

Computer problems - suspect an attack


Postby Nitro » Thu Mar 29, 2012 1:51 pm

Hi

I see there aren't a lot of recent posts here; however, Gecko has helped me in the past with HijackThis logs, so I hope you are still around!

I had some recent warnings from NOD32 and quarantined some files. Then I discovered, probably not by coincidence, that some [long-running] programs had stopped working. System Restore could not restore to any previous points for some reason, so I 'unquarantined' the suspect files in an attempt to get my programs working again. They were still not working, so I learned about trying System Restore in Safe Mode. I couldn't seem to access Safe Mode via F8 [?] on boot-up, so through msconfig.exe I told Windows to reboot into Safe Mode next time. Then came the BSOD on every boot-up, resulting in me taking the computer to a specialist who managed to cancel the 'Safe Mode' flag in 'boot.ini' and successfully run a fix of Windows.

This takes me to where I am now. I have no idea if malware caused the BSOD, but on some boot-ups I notice that neither Firefox nor Google Chrome will open, or if they do, they will not allow the opening of any websites in the search listings. I suspect foul play, so I have downloaded the latest HijackThis, and here is the log file:

[Note: I would be hesitant to attempt booting my computer in Safe Mode again at the moment, given that this seemed to cause the BSOD which I could not get around last time, at least until I have taken care of some important work; or, if using Safe Mode is essential, I will trust your judgement. I do intend to wipe my drive with a fresh install of Windows very soon, but until then, is there anything bad going on that I can take care of? Thank you!]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:37:09, on 29/03/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHLE.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Richard\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Richard\Local Settings\Application Data\xilqrlve\goddflfr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EPSON SX235 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHLE.EXE /FU "C:\DOCUME~1\Richard\LOCALS~1\Temp\E_S3040.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [GodDflfr] C:\Documents and Settings\Richard\Local Settings\Application Data\xilqrlve\goddflfr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 2.0.84.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4000930828
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwar ... /CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9436 bytes
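As an added illustration of why the goddflfr.exe entries above stand out (editor-added example code, not from the forum thread or from HijackThis itself): a small Python checker that reads HijackThis-style lines and flags the two persistence signals visible in the log, an extra path appended to the UserInit value and a Run entry whose target lives in a user-writable profile folder, scoring highest when the same executable appears in both. The sample lines are constructed from the entries quoted in the post; STANDARD_USERINIT and the USER_WRITABLE markers are this example's own assumptions about a stock Windows XP install.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis v2 log (copied in form from the post above).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Richard\Local Settings\Application Data\xilqrlve\goddflfr.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [GodDflfr] C:\Documents and Settings\Richard\Local Settings\Application Data\xilqrlve\goddflfr.exe
"""

# Assumption: on a stock Windows XP install this is the only program listed in UserInit.
STANDARD_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumption: directories a standard user can write to; an autorun living here deserves a second look.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    kind: str       # what was matched
    severity: str   # "high", "review" or "low"
    path: str       # executable the entry points at ("" when not applicable)
    line: str       # the log line that produced the finding


def first_path(command):
    """Pull the executable path out of a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted paths may contain spaces, so take everything up to the first ".exe".
    match = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def analyze(log_text):
    """Return a list of Finding objects for the persistence signals in a HijackThis log."""
    findings = []
    userinit_extras = []
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Anything besides the standard userinit.exe is loaded at every logon.
            value = line.split("UserInit=", 1)[1]
            for part in value.split(","):
                part = part.strip()
                if part and part.lower() != STANDARD_USERINIT:
                    userinit_extras.append(part)
                    findings.append(Finding("userinit_hijack", "high", part, line))
        elif line.startswith("O4 - ") and "\\Run: [" in line:
            command = line.split("] ", 1)[1]
            run_entries.append((first_path(command), line))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # Orphaned BHO registration: leftover clutter rather than an active threat.
            findings.append(Finding("orphan_bho", "low", "", line))
    extras_lower = {p.lower() for p in userinit_extras}
    for path, line in run_entries:
        low = path.lower()
        if low in extras_lower:
            # Same binary registered twice for persistence: strongest signal in the log.
            findings.append(Finding("run_and_userinit", "high", path, line))
        elif any(marker in low for marker in USER_WRITABLE):
            findings.append(Finding("profile_autorun", "review", path, line))
    return findings


def summarize(findings):
    """Count findings per kind, handy for a quick triage line."""
    return {f.kind: sum(1 for g in findings if g.kind == f.kind) for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.path or f.line}")
```

Legitimate updaters such as GoogleUpdate.exe also live under Local Settings\Application Data, which is why that bucket is only marked "review" and the UserInit correlation carries the weight.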

Re: Computer problems - suspect an attack

Postby Gecko » Fri Mar 30, 2012 2:20 pm

Hello Nitro,

There is one executable file running, goddflfr.exe, for which the only search results are your post here and the copy of this post on Bleeping Computer. That tells me it is most likely an infection of some type.

First, download ComboFix from Here to your desktop, but do not run it yet.
Second, download Malwarebytes from Here to your desktop, but do not run it yet.

Shut down all other programs and then run the ComboFix you saved to your desktop, following the prompts, including shutting down any active anti-virus program if needed. ComboFix might have to restart your system; if so, this will be automatic. Once ComboFix is finished it will produce a log; please post this log in your reply.
Now run Malwarebytes from your desktop; after the install, select to update and run, and after the update select "Full Scan". Again, once it has finished it will also produce a log; please post this log and the ComboFix log in your reply.

Re: Computer problems - suspect an attack

Postby Nitro » Thu Apr 05, 2012 5:36 pm

Hi Gecko

Sorry for delay in replying - been away a few days.

I followed your instructions: downloaded and ran ComboFix, then downloaded, updated and ran Malwarebytes [logs of both below].

Upon running ComboFix, an alert told me to disable NOD32 - I couldn't figure out a sure way of doing this [NOD32 wasn't supposed to be running at all, though it is my resident virus checker], so I just uninstalled it for now. Once this was done and registry cleaned, I clicked the 'OK' box for ComboFix to continue. The uninstallation process of NOD32 advised that a reboot was necessary, but I told it not to at that point to allow ComboFix to continue.

ComboFix said 'Windows Recovery Console' was not installed, so I allowed it to download and successfully install it.

I then ran Malwarebytes which came up with 14 suspected infections, which I assume you can see from the log. You did not say if I should 'Remove Selected', so for the moment I have left it in that state.

I will leave the computer and Malwarebytes on until you come back to me. Cheers for your help so far.


ComboFix 12-04-05.04 - Richard 05/04/2012 12:08:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2640 [GMT 1:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Richard\Desktop\Setup.exe
c:\documents and settings\Richard\GZsfEIVz2
c:\documents and settings\Richard\Local Settings\Application Data\apnloiwf.log
c:\documents and settings\Richard\Local Settings\Application Data\hpgxdkkq.log
c:\documents and settings\Richard\Local Settings\Application Data\igklykrn.log
c:\documents and settings\Richard\Local Settings\Application Data\jgabwruh.log
c:\documents and settings\Richard\Local Settings\Application Data\mybsidbl.log
c:\documents and settings\Richard\Local Settings\Application Data\tieywave.log
c:\documents and settings\Richard\Local Settings\Application Data\vbuvjyah.log
c:\documents and settings\Richard\My Documents\~WRL0004.tmp
c:\documents and settings\Richard\WINDOWS
C:\sooi832.bin
c:\sooi832.bin\0325C0D55867C47
c:\sooi832.bin\CA0A4982943.exe
c:\windows\iun6002.exe
c:\windows\MTUn4572.exe
c:\windows\SET10EB.tmp
c:\windows\SETBE8.tmp
c:\windows\system32\ClientSyncLoader.htm
c:\windows\system32\ClientSyncLoaderDriver.htm
c:\windows\system32\html
c:\windows\system32\html\blank.htm
c:\windows\system32\html\bot.htm
c:\windows\system32\html\innerframeset.htm
c:\windows\system32\html\left.htm
c:\windows\system32\html\main.htm
c:\windows\system32\html\middle.htm
c:\windows\system32\html\rightframeset.htm
c:\windows\system32\html\top.htm
c:\windows\system32\html\website.htm
c:\windows\system32\images
c:\windows\system32\images\3models.gif
c:\windows\system32\images\but3_off.gif
c:\windows\system32\images\but3_on.gif
c:\windows\system32\images\main_bot.gif
c:\windows\system32\images\main_mid.gif
c:\windows\system32\images\main_top.gif
c:\windows\system32\images\model1.gif
c:\windows\system32\images\panel_bot.gif
c:\windows\system32\images\panel_top.gif
c:\windows\system32\images\pc.gif
c:\windows\system32\images\pcw_award_cover.gif
c:\windows\system32\images\pcwcover.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\images\topoff.gif
c:\windows\system32\images\topon.gif
c:\windows\system32\images\webscreen.gif
.
.
((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
.
.
2017-08-17 16:06 . 2017-08-17 16:06 -------- d-----w- c:\program files\proDAD
2012-03-30 13:12 . 2012-03-30 13:12 1409 ----a-w- c:\windows\QTFont.for
2012-03-29 14:02 . 2012-03-29 14:35 226304 ---ha-w- c:\windows\system32\GZsfEIVz2
2012-03-29 13:41 . 2012-03-29 13:41 -------- d-----w- c:\documents and settings\Richard\Application Data\iZotope
2012-03-29 12:36 . 2012-03-29 12:36 388096 ----a-r- c:\documents and settings\Richard\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-29 12:36 . 2012-03-29 12:36 -------- d-----w- c:\program files\Trend Micro
2012-03-28 13:29 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-03-28 13:28 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-03-28 11:03 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-03-28 11:02 . 2008-04-14 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-03-28 10:32 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-03-28 10:32 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET16A.tmp
2012-03-28 10:31 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SET15E.tmp
2012-03-28 10:31 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SET15B.tmp
2012-03-27 02:11 . 2012-03-27 02:11 -------- d-----w- C:\i386
2012-03-17 17:36 . 2012-03-17 18:22 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\xilqrlve
2012-03-17 16:54 . 2012-03-17 16:54 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 16:54 . 2012-03-17 16:54 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 17:27 . 2011-05-23 17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-02 19:03 . 2012-02-02 19:07 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2012-02-02 19:03 . 2012-02-02 19:07 93696 ----a-w- c:\windows\system32\E_FLBHLE.DLL
2012-02-02 19:03 . 2012-02-02 19:07 63488 ----a-w- c:\windows\system32\E_FD4BHLE.DLL
2012-01-11 19:06 . 2012-02-15 11:43 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-11-05 03:10 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-17 16:54 . 2012-01-29 23:51 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2005-10-04 . 042AC20E084D21DD6BEE99B89CC30FB7 . 3015168 . . [6.00.2900.2769] . . c:\windows\$NtUninstallKB912812$\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB896688$\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\blueyonder Instant Support Tool.lnk
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 18:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 14:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2007-07-23 11:06 180224 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 00:00 45056 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 09:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-12-12 09:46 20480 ----a-w- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2006-05-22 13:26 694272 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-05-14 09:45 33624064 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-09-22 08:05 438359 ----a-w- c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-10-16 11:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-10-16 11:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-01-14 18:21 110744 ----a-w- c:\program files\CyberLink\PowerCinema\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 14:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2005-03-23 14:34 1630303 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 14:06 118784 ----a-w- c:\windows\system32\ptipbmf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 10:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
2005-06-16 17:25 49152 ----a-w- c:\program files\Creative\Shared Files\Module Loader\DLLML.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-11-25 09:19 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2005-07-11 10:34 122880 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
2004-06-08 18:33 69721 ----a-w- c:\program files\CyberLink\PowerBackup\PBKScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LexBceS"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26/04/2006 23:48 642560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/07/2006 22:44 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [31/03/2010 13:58 1358720]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [25/07/2006 15:56 16512]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [01/04/2010 16:38 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006UA.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\6i2xrjmt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox? ... B:official
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-UJ7J2I3X8GVFVFXER - c:\sooi832.bin\CA0A4982943.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
AddRemove-MadTracker 2 - c:\windows\MTUn4572.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-05 12:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0561C98C-9C16-1528-CD53-D97A84E0A2A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagieijlkfgcacekbi"=hex:6b,61,64,6a,62,6a,6f,62,6b,61,6f,63,62,61,66,6c,6e,6b,
6f,6b,70,6b,00,00
"haeihkmblmajfidb"=hex:6b,61,63,6a,67,67,65,6a,6b,6c,6f,69,6d,67,6f,67,62,65,
69,68,6e,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
.
**************************************************************************
.
Completion time: 2012-04-05 12:30:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-05 11:30
ComboFix2.txt 2008-12-23 16:13
.
Pre-Run: 19,649,327,104 bytes free
Post-Run: 20,385,021,952 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - F89FE7ACB09BB4DA153E29B092A0BFBC


--------------------------------------------------



Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.05.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Richard :: RAPSCALLION [administrator]

05/04/2012 12:38:02
mbam-log-2012-04-05 (17-26-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 657553
Time elapsed: 2 hour(s), 57 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\Program Files\Acoustica CD Label Maker\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Program Files\Mozilla Firefox\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Program Files\Avid\Avid Liquid 7\Program\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\GZsfEIVz2.vir (Virus.Ramnit) -> No action taken.
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP13\A0005903.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP15\A0006035.exe (Trojan.Agent.CK) -> No action taken.
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP2\A0001066.exe (Trojan.SpyEyes.H) -> No action taken.
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP5\A0004028.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{54C7A4C0-672A-400F-89D3-264781F4E928}\RP9\A0005263.exe (Trojan.SpyEyes.H) -> No action taken.
C:\WINDOWS\system32\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Documents and Settings\Richard\Desktop\GABLE\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Documents and Settings\Richard\Desktop\ORGANIZING\SOUND&MUSIC\GZsfEIVz2 (Virus.Ramnit) -> No action taken.
C:\Documents and Settings\Richard\Desktop\ORGANIZING\TOOLS\GZsfEIVz2 (Virus.Ramnit) -> No action taken.

(end)
Nitro
Newbie

Posts: 6
Joined: Thu Mar 29, 2012 1:39 pm

Thanks given:1
Thanks received:0

Re: Computer problems - suspect an attack

Postby Gecko » Fri Apr 06, 2012 2:08 am

Nitro,

By all means have Malwarebytes "Remove Selected"; sorry for not including that in my first post.
After Malwarebytes is finished, close it and create the following file:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.
Code:
    File::
    c:\windows\SET15E.tmp
    c:\windows\SET15B.tmp
    Folder::
    c:\windows\system32\GZsfEIVz2

Next I want you to reboot your system.
After the reboot I want you to drag then drop the CFScript file onto the ComboFix.exe icon, like this:
[Image: animation of dragging CFScript onto ComboFix.exe]
This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply, along with a new Malwarebytes log after you "Remove Selected" if it finds anything.
Gecko
Super Moderator

Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA

Thanks given:1
Thanks received:23

Re: Computer problems - suspect an attack

Postby Nitro » Tue Apr 10, 2012 1:01 pm

Followed your instructions, logs below. (I assume it was correct to save the Notepad CFScript as 'CFScript.txt' ('all files') and then drag and drop it onto ComboFix, as your animation suggests? I wasn't sure if I was to save it as 'CFScript.txt' or just 'CFScript' without any file extension suffix for it to work properly.)

Malwarebytes still found 2 issues relating to 'GZsfEIVz2' at last scan - told it to remove both, saved log, then rebooted.


ComboFix 12-04-05.04 - Richard 08/04/2012 12:55:07.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2709 [GMT 1:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
.
FILE ::
"c:\windows\SET15B.tmp"
"c:\windows\SET15E.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SET15B.tmp
c:\windows\SET15E.tmp
c:\windows\system32\SETA24.tmp
c:\windows\system32\SETA25.tmp
c:\windows\system32\SETA2D.tmp
c:\windows\system32\SETA2E.tmp
c:\windows\system32\SETA30.tmp
c:\windows\system32\SETA31.tmp
c:\windows\system32\SETA35.tmp
c:\windows\system32\SETA37.tmp
c:\windows\system32\SETA38.tmp
c:\windows\system32\SETA39.tmp
c:\windows\system32\SETA3A.tmp
c:\windows\system32\SETA3B.tmp
c:\windows\system32\SETA3C.tmp
c:\windows\system32\SETA3E.tmp
c:\windows\system32\SETA40.tmp
c:\windows\system32\SETA44.tmp
c:\windows\system32\SETA48.tmp
c:\windows\system32\SETA50.tmp
c:\windows\system32\SETA52.tmp
c:\windows\system32\SETA54.tmp
c:\windows\system32\SETA55.tmp
c:\windows\system32\SETA56.tmp
c:\windows\system32\SETA58.tmp
c:\windows\system32\SETA5A.tmp
c:\windows\system32\SETA5B.tmp
c:\windows\system32\SETA5F.tmp
c:\windows\system32\SETA61.tmp
c:\windows\system32\SETA62.tmp
c:\windows\system32\SETA68.tmp
c:\windows\system32\SETA73.tmp
c:\windows\system32\SETA76.tmp
c:\windows\system32\SETA77.tmp
c:\windows\system32\SETA78.tmp
c:\windows\system32\SETA7B.tmp
c:\windows\system32\SETA83.tmp
c:\windows\system32\SETA8A.tmp
c:\windows\system32\SETA8C.tmp
c:\windows\system32\SETA93.tmp
c:\windows\system32\SETA96.tmp
c:\windows\system32\SETA98.tmp
c:\windows\system32\SETAAD.tmp
c:\windows\system32\SETAB1.tmp
c:\windows\system32\SETAB3.tmp
c:\windows\system32\SETAB5.tmp
c:\windows\system32\SETABC.tmp
c:\windows\system32\SETAC1.tmp
c:\windows\system32\SETAD7.tmp
c:\windows\system32\SETADD.tmp
c:\windows\system32\SETADF.tmp
c:\windows\system32\SETAE0.tmp
c:\windows\system32\SETAE6.tmp
c:\windows\system32\SETAEA.tmp
c:\windows\system32\SETAF1.tmp
c:\windows\system32\SETAF4.tmp
c:\windows\system32\SETAF6.tmp
c:\windows\system32\SETAFC.tmp
c:\windows\system32\SETB05.tmp
c:\windows\system32\SETB06.tmp
c:\windows\system32\SETB0A.tmp
c:\windows\system32\SETB0C.tmp
c:\windows\system32\SETB0D.tmp
c:\windows\system32\SETB0E.tmp
c:\windows\system32\SETB1C.tmp
c:\windows\system32\SETB21.tmp
c:\windows\system32\SETB27.tmp
c:\windows\system32\SETB37.tmp
c:\windows\system32\SETB38.tmp
c:\windows\system32\SETB57.tmp
c:\windows\system32\SETB5A.tmp
c:\windows\system32\SETB5D.tmp
c:\windows\system32\SETB62.tmp
c:\windows\system32\SETB64.tmp
c:\windows\system32\SETB6B.tmp
c:\windows\system32\SETB6C.tmp
c:\windows\system32\SETB6D.tmp
c:\windows\system32\SETB6F.tmp
c:\windows\system32\SETB70.tmp
c:\windows\system32\SETB71.tmp
c:\windows\system32\SETB74.tmp
c:\windows\system32\SETB76.tmp
c:\windows\system32\SETB77.tmp
c:\windows\system32\SETB79.tmp
c:\windows\system32\SETB7C.tmp
c:\windows\system32\SETB7E.tmp
c:\windows\system32\SETB83.tmp
c:\windows\system32\SETB84.tmp
c:\windows\system32\SETB8C.tmp
c:\windows\system32\SETB93.tmp
c:\windows\system32\SETB98.tmp
c:\windows\system32\SETB9B.tmp
c:\windows\system32\SETB9E.tmp
c:\windows\system32\SETBA0.tmp
c:\windows\system32\SETBA4.tmp
c:\windows\system32\SETBA6.tmp
c:\windows\system32\SETBA7.tmp
c:\windows\system32\SETBAB.tmp
c:\windows\system32\SETBAC.tmp
c:\windows\system32\SETBB0.tmp
c:\windows\system32\SETBB1.tmp
c:\windows\system32\SETBB4.tmp
c:\windows\system32\SETBB6.tmp
c:\windows\system32\SETBBC.tmp
c:\windows\system32\SETBBF.tmp
c:\windows\system32\SETBC1.tmp
c:\windows\system32\SETBC4.tmp
c:\windows\system32\SETBC7.tmp
c:\windows\system32\SETBC9.tmp
c:\windows\system32\SETDA5.tmp
c:\windows\system32\SETDA6.tmp
c:\windows\system32\SETDA8.tmp
c:\windows\system32\SETDAA.tmp
c:\windows\system32\SETDAC.tmp
c:\windows\system32\SETDB3.tmp
c:\windows\system32\SETDB4.tmp
c:\windows\system32\SETDB7.tmp
c:\windows\system32\SETDBC.tmp
c:\windows\system32\SETDBD.tmp
c:\windows\system32\SETDBE.tmp
c:\windows\system32\SETDC0.tmp
c:\windows\system32\SETDC1.tmp
c:\windows\system32\SETDC2.tmp
c:\windows\system32\SETDC3.tmp
c:\windows\system32\SETDC4.tmp
c:\windows\system32\SETDC6.tmp
c:\windows\system32\SETDC7.tmp
c:\windows\system32\SETDC8.tmp
c:\windows\system32\SETDC9.tmp
c:\windows\system32\SETDCC.tmp
c:\windows\system32\SETDD3.tmp
c:\windows\system32\SETDD4.tmp
c:\windows\system32\SETDD5.tmp
c:\windows\system32\SETDD6.tmp
c:\windows\system32\SETDD9.tmp
c:\windows\system32\SETDDB.tmp
c:\windows\system32\SETDDD.tmp
c:\windows\system32\SETDE4.tmp
c:\windows\system32\SETDE7.tmp
c:\windows\system32\SETDE8.tmp
c:\windows\system32\SETDEA.tmp
c:\windows\system32\SETDEB.tmp
c:\windows\system32\SETDEC.tmp
c:\windows\system32\SETDEF.tmp
c:\windows\system32\SETDF1.tmp
c:\windows\system32\SETDF2.tmp
c:\windows\system32\SETDF3.tmp
c:\windows\system32\SETDF4.tmp
c:\windows\system32\SETDF5.tmp
c:\windows\system32\SETDFB.tmp
c:\windows\system32\SETE00.tmp
c:\windows\system32\SETE01.tmp
c:\windows\system32\SETE05.tmp
c:\windows\system32\SETE08.tmp
c:\windows\system32\SETE09.tmp
c:\windows\system32\SETE10.tmp
c:\windows\system32\SETE11.tmp
c:\windows\system32\SETE14.tmp
c:\windows\system32\SETE18.tmp
c:\windows\system32\SETE21.tmp
c:\windows\system32\SETE22.tmp
c:\windows\system32\SETE25.tmp
c:\windows\system32\SETE27.tmp
c:\windows\system32\SETE28.tmp
c:\windows\system32\SETE29.tmp
c:\windows\system32\SETE2A.tmp
c:\windows\system32\SETE2B.tmp
c:\windows\system32\SETE2C.tmp
c:\windows\system32\SETE3C.tmp
c:\windows\system32\SETE41.tmp
c:\windows\system32\SETE43.tmp
c:\windows\system32\SETE45.tmp
c:\windows\system32\SETE46.tmp
c:\windows\system32\SETE47.tmp
c:\windows\system32\SETE48.tmp
c:\windows\system32\SETE4A.tmp
c:\windows\system32\SETE4B.tmp
c:\windows\system32\SETE4F.tmp
c:\windows\system32\SETE50.tmp
c:\windows\system32\SETE54.tmp
c:\windows\system32\SETE55.tmp
c:\windows\system32\SETE5B.tmp
c:\windows\system32\SETE5C.tmp
c:\windows\system32\SETE5D.tmp
c:\windows\system32\SETE64.tmp
c:\windows\system32\SETE65.tmp
c:\windows\system32\SETE6B.tmp
c:\windows\system32\SETE6C.tmp
c:\windows\system32\SETE6D.tmp
c:\windows\system32\SETE6E.tmp
c:\windows\system32\SETE70.tmp
c:\windows\system32\SETE76.tmp
c:\windows\system32\SETE82.tmp
c:\windows\system32\SETE84.tmp
c:\windows\system32\SETE86.tmp
c:\windows\system32\SETE87.tmp
c:\windows\system32\SETE88.tmp
c:\windows\system32\SETE8B.tmp
c:\windows\system32\SETE93.tmp
c:\windows\system32\SETE95.tmp
c:\windows\system32\SETE96.tmp
c:\windows\system32\SETE99.tmp
c:\windows\system32\SETE9B.tmp
c:\windows\system32\SETE9F.tmp
c:\windows\system32\SETEB0.tmp
c:\windows\system32\SETEB1.tmp
c:\windows\system32\SETEB2.tmp
c:\windows\system32\SETEB9.tmp
c:\windows\system32\SETEBA.tmp
c:\windows\system32\SETEBD.tmp
c:\windows\system32\SETEBE.tmp
c:\windows\system32\SETEBF.tmp
c:\windows\system32\SETEC0.tmp
c:\windows\system32\SETEC1.tmp
c:\windows\system32\SETEC3.tmp
c:\windows\system32\SETEC4.tmp
c:\windows\system32\SETEC5.tmp
c:\windows\system32\SETEC7.tmp
c:\windows\system32\SETEC8.tmp
c:\windows\system32\SETEC9.tmp
c:\windows\system32\SETECC.tmp
c:\windows\system32\SETECF.tmp
c:\windows\system32\SETED4.tmp
c:\windows\system32\SETED5.tmp
c:\windows\system32\SETED6.tmp
c:\windows\system32\SETEDB.tmp
c:\windows\system32\SETEDC.tmp
c:\windows\system32\SETEDD.tmp
c:\windows\system32\SETEDF.tmp
c:\windows\system32\SETF03.tmp
c:\windows\system32\SETF05.tmp
c:\windows\system32\SETF06.tmp
c:\windows\system32\SETF09.tmp
c:\windows\system32\SETF0A.tmp
c:\windows\system32\SETF0D.tmp
c:\windows\system32\SETF10.tmp
c:\windows\system32\SETF11.tmp
c:\windows\system32\SETF13.tmp
c:\windows\system32\SETF18.tmp
c:\windows\system32\SETF1A.tmp
c:\windows\system32\SETF1D.tmp
c:\windows\system32\SETF21.tmp
c:\windows\system32\SETF23.tmp
c:\windows\system32\SETF24.tmp
c:\windows\system32\SETF27.tmp
c:\windows\system32\SETF28.tmp
c:\windows\system32\SETF30.tmp
c:\windows\system32\SETF31.tmp
c:\windows\system32\SETF33.tmp
c:\windows\system32\SETF34.tmp
c:\windows\system32\SETF38.tmp
c:\windows\system32\SETF3A.tmp
c:\windows\system32\SETF3B.tmp
c:\windows\system32\SETF3C.tmp
c:\windows\system32\SETF3D.tmp
c:\windows\system32\SETF3E.tmp
c:\windows\system32\SETF3F.tmp
c:\windows\system32\SETF41.tmp
c:\windows\system32\SETF43.tmp
c:\windows\system32\SETF47.tmp
c:\windows\system32\SETF4B.tmp
c:\windows\system32\SETF53.tmp
c:\windows\system32\SETF55.tmp
c:\windows\system32\SETF57.tmp
c:\windows\system32\SETF58.tmp
c:\windows\system32\SETF59.tmp
c:\windows\system32\SETF5B.tmp
c:\windows\system32\SETF5D.tmp
c:\windows\system32\SETF62.tmp
c:\windows\system32\SETF64.tmp
c:\windows\system32\SETF65.tmp
c:\windows\system32\SETF6B.tmp
c:\windows\system32\SETF76.tmp
c:\windows\system32\SETF79.tmp
c:\windows\system32\SETF7A.tmp
c:\windows\system32\SETF7B.tmp
c:\windows\system32\SETF7E.tmp
c:\windows\system32\SETF86.tmp
c:\windows\system32\SETF8D.tmp
c:\windows\system32\SETF8F.tmp
c:\windows\system32\SETF96.tmp
c:\windows\system32\SETF99.tmp
c:\windows\system32\SETF9B.tmp
c:\windows\system32\SETF9F.tmp
c:\windows\system32\SETFB0.tmp
c:\windows\system32\SETFB4.tmp
c:\windows\system32\SETFB6.tmp
c:\windows\system32\SETFB8.tmp
c:\windows\system32\SETFBF.tmp
c:\windows\system32\SETFC4.tmp
c:\windows\system32\SETFD7.tmp
c:\windows\system32\SETFDA.tmp
c:\windows\system32\SETFE0.tmp
c:\windows\system32\SETFE2.tmp
c:\windows\system32\SETFE3.tmp
c:\windows\system32\SETFE5.tmp
c:\windows\system32\SETFE9.tmp
c:\windows\system32\SETFED.tmp
c:\windows\system32\SETFF4.tmp
c:\windows\system32\SETFF7.tmp
c:\windows\system32\SETFF9.tmp
c:\windows\system32\SETFFF.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2017-08-17 16:06 . 2017-08-17 16:06 -------- d-----w- c:\program files\proDAD
2012-04-07 10:32 . 2012-04-07 10:33 226304 ---ha-w- c:\windows\system32\GZsfEIVz2
2012-04-05 11:37 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 13:12 . 2012-03-30 13:12 1409 ----a-w- c:\windows\QTFont.for
2012-03-29 13:41 . 2012-03-29 13:41 -------- d-----w- c:\documents and settings\Richard\Application Data\iZotope
2012-03-29 12:36 . 2012-03-29 12:36 388096 ----a-r- c:\documents and settings\Richard\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-29 12:36 . 2012-03-29 12:36 -------- d-----w- c:\program files\Trend Micro
2012-03-28 13:29 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-03-28 13:28 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-03-28 11:03 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-03-28 11:02 . 2008-04-14 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-03-28 10:32 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-03-28 10:32 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET16A.tmp
2012-03-27 02:11 . 2012-03-27 02:11 -------- d-----w- C:\i386
2012-03-17 17:36 . 2012-03-17 18:22 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\xilqrlve
2012-03-17 16:54 . 2012-03-17 16:54 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 16:54 . 2012-03-17 16:54 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 17:27 . 2011-05-23 17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-02 19:03 . 2012-02-02 19:07 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2012-02-02 19:03 . 2012-02-02 19:07 93696 ----a-w- c:\windows\system32\E_FLBHLE.DLL
2012-02-02 19:03 . 2012-02-02 19:07 63488 ----a-w- c:\windows\system32\E_FD4BHLE.DLL
2012-01-11 19:06 . 2012-02-15 11:43 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-11-05 03:10 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-17 16:54 . 2012-01-29 23:51 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-12-19 . 21F8FEBD157A8A6BF7F0FB826111148A . 3087872 . . [6.00.2900.6182] . . c:\windows\SoftwareDistribution\Download\796a0f15940e7ad65a72532d85ac77d3\SP3QFE\mshtml.dll
[-] 2011-12-19 . 8DE666A743F3B961892338A2E15EA702 . 3087360 . . [6.00.2900.6182] . . c:\windows\SoftwareDistribution\Download\796a0f15940e7ad65a72532d85ac77d3\SP3GDR\mshtml.dll
[-] 2011-12-17 . A9259CD226283CD4F798C00909754A94 . 5979136 . . [8.00.6001.19190] . . c:\windows\SoftwareDistribution\Download\c1d540600ba9c34c5b3244c020eee491\SP3GDR\mshtml.dll
[-] 2011-12-17 . 49B88A833ECA99EFBFFC5AAE5CC998ED . 5980160 . . [8.00.6001.23286] . . c:\windows\$hf_mig$\KB2647516-IE8\SP3QFE\mshtml.dll
[-] 2011-12-17 . 49B88A833ECA99EFBFFC5AAE5CC998ED . 5980160 . . [8.00.6001.23286] . . c:\windows\SoftwareDistribution\Download\c1d540600ba9c34c5b3244c020eee491\SP3QFE\mshtml.dll
[-] 2011-11-04 . DD8D655E1881B70A5259A23A6018A6C2 . 5978112 . . [8.00.6001.19170] . . c:\windows\ie8updates\KB2647516-IE8\mshtml.dll
[-] 2011-11-04 . DD8D655E1881B70A5259A23A6018A6C2 . 5978112 . . [8.00.6001.19170] . . c:\windows\SoftwareDistribution\Download\a6632ea9734d3683d8cc4b4a30215873\SP3GDR\mshtml.dll
[-] 2011-11-04 . 699421E2E1313C18671A703953CAE14B . 5978624 . . [8.00.6001.23266] . . c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\mshtml.dll
[-] 2011-11-04 . 699421E2E1313C18671A703953CAE14B . 5978624 . . [8.00.6001.23266] . . c:\windows\SoftwareDistribution\Download\a6632ea9734d3683d8cc4b4a30215873\SP3QFE\mshtml.dll
[-] 2011-10-03 . 4963CB503600FC3BCBDBFBA51FBA1FAC . 5971456 . . [8.00.6001.19154] . . c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
[-] 2011-10-03 . 1240A6B7B470BED0AA6C9FEC7AB0EA26 . 5972992 . . [8.00.6001.23250] . . c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\mshtml.dll
[-] 2010-12-20 . 61FF8ABD55DBD6453B7DD81F6DD2D966 . 3078144 . . [6.00.2900.6058] . . c:\windows\$hf_mig$\KB2482017\SP3QFE\mshtml.dll
[-] 2010-11-05 . 17762D2C4468FF99EF33F597F9D34E6F . 3076608 . . [6.00.2900.6049] . . c:\windows\$hf_mig$\KB2416400\SP3QFE\mshtml.dll
[-] 2010-09-09 . 575FBCB3E2C6E848F0386F38AAF0E4ED . 3074560 . . [6.00.2900.6036] . . c:\windows\$hf_mig$\KB2360131\SP3QFE\mshtml.dll
[-] 2010-06-24 . E833C8A9918DA80DBE80ABD2917B9292 . 3073536 . . [6.00.2900.6003] . . c:\windows\$hf_mig$\KB2183461\SP3QFE\mshtml.dll
[-] 2010-05-06 . C7B7A88CC7D7ABA5C395145BF92F46F7 . 5950976 . . [8.00.6001.18928] . . c:\windows\SoftwareDistribution\Download\e9e3bc7b49018c1f53cc0d1bd73cad37\SP3GDR\mshtml.dll
[-] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\SoftwareDistribution\Download\e9e3bc7b49018c1f53cc0d1bd73cad37\SP3QFE\mshtml.dll
[-] 2010-04-16 . 9574D5B0C784DA0FD8F6A9BB37936A52 . 3073536 . . [6.00.2900.5969] . . c:\windows\$hf_mig$\KB982381\SP3QFE\mshtml.dll
[-] 2010-02-26 . EE6B9880933172AE78A1146BE15D6D21 . 3073536 . . [6.00.2900.5945] . . c:\windows\$hf_mig$\KB980182\SP3QFE\mshtml.dll
[-] 2009-12-22 . A758F0891A87EE005848A0BC740A5B96 . 3071488 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3GDR\mshtml.dll
[-] 2009-12-22 . AD17006339C1934D86449F335C241FF1 . 3073536 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll
[-] 2009-10-29 . D1CF72C34BAF70C52797D1CB78D6EE92 . 3070976 . . [6.00.2900.5897] . . c:\windows\$hf_mig$\KB976325\SP3GDR\mshtml.dll
[-] 2009-10-29 . DA551BFEC150760A38A9AD0C95A8A71C . 3073024 . . [6.00.2900.5897] . . c:\windows\$hf_mig$\KB976325\SP3QFE\mshtml.dll
[-] 2009-10-29 . F3A9E882DF2F155C9395979FF9D7B0A7 . 3070976 . . [6.00.2900.3640] . . c:\windows\$NtUninstallKB978207_0$\mshtml.dll
[-] 2009-09-25 . 601E18A9A8F0D0ED39692B593212378F . 3070976 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3GDR\mshtml.dll
[-] 2009-09-25 . 37F578776552FA076EA6085F0365209C . 3072512 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\mshtml.dll
[-] 2009-04-29 . ABD8093E43E53AEA5898D2214B92E9BA . 3068928 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3GDR\mshtml.dll
[-] 2009-04-29 . 06CF679E3D24C3DF270556456A0F1EDA . 3069440 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-02-20 . 2F70F2F74C40397D031016FA162981C2 . 3068416 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3GDR\mshtml.dll
[-] 2009-02-20 . 1618A4A2C5DD8164B8295190C8EA6544 . 3068416 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3QFE\mshtml.dll
[-] 2008-12-12 . 6D1D493622EA050DBAABD0C4C1DFADB5 . 3067392 . . [6.00.2900.3492] . . c:\windows\$NtUninstallKB963027_0$\mshtml.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-04-05_11.21.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-09-09 22:03 . 2012-04-05 11:25 94552 c:\windows\system32\perfc009.dat
+ 2005-09-09 22:03 . 2012-04-08 10:15 94552 c:\windows\system32\perfc009.dat
+ 2005-09-09 22:03 . 2012-04-08 10:15 495702 c:\windows\system32\perfh009.dat
- 2005-09-09 22:03 . 2012-04-05 11:25 495702 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\blueyonder Instant Support Tool.lnk
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 18:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 14:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2007-07-23 11:06 180224 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 00:00 45056 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 09:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-12-12 09:46 20480 ----a-w- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2006-05-22 13:26 694272 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-05-14 09:45 33624064 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-09-22 08:05 438359 ----a-w- c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-10-16 11:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-10-16 11:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-01-14 18:21 110744 ----a-w- c:\program files\CyberLink\PowerCinema\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 14:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2005-03-23 14:34 1630303 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 14:06 118784 ----a-w- c:\windows\system32\ptipbmf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 10:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
2005-06-16 17:25 49152 ----a-w- c:\program files\Creative\Shared Files\Module Loader\DLLML.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-11-25 09:19 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2005-07-11 10:34 122880 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
2004-06-08 18:33 69721 ----a-w- c:\program files\CyberLink\PowerBackup\PBKScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LexBceS"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26/04/2006 23:48 642560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/07/2006 22:44 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [31/03/2010 13:58 1358720]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [25/07/2006 15:56 16512]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [01/04/2010 16:38 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006UA.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\6i2xrjmt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox? ... B:official
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-08 13:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0561C98C-9C16-1528-CD53-D97A84E0A2A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagieijlkfgcacekbi"=hex:6b,61,64,6a,62,6a,6f,62,6b,61,6f,63,62,61,66,6c,6e,6b,
6f,6b,70,6b,00,00
"haeihkmblmajfidb"=hex:6b,61,63,6a,67,67,65,6a,6b,6c,6f,69,6d,67,6f,67,62,65,
69,68,6e,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2012-04-08 13:17:06
ComboFix-quarantined-files.txt 2012-04-08 12:17
ComboFix2.txt 2012-04-05 11:30
ComboFix3.txt 2008-12-23 16:13
.
Pre-Run: 20,444,139,520 bytes free
Post-Run: 20,416,745,472 bytes free
.
- - End Of File - - 14D4C7389343FEE047ED57799A94D415



---------------------------------------


Malwarebytes Anti-Malware 1.60.1.1000
http://www.malwarebytes.org

Database version: v2012.04.05.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Richard :: RAPSCALLION [administrator]

10/04/2012 02:24:04
mbam-log-2012-04-10 (02-24-04).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 653830
Time elapsed: 2 hour(s), 51 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\system32\GZsfEIVz2 (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\GZsfEIVz2 (Virus.Ramnit) -> Quarantined and deleted successfully.

(end)
Nitro
Newbie
Posts: 6
Joined: Thu Mar 29, 2012 1:39 pm

Thanks given:1
Thanks received:0
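Two things in the ComboFix log above deserve a closer look than the tools give them: the REG_BINARY values under the locked Shell Extensions\Approved key, and the hidden, extensionless file created in system32 (the one Malwarebytes later named as Ramnit). The script below is an added example for this thread, not ComboFix or Malwarebytes functionality and not something the posters ran: it decodes the REGEDIT4-style "hex:" dumps (joining the wrapped continuation lines) and flags newly created system32 files whose attribute column carries the hidden flag. The sample lines are copied (abridged) from the log above; the function names and the "random-looking name" heuristic are this example's own.

```python
"""Triage helpers for ComboFix log excerpts (added example, not part of the thread)."""
import re

# Copied (abridged) from the "LOCKED REGISTRY KEYS" section of the log above.
# ComboFix prints REG_BINARY values REGEDIT4-style; long dumps wrap onto a
# continuation line after a trailing comma.
LOCKED_KEYS_SAMPLE = """\
[HKEY_USERS\\S-1-5-21-716800117-3360742898-1720601440-1006\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{0561C98C-9C16-1528-CD53-D97A84E0A2A9}*]
@Allowed: (Read) (RestrictedCode)
"iagieijlkfgcacekbi"=hex:6b,61,64,6a,62,6a,6f,62,6b,61,6f,63,62,61,66,6c,6e,6b,
6f,6b,70,6b,00,00
"haeihkmblmajfidb"=hex:6b,61,63,6a,67,67,65,6a,6b,6c,6f,69,6d,67,6f,67,62,65,
69,68,6e,61,00,00
"""

# Copied (abridged) from the "Files Created" section of the same log.
FILES_CREATED_SAMPLE = """\
2012-04-07 10:32 . 2012-04-07 10:33 226304 ---ha-w- c:\\windows\\system32\\GZsfEIVz2
2012-04-05 11:37 . 2011-12-10 14:24 20464 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-03-29 13:41 . 2012-03-29 13:41 -------- d-----w- c:\\documents and settings\\Richard\\Application Data\\iZotope
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<hex>.*)$')

# created . modified size attrs path   (attrs is an 8-char column, e.g. ---ha-w-)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def decode_locked_values(text):
    """Return {value_name: raw_bytes} for every "hex:" value in the excerpt.

    A line ending in ',' is continued on the next line, so wrapped dumps are
    joined before parsing.
    """
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith(","):
            joined[-1] += line.strip()
        else:
            joined.append(line.rstrip())
    values = {}
    for line in joined:
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = bytes(
                int(b, 16) for b in m.group("hex").split(",") if b
            )
    return values


def as_c_string(raw):
    """Decode a REG_BINARY blob as a NUL-terminated ASCII string."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def looks_random(name, min_len=12):
    """Heuristic (this example's own): a long run of lowercase letters with
    no separators, digits or extension is typical of generated marker names."""
    return len(name) >= min_len and name.isalpha() and name.islower()


def flag_hidden_system32(text):
    """Return paths of newly created non-directory entries under system32
    whose attribute column has the hidden flag set (index 3 is 'h')."""
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if attrs[0] != "d" and attrs[3] == "h" and "\\system32\\" in path.lower():
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, raw in decode_locked_values(LOCKED_KEYS_SAMPLE).items():
        s = as_c_string(raw)
        tag = "suspicious" if looks_random(name) and looks_random(s) else "ok"
        print(f"{name} -> {s!r} ({len(raw)} bytes) [{tag}]")
    for path in flag_hidden_system32(FILES_CREATED_SAMPLE):
        print("hidden file in system32:", path)
```

Both values decode to NUL-terminated strings of random lowercase letters, stored under value names of the same shape; that pairing, under a key ComboFix could not open normally, is worth raising alongside the hidden file rather than treating the locked-key section as noise.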

Re: Computer problems - suspect an attack

Postby home it guy » Thu Apr 19, 2012 4:14 pm

Hi, sorry to hear about your computer issues. We may have a solution for you.




-----------------------------------------------------------------------------------------

http://www.homeitservice.net/

Over 15 years experience removing infections from PCs and Servers.

If reinfection occurs within 30 days, we will remove the virus or spyware at no charge.

Remote support allows us to scan your computer for infection. We value your time so instead of keeping you on the phone for hours, we will call you back when your computer is clean.
home it guy
Newbie
Posts: 5
Joined: Wed Apr 11, 2012 7:32 pm
Location: Atlanta, Georgia
Operating System: Windows 7

Thanks given:0
Thanks received:0

Re: Computer problems - suspect an attack

Postby Gecko » Fri Apr 20, 2012 1:43 am

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.
Code:
    File::
    c:\windows\SET16A.tmp
    Folder::
    c:\windows\system32\GZsfEIVz2
    Registry::

Now drag then drop the CFScript file onto ComboFix.exe
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Gecko
Super Moderator
Posts: 5206
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA

Thanks given:1
Thanks received:23

Re: Computer problems - suspect an attack

Postby Nitro » Fri Apr 20, 2012 1:43 pm

Followed your instructions, logs below.

First, when I dragged ComboFix.txt into ComboFix.exe, the program began to run but a box appeared advising 'Version 12-04-05.04 ComboFix expired - click YES for reduced functionality mode or NO to exit'. I clicked NO, deleted ComboFix.exe from my desktop, then downloaded it again from your link at Bleeping Computer. Dragged ComboFix.txt into the new ComboFix.exe, and it ran.

Also, upon running HijackThis [2.00.0004], a box appeared with an 'unexpected error #5 - invalid procedure call or argument' [I copied the picture if necessary to see it]. It allowed me to continue, and produced the log.

ComboFix 12-04-20.03 - Richard 20/04/2012 12:50:16.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2674 [GMT 1:00]
Running from: c:\documents and settings\Richard\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
.
FILE ::
"c:\windows\SET16A.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SET16A.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
.
2017-08-17 16:06 . 2017-08-17 16:06 -------- d-----w- c:\program files\proDAD
2012-04-05 11:37 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 13:12 . 2012-03-30 13:12 1409 ----a-w- c:\windows\QTFont.for
2012-03-29 13:41 . 2012-03-29 13:41 -------- d-----w- c:\documents and settings\Richard\Application Data\iZotope
2012-03-29 12:36 . 2012-03-29 12:36 388096 ----a-r- c:\documents and settings\Richard\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-29 12:36 . 2012-03-29 12:36 -------- d-----w- c:\program files\Trend Micro
2012-03-28 13:29 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-03-28 13:28 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-03-28 13:24 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2012-03-28 11:03 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-03-28 11:02 . 2008-04-14 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-03-28 10:59 . 2008-04-14 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-03-28 10:32 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-03-28 10:32 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-03-27 02:11 . 2012-03-27 02:11 -------- d-----w- C:\i386
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-25 17:27 . 2011-05-23 17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-02 19:03 . 2012-02-02 19:07 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2012-02-02 19:03 . 2012-02-02 19:07 93696 ----a-w- c:\windows\system32\E_FLBHLE.DLL
2012-02-02 19:03 . 2012-02-02 19:07 63488 ----a-w- c:\windows\system32\E_FD4BHLE.DLL
2012-03-17 16:54 . 2012-01-29 23:51 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-12-19 . 21F8FEBD157A8A6BF7F0FB826111148A . 3087872 . . [6.00.2900.6182] . . c:\windows\SoftwareDistribution\Download\796a0f15940e7ad65a72532d85ac77d3\SP3QFE\mshtml.dll
[-] 2011-12-19 . 8DE666A743F3B961892338A2E15EA702 . 3087360 . . [6.00.2900.6182] . . c:\windows\SoftwareDistribution\Download\796a0f15940e7ad65a72532d85ac77d3\SP3GDR\mshtml.dll
[-] 2011-12-17 . A9259CD226283CD4F798C00909754A94 . 5979136 . . [8.00.6001.19190] . . c:\windows\SoftwareDistribution\Download\c1d540600ba9c34c5b3244c020eee491\SP3GDR\mshtml.dll
[-] 2011-12-17 . 49B88A833ECA99EFBFFC5AAE5CC998ED . 5980160 . . [8.00.6001.23286] . . c:\windows\$hf_mig$\KB2647516-IE8\SP3QFE\mshtml.dll
[-] 2011-12-17 . 49B88A833ECA99EFBFFC5AAE5CC998ED . 5980160 . . [8.00.6001.23286] . . c:\windows\SoftwareDistribution\Download\c1d540600ba9c34c5b3244c020eee491\SP3QFE\mshtml.dll
[-] 2011-11-04 . DD8D655E1881B70A5259A23A6018A6C2 . 5978112 . . [8.00.6001.19170] . . c:\windows\ie8updates\KB2647516-IE8\mshtml.dll
[-] 2011-11-04 . DD8D655E1881B70A5259A23A6018A6C2 . 5978112 . . [8.00.6001.19170] . . c:\windows\SoftwareDistribution\Download\a6632ea9734d3683d8cc4b4a30215873\SP3GDR\mshtml.dll
[-] 2011-11-04 . 699421E2E1313C18671A703953CAE14B . 5978624 . . [8.00.6001.23266] . . c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\mshtml.dll
[-] 2011-11-04 . 699421E2E1313C18671A703953CAE14B . 5978624 . . [8.00.6001.23266] . . c:\windows\SoftwareDistribution\Download\a6632ea9734d3683d8cc4b4a30215873\SP3QFE\mshtml.dll
[-] 2011-10-03 . 4963CB503600FC3BCBDBFBA51FBA1FAC . 5971456 . . [8.00.6001.19154] . . c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
[-] 2011-10-03 . 1240A6B7B470BED0AA6C9FEC7AB0EA26 . 5972992 . . [8.00.6001.23250] . . c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\mshtml.dll
[-] 2010-12-20 . 61FF8ABD55DBD6453B7DD81F6DD2D966 . 3078144 . . [6.00.2900.6058] . . c:\windows\$hf_mig$\KB2482017\SP3QFE\mshtml.dll
[-] 2010-11-05 . 17762D2C4468FF99EF33F597F9D34E6F . 3076608 . . [6.00.2900.6049] . . c:\windows\$hf_mig$\KB2416400\SP3QFE\mshtml.dll
[-] 2010-09-09 . 575FBCB3E2C6E848F0386F38AAF0E4ED . 3074560 . . [6.00.2900.6036] . . c:\windows\$hf_mig$\KB2360131\SP3QFE\mshtml.dll
[-] 2010-06-24 . E833C8A9918DA80DBE80ABD2917B9292 . 3073536 . . [6.00.2900.6003] . . c:\windows\$hf_mig$\KB2183461\SP3QFE\mshtml.dll
[-] 2010-05-06 . C7B7A88CC7D7ABA5C395145BF92F46F7 . 5950976 . . [8.00.6001.18928] . . c:\windows\SoftwareDistribution\Download\e9e3bc7b49018c1f53cc0d1bd73cad37\SP3GDR\mshtml.dll
[-] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\SoftwareDistribution\Download\e9e3bc7b49018c1f53cc0d1bd73cad37\SP3QFE\mshtml.dll
[-] 2010-04-16 . 9574D5B0C784DA0FD8F6A9BB37936A52 . 3073536 . . [6.00.2900.5969] . . c:\windows\$hf_mig$\KB982381\SP3QFE\mshtml.dll
[-] 2010-02-26 . EE6B9880933172AE78A1146BE15D6D21 . 3073536 . . [6.00.2900.5945] . . c:\windows\$hf_mig$\KB980182\SP3QFE\mshtml.dll
[-] 2009-12-22 . A758F0891A87EE005848A0BC740A5B96 . 3071488 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3GDR\mshtml.dll
[-] 2009-12-22 . AD17006339C1934D86449F335C241FF1 . 3073536 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll
[-] 2009-10-29 . D1CF72C34BAF70C52797D1CB78D6EE92 . 3070976 . . [6.00.2900.5897] . . c:\windows\$hf_mig$\KB976325\SP3GDR\mshtml.dll
[-] 2009-10-29 . DA551BFEC150760A38A9AD0C95A8A71C . 3073024 . . [6.00.2900.5897] . . c:\windows\$hf_mig$\KB976325\SP3QFE\mshtml.dll
[-] 2009-10-29 . F3A9E882DF2F155C9395979FF9D7B0A7 . 3070976 . . [6.00.2900.3640] . . c:\windows\$NtUninstallKB978207_0$\mshtml.dll
[-] 2009-09-25 . 601E18A9A8F0D0ED39692B593212378F . 3070976 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3GDR\mshtml.dll
[-] 2009-09-25 . 37F578776552FA076EA6085F0365209C . 3072512 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\mshtml.dll
[-] 2009-04-29 . ABD8093E43E53AEA5898D2214B92E9BA . 3068928 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3GDR\mshtml.dll
[-] 2009-04-29 . 06CF679E3D24C3DF270556456A0F1EDA . 3069440 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-02-20 . 2F70F2F74C40397D031016FA162981C2 . 3068416 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3GDR\mshtml.dll
[-] 2009-02-20 . 1618A4A2C5DD8164B8295190C8EA6544 . 3068416 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3QFE\mshtml.dll
[-] 2008-12-12 . 6D1D493622EA050DBAABD0C4C1DFADB5 . 3067392 . . [6.00.2900.3492] . . c:\windows\$NtUninstallKB963027_0$\mshtml.dll
[-] 2008-12-12 . B6DAA74E2ED36C71B502945589A683AE . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . C828AA1C5469E72251F3D367005E589F . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-04-05_11.21.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-09-09 22:03 . 2012-04-05 11:25 94552 c:\windows\system32\perfc009.dat
+ 2005-09-09 22:03 . 2012-04-20 10:34 94552 c:\windows\system32\perfc009.dat
+ 2012-04-13 01:02 . 2012-04-13 01:02 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_a7012668\System.Drawing.Design.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\36124bfc4baaa1c2063d699e77324080\System.Web.DynamicData.Design.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 56320 c:\windows\assembly\NativeImages_v2.0.50727_32\DecklinkVideoProper#\d53aeb8bbda80b10b91b9f1c5d8cf3e7\DecklinkVideoProperties.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 51712 c:\windows\assembly\NativeImages_v2.0.50727_32\AjaVideoProperties\19dccfe7b9d02f9707bae09dbf4ca94e\AjaVideoProperties.ni.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2005-09-09 22:03 . 2012-04-20 10:34 495702 c:\windows\system32\perfh009.dat
- 2005-09-09 22:03 . 2012-04-05 11:25 495702 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2008-04-14 12:00 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2008-04-14 12:00 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
+ 2012-01-31 02:38 . 2012-01-31 02:38 630784 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2012-01-27 16:35 . 2012-01-27 16:35 471040 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2012-02-02 22:56 . 2012-02-02 22:56 963584 c:\windows\Installer\14077f1.msp
+ 2012-04-13 10:33 . 2012-04-13 10:33 843776 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_004397e3\System.Drawing.dll
+ 2012-04-13 10:33 . 2012-04-13 10:33 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_7bab4e4e\System.Drawing.Design.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\5be064066858620a8aa628fca459a888\WindowsFormsIntegration.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\1107b3a711bab40c83e2561ba2431d62\System.Web.Routing.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\d7c8c294920cfe79765215e242308d28\System.Web.Extensions.Design.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\5176923a8264305118a299419e1c7bde\System.Web.Entity.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d746c0f0ed36226efb2e0115de42cdd6\System.Web.Entity.Design.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\df5542604898c9ea3fda32c8619ae0e5\System.Web.DynamicData.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\b9c8715157536097b489132574ad5c17\System.Web.Abstractions.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\56e433394df8d44e43690a855e403555\System.ServiceProcess.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\cc2cd3bc46c9c2b30e47281e404a3230\System.Drawing.Design.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 585216 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas\62d32c63f021df87ba5af3fa1bc863c7\Sony.Vegas.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 235008 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas.NetRender\556c535871934f5311b631e48fdfd5f3\Sony.Vegas.NetRender.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 261120 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.MediaSoftware.#\beeae93e0882ed6a8403c46557c6a725\Sony.MediaSoftware.ExternalVideoDevice.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 673280 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Capture\56499243ce2a251ba9abb2bcbfee5a2c\Sony.Capture.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 159744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e8da13f8b95ad296b9fba92bc411fcba\Microsoft.VisualStudio.WizardFramework.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 511488 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e6399bb63e262c88d274c9c613911923\Microsoft.VisualStudio.Shell.Design.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 822272 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e19926e80112d65172093b8b3c5574e9\Microsoft.VisualStudio.Shell.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5a92c034adff79ea2a2823900e2ed252\Microsoft.VisualStudio.Configuration.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 861696 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0dd88c6d6dcb34be7b3acc2053ec9bad\Microsoft.VisualStudio.Shell.9.0.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\8d6cd6a93f679608d52b6c874088b963\AspNetMMCExt.ni.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2012-04-13 01:02 . 2012-04-13 01:02 471040 c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2012-01-31 03:46 . 2012-01-31 03:46 6385664 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656370\M2656370Uninstall.msp
+ 2012-01-30 19:46 . 2012-01-30 19:46 7069184 c:\windows\Installer\14077fb.msp
+ 2012-04-13 10:33 . 2012-04-13 10:33 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_7a3fe07e\System.Windows.Forms.dll
+ 2012-04-13 10:33 . 2012-04-13 10:33 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_5a9256eb\System.Windows.Forms.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 2248704 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_1190804f\System.Drawing.dll
+ 2012-04-13 10:33 . 2012-04-13 10:33 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_d5444ca1\System.Design.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_853b9c70\System.Design.dll
+ 2012-04-13 11:13 . 2012-04-13 11:13 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\d31d2eb0a862d3c1d3561be5f1570c3e\System.WorkflowServices.ni.dll
+ 2012-04-13 11:13 . 2012-04-13 11:13 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\53c2336db392bfa5484850780048e37a\System.Workflow.ComponentModel.ni.dll
+ 2012-04-13 11:13 . 2012-04-13 11:13 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\f243723cda77dd647b250dd9c42c35e2\System.Workflow.Activities.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\d1dacd5cb445b242b70bf7d606464293\System.Web.Mobile.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6acbb8bb1a43fab0fdcf55bedd1fbcc3\System.Web.Extensions.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\44d507a702c1623810e094adf751f687\System.Printing.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 1591808 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8d886cdc2ca5f0ff97cd1afe8773bb6e\System.Drawing.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\3d253a2235f7c03630003bc1fbaf34a3\System.Deployment.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\c73e109dbac6b099786cc68fe36e3d0b\ReachFramework.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\20d72aeac1109863b77532d37d3f4fa2\PresentationUI.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 1868800 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\60118f6f2ab286b7418b8ce1644e3d56\Microsoft.VisualStudio.CommonIDE.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\3ec4a3f74cb80c9b9581d778e8645b2c\Microsoft.VisualBasic.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\876b7280cf4e81fd65b120f60d38a7d9\Microsoft.Build.Tasks.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\64ba53308e90fa3837fe47977e2d37b6\Microsoft.Build.Tasks.v3.5.ni.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 3186688 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 3186688 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-04-13 01:00 . 2012-04-13 01:00 5246976 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 5246976 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2012-02-15 14:07 . 2012-02-15 14:07 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-04-13 01:01 . 2012-04-13 01:01 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d96906db18e87ffe2e08f6cda7e2be0f\System.Windows.Forms.ni.dll
+ 2012-04-13 11:12 . 2012-04-13 11:12 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\db1d2470de43ffcb6f562277208d56e5\System.Web.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\561138d8d199861578c197c4d24e3934\System.Design.ni.dll
+ 2012-04-13 10:34 . 2012-04-13 10:34 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\029d1d9e6495065aa4f38bcf2315ee8c\PresentationFramework.ni.dll
+ 2012-04-13 01:02 . 2012-04-13 01:02 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\0a059ecfca6e421629a8298b03a7814c\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\blueyonder Instant Support Tool.lnk
backup=c:\windows\pss\blueyonder Instant Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 18:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 14:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2007-07-23 11:06 180224 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 00:00 45056 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 09:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-12-12 09:46 20480 ----a-w- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2006-05-22 13:26 694272 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-05-14 09:45 33624064 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-09-22 08:05 438359 ----a-w- c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-10-16 11:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-10-16 11:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-01-14 18:21 110744 ----a-w- c:\program files\CyberLink\PowerCinema\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 14:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2005-03-23 14:34 1630303 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 14:06 118784 ----a-w- c:\windows\system32\ptipbmf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 10:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
2005-06-16 17:25 49152 ----a-w- c:\program files\Creative\Shared Files\Module Loader\DLLML.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-11-25 09:19 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
2005-07-11 10:34 122880 ----a-w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
2004-06-08 18:33 69721 ----a-w- c:\program files\CyberLink\PowerBackup\PBKScheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LexBceS"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"c:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26/04/2006 23:48 642560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/07/2006 22:44 47360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [31/03/2010 13:58 1358720]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [25/07/2006 15:56 16512]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [01/04/2010 16:38 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-716800117-3360742898-1720601440-1006UA.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-02 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\6i2xrjmt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox? ... B:official
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-20 13:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-716800117-3360742898-1720601440-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0561C98C-9C16-1528-CD53-D97A84E0A2A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagieijlkfgcacekbi"=hex:6b,61,64,6a,62,6a,6f,62,6b,61,6f,63,62,61,66,6c,6e,6b,
6f,6b,70,6b,00,00
"haeihkmblmajfidb"=hex:6b,61,63,6a,67,67,65,6a,6b,6c,6f,69,6d,67,6f,67,62,65,
69,68,6e,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2012-04-20 13:09:34
ComboFix-quarantined-files.txt 2012-04-20 12:09
ComboFix2.txt 2012-04-08 12:17
ComboFix3.txt 2012-04-05 11:30
ComboFix4.txt 2008-12-23 16:13
.
Pre-Run: 19,442,167,808 bytes free
Post-Run: 19,433,914,368 bytes free
.
- - End Of File - - 9867DB912A432CE07BE2B937659253DE

Re: Computer problems - suspect an attack

Postby Nitro » Fri Apr 20, 2012 1:44 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:22:30, on 20/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Richard\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 2.0.84.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4000930828
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwar ... /CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8854 bytes

Re: Computer problems - suspect an attack

Postby Gecko » Sat Apr 21, 2012 2:35 pm

Nitro,

At last it looks clean.
So how is it running now?


Re: Computer problems - suspect an attack

Postby Nitro » Thu Apr 26, 2012 1:14 pm

All seems fine.

Thanks for your help, Gecko.

:cheerleader:
