View Full Version : Request for help
Hi,
my problem is that I can't open on my PC url www.microsoft.com, www.firefox.com and www.gmail.com. I tried to use the utility fixwareout. It solved the problem, but not at all. Some times after reboot the system, my problem appears again. I tried to use some antivirus and anti spam sw, but without any detections of inviders. I''ll appreciate your help. I'm enclosure requested logs.
Best Regards,
Boriak.
Enclosure
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:32, on 7.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199570164718
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 5988 bytes
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 08, 2008 12:03:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/01/2008
Kaspersky Anti-Virus database records: 503926
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\pilgrim\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 18741
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:09:11
Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A138872E-38FB-46AC-B10F-F7B7058FC96B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2008-01-11, 16:30
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I am having no problems opening those links? Have you resolved these issues yet? If not have a look here:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
Make sure you clean stored junk good, try this free tool: ATF Cleaner
http://www.atribune.org/content/view/19/2/
Your HJT log is showing nothing as is the Kaspersky scan, if those suggestions do not resolve your issue, post a new HJT log and let me know about any changes in the symptoms. We will try a few scans for hidden malware (rootkits)
Thanks
Hi,
thank you very much for your answer and for the instructions.
I've viewed and read the Procedure Before Requesting Assistance, I know that all advices are taking on my own risk.
I've read an article about the problems & solutions of IExplorer and run the utility ATF Cleaner. Neither of them solved my problem. So, under your instruction, I'm enclosure a new HJT log, and I'll will wait for your further advices.
Regards,
Boriak
Enclosure
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:13, on 14.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199570164718
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 6667 bytes
pskelley
2008-01-15, 14:16
Thanks for returning your feedback, let me say I see nothing in the HJT this logs that should be causing this and Kaspersky, one of the best scans, also shows nothing. So, we are looking for the proverbial needle in a haystack. I may want to see a log from Fixwareout again, but will want a fresh scan. Please remove that tool from your computer. First, a few questions:
1) Are these the only sites you are having problems with, seems you can get to Safer Networking without problems?
2) If that is the case, something may be blocking them. Open Internet Explorer > Tools > Internet Options > Security tab > click Restricted Sites > Sites > Under the word "Websites" make sure none of those three are in that box. Now close the Restricted Sites Window and click "Trusted Sites". One by one I want you to add those three websites into the box
"Add this website to the zone". They must be added in this format:
http://www.microsoft.com
http://www.firefox.com
http://www.gmail.com
copy and paste to be sure they are correct and click "Add" after each one then close, Apply and OK your way out.
3) Understand that the malware will almost always redirect you to what they want you to see, not prevent access.
4) Having said that, let's have Smitfraudfix take a look:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.txt
5) Another thing you can try is an alternate browser. If you do not have one installed, give this one a try.
http://www.mozilla.com/en-US/firefox/
Let me know how it goes
Thanks
Hi,
thank you for your reply. I had tried to do all steps you proposed, here are the results:
1) I have problems only to access the web pages www.microsoft.com; www.gmail.com; www.firefox.com
2) I checked in IE the trusted and untrusted sites, but in both of them were not requested pages included. So I add this pages into trusted sites, but without any effect to my problem.
4) I run the program Smitfraudfix. I enclosure a log from the scan.
I can solve my problem by run the utility Fixwareout (I enclosure requested log, too) or with a little help of IExplorer, which after non-success try to open e.g. www.microsoft.com offers me to run Diagnose Connection Problems. I enclosure log of this test, too.
The solution of my problem works, but only till some several reboots and then comes back.
I would accept this kind of solution, but I'm still aware, that my system has been infected with something more dangerous than I think... Let me tell you one more thing that before I asked for a help in this forum, I formated C: drive and generated new instalation of WIX XP system.
I'll be appreciate if you have another proposal how to solve this.
Regards,
BoriaK
Enclosure
SmitFraudFix v2.274 Log
Scan done at 13:21:38,76, so 19.01.2008
Run from C:\Documents and Settings\pilgrim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Verzia 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pilgrim
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pilgrim\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\pilgrim\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 194.98.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C44B5B00-088D-4485-8E8A-D5E2D2479A36}: DhcpNameServer=192.168.1.1 194.98.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C44B5B00-088D-4485-8E8A-D5E2D2479A36}: DhcpNameServer=192.168.1.1 194.98.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C44B5B00-088D-4485-8E8A-D5E2D2479A36}: DhcpNameServer=192.168.1.1 194.98.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 194.98.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Fixwareout log
Username "pilgrim" - 19.01.2008 14:45:51 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Vyrovnávacia pamäť prekladania DNS sa úspešne vyprázdnila.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"egui"="\"C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe\" /hide /waitservice"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"gemstrmw"="C:\\WINDOWS\\system32\\gemstrmw.exe /r"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ASUS SmartDoctor"="C:\\Program Files\\ASUS\\SmartDoctor\\\\SmartDoctor.exe /start"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
IE - Diagnose connection utility log
Last diagnostic run time: 01/19/08 10:14:42 HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
info HTTP: Successfully connected to www.microsoft.com.
info FTP (Passive): Successfully connected to ftp.microsoft.com.
info HTTPS: Successfully connected to www.microsoft.com.
