Seven items are detected but not removed after reboot

[Terry Morin]

Thank you in advance for any assistance in removing the last of some pretty persistant malware

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:05:05 AM, on 21/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: (no name) - {AE624DCF-4037-40B8-BF98-3F715EC06963} - C:\WINDOWS\system32\catsrvp.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c985b06893e612) (gupdate1c985b06893e612) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 2335 bytes

mbam_log_2009_04_21__00_04_03_.txt

mbam_log_2009_04_21__00_04_03_.txt

[negster22]

Hi and Welcome!

I have pasted your log here but please do not attach items unless requested to do so.

Malwarebytes' Anti-Malware 1.36

Database version: 2017

Windows 5.1.2600 Service Pack 3

21/04/2009 12:04:08 AM

mbam-log-2009-04-21 (00-04-03).txt

Scan type: Quick Scan

Objects scanned: 82659

Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae624dcf-4037-40b8-bf98-3f715ec06963} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{ae624dcf-4037-40b8-bf98-3f715ec06963} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\catsrvp.dll (Trojan.BHO.H) -> No action taken.

===================

Did you hit the "remove selected" button in MBAM and then reboot afterward? These two entries in your HJT log, indicate MBAM has not completed its work.

O2 - BHO: (no name) - {AE624DCF-4037-40B8-BF98-3F715EC06963} - C:\WINDOWS\system32\catsrvp.dll

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Here is the correct procedure that you should follow:

• Relaunch Malwarebytes' Anti-Malware
• Select the Update tab -> Check for Updates
  
• After MBAM updates, select the Scanner tab.
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK -> Show Results to view the scan results.
  
• Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  
• When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
  

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

________________

Clean the clutter:

Download ATF Cleaner by Atribune

• Close Internet Explorer and any other open browsers
  
• Double-click ATF-Cleaner.exe to run the program.
  
• Under Main choose: Select All
  
• Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  
• NOTE: If you would like to keep your saved passwords, please click
  
• 
  
• No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

________________

Download DDS and save it to your desktop from here or here

Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

• When done, DDS will open two (2) logs:
  • DDS.txt
    
  • Attach.txt
    

  [*]Save both reports to your desktop

  [*]Please copy and paste both logs into your next reply,

===============================================================

Please post the new MBAM log,, the DDS scan reports, and a new HJT log.

[Terry Morin]

Items still remain. Here are my logs

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:30:05 PM, on 21/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: (no name) - {AE624DCF-4037-40B8-BF98-3F715EC06963} - C:\WINDOWS\system32\catsrvp.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c985b06893e612) (gupdate1c985b06893e612) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 1750 bytes

mbam_log_2009_04_21__17_26_45_.txt

DDS.txt

Attach.txt

mbam_log_2009_04_21__17_26_45_.txt

DDS.txt

Attach.txt

[negster22]

I stated above:

I have pasted your log here but please do not attach items unless requested to do so.

That still holds, please copy and paste all logs into you reply!

Did you edit your HJT log? It is very brief.

[Terry Morin]

I did not edit the hijack this log. Before installing malwarebytes i installed hijack this and removed some items. I am sorry for using the upload rather than copy and paste the logs - it won't happen again !

[Terry Morin]

Malwarebytes' Anti-Malware 1.36

Database version: 2022

Windows 5.1.2600 Service Pack 3

21/04/2009 5:26:45 PM

mbam-log-2009-04-21 (17-26-45).txt

Scan type: Quick Scan

Objects scanned: 79425

Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ae624dcf-4037-40b8-bf98-3f715ec06963} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ae624dcf-4037-40b8-bf98-3f715ec06963} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\catsrvp.dll (Trojan.BHO.H) -> Delete on reboot.

DDS (Ver_09-03-16.01) - NTFSx86

Run by Craig Selby at 17:18:57.85 on 21/04/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1581 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Craig Selby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/

BHO: {ae624dcf-4037-40b8-bf98-3f715ec06963} - c:\windows\system32\catsrvp.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 fjdjmgwh;fjdjmgwh;c:\windows\system32\drivers\fjdjmgwh.sys [2004-8-10 23424]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-15 55152]

R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]

S2 gupdate1c985b06893e612;Google Update Service (gupdate1c985b06893e612);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S3 Cdlinetb;Cdlinetb;c:\windows\system32\drivers\fdc.sys [2004-8-3 27392]

S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-04-21 00:04 <DIR> --d----- c:\program files\Trend Micro

2009-04-20 22:53 1,238 a------- c:\windows\system32\tmp.reg

2009-04-17 01:47 55,640 a------- c:\windows\system32\drivers\avgntflt.sys

2009-04-17 01:09 389,120 a------- c:\windows\system32\CF20342.exe

2009-04-17 01:08 389,120 a------- c:\windows\system32\CF20006.exe

2009-04-17 00:55 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-17 00:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-17 00:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-16 22:21 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-04-16 22:21 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-04-13 01:19 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

2009-04-12 23:02 <DIR> --d----- c:\docume~1\craigs~1\applic~1\Malwarebytes

2009-04-12 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-12 05:52 <DIR> --d----- c:\windows\system32\XPSViewer

2009-04-12 05:52 117,760 -------- c:\windows\system32\prntvpt.dll

2009-04-12 05:52 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-12 05:52 <DIR> --d----- C:\94ef67d20e48c4ca9452ded76f

2009-04-12 05:52 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-04-12 05:52 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll

2009-04-12 05:52 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-12 05:52 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-04-12 05:52 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-12 05:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

2009-04-12 05:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2009-04-12 05:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2009-04-12 03:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-04-12 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-04-11 22:38 97,792 a------- c:\windows\system32\catsrvp.dll

==================== Find3M ====================

2009-03-21 08:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll

2009-03-06 08:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll

2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll

2009-03-02 18:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll

2009-02-27 22:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe

2009-02-20 04:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 04:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-02-19 23:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2009-02-09 06:10 729,088 a------- c:\windows\system32\lsasrv.dll

