PLEASE help me remove this virus or Malware. Thank you!

AdvancedSetup · June 11, 2009

Well now that you've reset the permissions lets try running this tool again.

Download FixPolicies.exe by Bill Castner and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

From within IE go to Tools/Internet Options/Advanced and click on the RESET button. Then quit IE.

Then try running this Anti-Virus scanner from Kaspersky.

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
[*]Click on My Computer under Scan and then put the kettle on!
[*]Once the scan is complete, it will display the results. Click on View Scan Report.
[*]You will see a list of infected items there. Click on Save Report As....
[*]Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
[*]Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

It could be that something is broken with MSCONFIG too so let me do some research and see if I can find anything on that.

AdvancedSetup · June 11, 2009

Is this the exact message you're getting?

"An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."

If so it could be due to yourself or someone else attempting to set a Service to Disabled that can not be disabled via MSCONFIG.

Start MSCONFIG and go to the SERVICES tab and try to click on ENABLE ALL and click OK and immediately reboot the computer.

myau · June 11, 2009

Yes. I tried that many times and it still doesn't work. From the beginning, I used the MSCONFIG to check to see if there were any weird stuff on the Startup Tab. It was so I tried to unchecked that weird Chinese Characters and then I clicked apply. This message showed up. "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." And I clicked ok the above message showed up again. And then it gives me a choice to select either restart or exit restart. I clicked restart. Since then I can't make any changes at all. Firefox acting kind of funny. Some of the website I went to is redirecting me to my internet provider site. When I use my Internet Explorer and my internet provider brower doesn't do that.

Should I just follow the steps on the massage you posted on 11pm? THANK YOU!

Here is the new log from Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.37

Database version: 2260

Windows 5.1.2600 Service Pack 3

6/10/2009 11:54:30 PM

mbam-log-2009-06-10 (23-54-30).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 266524

Time elapsed: 2 hour(s), 34 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

AdvancedSetup · June 11, 2009

Well let's try to take this one step at a time if we can.

Just try the SERVICES tab ONLY and nothing else - try to ENABLE ALL and let me know if you can do that or not.

myau · June 11, 2009

I tried it and it won't let me. It's giving me the same error message twice. THANK YOU!

AdvancedSetup · June 11, 2009

Okay, well let's try looking one more time for something hidden but I'm not so sure it there is.

STEP 01

Please download the following scanning tool. GMER

Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
Double click on
random named exe file
and run it.
It may take a minute to load and become available.
Do not make any changes. Click on the
SCAN
button and DO NOT use the computer while it's scanning.
Once the scan is done click on the
SAVE
button and browse to your Desktop and save the file as
GMER.LOG
Zip up the
GMER.LOG
file and save it as
gmerlog.zip
and attach it to your reply post.
DO NOT
directly post this log into a reply. You
MUST
attach it as a .ZIP file.
Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

STEP 02

RootRepeal - Rootkit Detector

Close ALL applications and as many items in the task tray that will stop and exit.

Please download the following tool:
RootRepeal - Rootkit Detector
Direct download link is here:
RootRepeal.rar
If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
WinRAR
Extract the program file to a new folder such as
C:\RootRepeal
Run the program
RootRepeal.exe
and go to the
REPORT
tab and click on the
Scan
button
Select
ALL
of the checkboxes and then click
OK
and it will start scanning your system.
If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
When done, click on
Save Report
Save it to the same location where you ran it from, such as
C:\RootRepeal
Save it as
your_name_rootrepeal.txt
- where your_name is your
forum name
This makes it more easy to track who the log belongs to.
Then open that log and select all and copy/paste it back on your next reply please.
Quit the RootRepeal program.

STEP 03

Please download Rootkit Revealer

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

STEP 04

Please visit this site for instructions on using this tool: Haxfix instructions - updated

You can download haxfix from site, or from Bleeping computer.

On both sites you will find always an updated version of the tool.

Follow the directions from that site and post back the log.

STEP 05

Please click here to download AVP Tool by Kaspersky.

Save it to your desktop.
Reboot your computer into SafeMode.
You can do this by restarting your computer and continually tapping the
F8
key until a menu appears.

Use your up arrow key to highlight SafeMode then hit
enter
.
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder.Click Next.
Hit ok at the prompt for scanning in Safe Mode.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.