DNS Client Diagnostic
DNS - Not a home user scenario
info Using Web Proxy: no
info Resolving name ok for (www.microsoft.com): yes
No DNS servers
DNS failure
Gateway Diagnostic
Gateway
info The following proxy configuration is being used by IE: Automatically Detect Settings:Disabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:
info This computer has the following default gateway entry(ies): 192.168.1.1
info This computer has the following IP address(es): 192.168.1.10
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
warn Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action Automated repair: Renew IP address
action Releasing the current IP address...
action Successfully released the current IP address
action Renewing the IP address...
action Successfully renewed the current IP address
info This computer has the following default gateway entry(ies): 192.168.1.1
info This computer has the following IP address(es): 192.168.1.10
info The default gateway is in the same subnet as this computer
info The default gateway entry is a valid unicast address
info The default gateway address was resolved via ARP in 1 try(ies)
info The default gateway was reached via ICMP Ping in 1 try(ies)
info TCP port 80 on host 207.46.19.254 was successfully reached
info The Internet host www.microsoft.com was successfully reached
info The default gateway is OK
IP Layer Diagnostic
Corrupted IP routing table
info The default route is valid
info The loopback route is valid
info The local host route is valid
info The local subnet route is valid
Invalid ARP cache entries
action The ARP cache has been flushed
IP Configuration Diagnostic
Invalid IP address
info Valid IP address detected: 192.168.1.10
Wireless Diagnostic
Wireless - Service disabled
Wireless - User SSID
Wireless - First time setup
Wireless - Radio off
Wireless - Out of range
Wireless - Hardware issue
Wireless - Novice user
Wireless - Ad-hoc network
Wireless - Less preferred
Wireless - 802.1x enabled
Wireless - Configuration mismatch
Wireless - Low SNR
WinSock Diagnostic
WinSock status
info All base service provider entries are present in the Winsock catalog.
info The Winsock Service provider chains are valid.
info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
info Provider entry RSVP UDP Service Provider passed the loopback communication test.
info Provider entry RSVP TCP Service Provider passed the loopback communication test.
info Connectivity is valid for all Winsock service providers.
Network Adapter Diagnostic
Network location detection
info Using home Internet connection
Network adapter identification
info Network connection: Name=Local Area Connection, Device=NVIDIA nForce Networking Controller, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=MSN, Device=, MediaType=PHONE, SubMediaType=NONE
info Ethernet connection selected
Network adapter status
info Network connection status: Connected
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
info FTP (Passive): Successfully connected to ftp.microsoft.com.
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12037 connecting to www.passport.net: The date in the certificate is invalid or has expired
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
pskelley
2008-01-19, 16:17
Most of the information you posted means nothing to me, I suggest you contact tech support at your Internet Service Provider, they should be able to help with connection issues.
Here also is the Google, perhaps something there will help:
http://www.google.com/search?hl=en&q=troubleshoot+connection+issues&btnG=Google+Search
Let's have a look for a hidden rootkit infection:
Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
Exit Blacklight and post the contents of the log in your next reply.
Thanks
Hi,
Thank you for your answer. I enclosure requested log from program BlackLight Engine.
BoriaK
Enclosure
01/19/08 16:38:06 [Info]: BlackLight Engine 1.0.67 initialized
01/19/08 16:38:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/19/08 16:38:06 [Note]: 7019 4
01/19/08 16:38:06 [Note]: 7005 0
01/19/08 16:38:11 [Note]: 7006 0
01/19/08 16:38:11 [Note]: 7022 0
01/19/08 16:38:11 [Note]: 7011 1088
01/19/08 16:38:11 [Note]: 7026 0
01/19/08 16:38:11 [Note]: 7026 0
01/19/08 16:38:13 [Note]: FSRAW library version 1.7.1024
01/19/08 16:39:41 [Note]: 2000 1012
01/19/08 16:39:41 [Note]: 2000 1012
01/19/08 16:39:41 [Note]: 2000 1012
01/19/08 16:43:02 [Note]: 7007 0
pskelley
2008-01-19, 17:29
That's clean, remove the Blacklight program from your computer. Let's have combofix take a look, I am about out of ideas.