2009-02-09 06:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll

2009-02-09 06:10 714,752 a------- c:\windows\system32\ntdll.dll

2009-02-09 06:10 617,472 a------- c:\windows\system32\advapi32.dll

2009-02-09 06:10 401,408 a------- c:\windows\system32\rpcss.dll

2009-02-09 06:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll

2009-02-09 06:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll

2009-02-09 06:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll

2009-02-09 06:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

2009-02-09 06:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll

2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys

2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR

2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

2009-02-06 05:11 110,592 a------- c:\windows\system32\services.exe

2009-02-06 05:11 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-02-06 05:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 05:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe

2009-02-06 05:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 04:39 35,328 a------- c:\windows\system32\sc.exe

2009-02-06 04:39 35,328 -------- c:\windows\system32\dllcache\sc.exe

2009-02-06 04:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe

2009-02-06 04:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-06 04:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-02-03 13:59 56,832 a------- c:\windows\system32\secur32.dll

2009-02-03 13:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

2008-12-29 22:34 73,344 a------- c:\docume~1\craigs~1\applic~1\GDIPFONTCACHEV1.DAT

2008-08-31 22:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 17:19:41.65 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 30/09/2006 7:02:18 PM

System Uptime: 21/04/2009 5:16:22 PM (0 hours ago)

Motherboard: Dell Inc. | | 0XD720

Processor: Intel® Core2 CPU T7400 @ 2.16GHz | Microprocessor | 2161/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 107 GiB total, 64.508 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 17/04/2009 1:55:57 AM - System Checkpoint

RP2: 21/04/2009 8:37:55 AM - System Checkpoint

RP3: 21/04/2009 5:14:45 PM - Avira AntiVir Personal - 21/04/2009 17:14

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Photoshop 6.0

Adobe Photoshop CS

Adobe Reader 7.1.0

Adobe SVG Viewer 3.0

Apple Mobile Device Support

Apple Software Update

ATI Catalyst Control Center

ATI Display Driver

AutoUpdate

BitTornado 0.3.18

BlackBerry Desktop Software 4.2.1

Bonjour

Broadcom Management Programs

Canon PowerShot A40 WIA Driver

Choice Guard

Command & Conquer Generals

Command and ConquerTM Generals Zero Hour

Conexant HDA D110 MDC V.92 Modem

Critical Update for Windows Media Player 11 (KB959772)

Dell Media Experience

Dell Support 3.2

Dell System Restore

Dell Wireless WLAN Card

Digital Line Detect

DivX Codec

DivX Content Uploader

DivX Converter

DivX Player

DivX Web Player

DVD Shrink 3.2

Easy CD & DVD Creator 6

Google Update Helper

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix 2050 for SQL Server 2000 ENU (KB948110)

Hotfix 2055 for SQL Server 2000 ENU (KB960082)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

ImageMixer for HDD Camcorder

iTunes

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

Java 6 Update 11

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

Junk Mail filter update

Malwarebytes' Anti-Malware

Map Button (Windows Live Toolbar)

MCU

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Live Add-in 1.3

Microsoft Office Outlook 2003 with Business Contact Manager Update

Microsoft Office XP Professional with FrontPage

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Works

MobileMe Control Panel

Modem Helper

Mozilla Firefox (3.0.6)

MSVCRT

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

Musicmatch for Windows Media Player

NetWaiting

OneCare Advisor (Windows Live Toolbar)

Popup Blocker (Windows Live Toolbar)

PowerDVD 5.7

QuickSet

QuickTime

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Segoe UI

Smart Menus (Windows Live Toolbar)

Sonic Audio module

Sonic DLA

Sonic MyDVD LE

Sonic RecordNow Copy

Sonic RecordNow Data

Sonic Update Manager

Synaptics Pointing Device Driver

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Favorites for Windows Live Toolbar

Windows Live Mail

Windows Live Messenger

Windows Live Outlook Toolbar (Windows Live Toolbar)

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Toolbar Extension (Windows Live Toolbar)

Windows Live Upload Tool

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 10

Windows Media Player 11

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

20/04/2009 10:58:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV avgio avipbb cdudf_xp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:58:10 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

20/04/2009 10:57:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

17/04/2009 8:07:03 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

16/04/2009 10:49:59 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.

16/04/2009 10:49:59 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1c985b06893e612) service failed to start due to the following error: The system cannot find the path specified.

16/04/2009 10:49:58 PM, error: SRService [104] - The System Restore initialization process failed.

==== End Of File ===========================

[negster22]

[negster22]

[negster22]

Please download Combofix from one of these locations:

HERE or HERE

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it, but do not run Combofix yet - because I am going to have you launch it differently than is described in the tutorial.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Window firewall in the interim, until the scan is complete.

Running Combofix using CFSript

In the event you already have Combofix, please delete it as this is a new and updated version.

Note - do NOT run Combofix in the conventional manner by double- clicking its desktop shortcut.

Instead, I am going to have your launch it with a Script that specifically targets your malicious items.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::
Driver::fjdjmgwh
Registry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ae624dcf-4037-40b8-bf98-3f715ec06963}] 
Collect::[75]c:\windows\system32\catsrvp.dllc:\windows\system32\drivers\fjdjmgwh.sys
Extra::

Referring to the picture above, drag CFScript.txt into ComboFix.exe on your desktop.

This will cause ComboFix to run.

Please post back the log that is opens when it finishes called C:\Combofix.txt.

After Combofix has complete its run and generated a log file, you can re-enable your AV and firewall active protection.

Please post C:\Combofix.txt, a new MBAM log, and a new HJT log

[Terry Morin]

Wow ! It looks like did the trick .

I will certainly upgrade to the full version of this fantastic software.

Thank you very much

Terry

ComboFix 09-04-23.02 - Craig Selby 22/04/2009 23:01.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1667 [GMT -6:00]

Running from: c:\documents and settings\Craig Selby\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Craig Selby\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Craig Selby\Application Data\Microsoft\SystemCertificates\Request

c:\windows\system32\catsrvp.dll

c:\windows\system32\drivers\fjdjmgwh.sys

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FJDJMGWH

-------\Service_fjdjmgwh

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))

.