System Memory
Startup Objects
Disk Boot Sectors.
My Computer.
Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.

Then choose OK again then you are back to the main screen.

Then click on Scan at the to right hand Corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be Neutralized then chooose The delete option when prompted.
After that is done click on the reports button at the bottom and save it to file name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

myau · June 11, 2009

I don't think I can run in Safe mode. Last time I ran it, it gives me some kind of warning and to reboot the computer on normal mode. But I will try it again.

AdvancedSetup · June 11, 2009

Then we may need to fix that. I'm going to bed though so I'll have to take this back up some time tomorrow.

myau · June 11, 2009

I forgot to ask. On step 4. I only need to get a log file right? I don't need to run auto fix?Thank You!

myau · June 11, 2009

I just tested the Safe Mode. Is it the Safe Mode suppose to have many lines something

like" multi(0)disk(0)........ and it is in black screen

before going to the Safe Mode? If it is then I can run it

in Safe Mode. I think maybe I added the Recovery console

then they let me boot on Safe Mode. I am not sure.I tried

Step 2 but it won't let me scan it and it crashes. I have

also attached the GMER log file. Thanks for explaining

the joke about the cat. Now I understand it. It is funny.

I hope you have a sweet dream. THANK YOU!

ROOTREPEAL CRASH REPORT

-------------------------

Exception Code: 0xc0000005

Exception Address: 0x00412d1a

Attempt to read from address: 0x00ee2004

AdvancedSetup · June 12, 2009

Please try to do steps 3 and 4 then and skip 2

GMER log looks fine.

myau · June 12, 2009

Hi I only did the log file, because I don't know if you want me to run autofix from HAXFIX. I have attached the log file for Rootkit Revealer. For some reason the Rootkit Revealer doesn't save correctly. I tried to save it on the desktop but then it shows up an alert saying something Rootkit Revealer program needs to be closed. It's kind of like frozen. It did that twice because I tried to scan it again. When I look for the log files on the desktop it doesn't show up. Then I run the Rootkit Revealer program again and click file save and clicked rootkitrevealer and then open. That's how I got the log file. I hope nothings wrong with it. I thought I should let you know. THANK YOU!

HAXFIX logfile - by Marckie

version 5.081

Thu 06/11/2009 21:59:52.79

running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files

a3d files not found

checking for matching notify keys

no matching notify keys found

checking for matching services

matching services found

Aspi32

checking for matching safeboot services

no matching safeboot services found

--- Checking for Goldun - Spybanker ---

checking for SSODL keys

no ssodl keys found

checking for notify keys

no notify keys found

checking for services

no services found

checking for random used files and services

-- these files are not necessarily malicious

-- scanning all folders

C:\I386\NETEL90A.INF

C:\I386\NETEL980.INF

C:\I386\EVENTVWR.EXE

C:\I386\LPRHELP.DLL

C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\startStopIS.dll

no matching random used services found

checking for browser helper objects

no known browser helper objects found

checking for appinit files

no files found

checking for possible infected files

please submit these file here: http://www.bleepingcomputer.com/submit-mal....php?channel=11

no files found

checking for Active Setup Installed Components

no known Active Setup Installed Components found

checking iexplore.exe

iexplore.exe is not infected

--- Checking for other Goldun, Spybanker and Haxdoor files ---

no other Haxdoor or Goldun files found

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1380.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-11 22:04:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\findstr.exe [2116] 0x82CD4840

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:000039d5

scanning hidden files ...

scan completed successfully

hidden processes: 1

hidden services: 0

hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!

AdvancedSetup · June 12, 2009

I thought I asked you to remove the following programs but I don't see that I did when looking back, so let's please take care of that now.

STEP 01

Please fully uninstall the following programs. Once we're done and your system is clean you can reinstall any of them you want.

If any are paid versions make sure you have the information required to reregister or activate them first.

BitTorrent 4.4.1

eMule

J2SE Runtime Environment 5.0 Update 3

LimeWire 4.12.11

Macromedia Shockwave Player

mIRC

ParetoLogic Anti-Spyware

ParetoLogic Privacy Controls

Shockwave

Then follow the directions below.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
AtJob::
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Driver::
sptd
File::
C:\Windows\System32\Drivers\sptd.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, download but (DO NOT install) the latest version from here. http://www.malwarebytes.org/mbam/program/mbam-setup.exe

STEP 04

Then FULLY DISABLE McAfee Anti-Virus (you may be able to set the Services to DISABLED using this method.)