Tutorial: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
Hi,
I enclosure requested CF's log, but dived into parts, because of the size of file. HJT's log follows.
Boriak
Enclosure
ComboFix - Part One
ComboFix 08-01-18.5 - pilgrim 2008-01-19 17:36:16.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.494 [GMT 1:00]
Running from: C:\Documents and Settings\pilgrim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.
2008-01-19 13:21 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-19 13:21 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-19 13:21 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-19 13:21 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-19 13:21 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-19 13:21 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-19 13:21 . 2008-01-19 17:25 2,136 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-19 10:01 . 2008-01-19 10:01 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-01-18 23:12 . 2008-01-19 10:16 <DIR> d-------- C:\Documents and Settings\pilgrim\SecurityScans
2008-01-17 19:29 . 2008-01-17 19:29 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\Windows Live Writer
2008-01-16 23:09 . 2008-01-16 23:09 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\SecondLife
2008-01-16 23:08 . 2008-01-16 23:12 <DIR> d-------- C:\Program Files\SecondLife
2008-01-16 22:53 . 2008-01-16 22:53 <DIR> d-------- C:\Documents and Settings\pilgrim\Contacts
2008-01-16 22:52 . 2008-01-16 22:52 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 22:48 . 2008-01-17 19:28 <DIR> d-------- C:\Program Files\Windows Live
2008-01-16 22:48 . 2008-01-16 22:51 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-16 22:48 . 2008-01-17 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-15 17:08 . 2008-01-15 17:08 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\Ahead
2008-01-15 17:08 . 2008-01-15 20:34 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-10 18:36 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-10 18:36 . 2008-01-10 18:36 384 --a------ C:\WINDOWS\ODBC.INI
2008-01-10 18:35 . 2008-01-10 18:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-10 18:34 . 2008-01-10 18:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-10 18:34 . 2008-01-10 18:34 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-09 00:31 . 2008-01-09 00:34 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-08 00:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 23:37 . 2008-01-07 23:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 23:37 . 2008-01-07 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 22:52 . 2008-01-07 22:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-07 19:08 . 2008-01-07 23:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-07 19:08 . 2008-01-07 23:15 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\SUPERAntiSpyware.com
2008-01-07 19:08 . 2008-01-07 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 19:06 . 2008-01-07 19:06 178,696 ---h----- C:\treeinfo.wc
2008-01-07 19:05 . 2008-01-07 19:33 385 --a------ C:\WINDOWS\WINCMD.INI
2008-01-07 11:19 . 2008-01-07 11:55 <DIR> d-------- C:\Documents and Settings\Boris\Application Data\OpenOffice.org2
2008-01-07 11:17 . 2008-01-07 11:17 <DIR> d-------- C:\Documents and Settings\Boris\Application Data\skypePM
2008-01-07 11:15 . 2008-01-07 11:18 <DIR> d-------- C:\Documents and Settings\Boris\Application Data\Skype
2008-01-07 11:14 . 2008-01-07 11:14 <DIR> d-------- C:\Documents and Settings\Boris\Application Data\ESET
2008-01-07 11:14 . 2006-02-28 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-07 10:55 . 2008-01-19 16:03 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\skypePM
2008-01-07 10:55 . 2008-01-07 10:55 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-07 10:53 . 2008-01-07 10:53 <DIR> d-------- C:\Program Files\Skype
2008-01-07 10:53 . 2008-01-07 10:53 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-07 10:53 . 2008-01-19 17:23 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\Skype
2008-01-07 10:53 . 2008-01-07 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-07 10:32 . 2008-01-07 10:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-07 10:12 . 2008-01-19 15:23 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\OpenOffice.org2
2008-01-07 10:10 . 2008-01-07 10:10 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-07 10:09 . 2008-01-07 10:09 <DIR> d-------- C:\Program Files\Java
2008-01-07 10:09 . 2008-01-07 10:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 10:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 21:48 . 2008-01-06 21:48 <DIR> d-------- C:\Program Files\Gemplus
2008-01-06 21:48 . 2008-01-06 21:48 <DIR> d-------- C:\Program Files\ComfortChip
2008-01-06 21:48 . 2002-10-04 11:21 61,776 --a------ C:\WINDOWS\system32\drivers\GTwinUSB.sys
2008-01-06 21:48 . 2003-04-02 20:14 24,576 --------- C:\WINDOWS\system32\gemstrmw.exe
2008-01-06 20:18 . 2008-01-06 20:34 <DIR> d-------- C:\Program Files\Microsoft Money 2005
2008-01-06 19:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 19:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 19:22 . 2008-01-06 19:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:22 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-06 19:22 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 17:34 . 2008-01-19 11:18 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-06 17:28 . 2008-01-06 17:28 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-06 11:28 . 2008-01-06 11:28 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-06 11:28 . 2008-01-06 11:28 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-06 11:18 . 2008-01-06 11:18 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\Sunbelt Software