2009-04-22 07:18 . 2009-04-22 07:18 -------- d-----w c:\windows\system32\NtmsData

2009-04-22 06:51 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-22 06:51 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-17 07:47 . 2009-02-13 17:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-04-17 07:12 . 2009-04-17 07:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-17 04:23 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-17 04:23 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-17 04:23 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-17 04:23 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-17 04:23 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-17 04:23 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-17 04:23 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-17 04:23 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-17 04:23 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-17 04:23 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-17 04:21 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-17 04:21 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-04-13 09:28 . 2009-04-13 09:28 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-04-13 07:19 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat

2009-04-13 05:02 . 2009-04-13 05:02 -------- d-----w c:\documents and settings\Craig Selby\Application Data\Malwarebytes

2009-04-13 05:02 . 2009-04-13 05:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-12 20:18 . 2009-04-12 20:18 -------- d-----w c:\documents and settings\Craig Selby\Local Settings\Application Data\Symantec

2009-04-12 12:52 . 2009-04-12 12:52 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\windows\system32\XPSViewer

2009-04-12 11:52 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-12 11:52 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w C:\94ef67d20e48c4ca9452ded76f

2009-04-12 11:52 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll

2009-04-12 11:52 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-12 11:52 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll

2009-04-12 11:52 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll

2009-04-12 11:52 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-12 11:06 . 2009-04-12 11:06 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-04-12 11:05 . 2009-04-12 22:17 -------- d-----w c:\documents and settings\All Users\Application Data\Norton

2009-04-12 11:05 . 2009-04-12 11:05 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

2009-04-12 09:41 . 2009-04-17 04:45 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-12 04:29 . 2009-04-12 04:29 73928 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-23 05:01 . 2004-08-10 17:51 23424 ----a-w c:\windows\system32\drivers\btasjsuh.sys

2009-04-22 06:51 . 2009-04-22 06:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-21 06:04 . 2009-04-21 06:04 -------- d-----w c:\program files\Trend Micro

2009-04-17 04:45 . 2009-04-12 09:41 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-17 04:41 . 2008-08-27 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-04-17 04:41 . 2007-03-31 04:57 -------- d-----w c:\program files\Lavasoft

2009-04-12 20:08 . 2006-10-01 03:09 73928 ----a-w c:\documents and settings\Craig Selby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\program files\MSBuild

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\program files\Reference Assemblies

2009-04-10 01:49 . 2009-04-10 01:49 0 ----a-w c:\documents and settings\Craig Selby\Application Data\~eu37.tmp

2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\program files\iTunes

2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\program files\iPod

2009-03-19 04:01 . 2007-07-13 04:52 -------- d-----w c:\program files\Common Files\Apple

2009-03-19 04:00 . 2008-12-03 15:56 -------- d-----w c:\program files\QuickTime

2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Bonjour

2009-03-16 04:37 . 2009-03-16 04:33 -------- d-----w c:\program files\Microsoft

2009-03-16 04:37 . 2009-03-16 04:32 -------- d-----w c:\program files\Windows Live

2009-03-16 04:36 . 2006-11-20 02:36 -------- d-----w c:\program files\Windows Live Toolbar

2009-03-16 04:36 . 2009-03-16 04:36 -------- d-----w c:\program files\Microsoft Sync Framework

2009-03-16 04:33 . 2007-02-04 00:31 -------- d-----w c:\program files\MSN Messenger

2009-03-16 04:32 . 2009-03-16 04:32 -------- d-----w c:\program files\Windows Live SkyDrive

2009-03-16 03:48 . 2009-03-16 03:48 -------- d-----w c:\program files\Common Files\Windows Live

2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 04:39 . 2007-12-20 14:23 -------- d-----w c:\documents and settings\Craig Selby\Application Data\U3

2009-03-03 00:18 . 2006-09-22 06:58 826368 ----a-w c:\windows\system32\dllcache\wininet.dll

2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 04:54 . 2006-10-17 20:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe

2009-02-27 04:28 . 2008-05-22 03:29 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-20 10:20 . 2007-05-09 13:55 13824 ------w c:\windows\system32\dllcache\ieudinit.exe

2009-02-20 10:20 . 2006-10-27 09:44 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 05:14 . 2006-10-27 09:42 161792 ------w c:\windows\system32\dllcache\ieakui.dll

2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2008-10-15 04:17 1846784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-08 01:02 . 2008-10-15 04:15 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-07 01:03 . 2009-02-07 01:03 307576 ----a-w c:\windows\WLXPGSS.SCR

2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll

2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:08 . 2008-10-15 04:15 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 11:06 . 2008-10-15 04:15 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe

2009-02-06 10:32 . 2008-10-15 04:15 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll

2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll

2008-12-30 04:34 . 2007-02-14 15:21 73344 ----a-w c:\documents and settings\Craig Selby\Application Data\GDIPFONTCACHEV1.DAT

2006-10-01 01:03 . 2006-10-01 01:03 134 ----a-w c:\documents and settings\Craig Selby\Local Settings\Application Data\fusioncache.dat

2006-09-22 07:14 . 2009-04-12 02:26 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

2008-09-01 04:24 . 2008-09-01 04:24 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=

"c:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8383:TCP"= 8383:TCP:TINYPROXY

"53:TCP"= 53:TCP:TINYPROXY

"8484:TCP"= 8484:TCP:TINYPROXY

R3 Cdlinetb;Cdlinetb;c:\windows\system32\drivers\fdc.sys [2008-04-13 27392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FJDJMGWH

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8147cd6f-af04-11dc-86c9-0015c5b4807e}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-22 23:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-23 23:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-23 05:07

Pre-Run: 69,526,175,744 bytes free

Post-Run: 69,427,400,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

193 --- E O F --- 2009-04-17 04:36

Malwarebytes' Anti-Malware 1.36

Database version: 2024

Windows 5.1.2600 Service Pack 3

22/04/2009 11:11:43 PM

mbam-log-2009-04-22 (23-11-43).txt

Scan type: Quick Scan

Objects scanned: 79409

Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:15 PM, on 22/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c985b06893e612) (gupdate1c985b06893e612) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 2003 bytes

[negster22]

Good job, and thank you for your support for MBAM!