Click on START - RUN and type in SERVICES.MSC and hit the OK button. Then scroll through all the services and locate all of them that are McAfee or NAI and set them to DISABLED

DO NOT try to stop the service, just write it down on a piece of paper the name and what its current startup type is set to, then set it to DISABLED and reboot the computer.

After the reboot NOW try to install MBAM - DO NOT try to register it if you have a license for it, just install it and try to update it.

Let me know how all of this goes.

myau · June 12, 2009

It was fine I guess. When I tried to uninstall mIRC it said it might be already uninstalled do you want me to take it out of the add/Remove and I clicked yes. Also I believe I have uninstall J2SE Runtime Environment 5.0 Update 3 and upgraded to 6, so I didn't uninstall JRE 6. Malwarebytes Anti-Malware lets me do updates and I also did a scan but found nothing. The problem is still the same. Those Characters looks different everytime I restart the computer. I went back and changed my McAfree to be enabled. Almost forgot to include the combofix logs. What should I do next? THANK YOU!

ComboFix 09-06-11.06 - Cindy06/12/2009 4:15.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.270 [GMT -5:00]

Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Cindy\Desktop\CFscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\System32\Drivers\sptd.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\RootRepeal.exe

.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))

.

2009-06-12 02:58 . 2009-06-12 03:19 -------- d-----w- C:\HaxFix

2009-06-12 02:58 . 2009-06-11 07:16 517790 ----a-w- C:\HaxFix.exe

2009-06-11 08:13 . 2009-06-11 08:13 -------- d-sh--w- c:\documents and settings\Administrator.SMILEFACE.000\IETldCache

2009-06-11 07:59 . 2009-06-11 07:59 0 ----a-w- C:\settings.dat

2009-06-11 05:31 . 2009-06-11 05:31 -------- d-sh--w- c:\documents and settings\Daniel\PrivacIE

2009-06-10 15:52 . 2009-06-12 09:14 -------- d-----w- c:\windows\system32\CatRoot2

2009-06-10 00:21 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-06-10 00:21 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-09 17:15 . 2009-06-09 17:15 -------- d-----w- c:\documents and settings\Cindy\DoctorWeb

2009-06-08 21:31 . 2009-06-08 21:31 -------- d-----w- c:\program files\ESET

2009-06-08 21:26 . 2009-06-08 21:26 -------- d-sh--w- c:\documents and settings\Cindy\PrivacIE

2009-06-08 21:14 . 2009-06-08 21:12 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-08 21:12 . 2009-06-08 21:12 -------- d-----w- c:\program files\Java

2009-06-08 20:36 . 2009-06-08 20:36 -------- d-----w- c:\program files\CCleaner

2009-06-06 23:11 . 2009-06-06 23:11 -------- d-----w- c:\program files\Trend Micro

2009-06-06 21:28 . 2009-06-06 21:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-06 15:04 . 2009-06-06 15:04 -------- d-----w- c:\documents and settings\Cindy\Application Data\Malwarebytes

2009-06-06 15:03 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-06 15:03 . 2009-06-06 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-06 15:03 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-06 15:03 . 2009-06-06 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-06 11:25 . 2009-06-06 11:25 -------- d-sh--w- c:\documents and settings\Daniel\IETldCache

2009-06-06 10:57 . 2009-06-06 11:17 -------- d-----w- c:\program files\XoftSpySE

2009-06-05 18:48 . 2009-06-05 18:48 -------- d-sh--w- c:\documents and settings\Cindy\IETldCache

2009-06-05 18:10 . 2009-06-05 18:45 -------- d-----w- c:\windows\SxsCaPendDel

2009-06-05 17:49 . 2009-06-05 17:49 -------- d-----w- c:\windows\ie8updates

2009-06-05 17:46 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-06-05 17:38 . 2009-06-05 17:46 -------- dc-h--w- c:\windows\ie8

2009-06-05 07:44 . 2009-06-05 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2009-06-05 07:40 . 2009-06-05 07:40 -------- d-----w- c:\documents and settings\Cindy\Local Settings\Application Data\Citrix

