Windows XP system infected with command adware [Archive]

View Full Version : Windows XP system infected with command adware

vagatorian

2008-10-12, 04:20

My system has been infected with command adware (and probably some other malware as well) while I was surfing some P2P sites - I had downloaded web plugins for these P2P tools - Sopcase and TVAnts. Please help !

Here are the logs from HJT -
----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:29 PM, on 10/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\winvsnet.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Vikram\installables\spyware_removal\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [IUpd721] C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\winvsnet.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8179 bytes

Shaba

2008-10-12, 11:24

Hi vagatorian

Rename HijackThis.exe to vagatorian.exe and post back a fresh HijackThis log, please :)

vagatorian

2008-10-16, 02:19

Sorry for the delay in responding. I have run Spybot S&D on my machine, and here are the latest HJT logs -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:25 PM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\NetSafe\Netsafe.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Vikram\installables\spyware_removal\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [IUpd721] C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\winvsnet.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL fkmopp.dll jjabki.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8737 bytes

Shaba

2008-10-16, 11:07

Unfortunately it didn't go right:

Rename HijackThis.exe to vagatorian.exe by doing the following;

Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename HijackThis.exe to vagatorian.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

vagatorian

2008-10-17, 08:07

Done, here are the logs after renaming HJT to vagatorian -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:11 AM, on 10/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NetSafe\Netsafe.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\vagatorian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069BC79E-4973-46AB-99EB-0F24CF149949} - (no file)
O2 - BHO: (no name) - {44567E92-267F-4A24-B3A7-51B0F7ABDAF2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUOeDwu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AAEB95F7-5441-41A6-B8C1-83B3F71DB660} - C:\WINDOWS\system32\ssqNHbCR.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [IUpd721] C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\winvsnet.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL fkmopp.dll jjabki.dll
O20 - Winlogon Notify: vtUOeDwu - C:\WINDOWS\SYSTEM32\vtUOeDwu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9422 bytes

Thanks.

Shaba

2008-10-17, 09:31

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

vagatorian

2008-10-18, 09:30

ComboFix seems to have fixed the problem, the machine is working normally now. Please find logs below -

1.) ComboFix logs

ComboFix 08-10-17.01 - Vikram Sharma 2008-10-18 2:01:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.403 [GMT -5:00]
Running from: C:\Documents and Settings\Vikram Sharma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vikram Sharma\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Vikram Sharma\Application Data\Zango
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\dynamic\602525.sdf
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\15541
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\20128
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35047
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\dynamic\ustat\3750.dat
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\avatar.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\components.cdf
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\cursors.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\default.cdf
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\icons2.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\progress.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.idx
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2reg.txt
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\Vikram Sharma\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\blpkhxrc.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\crxhkplb.ini
C:\WINDOWS\system32\D6
C:\WINDOWS\system32\D6\BPU560I.exe
C:\WINDOWS\system32\drivers\asctrmm.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\eacodjrl.ini
C:\WINDOWS\system32\elpjvr.dll
C:\WINDOWS\system32\fkmopp.dll
C:\WINDOWS\system32\glggyaaq.ini
C:\WINDOWS\system32\gxapcapk.dll
C:\WINDOWS\system32\ikwacfsl.dll
C:\WINDOWS\system32\iodlcxwq.dll
C:\WINDOWS\system32\jjabki.dll
C:\WINDOWS\system32\lrjdocae.dll
C:\WINDOWS\system32\lsfcawki.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ncvtwiby.dll
C:\WINDOWS\system32\nlatup.dll
C:\WINDOWS\system32\nnnoMGXO.dll
C:\WINDOWS\system32\nuuyjqax.dll
C:\WINDOWS\system32\odbcgf.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pxowsffq.dll
C:\WINDOWS\system32\qaaygglg.dll
C:\WINDOWS\system32\RCbHNqss.ini
C:\WINDOWS\system32\RCbHNqss.ini2
C:\WINDOWS\system32\rtqpkiqm.exe
C:\WINDOWS\system32\ssqNHbCR.dll
C:\WINDOWS\system32\tvthiufe.exe
C:\WINDOWS\system32\vtUOeDwu.dll
C:\WINDOWS\system32\xaqjyuun.ini
C:\WINDOWS\system32\xhsrselu.dll
C:\WINDOWS\Tasks\fyhpfzxw.job
C:\WINDOWS\Tasks\nzxmysbc.job
C:\WINDOWS\Tasks\psnhlqmr.job
C:\WINDOWS\Tasks\uosvfpyv.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASCTRMM
-------\Legacy_CMDSERVICE
-------\Service_asctrmm