I can see in the Combofix log that a malicious driver has morphed and reappeared so we have to run Combofix with CFscript again.

First, delete the CFScript on your desktop.

I am going to have your launch Combofix as before, but with a new Script that specifically targets your new malicious items.

• Close any open browsers.
  
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::
Driver::FJDJMGWHbtasjsuh
File::c:\windows\system32\drivers\btasjsuh.sysc:\windows\system32\drivers\FJDJMGWH.sys
DirLook::c:\windows\system32\NtmsData

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe on your desktop.

This will cause ComboFix to run.

Please post back the log that is opens when it finishes.

Can you please post these two logs:

C:\Combofix.txt

C:\Qoobox\ComboFix-quarantined-files.txt

Thank you!

[Terry Morin]

Whoops! Began the celebration early I see. You probably noticed I reinstalled my Windows One Care but hopefully disabled as requested. Here are the logs

ComboFix 09-04-25.03 - Craig Selby 24/04/2009 20:49.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1510 [GMT -6:00]

Running from: c:\documents and settings\Craig Selby\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Craig Selby\Desktop\CFScript.txt

AV: Windows Live OneCare *On-access scanning disabled* (Updated)

FW: Windows Live OneCare Firewall *disabled*

FILE ::

c:\windows\system32\drivers\btasjsuh.sys

c:\windows\system32\drivers\FJDJMGWH.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\btasjsuh.sys

.

2009-04-23 05:02:17 . 2009-04-23 05:02:17 2,510 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_UACd.sys.reg.dat

2009-04-23 05:02:17 . 2009-04-23 05:02:17 6,070 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_fjdjmgwh.reg.dat

2009-04-23 05:02:17 . 2009-04-25 02:50:57 806 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_FJDJMGWH.reg.dat

2009-04-23 05:02:11 . 2009-04-25 02:50:51 7,614 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-04-23 05:01:07 . 2009-04-23 05:01:07 507 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_fjdjmgwh_.sys.zip

2009-04-23 05:01:07 . 2009-04-23 05:01:07 587 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_catsrvp_.dll.zip

2009-04-23 05:01:01 . 2009-04-23 05:01:02 12,162 ----a-w C:\Qoobox\Quarantine\[75]-Submit_2009-04-23@23.00.zip

2009-04-23 04:54:35 . 2009-04-25 02:48:22 507 ----a-w C:\Qoobox\Quarantine\catchme.log

2009-04-21 04:53:27 . 2009-04-21 04:58:48 1,238 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir

2009-04-12 04:38:57 . 2009-04-12 23:39:45 97,792 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\catsrvp.dll.vir

2004-08-10 17:51:17 . 2009-04-23 05:01:02 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\btasjsuh.sys.vir

2004-08-10 17:51:17 . 2004-08-04 10:00:00 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fjdjmgwh.sys.vir

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FJDJMGWH

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))

.

2009-04-23 08:58 . 2009-04-23 08:59 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-04-23 07:33 . 2009-04-23 07:33 5 ----a-w c:\windows\system32\drivers\DELL_XPS_MM061 .MRK

2009-04-23 07:33 . 2009-04-23 07:33 5 ----a-w c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK

2009-04-23 07:33 . 2005-07-08 19:19 666 ----a-w c:\windows\speed.reg

2009-04-23 07:23 . 2007-10-10 01:17 416 ----a-w c:\windows\system32\vcredist_x86.bat

2009-04-23 07:23 . 2007-10-10 01:17 2682880 ----a-w c:\windows\system32\vcredist_x86.exe

2009-04-23 07:22 . 2009-04-23 07:22 22729 ----a-w C:\newkey

2009-04-23 07:22 . 2009-04-23 07:22 22729 ----a-w C:\newfile.enc

2009-04-23 07:12 . 2009-04-23 07:12 -------- d-----w c:\documents and settings\Craig Selby\Local Settings\Application Data\SupportSoft

2009-04-23 07:10 . 2009-04-23 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft

2009-04-23 07:10 . 2009-04-23 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\PCDr

2009-04-23 07:10 . 2009-04-23 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\PC-Doctor

2009-04-23 07:09 . 2009-04-23 07:12 -------- d-----w c:\documents and settings\All Users\Application Data\Dell

2009-04-23 07:05 . 2007-08-21 15:58 146944 ----a-w c:\windows\system32\st325602.dll

2009-04-23 07:04 . 2009-04-23 07:04 -------- d-----w c:\documents and settings\Craig Selby\Application Data\InstallShield

2009-04-23 07:02 . 2008-04-13 18:36 8832 ----a-w c:\windows\system32\drivers\wmiacpi.sys

2009-04-23 07:02 . 2008-04-13 18:36 8832 ----a-w c:\windows\system32\dllcache\wmiacpi.sys

2009-04-23 06:50 . 2009-04-23 06:50 -------- d-----w c:\documents and settings\Craig Selby\Local Settings\Application Data\Identities

2009-04-23 06:49 . 2009-04-23 06:49 -------- d-----w c:\documents and settings\Craig Selby\Application Data\Windows Desktop Search

2009-04-23 06:49 . 2009-04-23 06:49 -------- d-----w c:\windows\system32\GroupPolicy

2009-04-23 06:48 . 2008-03-07 17:02 98304 ------w c:\windows\system32\dllcache\nlhtml.dll

2009-04-23 06:48 . 2008-03-07 17:02 29696 ------w c:\windows\system32\dllcache\mimefilt.dll

2009-04-23 06:48 . 2008-03-07 17:02 192000 ------w c:\windows\system32\dllcache\offfilt.dll

2009-04-23 05:27 . 2007-11-28 04:56 91328 ----a-w c:\windows\system32\drivers\msfwdrv.sys