2009-06-05 07:39 . 2009-06-05 07:39 61224 ----a-w- c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe

2009-06-05 06:22 . 2009-06-05 06:22 49152 ----a-r- c:\documents and settings\Cindy\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe

2009-06-05 06:22 . 2009-06-05 06:22 49152 ----a-r- c:\documents and settings\Cindy\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-12 08:32 . 2007-09-14 06:17 -------- d-----w- c:\program files\ParetoLogic

2009-06-12 08:31 . 2008-02-09 18:38 -------- d-----w- c:\program files\eMule

2009-06-09 21:45 . 2005-01-21 17:31 -------- d-----w- c:\program files\Common Files\Motive

2009-06-08 08:16 . 2009-06-08 08:15 108856 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-08 03:46 . 2008-12-16 20:52 1457 ----a-w- c:\windows\AC6A35BD-5292-43f6-B548-5FE3C42C144C.bat

2009-06-05 07:40 . 2007-07-19 23:56 -------- d-----w- c:\program files\Citrix

2009-06-05 06:21 . 2008-12-16 20:34 -------- d-----w- c:\program files\McAfee

2009-05-14 19:16 . 2009-05-06 18:55 -------- d-----w- c:\program files\Coupons

2009-05-13 05:15 . 2005-06-18 04:49 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 21:23 . 2005-10-25 20:50 -------- d-----w- c:\documents and settings\Cindy\Application Data\Canon

2009-05-12 21:08 . 2009-02-17 11:09 266400 ----a-r- c:\documents and settings\Cindy\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-05 03:46 . 2009-05-04 23:48 -------- d-----w- c:\documents and settings\Cindy\Application Data\Nero

2009-05-04 23:31 . 2009-05-04 21:34 -------- d-----w- c:\program files\Common Files\Nero

2009-05-04 22:42 . 2009-05-04 21:37 -------- d-----w- c:\program files\Nero

2009-05-04 22:13 . 2009-05-04 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-05-04 20:36 . 2009-05-04 20:36 -------- d-----w- c:\program files\MSBuild

2009-05-04 20:35 . 2009-05-04 20:35 -------- d-----w- c:\program files\Reference Assemblies

2009-05-04 11:06 . 2009-05-04 11:06 -------- d-----w- c:\program files\Windows Sidebar

2009-04-17 12:26 . 2002-08-29 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-04-28 18:57 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2004-01-10 07:27 . 2004-01-10 07:27 693840 -c--a-w- c:\program files\wmv9VCMsetup.exe

2003-10-28 20:50 . 2003-10-28 20:50 5313488 -c--a-w- c:\program files\DivX51Bundle.exe

2003-10-23 02:56 . 2003-10-23 02:56 723963 -c--a-w- c:\program files\netvampire.zip

2003-10-06 20:32 . 2003-10-06 20:32 765 -c-ha-w- c:\program files\hpothb07.tif

2003-10-06 20:32 . 2003-10-06 20:32 452 -c-ha-w- c:\program files\hpothb07.dat

2003-08-16 03:02 . 2003-08-16 03:02 3120360 -c--a-w- c:\program files\Install_AIM.exe

2003-08-15 16:22 . 2003-08-15 15:51 9130944 -c--a-w- c:\program files\AdbeRdr60_enu.exe

2002-05-19 08:48 . 2003-10-28 19:42 102 -c--a-w- c:\program files\Readme.txt

2002-05-19 07:57 . 2003-10-28 19:42 944797 -c--a-w- c:\program files\wrar300.exe

2002-05-15 06:37 . 2003-10-28 19:42 473 -c--a-w- c:\program files\rarreg.key

2008-12-16 20:52 . 2008-12-16 20:54 94208 ----a-w- c:\program files\mozilla firefox\components\blsfflock.dll

2008-09-04 19:03 . 2008-09-04 19:03 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-09-04 19:03 . 2008-09-04 19:03 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-09-04 19:03 . 2008-09-04 19:03 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_04.12.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-12 09:26 . 2009-06-12 09:26 16384 c:\windows\temp\Perflib_Perfdata_604.dat