2008-01-06 10:58 . 2007-10-11 00:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-06 10:58 . 2007-07-01 04:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-06 10:58 . 2007-07-01 04:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-06 10:58 . 2007-10-11 00:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-06 10:58 . 2007-10-11 00:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-06 10:58 . 2007-10-11 00:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-06 10:58 . 2007-10-11 00:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-06 10:58 . 2007-10-11 00:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-06 10:58 . 2007-10-10 11:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-06 03:01 . 2008-01-06 03:01 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-06 03:00 . 2008-01-06 03:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-06 02:40 . 2008-01-18 23:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-06 02:40 . 2008-01-06 02:40 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 02:27 . 2008-01-06 02:54 <DIR> d-------- C:\Program Files\RegClean
2008-01-06 02:27 . 2008-01-06 02:27 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\RegClean
2008-01-06 02:03 . 2008-01-06 02:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-06 01:53 . 2008-01-06 01:53 <DIR> d-------- C:\Documents and Settings\pilgrim\DoctorWeb
2008-01-06 01:08 . 2008-01-06 01:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-06 00:46 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-06 00:46 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-06 00:32 . 2008-01-06 00:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 00:32 . 2008-01-07 23:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 00:32 . 2008-01-10 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 00:14 . 2008-01-06 00:14 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\AdwareAlert
2008-01-06 00:07 . 2008-01-06 00:07 <DIR> d-------- C:\Documents and Settings\pilgrim\Application Data\MSNInstaller
2008-01-05 23:53 . 2005-07-22 11:43 2,973,696 --------- C:\WINDOWS\NuNinst.exe
2008-01-05 23:53 . 2005-07-25 10:53 101,504 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-01-05 23:53 . 2006-03-22 12:55 59,138 --------- C:\WINDOWS\NuNinst.cfg
2008-01-05 23:53 . 2005-07-25 10:53 29,696 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-01-05 23:53 . 2005-07-25 10:52 28,672 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-01-05 23:53 . 2005-07-25 10:53 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-01-05 23:50 . 2005-04-20 12:32 2,916,352 --------- C:\WINDOWS\UNNMP.exe
2008-01-05 23:50 . 2006-03-22 12:55 47,867 --------- C:\WINDOWS\UNNMP.cfg
2008-01-05 23:49 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
F ---
ComboFix's log - part two
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 19:44 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-05 21:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-05 21:25 --------- d-----w C:\Documents and Settings\pilgrim\Application Data\InterTrust
2008-01-05 21:10 7,296 --s---w C:\WINDOWS\system32\drivers\EIO.SYS
2008-01-05 21:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 21:10 --------- d-----w C:\Program Files\ASUS
2008-01-05 21:09 --------- d-----w C:\Program Files\My Company Name
2008-01-05 21:08 --------- d-----w C:\Program Files\ATI Technologies
2008-01-05 21:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-05 20:57 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 00:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 00:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 00:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 00:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-08_ 0.11.49,53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-19 09:40:29 32,768 ----a-w C:\WINDOWS\assembly\GAC\Common.OSVersion\1.0.1971.16453__1db7a4ab5d525f8f\Common.OSVersion.dll
+ 2008-01-19 09:08:55 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-19 09:08:58 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-19 09:08:50 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-01-19 09:08:59 483,840 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-19 09:08:53 3,036,160 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-01-19 09:08:59 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-19 09:08:59 113,664 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-01-19 09:08:58 261,120 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-01-19 09:08:52 5,431,296 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-19 09:08:54 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-19 09:08:52 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-01-19 09:08:55 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-19 09:08:57 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-19 09:08:57 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-19 09:08:57 6,656 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-19 09:09:00 348,160 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-01-19 09:09:00 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-01-19 09:09:00 655,360 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-01-19 09:09:00 77,824 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-01-19 09:08:57 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-19 09:08:57 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-01-19 09:08:57 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-01-19 09:08:59 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-19 09:08:56 671,744 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-19 09:08:51 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-01-19 09:08:59 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-19 09:08:55 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-19 09:08:55 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-19 09:08:58 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-01-19 09:08:58 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-19 09:08:52 425,984 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-01-19 09:08:53 741,376 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-01-19 09:08:53 933,888 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-01-19 09:09:01 5,070,848 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-19 09:09:00 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-01-19 09:08:54 401,408 