2009-04-23 05:27 . 2007-11-28 04:56 116416 ----a-w c:\windows\system32\drivers\msfwhlpr.sys

2009-04-23 05:26 . 2008-05-15 22:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys

2009-04-22 07:18 . 2009-04-22 07:18 -------- d-----w c:\windows\system32\NtmsData

2009-04-22 06:51 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-22 06:51 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-17 07:47 . 2009-02-13 17:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-04-17 07:12 . 2009-04-17 07:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-17 04:23 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-17 04:23 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-17 04:23 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-17 04:23 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-17 04:23 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-17 04:23 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-17 04:23 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-17 04:23 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-17 04:23 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-17 04:23 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-17 04:21 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-17 04:21 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-04-13 09:28 . 2009-04-13 09:28 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-04-13 07:19 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat

2009-04-13 05:02 . 2009-04-13 05:02 -------- d-----w c:\documents and settings\Craig Selby\Application Data\Malwarebytes

2009-04-13 05:02 . 2009-04-13 05:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-12 20:18 . 2009-04-12 20:18 -------- d-----w c:\documents and settings\Craig Selby\Local Settings\Application Data\Symantec

2009-04-12 12:52 . 2009-04-12 12:52 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\windows\system32\XPSViewer

2009-04-12 11:52 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-12 11:52 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w C:\94ef67d20e48c4ca9452ded76f

2009-04-12 11:52 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll

2009-04-12 11:52 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-12 11:52 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll

2009-04-12 11:52 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll

2009-04-12 11:52 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-12 11:06 . 2009-04-12 11:06 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-04-12 11:05 . 2009-04-12 22:17 -------- d-----w c:\documents and settings\All Users\Application Data\Norton

2009-04-12 11:05 . 2009-04-12 11:05 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller

2009-04-12 09:41 . 2009-04-17 04:45 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-12 04:29 . 2009-04-12 04:29 73928 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-25 02:41 . 2009-04-23 05:23 -------- d-----w c:\program files\Microsoft Windows OneCare Live

2009-04-23 08:59 . 2009-04-23 08:58 -------- d-----w c:\program files\iTunes

2009-04-23 08:59 . 2009-04-23 08:59 -------- d-----w c:\program files\iPod

2009-04-23 08:58 . 2007-07-13 04:52 -------- d-----w c:\program files\Common Files\Apple

2009-04-23 07:43 . 2006-09-22 07:03 -------- d-----w c:\program files\Broadcom

2009-04-23 07:38 . 2009-04-23 07:38 -------- d-----w c:\program files\DIFX

2009-04-23 07:33 . 2006-09-22 06:59 -------- d-----w c:\program files\Dell

2009-04-23 07:27 . 2009-04-23 07:27 -------- d-----w c:\program files\Intel

2009-04-23 07:10 . 2009-04-23 07:09 -------- d-----w c:\program files\Dell Support Center

2009-04-23 07:09 . 2009-04-23 07:09 -------- d-----w c:\program files\Common Files\supportsoft

2009-04-23 07:06 . 2009-04-23 07:06 304 ----a-w c:\windows\system32\drivers\sthdae.log

2009-04-23 07:05 . 2006-09-22 07:02 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-23 06:49 . 2009-04-23 06:49 -------- d-----w c:\program files\Windows Desktop Search

2009-04-22 06:51 . 2009-04-22 06:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-21 06:04 . 2009-04-21 06:04 -------- d-----w c:\program files\Trend Micro

2009-04-17 04:45 . 2009-04-12 09:41 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-17 04:41 . 2008-08-27 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-04-17 04:41 . 2007-03-31 04:57 -------- d-----w c:\program files\Lavasoft

2009-04-12 20:08 . 2006-10-01 03:09 73928 ----a-w c:\documents and settings\Craig Selby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\program files\MSBuild

2009-04-12 11:52 . 2009-04-12 11:52 -------- d-----w c:\program files\Reference Assemblies

2009-04-10 01:49 . 2009-04-10 01:49 0 ----a-w c:\documents and settings\Craig Selby\Application Data\~eu37.tmp

2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-19 04:00 . 2008-12-03 15:56 -------- d-----w c:\program files\QuickTime

2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Bonjour

2009-03-16 04:37 . 2009-03-16 04:33 -------- d-----w c:\program files\Microsoft

2009-03-16 04:37 . 2009-03-16 04:32 -------- d-----w c:\program files\Windows Live

2009-03-16 04:36 . 2006-11-20 02:36 -------- d-----w c:\program files\Windows Live Toolbar

2009-03-16 04:36 . 2009-03-16 04:36 -------- d-----w c:\program files\Microsoft Sync Framework

2009-03-16 04:33 . 2007-02-04 00:31 -------- d-----w c:\program files\MSN Messenger

2009-03-16 04:32 . 2009-03-16 04:32 -------- d-----w c:\program files\Windows Live SkyDrive

2009-03-16 03:48 . 2009-03-16 03:48 -------- d-----w c:\program files\Common Files\Windows Live

2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 04:39 . 2007-12-20 14:23 -------- d-----w c:\documents and settings\Craig Selby\Application Data\U3

2009-03-03 00:18 . 2006-09-22 06:58 826368 ----a-w c:\windows\system32\dllcache\wininet.dll

2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 04:54 . 2006-10-17 20:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe

2009-02-27 04:28 . 2008-05-22 03:29 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-20 10:20 . 2007-05-09 13:55 13824 ------w c:\windows\system32\dllcache\ieudinit.exe

2009-02-20 10:20 . 2006-10-27 09:44 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 05:14 . 2006-10-27 09:42 161792 ------w c:\windows\system32\dllcache\ieakui.dll

2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2008-10-15 04:17 1846784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-08 01:02 . 2008-10-15 04:15 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-07 01:03 . 2009-02-07 01:03 307576 ----a-w c:\windows\WLXPGSS.SCR

2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll

2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:08 . 2008-10-15 04:15 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 11:06 . 2008-10-15 04:15 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe

2009-02-06 10:32 . 2008-10-15 04:15 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll

