 April 2012 - 05:07 PM

Here is the log from Systemlook:



SystemLook 30.07.11 by jpshortstuff
Log created at 15:06 on 13/04/2012 by Ken
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}]
@="MD5 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\InprocServer32]
@="C:\WINDOWS\system32\XMD5.dll"
"threadingmodel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\ProgID]
@="XStandard.MD5.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\Programmable]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\TypeLib]
@="{58C12974-2DA8-4276-8BFF-0B0815DC33E7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\VersionIndependentProgID]
@="XStandard.MD5"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IConfSD]
"A"="0"
"B"=""
"Size"= 0x0000000002 (2)
"DD"= 0x0000000000 (0)
"MM"= 0x0000000000 (0)
"YY"= 0x0000000000 (0)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sdmanager]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"DisplayName"="SDManager"
"Group"="Boot Bus Extender"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sdmanager\ENUM]
"0"="Root\LEGACY_SDMANAGER\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)


-= EOF =-
Malware shall not pass!
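The SystemLook pass above is the right instinct: resolve what a flagged CLSID and service key actually point to before deleting them (here, a COM class named "MD5 Class" backed by XMD5.dll, and a driver entry with no image and INITSTARTFAILED set). The read-only PowerShell triage below is an added example, not part of the thread and not SystemLook's or ComboFix's code; it assumes Windows PowerShell 3.0 or later and read access to HKLM, and the function names are my own.

```powershell
# Added example: read-only triage of registry keys an AV flagged, run before
# deciding whether to delete them. Nothing here writes to the registry.
# Assumes Windows PowerShell 3.0+ (for [pscustomobject]) and HKLM read access.

$StartTypes   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
$ServiceTypes = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }

function Get-DefaultValue {
    # The key's default value, or $null when the key or the value is absent.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

function Resolve-ImagePath {
    # Normalise the path forms found in InprocServer32 and ImagePath values:
    # quotes, %SystemRoot%-style variables, the \??\ and \SystemRoot prefixes
    # and SystemRoot-relative driver paths. Command-line arguments after an
    # executable are not stripped; this is aimed at DLLs and driver files.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:' -and $p -notmatch '^\\\\') {
        $p = Join-Path $env:SystemRoot $p          # e.g. system32\drivers\x.sys
    }
    return $p
}

function Get-ClsidTriage {
    # What a CLSID registers: friendly name, ProgID, in-process DLL, whether
    # that DLL exists on disk and whether it carries a valid Authenticode signature.
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $base = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Clsid = $Clsid; Present = $false }
    }
    $srv = Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue
    $dll = Resolve-ImagePath $srv.'(default)'
    $exists = $false; $sig = 'n/a'; $signer = $null
    if ($dll) {
        $exists = Test-Path -LiteralPath $dll
        if ($exists) {
            $s = Get-AuthenticodeSignature -FilePath $dll
            $sig = $s.Status.ToString()
            if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
        }
    }
    $notes = @()
    if (-not $srv)        { $notes += 'no InprocServer32: not an in-process COM server' }
    elseif (-not $exists) { $notes += 'InprocServer32 DLL missing on disk: orphaned registration' }
    elseif ($sig -ne 'Valid') { $notes += "DLL present but signature status is $sig" }

    [pscustomobject]@{
        Clsid          = $Clsid
        Present        = $true
        Name           = Get-DefaultValue $base
        ProgId         = Get-DefaultValue "$base\ProgID"
        Dll            = $dll
        DllExists      = $exists
        Signature      = $sig
        Signer         = $signer
        ThreadingModel = $srv.ThreadingModel
        Notes          = ($notes -join '; ')
    }
}

function Get-ServiceKeyTriage {
    # Same idea for a service or driver key: what it would load, when it would
    # load, and whether Windows already recorded a failed initialisation.
    param([Parameter(Mandatory = $true)][string]$Name)

    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Service = $Name; Present = $false }
    }
    $svc   = Get-ItemProperty $base
    $enum  = Get-ItemProperty "$base\Enum" -ErrorAction SilentlyContinue
    $image = Resolve-ImagePath $svc.ImagePath

    $notes = @()
    if (-not $svc.ImagePath) { $notes += 'no ImagePath: nothing can be loaded from this entry' }
    elseif (-not (Test-Path -LiteralPath $image)) { $notes += 'ImagePath points to a missing file' }
    if ($enum -and $enum.INITSTARTFAILED) { $notes += 'INITSTARTFAILED set: driver failed to initialise at last boot' }

    [pscustomobject]@{
        Service     = $Name
        Present     = $true
        DisplayName = $svc.DisplayName
        Type        = $ServiceTypes[[int]$svc.Type]
        Start       = $StartTypes[[int]$svc.Start]
        Group       = $svc.Group
        ImagePath   = $image
        Notes       = ($notes -join '; ')
    }
}

# The three keys from this thread, inspected read-only.
Get-ClsidTriage '{6434AFDA-BD68-492F-9A46-58E0160BDE6B}' | Format-List
Get-ServiceKeyTriage 'sdmanager' | Format-List
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\IConfSD' -ErrorAction SilentlyContinue |
    Select-Object * -ExcludeProperty PS* | Format-List
```

A CLSID whose DLL is present and validly signed by a known vendor is usually a leftover of a legitimate component; a service entry with no ImagePath, a System start type and INITSTARTFAILED set, as sdmanager shows above, cannot load anything and is safe to clean.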

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 AM

Posted 14 April 2012 - 07:36 AM

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IConfSD]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sdmanager]


Save this as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#12 Pizza and Pepsi

Pizza and Pepsi
  • Topic Starter

  • Members
  • 277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CA
  • Local time:08:54 PM

Posted 14 April 2012 - 03:51 PM

ComboFix 12-04-11.03 - Ken 04/14/2012 13:30:59.11.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1662 [GMT -7:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-09 22:35 . 2012-04-09 22:35 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\NPE
2012-04-09 22:35 . 2012-04-09 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-04-06 16:22 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-04-06 16:22 . 2012-04-06 16:22 -------- d-----w- c:\program files\VS Revo Group
2012-04-05 19:55 . 2012-04-05 19:55 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-04-05 19:09 . 2012-04-05 19:09 -------- d-----w- c:\program files\CCleaner
2012-04-03 21:10 . 2012-04-03 21:10 -------- d-----w- c:\documents and settings\Ken\Application Data\Malwarebytes
2012-04-03 19:22 . 2012-04-03 19:22 -------- d-----w- c:\documents and settings\Ken\Application Data\f-secure
2012-04-02 19:25 . 2012-04-02 19:25 -------- d-----w- c:\documents and settings\Ken\Application Data\CCleanup
2012-03-29 21:50 . 2012-03-29 21:50 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\Unity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 23:01 . 2010-07-01 19:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-13 23:01 . 2010-04-28 18:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 01:25 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 01:25 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-03-01 01:25 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 01:25 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2012-02-29 14:10 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 04:39 . 2012-04-14 00:31 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-11_22.05.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-14 18:57 . 2012-04-14 18:57 16384 c:\windows\temp\Perflib_Perfdata_774.dat
+ 2004-08-04 12:00 . 2012-03-01 01:25 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 44544 c:\windows\system32\pngfilt.dll
- 2006-11-08 04:03 . 2011-12-19 07:13 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 04:03 . 2012-03-01 01:25 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 27648 c:\windows\system32\jsproxy.dll
+ 2006-11-07 10:26 . 2012-02-29 12:16 13824 c:\windows\system32\ieudinit.exe
- 2006-11-07 10:26 . 2011-12-16 11:22 13824 c:\windows\system32\ieudinit.exe
- 2004-08-04 12:00 . 2011-12-19 07:13 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2012-02-29 12:16 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-04 12:00 . 2011-12-16 11:22 70656 c:\windows\system32\ie4uinit.exe
- 2006-10-17 18:58 . 2011-12-19 07:13 63488 c:\windows\system32\icardie.dll
+ 2006-10-17 18:58 . 2012-03-01 01:25 63488 c:\windows\system32\icardie.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-10 02:19 . 2011-12-19 07:13 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-10 02:19 . 2012-03-01 01:25 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-05-10 02:19 . 2012-02-29 12:16 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-05-10 02:19 . 2011-12-16 11:22 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2004-08-04 12:00 . 2012-03-01 01:25 44544 c:\windows\system32\dllcache\iernonce.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 18:09 . 2011-12-19 07:13 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 18:09 . 2012-03-01 01:25 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-04 12:00 . 2012-02-29 12:16 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-04 12:00 . 2011-12-16 11:22 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2011-12-19 07:13 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2012-03-01 01:25 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-06-29 16:12 . 2011-12-19 07:13 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-06-29 16:12 . 2012-03-01 01:25 17408 c:\windows\system32\dllcache\corpol.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 44544 c:\windows\ie7updates\KB2675157-IE7\pngfilt.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 52224 c:\windows\ie7updates\KB2675157-IE7\msfeedsbs.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 27648 c:\windows\ie7updates\KB2675157-IE7\jsproxy.dll
+ 2012-04-12 21:45 . 2011-12-16 11:22 13824 c:\windows\ie7updates\KB2675157-IE7\ieudinit.exe
+ 2012-04-12 21:45 . 2011-12-19 07:13 44544 c:\windows\ie7updates\KB2675157-IE7\iernonce.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 78336 c:\windows\ie7updates\KB2675157-IE7\ieencode.dll
+ 2012-04-12 21:45 . 2011-12-16 11:22 70656 c:\windows\ie7updates\KB2675157-IE7\ie4uinit.exe
+ 2012-04-12 21:45 . 2011-12-19 07:13 63488 c:\windows\ie7updates\KB2675157-IE7\icardie.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 17408 c:\windows\ie7updates\KB2675157-IE7\corpol.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 106496 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 106496 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 671232 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 193024 c:\windows\system32\msrating.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 478720 c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 478720 c:\windows\system32\mshtmled.dll
+ 2006-11-08 04:03 . 2012-03-01 01:25 468480 c:\windows\system32\msfeeds.dll
- 2006-11-08 04:03 . 2011-12-19 07:13 468480 c:\windows\system32\msfeeds.dll
- 2011-08-21 02:30 . 2011-05-04 11:52 157472 c:\windows\system32\javaws.exe
+ 2012-04-13 23:01 . 2012-04-13 23:01 157472 c:\windows\system32\javaws.exe
+ 2012-04-13 23:01 . 2012-04-13 23:01 149280 c:\windows\system32\javaw.exe
+ 2012-04-13 23:01 . 2012-04-13 23:01 149280 c:\windows\system32\java.exe
- 2006-10-17 18:57 . 2011-12-19 07:13 268288 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:57 . 2012-03-01 01:25 268288 c:\windows\system32\iertutil.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 192512 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 384512 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 384512 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 18:27 . 2012-03-01 01:25 380928 c:\windows\system32\ieapfltr.dll
- 2006-10-17 18:27 . 2011-12-19 07:13 380928 c:\windows\system32\ieapfltr.dll
- 2004-08-04 12:00 . 2011-12-16 09:58 161792 c:\windows\system32\ieakui.dll
+ 2004-08-04 12:00 . 2012-02-29 10:59 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 230400 c:\windows\system32\ieaksie.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 133120 c:\windows\system32\extmgr.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 214528 c:\windows\system32\dxtrans.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 347136 c:\windows\system32\dxtmsft.dll
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2004-08-04 05:00 . 2011-12-19 07:13 832512 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 05:00 . 2012-03-01 01:25 832512 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-04 05:00 . 2011-12-19 07:13 106496 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 05:00 . 2012-03-01 01:25 106496 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 478720 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 478720 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-10 02:19 . 2012-03-01 01:25 468480 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-10 02:19 . 2011-12-19 07:13 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
+ 2004-08-04 12:00 . 2012-02-29 11:01 634680 c:\windows\system32\dllcache\iexplore.exe
- 2004-08-04 12:00 . 2011-12-16 10:00 634680 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-10 02:19 . 2012-03-01 01:25 268288 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-10 02:19 . 2011-12-19 07:13 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 192512 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 192512 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-05-10 02:19 . 2011-12-19 07:13 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-05-10 02:19 . 2012-03-01 01:25 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-04 12:00 . 2012-02-29 10:59 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2011-12-16 09:58 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 05:00 . 2011-12-19 07:13 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 05:00 . 2012-03-01 01:25 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 124928 c:\windows\system32\advpack.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 124928 c:\windows\system32\advpack.dll
+ 2012-04-13 23:02 . 2012-04-13 23:02 203776 c:\windows\Installer\41c4c2.msi
+ 2012-04-13 23:01 . 2012-04-13 23:01 901120 c:\windows\Installer\41c4b2.msi
+ 2012-04-12 21:45 . 2011-12-19 07:13 832512 c:\windows\ie7updates\KB2675157-IE7\wininet.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 233472 c:\windows\ie7updates\KB2675157-IE7\webcheck.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 106496 c:\windows\ie7updates\KB2675157-IE7\url.dll
+ 2012-04-12 21:45 . 2010-07-05 13:16 382840 c:\windows\ie7updates\KB2675157-IE7\spuninst\updspapi.dll
+ 2012-04-12 21:45 . 2010-07-05 13:15 231288 c:\windows\ie7updates\KB2675157-IE7\spuninst\spuninst.exe
+ 2012-04-12 21:45 . 2011-12-19 07:13 102912 c:\windows\ie7updates\KB2675157-IE7\occache.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 671232 c:\windows\ie7updates\KB2675157-IE7\mstime.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 193024 c:\windows\ie7updates\KB2675157-IE7\msrating.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 478720 c:\windows\ie7updates\KB2675157-IE7\mshtmled.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 468480 c:\windows\ie7updates\KB2675157-IE7\msfeeds.dll
+ 2012-04-12 21:45 . 2011-12-16 10:00 634680 c:\windows\ie7updates\KB2675157-IE7\iexplore.exe
+ 2012-04-12 21:45 . 2011-12-19 07:13 268288 c:\windows\ie7updates\KB2675157-IE7\iertutil.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 192512 c:\windows\ie7updates\KB2675157-IE7\iepeers.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 384512 c:\windows\ie7updates\KB2675157-IE7\iedkcs32.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 380928 c:\windows\ie7updates\KB2675157-IE7\ieapfltr.dll
+ 2012-04-12 21:45 . 2011-12-16 09:58 161792 c:\windows\ie7updates\KB2675157-IE7\ieakui.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 230400 c:\windows\ie7updates\KB2675157-IE7\ieaksie.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 153088 c:\windows\ie7updates\KB2675157-IE7\ieakeng.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 133120 c:\windows\ie7updates\KB2675157-IE7\extmgr.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 214528 c:\windows\ie7updates\KB2675157-IE7\dxtrans.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 347136 c:\windows\ie7updates\KB2675157-IE7\dxtmsft.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 124928 c:\windows\ie7updates\KB2675157-IE7\advpack.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 1168896 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 1168896 c:\windows\system32\urlmon.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 3616768 c:\windows\system32\mshtml.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 3616768 c:\windows\system32\mshtml.dll
+ 2006-11-08 04:03 . 2012-03-01 01:25 6076928 c:\windows\system32\ieframe.dll
- 2004-08-04 05:00 . 2011-12-19 07:13 1168896 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 05:00 . 2012-03-01 01:25 1168896 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00 . 2011-12-19 07:13 3616768 c:\windows\system32\dllcache\mshtml.dll
+ 2004-08-04 12:00 . 2012-03-01 01:25 3616768 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-10 02:19 . 2012-03-01 01:25 6076928 c:\windows\system32\dllcache\ieframe.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 1168896 c:\windows\ie7updates\KB2675157-IE7\urlmon.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 3616768 c:\windows\ie7updates\KB2675157-IE7\mshtml.dll
+ 2012-04-12 21:45 . 2011-12-19 07:13 6076416 c:\windows\ie7updates\KB2675157-IE7\ieframe.dll
+ 2007-01-22 17:59 . 2012-04-12 21:56 55154568 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-07-18 710000]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"X-keys Programming"="c:\program files\PIEngineering\X-keys\XKWdkApp.exe" [2001-11-20 422400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHM Reminders.lnk]
path=
backup=c:\windows\pss\PHM Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STK017 PNP Monitor.lnk]
path=
backup=c:\windows\pss\STK017 PNP Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 23:45 2462208 ----a-w- c:\acer\Empowering Technology\admtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 06:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtrlVol]
2003-09-16 21:28 20480 ----a-w- c:\program files\Launch Manager\CtrlVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-07-26 18:36 69632 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2006-01-02 17:31 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-07 05:10 98304 ----a-w- c:\program files\Lexmark 2400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-02-02 08:11 290816 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-08-24 19:47 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-08-24 19:51 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-08-24 19:50 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 20:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2005-11-08 17:45 69632 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2005-07-25 17:45 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-01-22 17:45 286720 ----a-w- c:\program files\Lexmark 2400 Series\lxcrmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-09-01 02:59 147456 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
2002-08-30 22:02 94208 ----a-w- c:\program files\Launch Manager\Powerkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
2005-05-20 00:09 32768 ----a-w- c:\windows\RUNXMLPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 18:01 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 21:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-04 18:11 708698 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-04 18:12 102490 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2005-11-08 17:19 81920 ----a-w- c:\program files\Launch Manager\WButton.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2005-04-23 02:49 397312 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"NACAgent"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Symantec Core LC"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19532:TCP"= 19532:TCP:Trend Micro OfficeScan Listener
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [4/5/2012 12:55 PM 17904]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [7/18/2007 9:58 AM 36624]
S1 mailKmd;mailKmd; [x]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [7/18/2007 9:58 AM 262416]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [4/5/2012 12:55 PM 51632]
S3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [4/5/2012 12:55 PM 3025112]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\garena classic\safedrv.sys --> f:\garena classic\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [7/29/2006 6:12 PM 2343]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2012 9:22 AM 27064]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/18/2007 9:58 AM 575064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Video Converter... - c:\program files\Media Player Utilities 5.20\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\04f1vmj1.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-14 13:36
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService32]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-14 13:37:51
ComboFix-quarantined-files.txt 2012-04-14 20:37
ComboFix2.txt 2012-04-11 22:06
.
Pre-Run: 3,048,210,432 bytes free
Post-Run: 3,013,853,184 bytes free
.
- - End Of File - - 7C34D43A9FAA03DAA66F987E39C4A65F
Malware shall not pass!

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 AM

Posted 15 April 2012 - 07:27 AM

Looking good.
Any remaining issues?

#14 Pizza and Pepsi

Pizza and Pepsi
  • Topic Starter

  • Members
  • 277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CA
  • Local time:08:54 PM

Posted 15 April 2012 - 10:53 PM

I want to make sure there is no malware, so I will post a new DDS and MBAM log by Monday evening (and anything else you may want me to use).
Malware shall not pass!

#15 Pizza and Pepsi

Pizza and Pepsi
  • Topic Starter

  • Members
  • 277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CA
  • Local time:08:54 PM

Posted 16 April 2012 - 07:34 PM

Here is the new DDS log:



.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_31
Run by Ken at 17:23:13 on 2012-04-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1378 [GMT -7:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {C516F58A-9C7C-4517-813C-608F6D4363CD}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\PIEngineering\X-keys\XKWdkApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\WIDE10.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [X-keys Programming] c:\program files\piengineering\x-keys\XKWdkApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Video Converter... - c:\program files\media player utilities 5.20\aviconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: eset.com\go
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://tmos.dpns.ais.ucla.edu/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B71C78A1-D096-4D44-B5D2-754D11E381EE} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ken\application data\mozilla\firefox\profiles\04f1vmj1.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2012-4-5 17904]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2007-7-18 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2007-7-18 36624]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-16 40776]
S1 mailKmd;mailKmd; [x]
S2 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2012-4-5 51632]
S3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2012-4-5 3025112]
S3 cpuz132;cpuz132;\??\c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ken\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\garena classic\safedrv.sys --> f:\garena classic\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-7-29 2343]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-4-6 27064]
S4 ImapiService32;IMAPI CD-Burning COM Service ; [x]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-7-18 575064]
.
=============== Created Last 30 ================
.
2012-04-16 23:15:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-16 23:15:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-16 23:15:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-16 23:11:31 -------- d-sh--w- C:\Recycled
2012-04-11 21:53:18 98816 ----a-w- c:\windows\sed.exe
2012-04-11 21:53:18 518144 ----a-w- c:\windows\SWREG.exe
2012-04-11 21:53:18 256000 ----a-w- c:\windows\PEV.exe
2012-04-11 21:53:18 208896 ----a-w- c:\windows\MBR.exe
2012-04-09 22:35:00 -------- d-----w- c:\documents and settings\ken\local settings\application data\NPE
2012-04-09 22:35:00 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-04-06 16:22:10 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-04-06 16:22:07 -------- d-----w- c:\program files\VS Revo Group
2012-04-05 19:55:07 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-04-05 19:09:04 -------- d-----w- c:\program files\CCleaner
2012-04-03 21:10:01 -------- d-----w- c:\documents and settings\ken\application data\Malwarebytes
2012-04-03 19:22:09 -------- d-----w- c:\documents and settings\ken\application data\f-secure
2012-04-02 19:25:41 -------- d-----w- c:\documents and settings\ken\application data\CCleanup
2012-03-29 21:50:40 -------- d-----w- c:\documents and settings\ken\local settings\application data\Unity
.
==================== Find3M ====================
.
2012-04-13 23:01:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-13 23:01:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 01:25:04 832512 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 01:25:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-03-01 01:25:04 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 01:25:04 17408 ----a-w- c:\windows\system32\corpol.dll
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:24:12.43 ===============

I ran a full MBAM scan and nothing was found.
Malware shall not pass!