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-19 09:08:59 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-19 09:08:51 630,784 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-19 09:08:59 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-19 09:08:59 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-19 09:08:58 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-19 09:08:58 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-19 09:08:51 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-19 09:08:51 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-19 09:08:54 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-19 09:08:54 90,112 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-19 09:08:54 839,680 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-19 09:08:55 5,013,504 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-19 09:08:51 2,068,480 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-01-19 09:08:53 3,076,096 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-19 10:05:24 27,136 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c6772fd12a581ad3be49e3f2a80b5622\Accessibility.ni.dll
+ 2008-01-19 10:05:27 884,736 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\a1d353edc300e3aff0784202f68a657b\AspNetMMCExt.ni.dll
+ 2008-01-19 10:05:29 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\c10ec9b4de2b366236ec83237dc31281\CustomMarshalers.ni.dll
+ 2008-01-19 10:05:28 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\837fe02bdcf637d5bf1e5ffb935ebb80\dfsvc.ni.exe
+ 2008-01-19 10:05:30 876,544 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\9710a3c0d11dd264c3a6b88977699e9b\Microsoft.Build.Engine.ni.dll
+ 2008-01-19 10:05:31 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e2858a45971fb30b0c0523dbb52c1d4e\Microsoft.Build.Framework.ni.dll
+ 2008-01-19 10:05:34 1,695,744 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\63d69ffdf3c640d2d104a4b74e8115f8\Microsoft.Build.Tasks.ni.dll
+ 2008-01-19 10:05:35 167,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\11cb5418c06e30100616fbf205588489\Microsoft.Build.Utilities.ni.dll
+ 2008-01-19 10:05:38 1,740,800 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\923bd55258380eae77353d36a5a1b08f\Microsoft.VisualBasic.ni.dll
+ 2008-01-19 09:14:26 11,722,752 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\32e6f703c114f3a971cbe706586e3655\mscorlib.ni.dll
+ 2008-01-19 10:05:40 1,011,712 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\eee9b48577689e92db5a7b5c5de98d9b\System.Configuration.ni.dll
+ 2008-01-19 09:15:01 7,049,216 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\5f669e819da7010c1dca347a25597c42\System.Data.ni.dll
+ 2008-01-19 10:05:42 1,798,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\c7dea4895e1fa33d65e448c03de48d26\System.Deployment.ni.dll
+ 2008-01-19 09:15:23 10,969,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\c1e16b40e30a05c39be8aee46311841c\System.Design.ni.dll
+ 2008-01-19 10:05:44 1,224,704 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\914668b240550f529e54bb772c6fc881\System.DirectoryServices.ni.dll
+ 2008-01-19 10:05:45 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f11bc82c09955cb8438d3885a99c297d\System.DirectoryServices.Protocols.ni.dll
+ 2008-01-19 09:15:26 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\b974f6c17d17a533adf6e7710c5a62fa\System.Drawing.Design.ni.dll
+ 2008-01-19 09:15:25 1,667,072 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\0e83aac37b2623f1a24c70979f31dd56\System.Drawing.ni.dll
+ 2008-01-19 10:05:46 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.ni.dll
+ 2008-01-19 10:05:46 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.Wrapper.dll
+ 2008-01-19 10:05:48 733,184 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\2b5994269cc5b996231c9b21afea9a91\System.Security.ni.dll
+ 2008-01-19 10:05:49 233,472 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\193ac978af569ad9ee45110b359961b9\System.ServiceProcess.ni.dll
+ 2008-01-19 10:05:50 679,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\12e0aa1030badf4524f897e3f57b037a\System.Transactions.ni.dll
+ 2008-01-19 10:06:09 2,342,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\37d87b3cab1c66ec4430ebb2abeaa570\System.Web.Mobile.ni.dll
+ 2008-01-19 10:06:10 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5b81faf46fc63c20d5339b36edd02fa\System.Web.RegularExpressions.ni.dll
+ 2008-01-19 10:06:13 1,986,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\38991368499e2109ea4099a0fe29c5a3\System.Web.Services.ni.dll
+ 2008-01-19 10:06:06 12,509,184 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\67cfb70213562afe2ca9b9066764af3a\System.Web.ni.dll
+ 2008-01-19 09:15:43 13,193,216 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3d8c79c45aa674e43f075e2e66b8caf5\System.Windows.Forms.ni.dll
+ 2008-01-19 09:15:53 5,771,264 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\c98cb65a79cfccb44ea727ebe4593ede\System.Xml.ni.dll
+ 2008-01-19 09:14:46 8,265,728 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\ba0e3a22211ba7343e0116b051f2965a\System.ni.dll
+ 2007-08-02 10:31:32 360,320 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2007-08-02 10:31:32 67,456 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
+ 2007-08-06 11:10:12 67,968 ----a-w C:\WINDOWS\Downloaded Program Files\PURsk-sk.dll
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-19 16:36:07 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 16:36:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 16:36:07 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 16:36:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 16:36:07 3,694,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 16:36:07 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2003-07-07 20:36:00 2,058,343 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\5040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2003-07-08 18:48:00 115,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\5040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