2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll

2008-12-30 04:34 . 2007-02-14 15:21 73344 ----a-w c:\documents and settings\Craig Selby\Application Data\GDIPFONTCACHEV1.DAT

2006-10-01 01:03 . 2006-10-01 01:03 134 ----a-w c:\documents and settings\Craig Selby\Local Settings\Application Data\fusioncache.dat

2006-09-22 07:14 . 2009-04-12 02:26 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

2008-09-01 04:24 . 2008-09-01 04:24 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\system32\NtmsData ----

2009-04-22 07:18 . 2009-04-22 07:18 816 ----a-w c:\windows\system32\NtmsData\NTMSREG

2009-04-22 07:18 . 2009-04-22 07:18 79496 ----a-w c:\windows\system32\NtmsData\NTMSIDX

2009-04-22 07:18 . 2009-04-22 07:18 110592 ----a-w c:\windows\system32\NtmsData\NTMSDATA

2009-04-22 07:18 . 2009-04-22 07:18 110592 ----a-w c:\windows\system32\NtmsData\NTMSDATA.BAK

((((((((((((((((((((((((((((( SnapShot@2009-04-23_05.04.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-12-02 06:46 . 2006-12-02 06:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll

+ 2006-12-02 06:08 . 2006-12-02 06:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll

+ 2006-12-02 06:26 . 2006-12-02 06:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll

+ 2006-12-02 06:25 . 2006-12-02 06:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll

+ 2006-12-02 04:56 . 2006-12-02 04:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll

+ 2005-09-23 05:49 . 2005-09-23 05:49 95744 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll

+ 2009-04-25 02:54 . 2009-04-25 02:54 16384 c:\windows\temp\Perflib_Perfdata_6c0.dat

+ 2009-04-25 02:52 . 2009-04-25 02:52 16384 c:\windows\temp\Perflib_Perfdata_12c.dat

+ 2008-05-27 04:18 . 2008-05-27 04:18 56320 c:\windows\system32\xmlfilter.dll

+ 2006-09-22 06:39 . 2007-10-10 01:17 24064 c:\windows\system32\WLTRYSVC.EXE

+ 2006-09-22 06:39 . 2007-10-10 01:17 65536 c:\windows\system32\wltrynt.dll

+ 2008-05-27 04:19 . 2008-05-27 04:19 97792 c:\windows\system32\UncCplExt.dll

+ 2006-09-22 07:02 . 2006-03-08 18:51 81920 c:\windows\system32\SynTPCo2.dll

- 2006-09-22 07:02 . 2006-03-08 16:51 81920 c:\windows\system32\SynTPCo2.dll

+ 2008-05-27 03:59 . 2008-05-27 03:59 18904 c:\windows\system32\structuredqueryschematrivial.bin

+ 2006-09-22 06:39 . 2004-09-03 16:00 90112 c:\windows\system32\snymsico.dll

- 2006-09-22 06:39 . 2005-10-14 13:40 90112 c:\windows\system32\snymsico.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 87552 c:\windows\system32\searchfilterhost.exe

+ 2008-05-27 04:18 . 2008-05-27 04:18 38400 c:\windows\system32\rtffilt.dll

- 2006-09-22 06:39 . 2005-10-14 13:40 16480 c:\windows\system32\rixdicon.dll

+ 2006-09-22 06:39 . 2005-05-07 01:06 16480 c:\windows\system32\rixdicon.dll

+ 2009-04-23 07:38 . 2005-10-14 13:40 28544 c:\windows\system32\ReinstallBackups\0027\DriverFiles\rimmptsk.sys

+ 2009-04-23 07:37 . 2005-10-14 13:40 16480 c:\windows\system32\ReinstallBackups\0026\DriverFiles\rixdicon.dll

+ 2009-04-23 07:37 . 2005-10-14 13:40 90112 c:\windows\system32\ReinstallBackups\0012\DriverFiles\snymsico.dll

+ 2009-04-23 07:37 . 2005-10-14 13:40 51328 c:\windows\system32\ReinstallBackups\0012\DriverFiles\rimsptsk.sys

+ 2008-05-27 04:18 . 2008-05-27 04:18 71680 c:\windows\system32\propdefs.dll

+ 2005-10-29 05:49 . 2005-10-29 05:49 84480 c:\windows\system32\pintool.exe

+ 2004-08-10 17:51 . 2009-04-23 07:24 87288 c:\windows\system32\perfc009.dat

+ 2008-05-27 04:19 . 2008-05-27 04:19 11264 c:\windows\system32\oephRes.dll

- 2004-08-10 17:51 . 2008-04-14 00:12 98304 c:\windows\system32\nlhtml.dll

+ 2004-08-10 17:51 . 2008-03-07 17:02 98304 c:\windows\system32\nlhtml.dll

+ 2008-05-27 04:18 . 2008-05-27 04:18 44032 c:\windows\system32\msstrc.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 32768 c:\windows\system32\mssprxy.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 87552 c:\windows\system32\mssitlb.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 11776 c:\windows\system32\msshooks.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 60416 c:\windows\system32\msscntrs.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 34816 c:\windows\system32\msscb.dll

+ 2004-08-10 18:01 . 2004-08-04 10:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat

- 2004-08-10 17:51 . 2008-04-14 00:11 29696 c:\windows\system32\mimefilt.dll

+ 2004-08-10 17:51 . 2008-03-07 17:02 29696 c:\windows\system32\mimefilt.dll

+ 2009-04-23 07:37 . 2006-11-14 23:35 37376 c:\windows\system32\DRVSTORE\rixdptsk_0D7A83C1B48CDC1DF8A41B44C97F2A9295350D76\rixdptsk.sys

+ 2009-04-23 07:37 . 2005-05-07 01:06 16480 c:\windows\system32\DRVSTORE\rixdptsk_0D7A83C1B48CDC1DF8A41B44C97F2A9295350D76\rixdicon.dll

