lizear

My computer is infected!


Hello lizear! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

What exactly is your problem?


Sometimes when I click on a link Google redirects me to many other sites, and I also can't click on things with a java link e.g. " javascript:void(0); "


Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log


Hey Maniac, thanks for the help;

Here are the files you asked me to post

Malwarebytes' Anti-Malware log

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.02

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Andy :: HELLGAS-C015FE4 [administrator]

Protection: Enabled

31/07/2012 2:53:43 PM

mbam-log-2012-07-31 (14-53-43).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 196180

Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Detected: 1

C:\WINDOWS\system32\explorer.exe (Worm.Autorun) -> 1796 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 3

HKCR\CLSID\{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122} (Worm.Autorun.B) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122} (Worm.Autorun.B) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122} (Worm.Autorun.B) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 6

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Worm.Autorun) -> Bad: (explorer.exe) Good: () -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.Autorun) -> Bad: (Explorer.exe) Good: () -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,explorer.exe) Good: (userinit.exe) -> Quarantined and repaired successfully.

Folders Detected: 1

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Files Detected: 7

C:\WINDOWS\system32\explorer.exe (Worm.Autorun) -> Delete on reboot.

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\BReWErS.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Andy\Local Settings\Temp\7X9IA7b.exe (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\KXQ7C5YV\info[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Andy\Application Data\isecurity.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.

(end)

aswMBR log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-31 15:11:42

-----------------------------

15:11:42.328 OS Version: Windows 5.1.2600 Service Pack 3

15:11:42.328 Number of processors: 1 586 0x1706

15:11:42.328 ComputerName: HELLGAS-C015FE4 UserName: Andy

15:11:53.890 Initialize success

15:20:11.218 AVAST engine defs: 12073100

15:26:22.968 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19

15:26:22.968 Disk 0 Vendor: ST3500413AS JC45 Size: 476940MB BusType: 3

15:26:22.968 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP4T0L0-26

15:26:22.968 Disk 1 Vendor: ST3160815AS 4.AAB Size: 152626MB BusType: 3

15:26:23.000 Disk 1 MBR read successfully

15:26:23.000 Disk 1 MBR scan

15:26:23.031 Disk 1 Windows XP default MBR code

15:26:23.046 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 92161 MB offset 63

15:26:23.046 Disk 1 Partition - 00 05 Extended 60463 MB offset 188747685

15:26:23.046 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 60463 MB offset 188747751

15:26:23.046 Disk 1 scanning sectors +312576705

15:26:23.125 Disk 1 scanning C:\WINDOWS\system32\drivers

15:26:33.703 Service scanning

15:26:36.953 Service GMSIPCI E:\INSTALL\GMSIPCI.SYS **LOCKED** 21

15:26:49.281 Modules scanning

15:26:55.343 Disk 1 trace - called modules:

15:26:55.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

15:26:55.359 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b333ab8]

15:26:55.359 3 CLASSPNP.SYS[b80f8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8b3c59e8]

15:26:55.359 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-26[0x8b33dd98]

15:26:55.718 AVAST engine scan C:\WINDOWS

15:27:02.171 AVAST engine scan C:\WINDOWS\system32

15:29:06.140 AVAST engine scan C:\WINDOWS\system32\drivers

15:29:19.531 AVAST engine scan C:\Documents and Settings\Andy

15:43:59.765 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii10.tmp **INFECTED** Win32:Malware-gen

15:43:59.812 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii12.tmp **INFECTED** Win32:Malware-gen

15:43:59.859 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii13.tmp **INFECTED** Win32:Malware-gen

15:43:59.906 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii1B.tmp **INFECTED** Win32:Malware-gen

15:43:59.953 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii7D.tmp **INFECTED** Win32:Malware-gen

15:44:00.015 File: C:\Documents and Settings\Andy\Local Settings\Temp\vii84.tmp **INFECTED** Win32:Malware-gen

15:44:00.078 File: C:\Documents and Settings\Andy\Local Settings\Temp\viiC.tmp **INFECTED** Win32:Malware-gen

15:44:00.156 File: C:\Documents and Settings\Andy\Local Settings\Temp\viiF.tmp **INFECTED** Win32:Malware-gen

15:44:01.343 File: C:\Documents and Settings\Andy\Local Settings\Temp\win274.exe **INFECTED** Win32:Crypt-MNC [Trj]

15:44:01.453 File: C:\Documents and Settings\Andy\Local Settings\Temp\win8761.exe **INFECTED** Win32:Crypt-MNC [Trj]

15:47:58.203 File: C:\Documents and Settings\Andy\My Documents\Download\Warcraft\BNetGatewayEditor.exe **INFECTED** Win32:Vitro

15:53:09.484 AVAST engine scan C:\Documents and Settings\All Users

15:59:56.703 Scan finished successfully

16:02:20.468 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Andy\Desktop\MBR.dat"

16:02:20.468 The log file has been saved successfully to "C:\Documents and Settings\Andy\Desktop\aswMBR.txt"

Thanks!!

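The MBAM log above is read the same way in every one of these threads: Winlogon Userinit/Shell edits are logon persistence, Security Center *DisableNotify=1 is warning suppression, an explorer.exe outside the Windows directory is a masquerade, and any Backdoor.* hit means the host can no longer be trusted. As an added example (not code from the thread or from Malwarebytes), the following Python script parses a constructed excerpt modelled on that log and applies exactly that reasoning; the category names and the verdict strings are this example's own.

```python
"""Triage a Malwarebytes Anti-Malware 1.x log: parse the registry-data and file
detections and say what the Winlogon, Security Center and Backdoor.* hits mean."""
import re

# Constructed, abridged excerpt modelled on the MBAM log posted in this thread.
SAMPLE_LOG = r"""
Registry Data Items Detected: 6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Worm.Autorun) -> Bad: (explorer.exe) Good: () -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.Autorun) -> Bad: (Explorer.exe) Good: () -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,explorer.exe) Good: (userinit.exe) -> Quarantined and repaired successfully.
Files Detected: 7
C:\WINDOWS\system32\explorer.exe (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Andy\Application Data\isecurity.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
"""

# Registry data item: <key>|<value> (<threat>) -> Bad: (<bad>) Good: (<good>) -> <action>
ITEM_RE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<value>\S+) \((?P<threat>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)
# File item: <drive-letter path> (<threat>) -> <action>
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"


def parse_mbam_log(text):
    """Return (registry_items, file_items) as lists of dicts of the captured fields."""
    items, files = [], []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
    return items, files


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(items, files):
    """Map raw detections to (category, explanation) pairs a defender acts on."""
    findings = []
    shell_unqualified = False
    for it in items:
        if it["key"] == WINLOGON and it["value"].lower() == "userinit":
            # Userinit is a comma-separated list; anything besides userinit.exe
            # itself is a program that runs at every interactive logon.
            extra = [p for p in it["bad"].split(",") if p and _basename(p) != "userinit.exe"]
            if extra:
                findings.append(("persistence", f"Winlogon\\Userinit also launches {extra}"))
        elif it["key"] == WINLOGON and it["value"].lower() == "shell":
            # An unqualified Shell value ("Explorer.exe") is resolved by name, so it can
            # only be trusted if no same-named file sits in another system directory.
            shell_unqualified = "\\" not in it["bad"]
        elif it["key"] == SECURITY_CENTER and it["value"].endswith("DisableNotify") and it["bad"] == "1":
            findings.append(("defense-evasion", f"Security Center warnings suppressed via {it['value']}"))
    rogue_explorer = False
    for f in files:
        directory = f["path"].rsplit("\\", 1)[0].lower()
        if _basename(f["path"]) == "explorer.exe" and directory != r"c:\windows":
            rogue_explorer = True
            findings.append(("masquerade", f"explorer.exe outside the Windows directory: {f['path']}"))
        if f["threat"].startswith("Backdoor."):
            findings.append(("backdoor", f"{f['threat']} at {f['path']}"))
    if shell_unqualified and rogue_explorer:
        findings.append(("persistence", "Winlogon\\Shell is an unqualified 'Explorer.exe' while a rogue explorer.exe was present"))
    return findings


def verdict(findings):
    """A backdoor means the host cannot be trusted again; otherwise clean and re-scan."""
    if any(cat == "backdoor" for cat, _ in findings):
        return "rebuild-recommended"
    return "clean-and-rescan"


if __name__ == "__main__":
    items, files = parse_mbam_log(SAMPLE_LOG)
    findings = triage(items, files)
    for category, detail in findings:
        print(f"[{category}] {detail}")
    print("verdict:", verdict(findings))
```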

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


ComboFix 12-07-30.03 - Andy 31/07/2012 20:34:34.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3327.2648 [GMT 10:00]

Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Andy\Application Data\8d51356f4bb435f1b6f84a242a76b34c-i686.cache-2

c:\documents and settings\Andy\Local Settings\Application Data\Macromedia\htevenzm.dll

c:\documents and settings\Andy\WINDOWS

C:\restore

c:\windows\RegGenieOnUninstall.exe

c:\windows\system32\~GLH0001.TMP

c:\windows\system32\dllcache\dlimport.exe

c:\windows\system32\muzapp.exe

c:\windows\system32\SET307.tmp

c:\windows\system32\SET309.tmp

c:\windows\system32\SET30D.tmp

c:\windows\system32\SET315.tmp

c:\windows\system32\WinSys.exe

c:\windows\Tab16d20.dll

c:\windows\XSxS

.

.

((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))

.

.

2012-07-31 04:51 . 2012-07-31 04:51 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes

2012-07-31 04:50 . 2012-07-31 04:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-31 04:50 . 2012-07-31 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-07-31 04:50 . 2012-07-03 03:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-17 13:27 . 2012-07-17 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\3DMGAME

2012-07-16 11:12 . 2012-07-16 11:12 -------- d-----w- c:\program files\Common Files\Steam

2012-07-16 11:12 . 2012-07-31 09:43 -------- d-----w- c:\program files\Steam

2012-07-13 05:09 . 2012-07-13 05:09 -------- d-----w- c:\documents and settings\Andy\jagexcache

2012-07-12 13:08 . 2012-07-31 08:29 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-11 10:57 . 2012-07-11 10:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Macromedia

2012-07-11 04:55 . 2012-07-11 04:55 -------- d-----w- c:\documents and settings\Andy\Application Data\Intel

2012-07-11 04:54 . 2012-07-11 04:54 -------- d-----w- c:\program files\Intel Corporation

2012-07-04 10:58 . 2012-07-04 10:58 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\etax2012

2012-07-04 10:58 . 2012-07-04 10:58 -------- d-----w- c:\program files\etax2012

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-25 07:51 . 2012-05-13 03:25 772592 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-25 07:51 . 2012-04-04 12:15 687600 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-25 07:51 . 2012-04-04 12:15 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-13 08:21 . 2012-06-13 08:21 53248 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2012-06-13 08:21 . 2012-06-13 08:21 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-06-01 12:10 . 2012-04-07 06:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-01 12:10 . 2011-08-14 11:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-21 11:34 . 2011-01-26 12:36 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-05-21 11:34 . 2011-01-27 03:31 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-05-21 11:34 . 2011-01-26 12:35 280736 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-05-15 13:46 . 2011-01-26 12:35 280736 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-10-03 00:35 . 2011-07-09 13:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F.lux"="c:\documents and settings\Andy\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]

"WinSys2"="c:\windows\system32\winsys2.exe" [2007-10-30 208896]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-03-08 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-03-08 13881448]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"GW Port Controller"="c:\program files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 163840]

"nwiz"="nwiz.exe" [2008-05-02 1630208]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ASRock WiFi-802.11g.lnk - c:\program files\ASRock WiFi-802.11g\RtWLan.exe [2009-2-22 978944]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dota 2 beta\\dota.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"56200:TCP"= 56200:TCP:Pando Media Booster

"56200:UDP"= 56200:UDP:Pando Media Booster

"3132:TCP"= 3132:TCP:sirdaip

.

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/13/2012 6:20 PM 12184]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/31/2012 2:50 PM 655944]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/15/2011 11:06 AM 88576]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 5:56 PM 5120]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/31/2012 2:50 PM 22344]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2/22/2009 10:17 AM 269824]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2/22/2009 10:17 AM 13532]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1558000]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 3:11 PM 136176]

S2 ldhgxcwxe;Monitor Security;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:56 PM 14336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 3:11 PM 136176]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/29/2011 4:24 PM 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 5:01 PM 21248]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 05:11]

.

2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 05:11]

.

2012-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-746137067-839522115-1003Core.job

- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-11 08:54]

.

2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-746137067-839522115-1003UA.job

- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-11 08:54]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\v79js9jf.default\

FF - prefs.js: browser.startup.homepage - hxxp://192.168.1.1/cgi-bin/webcm?var%3Amain=menu&var%3Astyle=style5&getpage=%2Fusr%2Fwww_safe%2Fhtml%2Fdefs%2Fstyle5%2Fmenus%2Fmenu.html&errorpage=%2Fusr%2Fwww_safe%2Fhtml%2Fdefs%2Fstyle5%2Fmenus%2Fmenu.html&var%3Apagename=fwan&var%3Agetpagenext=&var%3Aerrorpagename=&var%3Amenu=advanced&var%3Amenutitle=Advanced&var%3Apagetitle=Port+Forwarding&var%3Apagemaster=fwan&var%3Aconid=connection2&var%3Alanip=192.168.1.2&var%3Anew=&var%3Arule=&var%3Acategory=categoryU&connection0%3Afwan%3Asettings%2Fping%2Fstate=&var%3Alangrp=lan0

FF - prefs.js: network.proxy.http - proxy.tpg.com.au

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)

HKCU-Run-AdobeBridge - (no file)

HKCU-Run-Macromedia - c:\documents and settings\Andy\Local Settings\Application Data\Macromedia\htevenzm.dll

AddRemove-The Walking Dead Game EP 1&2 - c:\documents and settings\Andy\Desktop\Andy's Inventory\Uninstal.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-31 20:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Macromedia = RUNDLL32.EXE "c:\documents and settings\Andy\Local Settings\Application Data\Macromedia\htevenzm.dll",_AvisynthPluginInit2@4?6789

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldhgxcwxe]

"ServiceDll"="c:\windows\system32\yfklrene.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1343024091-746137067-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:c6,79,ec,bf,3a,76,48,c0,d9,16,5c,a4,e0,c6,24,b4,b8,0b,c3,2f,c3,

ae,67,95,e1,62,68,77,18,f3,1c,f2,36,ab,ca,43,b7,ec,b8,e1,f3,0b,78,f5,e4,24,\

"rkeysecu"=hex:a5,08,18,2e,4c,45,0d,8b,c0,84,c1,5c,c6,43,4a,b0

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(736)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

- - - - - - - > 'explorer.exe'(3584)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\System32\TUProgSt.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msdtc.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2012-07-31 20:43:08 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-31 10:42

.

Pre-Run: 37,140,877,312 bytes free

Post-Run: 40,940,085,248 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 224DE349D77CD1D1C529A857C55143C3


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Driver::
ldhgxcwxe
sirdaip

File::
c:\windows\system32\yfklrene.dll

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\Macromedia

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3132:TCP"=-

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldhgxcwxe]

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

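The CFScript above was built by hand from three parts of the ComboFix log: the service list (the R2/S2/S3 lines, where ldhgxcwxe runs inside svchost.exe), the GloballyOpenPorts list (the 3132:TCP entry labelled sirdaip) and the per-service ServiceDll key. As an added example (not code from the thread or from ComboFix), the following Python script parses constructed, abridged excerpts modelled on those sections, emits the same Driver::/File::/Registry:: sections for names an analyst has already judged malicious, and checks a follow-up log for the `-------\Service_<name>` lines that confirm removal. The malicious names are the analyst's input, here the two chosen in the thread; the parser does not decide maliciousness itself.

```python
"""Turn artifacts from a ComboFix log into a CFScript and confirm removal afterwards.
Parses the three log sections used in this thread: the service list (R2/S2/S3 lines),
the GloballyOpenPorts list and the per-service ServiceDll key."""
import re

# Constructed, abridged excerpt modelled on the first ComboFix log posted in this thread.
FIRST_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3132:TCP"= 3132:TCP:sirdaip
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/31/2012 2:50 PM 655944]
S2 ldhgxcwxe;Monitor Security;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:56 PM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 3:11 PM 136176]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldhgxcwxe]
"ServiceDll"="c:\windows\system32\yfklrene.dll"
"""
# Constructed excerpt modelled on the follow-up log's Drivers/Services section.
SECOND_LOG = r"""
-------\Legacy_LDHGXCWXE
-------\Service_ldhgxcwxe
"""

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[")
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"= (?P=port):(?P<label>.+)$')
KEY_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+))\]$")
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$')
REMOVED_RE = re.compile(r"^-------\\Service_(?P<name>\S+)$")

GOP_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"


def parse_combofix_log(text):
    """Return ({service: {display, image}}, {port: label}, {service: (regkey, dll)})."""
    services, ports, dlls = {}, {}, {}
    current = None  # (registry key, service name) of the [Services\...] block being read
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            services[m["name"]] = {"display": m["display"], "image": m["image"]}
        elif m := PORT_RE.match(line):
            ports[m["port"]] = m["label"]
        elif m := KEY_RE.match(line):
            current = (m["key"], m["name"])
        elif current and (m := DLL_RE.match(line)):
            dlls[current[1]] = (current[0], m["dll"])
        elif line.startswith("[") or line == ".":
            current = None
    return services, ports, dlls


def svchost_hosted(services):
    """Services whose image is svchost.exe: their real code is the ServiceDll, so an
    unfamiliar name or display name ('Monitor Security') is worth a closer look."""
    return [n for n, s in services.items() if "svchost.exe" in s["image"].lower()]


def build_cfscript(ports, dlls, malicious):
    """Emit Driver::/File::/Registry:: sections for names the analyst judged malicious."""
    lines = ["KillAll::", "", "Driver::", *malicious, ""]
    files = [dll for name, (_, dll) in dlls.items() if name in malicious]
    if files:
        lines += ["File::", *files, ""]
    lines.append("Registry::")
    bad_ports = [p for p, label in ports.items() if label in malicious]
    if bad_ports:
        lines += [GOP_KEY, *(f'"{p}"=-' for p in bad_ports), ""]  # "=-" deletes the value
    lines += [f"[-{dlls[n][0]}]" for n in malicious if n in dlls]  # "[-key]" deletes the key
    return "\n".join(lines) + "\n"


def verify_removed(text, names):
    """Which names the follow-up log's Drivers/Services section confirms as deleted."""
    removed = {m["name"].lower() for m in map(REMOVED_RE.match, text.splitlines()) if m}
    return {n: n.lower() in removed for n in names}


if __name__ == "__main__":
    services, ports, dlls = parse_combofix_log(FIRST_LOG)
    print("svchost-hosted services:", svchost_hosted(services))
    print(build_cfscript(ports, dlls, ["ldhgxcwxe", "sirdaip"]))
    print(verify_removed(SECOND_LOG, ["ldhgxcwxe", "sirdaip"]))
```

On the constructed excerpts the verification reports ldhgxcwxe as removed and sirdaip as not, which matches the follow-up log later in the thread: only a Service_ldhgxcwxe entry appears there, since sirdaip was a port label rather than a registered service.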

Hey Maniac, I followed your procedure and it didn't work. In fact, when I dragged the script.txt to the combofix.exe, a blue window popped up and said "...scanning it may take no more than 10 mins...". Then my desktop + the window froze (I left my computer on overnight just in case it wasn't frozen); the only thing that was moving was the mouse. Any suggestions?? Thanks!


My first suggestion is to try again, but not with script.txt as you did, but with CFScript.txt.


Sorry, that's what I have done, CFScript.txt, and it still produced the same result as my previous post :(


Here is the Log:

ComboFix 12-08-05.02 - Andy 05/08/2012 19:37:08.2.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3327.3037 [GMT 10:00]

Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Andy\Desktop\CFScript.txt

.

FILE ::

"c:\windows\system32\yfklrene.dll"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\NetworkService\Local Settings\Application Data\Macromedia

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_LDHGXCWXE

-------\Service_ldhgxcwxe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))

.

.

2012-07-31 12:05 . 2012-06-02 05:18 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-07-31 12:00 . 2012-07-31 12:00 -------- d-sh--w- c:\documents and settings\Andy\PrivacIE

2012-07-31 11:53 . 2012-07-31 11:53 -------- d-sh--w- c:\documents and settings\Andy\IETldCache

2012-07-31 11:47 . 2012-07-31 11:48 -------- dc-h--w- c:\windows\ie8

2012-07-31 11:44 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-07-31 11:42 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-07-31 11:42 . 2012-05-11 14:42 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2012-07-31 11:42 . 2012-05-11 14:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2012-07-31 11:42 . 2012-05-11 14:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2012-07-31 11:42 . 2012-05-11 14:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2012-07-31 11:42 . 2012-05-11 14:42 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll

2012-07-31 11:42 . 2012-05-11 14:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2012-07-31 11:42 . 2012-05-11 10:12 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll

2012-07-31 11:38 . 2012-06-02 05:19 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-07-31 11:38 . 2012-06-02 05:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-07-31 11:38 . 2012-06-02 05:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-07-31 11:38 . 2012-06-02 05:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-07-31 11:38 . 2012-06-02 05:19 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-07-31 04:51 . 2012-07-31 04:51 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes

2012-07-31 04:50 . 2012-07-31 04:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-31 04:50 . 2012-07-31 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-07-31 04:50 . 2012-07-03 03:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-17 13:27 . 2012-07-17 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\3DMGAME

2012-07-16 11:12 . 2012-07-16 11:12 -------- d-----w- c:\program files\Common Files\Steam

2012-07-16 11:12 . 2012-08-05 09:17 -------- d-----w- c:\program files\Steam

2012-07-13 05:09 . 2012-07-13 05:09 -------- d-----w- c:\documents and settings\Andy\jagexcache

2012-07-12 13:08 . 2012-07-31 08:29 -------- d-----w- C:\TDSSKiller_Quarantine

2012-07-11 04:55 . 2012-07-11 04:55 -------- d-----w- c:\documents and settings\Andy\Application Data\Intel

2012-07-11 04:54 . 2012-07-11 04:54 -------- d-----w- c:\program files\Intel Corporation

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-25 07:51 . 2012-05-13 03:25 772592 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-25 07:51 . 2012-04-04 12:15 687600 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-25 07:51 . 2012-04-04 12:15 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-13 08:21 . 2012-06-13 08:21 53248 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2012-06-13 08:21 . 2012-06-13 08:21 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-06-04 07:35 . 2009-02-21 23:35 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-04 07:35 . 2012-06-04 07:35 222448 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 05:19 . 2009-02-21 23:35 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 05:19 . 2009-02-21 23:35 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 05:19 . 2009-02-21 23:35 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 05:19 . 2009-02-21 23:35 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 05:19 . 2004-08-04 07:56 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 05:19 . 2009-02-21 23:35 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 05:19 . 2009-02-21 23:35 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-01 12:10 . 2012-04-07 06:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-01 12:10 . 2011-08-14 11:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-21 11:34 . 2011-01-26 12:36 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-05-21 11:34 . 2011-01-27 03:31 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-05-21 11:34 . 2011-01-26 12:35 280736 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-05-16 15:08 . 2004-08-04 07:56 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:46 . 2011-01-26 12:35 280736 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-05-11 14:42 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 14:42 . 2004-08-04 07:56 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 11:38 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

2011-10-03 00:35 . 2011-07-09 13:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-07-31_10.39.55 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-08-05 09:44 . 2012-08-05 09:44 16384 c:\windows\temp\Perflib_Perfdata_a54.dat

+ 2012-08-05 09:44 . 2012-08-05 09:44 16384 c:\windows\temp\Perflib_Perfdata_1c8.dat

+ 2009-02-22 00:10 . 2009-01-07 08:21 26144 c:\windows\system32\spupdsvc.exe

+ 2011-09-10 12:42 . 2009-01-07 08:20 16928 c:\windows\system32\spmsg.dll

+ 2012-07-31 11:38 . 2012-06-02 05:19 35864 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.6.7600.256\wups.dll

+ 2004-08-04 07:56 . 2009-03-07 18:31 46592 c:\windows\system32\pngfilt.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 23552 c:\windows\system32\normaliz.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 24576 c:\windows\system32\nlsdl.dll

+ 2004-08-04 07:56 . 2009-03-07 18:31 48128 c:\windows\system32\mshtmler.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 67072 c:\windows\system32\mshtmled.dll

+ 2004-08-04 07:56 . 2009-03-07 18:31 45568 c:\windows\system32\mshta.exe

+ 2009-03-07 18:31 . 2009-03-07 18:31 13312 c:\windows\system32\msfeedssync.exe

+ 2009-03-07 18:31 . 2012-05-11 14:42 55296 c:\windows\system32\msfeedsbs.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 25600 c:\windows\system32\jsproxy.dll

+ 2004-08-04 07:56 . 2009-03-07 18:32 94720 c:\windows\system32\inseng.dll

+ 2004-08-04 07:56 . 2009-03-07 18:31 34816 c:\windows\system32\imgutil.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 36864 c:\windows\system32\ieudinit.exe

+ 2004-08-04 07:56 . 2009-03-07 18:32 71680 c:\windows\system32\iesetup.dll

+ 2004-08-04 07:56 . 2009-03-07 18:32 55808 c:\windows\system32\iernonce.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 26112 c:\windows\system32\idndl.dll

+ 2009-03-07 18:31 . 2009-03-07 18:31 59904 c:\windows\system32\icardie.dll

+ 2009-02-21 23:35 . 2012-06-02 05:19 35864 c:\windows\system32\dllcache\wups.dll

+ 2009-02-21 23:35 . 2012-06-02 05:19 53784 c:\windows\system32\dllcache\wuauclt.exe

+ 2009-03-07 18:31 . 2009-03-07 18:31 46592 c:\windows\system32\dllcache\pngfilt.dll

+ 2009-03-07 18:31 . 2009-03-07 18:31 48128 c:\windows\system32\dllcache\mshtmler.dll

+ 2009-03-07 18:31 . 2012-05-11 14:42 67072 c:\windows\system32\dllcache\mshtmled.dll

+ 2009-03-07 18:31 . 2009-03-07 18:31 45568 c:\windows\system32\dllcache\mshta.exe

+ 2009-03-07 18:34 . 2012-05-11 14:42 43520 c:\windows\system32\dllcache\licmgr10.dll

+ 2009-03-07 18:33 . 2012-05-11 14:42 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 94720 c:\windows\system32\dllcache\inseng.dll

+ 2009-03-07 18:31 . 2009-03-07 18:31 34816 c:\windows\system32\dllcache\imgutil.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 71680 c:\windows\system32\dllcache\iesetup.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 55808 c:\windows\system32\dllcache\iernonce.dll

+ 2009-03-07 18:24 . 2009-03-07 18:24 68608 c:\windows\system32\dllcache\hmmapi.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 18944 c:\windows\system32\dllcache\corpol.dll

+ 2004-08-04 07:56 . 2012-06-02 05:19 97304 c:\windows\system32\dllcache\cdm.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 72704 c:\windows\system32\dllcache\admparse.dll

+ 2004-08-04 07:56 . 2009-03-07 18:33 18944 c:\windows\system32\corpol.dll

+ 2004-08-04 07:56 . 2009-03-07 18:32 72704 c:\windows\system32\admparse.dll

+ 2011-02-26 01:47 . 2012-08-03 05:26 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

- 2011-02-26 01:47 . 2012-03-08 01:43 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2012-07-31 11:49 . 2009-03-07 18:33 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll

+ 2012-07-31 11:49 . 2009-03-07 18:31 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll

+ 2012-07-31 11:49 . 2009-03-07 18:33 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 12800 c:\windows\ie8updates\KB2699988-IE8\xpshims.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 66560 c:\windows\ie8updates\KB2699988-IE8\mshtmled.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 55296 c:\windows\ie8updates\KB2699988-IE8\msfeedsbs.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 43520 c:\windows\ie8updates\KB2699988-IE8\licmgr10.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 25600 c:\windows\ie8updates\KB2699988-IE8\jsproxy.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll

+ 2012-07-31 11:49 . 2009-03-07 18:31 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll

+ 2012-07-31 11:49 . 2009-03-07 18:34 43008 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 37888 c:\windows\ie8\url.dll

+ 2012-07-31 11:48 . 2009-03-08 04:23 58464 c:\windows\ie8\spuninst\iecustom.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 39424 c:\windows\ie8\pngfilt.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 96256 c:\windows\ie8\occache.dll

+ 2012-07-31 11:47 . 2008-04-13 10:56 56832 c:\windows\ie8\mshtmler.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 29184 c:\windows\ie8\mshta.exe

+ 2012-07-31 11:47 . 2008-04-13 18:41 22016 c:\windows\ie8\licmgr10.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 15872 c:\windows\ie8\jsproxy.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 96256 c:\windows\ie8\inseng.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 35840 c:\windows\ie8\imgutil.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 93184 c:\windows\ie8\iexplore.exe

+ 2012-07-31 11:47 . 2008-04-13 18:41 62976 c:\windows\ie8\iesetup.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 48640 c:\windows\ie8\iernonce.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 81920 c:\windows\ie8\ieencode.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 34304 c:\windows\ie8\ie4uinit.exe

+ 2012-07-31 11:47 . 2008-04-13 18:41 38912 c:\windows\ie8\hmmapi.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 35328 c:\windows\ie8\corpol.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 99840 c:\windows\ie8\advpack.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 61440 c:\windows\ie8\admparse.dll

- 2011-02-02 10:23 . 2012-07-31 08:09 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

- 2011-02-02 10:23 . 2012-07-31 08:10 96256 c:\windows\.jagex_cache_32\runescape\jaggl.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 96256 c:\windows\.jagex_cache_32\runescape\jaggl.dll

- 2011-02-02 10:23 . 2012-07-31 08:10 80896 c:\windows\.jagex_cache_32\runescape\jagdx.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 80896 c:\windows\.jagex_cache_32\runescape\jagdx.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 81920 c:\windows\.jagex_cache_32\runescape\hw3d.dll

- 2011-02-02 10:23 . 2012-07-31 08:10 81920 c:\windows\.jagex_cache_32\runescape\hw3d.dll

+ 2012-04-02 09:46 . 2012-08-05 04:42 66048 c:\windows\.jagex_cache_32\browsercontrol.dll

- 2012-04-02 09:46 . 2012-07-31 08:09 66048 c:\windows\.jagex_cache_32\browsercontrol.dll

+ 2012-07-31 11:49 . 2009-03-07 18:35 2048 c:\windows\ie8updates\KB2598845-IE8\iecompat.dll

- 2011-12-14 01:58 . 2008-04-13 18:42 121856 c:\windows\system32\xmllite.dll

+ 2011-12-14 01:58 . 2009-01-07 08:21 121856 c:\windows\system32\xmllite.dll

+ 2009-03-07 18:34 . 2009-03-07 18:34 208384 c:\windows\system32\WinFXDocObj.exe

+ 2004-08-04 07:56 . 2009-03-07 18:34 236544 c:\windows\system32\webcheck.dll

+ 2004-08-04 07:56 . 2009-03-07 18:33 420352 c:\windows\system32\vbscript.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 105984 c:\windows\system32\url.dll

+ 2012-07-31 11:38 . 2012-06-02 05:19 577048 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.6.7600.256\wuapi.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 206848 c:\windows\system32\occache.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 611840 c:\windows\system32\mstime.dll

+ 2004-08-04 07:56 . 2009-03-07 18:34 193536 c:\windows\system32\msrating.dll

+ 2001-08-23 12:00 . 2009-03-07 18:22 156160 c:\windows\system32\msls31.dll

+ 2009-03-07 18:32 . 2012-05-11 14:42 629760 c:\windows\system32\msfeeds.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 265720 c:\windows\system32\msdbg2.dll

+ 2004-08-04 07:56 . 2009-03-07 18:33 726528 c:\windows\system32\jscript.dll

+ 2009-03-07 18:22 . 2009-03-07 18:22 164352 c:\windows\system32\ieui.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 184320 c:\windows\system32\iepeers.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 387584 c:\windows\system32\iedkcs32.dll

+ 2009-03-07 18:11 . 2009-03-07 18:11 445952 c:\windows\system32\ieapfltr.dll

+ 2001-08-23 12:00 . 2009-03-07 18:32 163840 c:\windows\system32\ieakui.dll

+ 2004-08-04 07:56 . 2009-03-07 18:33 229376 c:\windows\system32\ieaksie.dll

+ 2004-08-04 07:56 . 2009-03-07 18:33 125952 c:\windows\system32\ieakeng.dll

+ 2004-08-04 07:56 . 2012-05-11 11:38 174080 c:\windows\system32\ie4uinit.exe

+ 2004-08-04 07:56 . 2009-03-07 18:31 216064 c:\windows\system32\dxtrans.dll

+ 2004-08-04 07:56 . 2009-03-07 18:31 348160 c:\windows\system32\dxtmsft.dll

+ 2009-02-21 23:35 . 2012-06-04 07:35 210968 c:\windows\system32\dllcache\wuweb.dll

+ 2009-02-21 23:35 . 2012-06-02 05:19 329240 c:\windows\system32\dllcache\wucltui.dll

+ 2009-02-21 23:35 . 2012-06-02 05:19 577048 c:\windows\system32\dllcache\wuapi.dll

+ 2009-03-07 18:34 . 2012-05-16 15:08 916992 c:\windows\system32\dllcache\wininet.dll

+ 2009-03-07 18:34 . 2009-03-07 18:34 236544 c:\windows\system32\dllcache\webcheck.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 759296 c:\windows\system32\dllcache\VGX.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 420352 c:\windows\system32\dllcache\vbscript.dll

+ 2009-03-07 18:34 . 2012-05-11 14:42 105984 c:\windows\system32\dllcache\url.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 134144 c:\windows\system32\dllcache\sqmapi.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 474112 c:\windows\system32\dllcache\shlwapi.dll

+ 2009-03-07 18:34 . 2012-05-11 14:42 206848 c:\windows\system32\dllcache\occache.dll

+ 2009-03-07 18:32 . 2012-05-11 14:42 611840 c:\windows\system32\dllcache\mstime.dll

+ 2009-03-07 18:34 . 2009-03-07 18:34 193536 c:\windows\system32\dllcache\msrating.dll

+ 2001-08-23 12:00 . 2009-03-07 18:22 156160 c:\windows\system32\dllcache\msls31.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 726528 c:\windows\system32\dllcache\jscript.dll

+ 2009-03-08 04:09 . 2009-03-08 04:09 638816 c:\windows\system32\dllcache\iexplore.exe

+ 2009-03-07 18:31 . 2012-05-11 14:42 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 04:09 . 2012-05-11 14:42 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2001-08-23 12:00 . 2009-03-07 18:32 163840 c:\windows\system32\dllcache\ieakui.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 229376 c:\windows\system32\dllcache\ieaksie.dll

+ 2009-03-07 18:33 . 2009-03-07 18:33 125952 c:\windows\system32\dllcache\ieakeng.dll

+ 2009-03-07 18:32 . 2012-05-11 11:38 174080 c:\windows\system32\dllcache\ie4uinit.exe

+ 2009-03-07 18:31 . 2009-03-07 18:31 216064 c:\windows\system32\dllcache\dxtrans.dll

+ 2009-03-07 18:31 . 2009-03-07 18:31 348160 c:\windows\system32\dllcache\dxtmsft.dll

+ 2009-03-07 18:32 . 2009-03-07 18:32 128512 c:\windows\system32\dllcache\advpack.dll

+ 2004-08-04 07:56 . 2009-03-07 18:32 128512 c:\windows\system32\advpack.dll

+ 2012-07-31 11:49 . 2009-03-07 18:34 914944 c:\windows\ie8updates\KB982381-IE8\wininet.dll

+ 2012-07-31 11:49 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB982381-IE8\spuninst\updspapi.dll

+ 2012-07-31 11:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB982381-IE8\spuninst\spuninst.exe

+ 2012-07-31 11:49 . 2009-03-07 18:34 109568 c:\windows\ie8updates\KB982381-IE8\occache.dll

+ 2012-07-31 11:49 . 2009-03-07 18:32 611840 c:\windows\ie8updates\KB982381-IE8\mstime.dll

+ 2012-07-31 11:49 . 2009-03-07 18:32 594432 c:\windows\ie8updates\KB982381-IE8\msfeeds.dll

+ 2012-07-31 11:49 . 2009-03-07 18:33 246784 c:\windows\ie8updates\KB982381-IE8\ieproxy.dll

+ 2012-07-31 11:49 . 2009-03-07 18:31 183808 c:\windows\ie8updates\KB982381-IE8\iepeers.dll

+ 2012-07-31 11:49 . 2009-03-07 18:35 742912 c:\windows\ie8updates\KB982381-IE8\iedvtool.dll

+ 2012-07-31 11:49 . 2009-03-08 04:09 391536 c:\windows\ie8updates\KB982381-IE8\iedkcs32.dll

+ 2012-07-31 11:49 . 2009-03-07 18:32 173056 c:\windows\ie8updates\KB982381-IE8\ie4uinit.exe

+ 2012-07-31 11:50 . 2011-11-04 19:20 916992 c:\windows\ie8updates\KB2699988-IE8\wininet.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 105984 c:\windows\ie8updates\KB2699988-IE8\url.dll

+ 2012-07-31 11:50 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2699988-IE8\spuninst\updspapi.dll

+ 2012-07-31 11:50 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2699988-IE8\spuninst\spuninst.exe

+ 2012-07-31 11:50 . 2011-11-04 19:20 206848 c:\windows\ie8updates\KB2699988-IE8\occache.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 611840 c:\windows\ie8updates\KB2699988-IE8\mstime.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 602112 c:\windows\ie8updates\KB2699988-IE8\msfeeds.dll

+ 2012-07-31 11:50 . 2009-03-07 18:35 521216 c:\windows\ie8updates\KB2699988-IE8\jsdbgui.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 247808 c:\windows\ie8updates\KB2699988-IE8\ieproxy.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 184320 c:\windows\ie8updates\KB2699988-IE8\iepeers.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 743424 c:\windows\ie8updates\KB2699988-IE8\iedvtool.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 387584 c:\windows\ie8updates\KB2699988-IE8\iedkcs32.dll

+ 2012-07-31 11:50 . 2011-11-04 11:24 174080 c:\windows\ie8updates\KB2699988-IE8\ie4uinit.exe

+ 2012-07-31 11:49 . 2010-05-06 10:41 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll

+ 2012-07-31 11:49 . 2009-03-07 18:34 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll

+ 2012-07-31 11:49 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll

+ 2012-07-31 11:49 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe

+ 2012-07-31 11:49 . 2010-05-06 10:41 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 599040 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll

+ 2012-07-31 11:49 . 2010-05-05 13:30 173056 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe

+ 2012-07-31 11:49 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2598845-IE8\spuninst\updspapi.dll

+ 2012-07-31 11:49 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2598845-IE8\spuninst\spuninst.exe

+ 2012-07-31 11:47 . 2008-04-13 18:42 666112 c:\windows\ie8\wininet.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 276480 c:\windows\ie8\webcheck.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 851968 c:\windows\ie8\vgx.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 434176 c:\windows\ie8\vbscript.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 619520 c:\windows\ie8\urlmon.dll

+ 2012-07-31 11:48 . 2009-01-07 08:21 382496 c:\windows\ie8\spuninst\updspapi.dll

+ 2012-07-31 11:48 . 2009-01-07 08:20 231456 c:\windows\ie8\spuninst\spuninst.exe

+ 2012-07-31 11:47 . 2008-04-13 18:42 532480 c:\windows\ie8\mstime.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 146432 c:\windows\ie8\msrating.dll

+ 2012-07-31 11:47 . 2001-08-23 12:00 146432 c:\windows\ie8\msls31.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 449024 c:\windows\ie8\mshtmled.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 512000 c:\windows\ie8\jscript.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 251904 c:\windows\ie8\iepeers.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 323584 c:\windows\ie8\iedkcs32.dll

+ 2012-07-31 11:47 . 2001-08-23 12:00 221184 c:\windows\ie8\ieakui.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 216576 c:\windows\ie8\ieaksie.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 143360 c:\windows\ie8\ieakeng.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 205312 c:\windows\ie8\dxtrans.dll

+ 2012-07-31 11:47 . 2008-04-13 18:41 357888 c:\windows\ie8\dxtmsft.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 147456 c:\windows\.jagex_cache_32\runescape\jaclib.dll

- 2011-02-02 10:23 . 2012-07-31 08:10 147456 c:\windows\.jagex_cache_32\runescape\jaclib.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 1212416 c:\windows\system32\urlmon.dll

+ 2004-08-04 07:56 . 2012-05-11 14:42 6007808 c:\windows\system32\mshtml.dll

+ 2009-03-07 18:32 . 2012-05-11 14:42 2000384 c:\windows\system32\iertutil.dll

+ 2009-02-06 11:07 . 2009-02-06 11:07 3698584 c:\windows\system32\ieapfltr.dat

+ 2009-02-21 23:35 . 2012-06-02 05:19 1933848 c:\windows\system32\dllcache\wuaueng.dll

+ 2009-03-07 18:34 . 2012-05-11 14:42 1212416 c:\windows\system32\dllcache\urlmon.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 1497088 c:\windows\system32\dllcache\shdocvw.dll

+ 2009-03-07 18:41 . 2012-05-11 14:42 6007808 c:\windows\system32\dllcache\mshtml.dll

+ 2009-01-07 08:20 . 2009-01-07 08:20 1022976 c:\windows\system32\dllcache\browseui.dll

+ 2012-07-31 11:49 . 2009-03-07 18:34 1206784 c:\windows\ie8updates\KB982381-IE8\urlmon.dll

+ 2012-07-31 11:49 . 2009-03-07 18:41 5937152 c:\windows\ie8updates\KB982381-IE8\mshtml.dll

+ 2012-07-31 11:49 . 2009-03-07 18:32 1985024 c:\windows\ie8updates\KB982381-IE8\iertutil.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 1212416 c:\windows\ie8updates\KB2699988-IE8\urlmon.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 5978112 c:\windows\ie8updates\KB2699988-IE8\mshtml.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 2000384 c:\windows\ie8updates\KB2699988-IE8\iertutil.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 1209344 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 5950976 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 1985536 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll

+ 2012-07-31 11:47 . 2008-04-13 18:42 3066880 c:\windows\ie8\mshtml.dll

+ 2011-02-02 10:23 . 2012-08-05 04:42 1266688 c:\windows\.jagex_cache_32\runescape\sw3d.dll

+ 2011-02-18 07:34 . 2012-07-02 17:13 57442464 c:\windows\system32\MRT.exe

+ 2009-03-07 18:39 . 2012-05-11 10:12 11111424 c:\windows\system32\ieframe.dll

+ 2012-08-03 05:26 . 2012-08-03 05:26 20343808 c:\windows\Installer\3b2b23.msp

+ 2012-07-31 11:49 . 2009-03-07 18:39 11063808 c:\windows\ie8updates\KB982381-IE8\ieframe.dll

+ 2012-07-31 11:50 . 2011-11-04 19:20 11081728 c:\windows\ie8updates\KB2699988-IE8\ieframe.dll

+ 2012-07-31 11:49 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F.lux"="c:\documents and settings\Andy\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]

"WinSys2"="c:\windows\system32\winsys2.exe" [2007-10-30 208896]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-03-08 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-03-08 13881448]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"GW Port Controller"="c:\program files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 163840]

"nwiz"="nwiz.exe" [2008-05-02 1630208]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ASRock WiFi-802.11g.lnk - c:\program files\ASRock WiFi-802.11g\RtWLan.exe [2009-2-22 978944]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dota 2 beta\\dota.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"56200:TCP"= 56200:TCP:Pando Media Booster

"56200:UDP"= 56200:UDP:Pando Media Booster

.

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/13/2012 6:20 PM 12184]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/31/2012 2:50 PM 655944]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/15/2011 11:06 AM 88576]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 5:56 PM 5120]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/31/2012 2:50 PM 22344]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2/22/2009 10:17 AM 269824]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2/22/2009 10:17 AM 13532]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1558000]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 3:11 PM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 3:11 PM 136176]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/29/2011 4:24 PM 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 5:01 PM 21248]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 05:11]

.

2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 05:11]

.

2012-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-746137067-839522115-1003Core.job

- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-11 08:54]

.

2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-746137067-839522115-1003UA.job

- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-11 08:54]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\v79js9jf.default\

FF - prefs.js: browser.startup.homepage - hxxp://192.168.1.1/cgi-bin/webcm?var%3Amain=menu&var%3Astyle=style5&getpage=%2Fusr%2Fwww_safe%2Fhtml%2Fdefs%2Fstyle5%2Fmenus%2Fmenu.html&errorpage=%2Fusr%2Fwww_safe%2Fhtml%2Fdefs%2Fstyle5%2Fmenus%2Fmenu.html&var%3Apagename=fwan&var%3Agetpagenext=&var%3Aerrorpagename=&var%3Amenu=advanced&var%3Amenutitle=Advanced&var%3Apagetitle=Port+Forwarding&var%3Apagemaster=fwan&var%3Aconid=connection2&var%3Alanip=192.168.1.2&var%3Anew=&var%3Arule=&var%3Acategory=categoryU&connection0%3Afwan%3Asettings%2Fping%2Fstate=&var%3Alangrp=lan0

FF - prefs.js: network.proxy.http - proxy.tpg.com.au

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-05 19:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1343024091-746137067-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:c6,79,ec,bf,3a,76,48,c0,d9,16,5c,a4,e0,c6,24,b4,b8,0b,c3,2f,c3,

ae,67,95,e1,62,68,77,18,f3,1c,f2,36,ab,ca,43,b7,ec,b8,e1,f3,0b,78,f5,e4,24,\

"rkeysecu"=hex:a5,08,18,2e,4c,45,0d,8b,c0,84,c1,5c,c6,43,4a,b0

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(728)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

- - - - - - - > 'explorer.exe'(3220)

c:\windows\system32\WININET.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\System32\TUProgSt.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msdtc.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2012-08-05 19:48:54 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-05 09:48

ComboFix2.txt 2012-07-31 10:43

.

Pre-Run: 42,111,741,952 bytes free

Post-Run: 41,993,736,192 bytes free

.

- - End Of File - - B21814F7FCD4EF588199F55B09344AB0


Good! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


log.txt

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=462564931c313e4f9bdd64b7f8b6cab1

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-08-06 08:18:37

# local_time=2012-08-06 06:18:37 (+1000, AUS Eastern Standard Time)

# country="Australia"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=118306

# found=11

# cleaned=11

# scan_time=2577

C:\Documents and Settings\Andy\My Documents\Download\MsgPlusLive-482.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Andy\My Documents\Download\Fairstars\keygen.exe probably a variant of Win32/Agent.BUYFMNU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Andy\My Documents\Download\mIRC\Crack\mirc.exe Win32/PSW.Agent.NLY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Andy\My Documents\Download\Warcraft\BNetGatewayEditor.exe Win32/Virut.NBP virus (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Andy\My Documents\Soul Eater\Assassin's creed\ACR+11Tr-LNG.exe a variant of Win32/Packed.VMProtect.AAH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\High School\eco\i-cms.htm HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

F:\High School\eco\Web Design Brisbane, Website Design Brisbane, Search Engine Optimisation - Web Page Development Agency Australia.htm HTML/TrojanClicker.IFrame.NAP virus (cleaned - quarantined) 00000000000000000000000000000000 C

F:\High School\eco\Yr 12\rudd-pumps-47b-into-infrastructure-20081212-6x7v.html HTML/TrojanClicker.IFrame.NAP virus (cleaned - quarantined) 00000000000000000000000000000000 C

F:\High School\eco\Yr 12\us-jobs-market-faces-next-big-hit-20090109-7dk7.html HTML/TrojanClicker.IFrame.NAP virus (cleaned - quarantined) 00000000000000000000000000000000 C

F:\High School\eco\Yr 12\us-unemployment-surges-to-16year-high-20090110-7du3.html HTML/TrojanClicker.IFrame.NAP virus (cleaned - quarantined) 00000000000000000000000000000000 C

F:\High School\HSC MM\Assesment Tasks\Project Parts\Parts\Misc\hologram.html HTML/TrojanClicker.IFrame.NAP virus (cleaned - quarantined) 00000000000000000000000000000000 C


Yeah, it's working fine at the moment :) No more Google redirects, and my Java works now.


Glad I could help! :)

Before we finish, could you please compress the following folder using WinRAR: C:\Qoobox\Quarantine, upload it somewhere (for example www.rapidshare.com), and then send me a download link via PM.

Thanks in advance!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.