+ 2008-01-16 21:52:05 29,926 ----a-r C:\WINDOWS\Installer\{74F5766E-2792-40C3-85F8-B04111F904B2}\MsblIco.Exe
+ 2008-01-19 09:01:46 30,240 ----a-r C:\WINDOWS\Installer\{7F231232-C309-4401-964A-2A002B6E1ED9}\mbsa.exe
+ 2008-01-12 08:23:09 593,920 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-01-12 08:23:10 12,288 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-01-12 08:23:10 86,016 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-01-12 08:23:09 135,168 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-01-12 08:23:10 11,264 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-01-12 08:23:10 27,136 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-01-12 08:23:10 4,096 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-01-12 08:23:10 794,624 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-01-12 08:23:09 249,856 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-01-12 08:23:09 61,440 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-01-12 08:23:10 23,040 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-01-12 08:23:09 286,720 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-01-12 08:23:09 409,600 ----a-r C:\WINDOWS\Installer\{90110405-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-10-24 00:47:38 82,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_iehost.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2005-09-23 06:29:04 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.data.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_VsaVb7rt.dll
+ 2005-09-23 06:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2007-10-24 00:47:38 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2007-10-24 00:47:40 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2007-10-24 00:47:42 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2007-10-24 00:47:40 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll
+ 2007-10-24 00:47:38 97,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2007-10-24 00:47:26 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2007-10-24 00:47:30 145,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2007-10-24 00:47:32 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2007-10-24 00:47:48 193,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2007-10-24 00:47:20 218,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2007-10-24 00:47:40 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2007-10-24 00:47:42 147,968 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2007-10-24 00:47:26 99,320 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2007-10-24 00:47:42 59,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2007-10-24 00:47:22 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2007-10-24 00:47:22 22,024 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2007-10-24 00:47:22 17,928 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2007-10-24 00:47:22 33,288 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2007-10-24 00:47:22 84,480 ----a-w
combofix's log - part three
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2007-10-24 00:47:22 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2007-10-24 00:47:22 32,776 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2007-10-24 00:47:22 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2007-10-24 00:47:22 33,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2007-10-24 00:47:22 33,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2007-10-24 00:47:22 507,904 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2007-10-24 00:47:40 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2007-10-24 00:47:40 101,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2007-10-24 00:47:30 80,376 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2007-10-24 00:47:30 1,162,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2007-10-24 00:47:30 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2007-10-24 00:47:42 27,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2007-10-24 00:47:40 69,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2007-10-24 00:47:30 35,320 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2007-10-24 00:47:28 66,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2007-10-24 00:47:28 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2007-10-24 00:47:54 572,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
+ 2007-10-24 00:47:40 798,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2007-10-24 00:47:36 18,936 ----a-w
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2007-10-24 00:47:40 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2007-10-24 00:47:40 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2007-10-24 00:47:40 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2007-10-24 00:47:40 6,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2007-10-24 00:47:40 230,904 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2007-10-24 00:47:40 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2007-10-24 00:47:40 65,032 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2007-10-24 00:47:40 72,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2007-10-24 00:47:34 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2007-10-24 00:47:36 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2007-10-24 00:47:36 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2007-10-24 00:47:36 655,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2007-10-24 00:47:36 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2007-10-24 00:47:34 749,568 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2007-10-24 00:47:52 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2007-10-24 00:47:52 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2007-10-24 00:47:50 671,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2007-10-24 00:47:20 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2007-10-24 00:47:52 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2007-10-24 00:47:20 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2007-10-24 00:47:20 12,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2007-10-24 