+ 2009-04-23 07:37 . 2004-09-03 16:00 90112 c:\windows\system32\DRVSTORE\rimsptsk_160EAF8844DAFFD63505557B90B41496E64C136A\snymsico.dll

+ 2009-04-23 07:37 . 2006-11-15 01:42 43520 c:\windows\system32\DRVSTORE\rimsptsk_160EAF8844DAFFD63505557B90B41496E64C136A\rimsptsk.sys

+ 2009-04-23 07:37 . 2006-11-15 06:16 32256 c:\windows\system32\DRVSTORE\rimmptsk_01759BDBD4096A5241053A76A22A5A5BAC1000AE\rimmptsk.sys

+ 2009-04-23 05:27 . 2007-11-28 04:56 91328 c:\windows\system32\DRVSTORE\msfwdrv_8B7A77566FDBAD6964DFFFCFFDA27E97D55990D5\msfwdrv.sys

+ 2009-04-23 05:26 . 2008-05-15 22:15 53168 c:\windows\system32\DRVSTORE\mpfilter_7624CBE7EF3BB21A52F29BE608459E93D0D31F4C\mpfilter.sys

+ 2009-04-23 08:59 . 2009-03-19 22:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys

+ 2009-04-23 07:42 . 2006-11-21 10:25 45568 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys

+ 2009-04-23 07:42 . 2006-11-21 10:20 49507 c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys

+ 2008-02-13 23:16 . 2008-02-13 23:16 68080 c:\windows\system32\drvins64.exe

+ 2004-08-04 04:08 . 2008-04-13 18:45 49408 c:\windows\system32\drivers\stream.sys

- 2004-08-04 04:08 . 2008-04-13 18:45 49408 c:\windows\system32\drivers\stream.sys

+ 2006-09-22 06:39 . 2006-11-14 23:35 37376 c:\windows\system32\drivers\rixdptsk.sys

+ 2006-09-22 06:39 . 2006-11-15 01:42 43520 c:\windows\system32\drivers\rimsptsk.sys

+ 2006-09-22 06:39 . 2006-11-15 06:16 32256 c:\windows\system32\drivers\rimmptsk.sys

- 2006-09-22 06:39 . 2005-12-19 13:08 33664 c:\windows\system32\drivers\BCMWLNPF.SYS

+ 2006-09-22 06:39 . 2007-10-10 01:17 33664 c:\windows\system32\drivers\BCMWLNPF.SYS

+ 2006-09-22 06:39 . 2006-11-21 10:25 45568 c:\windows\system32\drivers\bcm4sbxp.sys

- 2006-09-22 07:02 . 2005-08-12 22:50 16128 c:\windows\system32\drivers\APPDRV.SYS

+ 2006-09-22 07:02 . 2005-08-12 23:50 16128 c:\windows\system32\drivers\APPDRV.SYS

+ 2004-08-04 04:08 . 2008-04-13 18:45 49408 c:\windows\system32\dllcache\stream.sys

+ 2006-09-22 07:00 . 2008-04-13 18:45 60160 c:\windows\system32\dllcache\drmk.sys

+ 2005-10-29 05:49 . 2005-10-29 05:49 25600 c:\windows\system32\bcsprsrc.dll

+ 2006-09-22 06:39 . 2007-10-10 01:17 69632 c:\windows\system32\bcmwlpkt.dll

- 2006-09-22 06:39 . 2005-12-19 13:08 69632 c:\windows\system32\bcmwlpkt.dll

+ 2005-10-28 22:40 . 2005-10-28 22:40 96792 c:\windows\system32\basecsp.dll

+ 2009-04-23 07:43 . 2009-04-23 07:43 40960 c:\windows\Installer\{C99C0593-3B48-41D9-B42F-6E035B320449}\NewShortcut1.FCA9991C_BA96_4189_B2BE_13852649CA68.exe

+ 2009-04-23 05:24 . 2009-04-23 05:24 10134 c:\windows\Installer\{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}\ARPPRODUCTICON.exe

+ 2008-05-27 04:19 . 2008-05-27 04:19 2048 c:\windows\system32\UncRes.dll

+ 2006-09-22 07:00 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\ksuser.dll

+ 2008-08-26 15:22 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat

+ 2008-08-26 15:22 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat

+ 2009-04-23 07:43 . 2009-04-23 07:43 3262 c:\windows\Installer\{C99C0593-3B48-41D9-B42F-6E035B320449}\ARPPRODUCTICON.exe

+ 2009-04-23 07:42 . 2009-04-23 07:42 3262 c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe

+ 2008-05-27 04:19 . 2008-05-27 04:19 131072 c:\windows\system32\UncPH.dll

+ 2008-05-27 04:19 . 2008-05-27 04:19 108032 c:\windows\system32\UncNE.dll

+ 2008-05-27 04:19 . 2008-05-27 04:19 143872 c:\windows\system32\UncDMS.dll

+ 2008-05-27 03:59 . 2008-05-27 03:59 106605 c:\windows\system32\structuredqueryschema.bin

+ 2006-09-22 06:39 . 2007-05-10 16:23 270336 c:\windows\system32\stacapi.dll

+ 2008-05-27 04:17 . 2008-05-27 04:17 301568 c:\windows\system32\srchadmin.dll

+ 2008-05-27 04:18 . 2008-05-27 04:18 184832 c:\windows\system32\searchprotocolhost.exe

+ 2008-05-27 04:18 . 2008-05-27 04:18 439808 c:\windows\system32\searchindexer.exe

+ 2009-04-23 07:37 . 2005-10-14 13:40 307968 c:\windows\system32\ReinstallBackups\0026\DriverFiles\rixdptsk.sys

+ 2009-04-23 07:23 . 2005-11-02 17:24 424320 c:\windows\system32\ReinstallBackups\0025\DriverFiles\BCMWL5.SYS