- 2002-08-29 10:00 . 2009-03-08 09:33 25600 c:\windows\SYSTEM32\jsproxy.dll

+ 2002-08-29 10:00 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\jsproxy.dll

+ 2006-05-10 05:22 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll

- 2006-05-10 05:22 . 2009-03-08 09:33 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll

- 2009-06-05 05:40 . 2009-06-08 01:15 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-06-05 05:40 . 2009-06-12 07:38 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-06-05 05:40 . 2009-06-12 07:38 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat

- 2009-06-05 05:40 . 2009-06-08 01:15 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat

+ 2002-09-30 10:11 . 2009-06-10 19:10 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2009-06-10 19:10 . 2009-06-10 19:10 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2009-06-05 17:24 . 2009-06-05 17:24 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe

+ 2009-04-03 23:01 . 2009-04-03 23:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNVP.DLL

+ 2009-04-03 22:57 . 2009-04-03 22:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12EXE.EXE

+ 2009-06-10 19:09 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll

+ 2009-06-10 19:09 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll

- 2002-09-30 10:11 . 2009-04-16 05:57 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 148888 c:\windows\SYSTEM32\javaws.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 144792 c:\windows\SYSTEM32\javaw.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 144792 c:\windows\SYSTEM32\java.exe

+ 2002-08-29 10:00 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\iedkcs32.dll

- 2002-08-29 10:00 . 2009-03-08 09:32 173056 c:\windows\SYSTEM32\ie4uinit.exe

+ 2002-08-29 10:00 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\ie4uinit.exe

- 2002-09-30 10:15 . 2009-06-05 18:45 336256 c:\windows\SYSTEM32\FNTCACHE.DAT

+ 2002-09-30 10:15 . 2003-05-20 05:00 336256 c:\windows\SYSTEM32\FNTCACHE.DAT

+ 2006-05-10 05:23 . 2009-05-13 05:15 915456 c:\windows\SYSTEM32\DLLCACHE\wininet.dll

+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\SYSTEM32\DLLCACHE\rpcrt4.dll

+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\SYSTEM32\DLLCACHE\localspl.dll

+ 2006-11-07 09:27 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll

+ 2006-11-07 09:26 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe

- 2006-11-07 09:26 . 2009-03-08 09:32 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe

- 2009-06-06 21:28 . 2009-06-06 17:35 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat

+ 2009-06-06 21:28 . 2009-06-10 19:41 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat

+ 2009-06-12 09:12 . 2009-06-12 09:12 389120 c:\windows\SYSTEM32\CF17690.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

+ 2009-06-10 19:09 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll

+ 2009-06-10 19:09 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll

+ 2009-06-10 19:09 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe

+ 2009-06-10 19:09 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll

+ 2009-06-10 19:09 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll

+ 2009-06-10 19:09 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe

+ 2005-09-02 20:19 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\urlmon.dll

+ 2005-10-04 17:19 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\mshtml.dll

- 2006-10-17 17:57 . 2009-03-08 09:32 1985024 c:\windows\SYSTEM32\iertutil.dll

+ 2006-10-17 17:57 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\iertutil.dll

+ 2008-10-15 17:44 . 2009-04-17 12:26 1847168 c:\windows\SYSTEM32\DLLCACHE\win32k.sys

+ 2006-05-10 05:23 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll

+ 2006-05-19 15:08 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

- 2007-05-10 06:30 . 2009-03-08 09:32 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll

+ 2007-05-10 06:30 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll

+ 2009-04-03 22:57 . 2009-04-03 22:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12CNV.DLL

+ 2009-06-10 19:09 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll

+ 2009-06-10 19:09 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll

+ 2009-06-10 19:09 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll

+ 2005-10-17 01:20 . 2009-06-01 16:51 23635392 c:\windows\SYSTEM32\MRT.exe

+ 2006-11-08 03:03 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\ieframe.dll

+ 2007-05-10 06:30 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll

+ 2009-04-03 23:01 . 2009-04-03 23:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNV.EXE

+ 2009-06-10 19:09 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-09-15 380928]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-31 185896]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-08 148888]

c:\documents and settings\Cindy\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-1-21 217088]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-7-14 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]

backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^MostFun.lnk]

backup=c:\windows\pss\MostFun.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]