00:47:20 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2007-10-24 00:47:22 97,792 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2007-10-24 00:47:36 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2007-10-24 00:47:40 822,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2007-10-24 00:47:40 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2007-10-24 00:47:40 308,224 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2007-10-24 00:47:40 47,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2007-10-24 00:47:40 348,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2007-10-24 00:47:40 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2007-10-24 00:47:40 4,444,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2007-10-24 00:47:40 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2007-10-24 00:47:44 340,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2007-10-24 00:47:40 77,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2007-10-24 00:47:36 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2007-10-24 00:47:40 242,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2007-10-24 00:47:40 70,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2007-10-24 00:47:40 19,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2007-10-24 00:47:36 5,814,784 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2007-10-24 00:47:44 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2007-10-24 00:47:40 101,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2007-10-24 00:47:40 24,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2007-10-24 00:47:40 89,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2007-10-24 00:47:36 144,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2007-10-24 00:47:40 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2007-10-24 00:47:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2007-10-24 00:47:46 61,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2007-10-24 00:47:42 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2007-10-24 00:47:40 119,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2007-10-24 00:47:44 95,232 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2007-10-24 00:47:40 392,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2007-10-24 00:47:40 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2007-10-24 00:47:42 425,984 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2007-10-24 00:47:40 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2007-10-24 00:47:40 3,036,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2007-10-24 00:47:40 483,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2007-10-24 00:47:40 741,376 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2007-10-24 00:47:28 933,888 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2007-10-24 00:47:40 5,070,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2007-10-24 00:47:40 401,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2007-10-24 00:47:40 188,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
combofix's log - part four
+ 2007-10-24 00:47:40 3,076,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2007-10-24 00:47:40 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2007-10-24 00:47:40 630,784 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2007-10-24 00:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2007-10-24 00:47:40 57,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2007-10-24 00:47:40 113,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2007-10-24 00:47:40 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2007-10-24 00:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2007-10-24 00:47:40 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
+ 2007-10-24 00:47:40 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2007-10-24 00:47:40 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2007-10-24 00:47:40 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2007-10-24 00:47:40 261,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2007-10-24 00:47:40 5,431,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2007-10-24 00:47:40 884,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2007-10-24 00:47:40 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2007-10-24 00:47:40 839,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2007-10-24 00:47:40 5,013,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2007-10-24 00:47:40 2,068,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2007-10-24 00:47:40 81,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2007-10-24 00:47:48 1,172,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2007-10-24 00:47:20 1,344,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2007-10-24 00:47:22 434,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2007-10-24 00:47:40 37,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2008-01-19 09:03:00 7,926 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{45C0917A-DE6F-432E-B612-6426511DBDB7}.bin
+ 2005-10-28 22:49:40 133,120 ------w C:\WINDOWS\system32\axaltocm.dll
+ 2005-10-28 15:40:16 96,792 ------w C:\WINDOWS\system32\basecsp.dll
+ 2005-10-28 22:49:40 25,600 ------w C:\WINDOWS\system32\bcsprsrc.dll
- 2006-08-17 12:28:27 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-02-28 12:00:00 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
+ 2006-10-11 16:24:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
- 2006-02-28 12:00:00 86,016 -c--a-w C:\WINDOWS\system32\dllcache\p2pgasvc.dll
+ 2006-10-11 16:24:45 104,960 -c--a-w C:\WINDOWS\system32\dllcache\p2pgasvc.dll
- 2006-02-28 12:00:00 312,320 -c--a-w C:\WINDOWS\system32\dllcache\p2pgraph.dll
+ 2006-10-11 16:24:45 313,344 -c--a-w C:\WINDOWS\system32\dllcache\p2pgraph.dll
- 2006-02-28 12:00:00 88,064 -c--a-w C:\WINDOWS\system32\dllcache\p2pnetsh.dll
+ 2006-10-11 16:24:45 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2pnetsh.dll
- 2006-02-28 12:00:00 526,848 -c--a-w C:\WINDOWS\system32\dllcache\p2psvc.dll
+ 2006-10-11 16:24:45 553,984 -c--a-w C:\WINDOWS\system32\dllcache\p2psvc.dll