+ 2008-05-27 04:17 . 2008-05-27 04:17 754176 c:\windows\system32\propsys.dll

+ 2006-09-22 06:39 . 2007-10-10 01:17 139264 c:\windows\system32\preflib.dll

+ 2004-08-10 17:51 . 2009-04-23 07:24 482240 c:\windows\system32\perfh009.dat

+ 2004-08-10 17:51 . 2008-03-07 17:02 192000 c:\windows\system32\offfilt.dll

- 2004-08-10 17:51 . 2008-04-14 00:12 192000 c:\windows\system32\offfilt.dll

+ 2008-05-27 04:19 . 2008-05-27 04:19 273408 c:\windows\system32\oeph.dll

+ 2008-05-27 04:18 . 2008-05-27 04:18 203776 c:\windows\system32\mssphtb.dll

+ 2008-05-27 04:18 . 2008-05-27 04:18 350208 c:\windows\system32\mssph.dll

+ 2008-05-27 04:18 . 2008-05-27 04:18 231936 c:\windows\system32\msshsq.dll

+ 2005-10-29 05:49 . 2005-10-29 05:49 151552 c:\windows\system32\ifxcardm.dll

+ 2009-04-23 05:27 . 2007-11-28 04:56 116416 c:\windows\system32\DRVSTORE\msfwhlpr_0D06EB3A0072EC31805FD097692DFF987F98BDA6\msfwhlpr.sys

+ 2009-04-23 08:59 . 2008-04-17 18:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll

- 2004-03-16 16:58 . 2008-04-13 19:19 146048 c:\windows\system32\drivers\portcls.sys

+ 2004-03-16 16:58 . 2008-04-13 19:19 146048 c:\windows\system32\drivers\portcls.sys

+ 2004-03-16 16:58 . 2008-04-13 19:19 146048 c:\windows\system32\dllcache\portcls.sys

+ 2004-08-04 04:15 . 2008-04-13 19:16 141056 c:\windows\system32\dllcache\ks.sys

+ 2006-09-22 06:39 . 2007-10-10 01:17 278528 c:\windows\system32\bcmwlu00.exe

+ 2006-09-22 06:59 . 2007-10-10 01:17 806912 c:\windows\system32\BCMLogon.dll

+ 2006-09-22 06:39 . 2007-10-10 01:17 753664 c:\windows\system32\bcm1xsup.dll

+ 2005-10-29 05:49 . 2005-10-29 05:49 133120 c:\windows\system32\axaltocm.dll

+ 2006-09-22 07:00 . 2007-05-10 16:22 405504 c:\windows\stsystra.exe

+ 2009-04-23 08:59 . 2009-04-23 08:59 102400 c:\windows\Installer\{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}\iTunesIco.exe

+ 2006-12-02 06:25 . 2006-12-02 06:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll

+ 2006-12-02 06:25 . 2006-12-02 06:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll

+ 2006-09-22 06:39 . 2007-10-10 01:17 2183168 c:\windows\system32\WLTRAY.EXE

+ 2006-09-22 06:39 . 2007-10-10 01:17 2670592 c:\windows\system32\WLBCGCBPRO731.DLL

+ 2008-05-27 04:21 . 2008-05-27 04:21 1582592 c:\windows\system32\tquery.dll

+ 2006-09-22 07:00 . 2007-04-10 23:02 1601536 c:\windows\system32\stlang.dll

+ 2008-05-27 04:21 . 2008-05-27 04:21 1418240 c:\windows\system32\mssrch.dll

+ 2006-09-22 06:39 . 2007-05-10 16:24 1222840 c:\windows\system32\drivers\sthda.sys

+ 2006-09-22 06:39 . 2007-10-10 01:17 1123328 c:\windows\system32\drivers\BCMWL5.SYS

+ 2006-09-22 06:39 . 2007-10-10 01:17 1921024 c:\windows\system32\BCMWLTRY.EXE

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=

"c:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8383:TCP"= 8383:TCP:TINYPROXY

"53:TCP"= 53:TCP:TINYPROXY

"8484:TCP"= 8484:TCP:TINYPROXY

R2 gupdate1c985b06893e612;Google Update Service (gupdate1c985b06893e612); [x]

R3 Cdlinetb;Cdlinetb;c:\windows\system32\drivers\fdc.sys [2008-04-13 27392]

R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-07 533360]

S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-07 55152]

S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]

S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8147cd6f-af04-11dc-86c9-0015c5b4807e}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-24 20:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\wscntfy.exe

c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

c:\program files\Microsoft Windows OneCare Live\winss.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-04-25 20:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-25 02:57

Pre-Run: 68,152,381,440 bytes free

Post-Run: 68,155,973,632 bytes free

385 --- E O F --- 2009-04-17 04:36

[negster22]

That looks much better. How is your computer behaving now?

Now that you got OneCare reinstalled, let's disable it temporarily and get a second opinion with an online scanner:

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
  
• Check the "Yes, I accept the terms of use" box.
  
• Click "Start"
  
• Check the following two boxes:
  • enable "Remove found threats"
    
  • Scan unwanted applications
    

  [*]Click the Scan button to begin scanning.

  [*]When the scan is done the log is automatically saved. To retrieve it

  • Close the ESET scan Window.
    
  • Now open a run line by clicking Start >> Run...
    
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
    
  • The Scan results will now display in Notepad
    

  [*]Please copy and paste the ESET scan report that can be found in this location

  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

[Terry Morin]

Hello again. My PC is running well, here is the log of the online scan

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=4035 (20090425)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=8588070099faa141962a78ea73ec90f9

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2009-04-26 02:33:17

# local_time=2009-04-25 08:33:17 (-0700, Mountain Daylight Time)

# country="Canada"

# osver=5.1.2600 NT Service Pack 3

# scanned=366736

# found=2

# scan_time=2073

C:\Qoobox\Quarantine\[75]-Submit_2009-04-23@23.00.zip Win32/BHO.EXT trojan (deleted) 00000000000000000000000000000000

C:\Qoobox\Quarantine\[75]-Submit_2009-04-23@23.00.zip

[negster22]

Good job, Terry! Your computer is clean now.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\combofix.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
  
• It will flush your system restore points and create a new restore point.
  
• It will rehide your system files and folders
  
• Reset your system clock
  

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!