- 2006-02-28 12:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\pnrpnsp.dll
+ 2006-10-11 16:24:45 58,880 -c--a-w C:\WINDOWS\system32\dllcache\pnrpnsp.dll
- 2006-04-20 11:51:50 359,808 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2003-08-03 17:56:16 1,146,184 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2003-07-15 05:57:04 32,584 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
- 2008-01-07 09:59:14 99,848 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-11 12:51:06 248,696 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-10-28 22:49:40 151,552 ------w C:\WINDOWS\system32\ifxcardm.dll
+ 2002-08-21 04:10:16 204,800 ----a-w C:\WINDOWS\system32\INKED.DLL
+ 1999-03-26 15:59:10 53,248 ----a-w C:\WINDOWS\system32\MFC42CSY.DLL
- 2007-12-02 14:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 09:21:38 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
+ 1999-05-19 14:58:34 7,680 ----a-w C:\WINDOWS\system32\MSPRPCS.DLL
+ 2000-05-11 12:06:20 397,312 ----a-w C:\WINDOWS\system32\MSRDO20.DLL
+ 1998-08-09 18:07:34 94,208 ----a-w C:\WINDOWS\system32\MSSTKPRP.DLL
+ 2007-10-24 00:47:44 15,360 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
+ 2005-09-23 06:28:56 32,768 ----a-w C:\WINDOWS\system32\netfxperf.dll
- 2006-02-28 12:00:00 116,224 ----a-w C:\WINDOWS\system32\p2p.dll
+ 2006-10-11 16:24:45 153,088 ----a-w C:\WINDOWS\system32\p2p.dll
- 2006-02-28 12:00:00 86,016 ----a-w C:\WINDOWS\system32\p2pgasvc.dll
+ 2006-10-11 16:24:45 104,960 ----a-w C:\WINDOWS\system32\p2pgasvc.dll
- 2006-02-28 12:00:00 312,320 ----a-w C:\WINDOWS\system32\p2pgraph.dll
+ 2006-10-11 16:24:45 313,344 ----a-w C:\WINDOWS\system32\p2pgraph.dll
- 2006-02-28 12:00:00 88,064 ----a-w C:\WINDOWS\system32\p2pnetsh.dll
+ 2006-10-11 16:24:45 116,224 ----a-w C:\WINDOWS\system32\p2pnetsh.dll
- 2006-02-28 12:00:00 526,848 ----a-w C:\WINDOWS\system32\p2psvc.dll
+ 2006-10-11 16:24:45 553,984 ----a-w C:\WINDOWS\system32\p2psvc.dll
- 2008-01-05 23:48:07 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-19 09:09:03 60,760 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-05 23:48:07 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 09:09:03 400,600 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2005-10-28 22:49:42 84,480 ------w C:\WINDOWS\system32\pintool.exe
- 2006-02-28 12:00:00 48,640 ----a-w C:\WINDOWS\system32\pnrpnsp.dll
+ 2006-10-11 16:24:45 58,880 ----a-w C:\WINDOWS\system32\pnrpnsp.dll
+ 2000-04-03 16:52:54 151,552 ----a-w C:\WINDOWS\system32\RDOCURS.DLL
+ 1998-03-25 04:54:08 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
+ 2007-10-18 10:31:46 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
+ 2003-06-19 00:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2003-06-19 00:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2003-06-19 00:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2003-06-19 00:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2003-06-19 00:31:48 18,944 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 1999-11-25 01:40:50 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
+ 2002-08-21 04:13:12 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
+ 2008-01-19 09:08:57 8,192 ----a-w C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2007-10-24 00:47:56 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcm80.dll
+ 2007-10-24 00:47:56 558,080 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcp80.dll
+ 2007-10-24 00:47:56 635,904 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcr80.dll
+ 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2008-01-19 09:08:59 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-01-19 09:08:59 113,664 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe" [2004-10-07 15:08 974848]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:35 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 08:54 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-21 21:10 344064]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 11:01 1397760]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [2003-04-02 20:14 24576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]
C:\Documents and Settings\pilgrim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56]
R3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-02-28 13:00]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys [2004-07-06 19:56]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-01-19 14:25:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-06 01:53:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 17:37:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cmfrtcsp.dll
.
Completion time: 2008-01-19 17:37:45
ComboFix2.txt 2008-01-07 23:12:09
.
2008-01-18 20:19:54 --- E O
HJT's log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:06, on 19.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Pomocník pri prihlasovaní v sieti Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pridať do blogu - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Pridať do blogu v programe Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.firefox.com
O15 - Trusted Zone: http://www.gmail.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199570164718
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-475c6ece0bab72c9.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
--
End of file - 7622 bytes
pskelley
2008-01-19, 19:52
combofix is showing nothing in the way of malware, you may delete that program from your computer, in fact remove all programs we used if you have not done so.
You said:
1) I have problems only to access the web pages www.microsoft.com; www.gmail.com; www.firefox.comBecause this is effecting only a few websites, it is likely some kind of setting that your ISP should be able to help you with.
All of the tools we have run have been clean, let's clean a little like this:
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Hi,
I want to say thank you very much for your help and assistance. I'm happy that my PC is clean, I'm more calm, now. Thank you for the links with useful information How to stay Safe and Clean.
Bye,
BoriaK