((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-13 22:17 . 2008-10-13 22:17 60,928 --ahs---- C:\WINDOWS\system32\opnlKCSj.dll
2008-10-13 21:27 . 2008-10-13 21:27 60,928 --ahs---- C:\WINDOWS\system32\hgGvuVom.dll
2008-10-13 18:21 . 2008-10-13 18:21 60,928 --ahs---- C:\WINDOWS\system32\hgGxVMgH.dll
2008-10-12 03:46 . 2008-10-12 03:46 60,928 --ahs---- C:\WINDOWS\system32\ljJYOfcY.dll
2008-10-12 01:34 . 2008-10-12 01:35 15,795 --a------ C:\Documents and Settings\All Users\mOF1.exe
2008-10-12 00:12 . 2008-10-12 00:12 60,928 --ahs---- C:\WINDOWS\system32\hgGvvttu.dll
2008-10-11 22:09 . 2008-10-11 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comcast
2008-10-11 21:40 . 2008-10-12 00:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-11 21:40 . 2008-10-12 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 10:39 . 2008-10-11 22:53 <DIR> d-------- C:\Program Files\X-Cleaner
2008-10-10 23:21 . 2008-10-10 23:21 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\Application Data\IUpd721
2008-10-10 23:13 . 2008-10-10 23:13 <DIR> d--hs---- C:\WINDOWS\VmlrcmFtIFNoYXJtYQ
2008-10-10 23:13 . 2008-10-10 23:13 <DIR> d-------- C:\WINDOWS\system32\wak
2008-10-10 23:13 . 2008-10-10 23:13 <DIR> d-------- C:\WINDOWS\system32\met
2008-10-10 23:13 . 2008-10-10 23:13 <DIR> d-------- C:\WINDOWS\system32\icon2
2008-10-10 23:13 . 2008-10-10 23:13 60,928 --ahs---- C:\WINDOWS\system32\fccbcYRj.dll
2008-10-10 23:12 . 2008-10-10 23:13 <DIR> d-------- C:\WINDOWS\system32\EV19
2008-10-10 23:12 . 2008-10-10 23:13 <DIR> d-------- C:\temp\xp34
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\LocalLow
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-10-08 23:23 . 2008-10-08 23:47 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-08 23:19 . 2008-06-23 11:57 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-08 23:19 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-08 23:19 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-08 23:19 . 2008-06-23 11:57 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-08 23:19 . 2008-06-23 11:57 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-08 23:19 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-08 23:19 . 2008-06-23 11:57 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-08 23:19 . 2008-06-23 11:57 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-08 23:19 . 2008-06-23 11:57 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-08 23:19 . 2008-06-23 04:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Comcast
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:24 <DIR> d-------- C:\Program Files\ComcastUI
2008-09-26 19:59 . 2008-09-26 19:59 <DIR> d-------- C:\Program Files\Veoh Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 05:59 --------- d-----w C:\Program Files\Trend Micro
2008-10-14 02:20 --------- d-----w C:\Program Files\ESPNMotion
2008-10-11 15:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-11 15:02 --------- d-----w C:\Program Files\GemMaster
2008-10-11 14:56 --------- d-----w C:\Program Files\Windows Media Components
2008-10-11 14:54 --------- d-----w C:\Program Files\Common Files\aolshare
2008-10-11 14:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 04:34 --------- d-----w C:\Program Files\Dell
2008-10-11 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-08-25 13:09 --------- d-----w C:\Program Files\Windows Media 7 PowerToys
2008-08-25 13:09 --------- d-----w C:\Program Files\Audio Converter LE
2008-08-17 00:56 729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-16 14:12 38 ----a-w C:\Documents and Settings\Vikram Sharma\test.bat
2006-09-24 07:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2004-04-09 19:13 114,688 ----a-w C:\Program Files\NETGEAR DG632 USB Driveruninstalldrv.exe
2000-11-08 07:45 28,672 ----a-w C:\WINDOWS\inf\regshext.exe
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\pA5OwAIQKIhCsrLQsk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 20553]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 50736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-04 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Netsafe"="C:\Program Files\NetSafe\Netsafe.exe" [2007-01-31 483328]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 24576]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-04-15 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-04 14:59 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-04-04 14:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 07:41 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]
\Shell\AutoRun\command - h0s2.bat
\Shell\explore\Command - h0s2.bat
\Shell\open\Command - h0s2.bat
.
- - - - ORPHANS REMOVED - - - -

BHO-{069BC79E-4973-46AB-99EB-0F24CF149949} - (no file)
BHO-{099fc9ce-6175-4d1e-a0d4-ca0e25900d60} - C:\WINDOWS\system32\elpjvr.dll
BHO-{18C730ED-078E-41FE-B7B7-EF3382EA64D2} - C:\WINDOWS\system32\ssqNHbCR.dll
BHO-{44567E92-267F-4A24-B3A7-51B0F7ABDAF2} - (no file)
BHO-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUOeDwu.dll
HKLM-Run-207875e1 - C:\WINDOWS\system32\blpkhxrc.dll
ShellExecuteHooks-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUOeDwu.dll
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Vikram Sharma\Application Data\Mozilla\Firefox\Profiles\x7eme25m.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 02:10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\_tf13.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-10-18 2:18:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 07:18:32

Pre-Run: 10,920,042,496 bytes free
Post-Run: 10,768,801,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

364 --- E O F --- 2008-10-10 07:13:40

--------------------------------------------------------

2.) HJT logs -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:15 AM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\vagatorian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069BC79E-4973-46AB-99EB-0F24CF149949} - (no file)
O2 - BHO: (no name) - {099fc9ce-6175-4d1e-a0d4-ca0e25900d60} - (no file)
O2 - BHO: (no name) - {18C730ED-078E-41FE-B7B7-EF3382EA64D2} - (no file)
O2 - BHO: (no name) - {44567E92-267F-4A24-B3A7-51B0F7ABDAF2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - Winlogon Notify: vtUOeDwu - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9462 bytes

Thanks :)

Shaba

2008-10-18, 11:13

Yes it is much better but you are not clean yet.

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\inf\regshext.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

vagatorian

2008-10-19, 09:14

After running Jotti, the result published on the same page is as below-

Scan taken on 19 Oct 2008 07:03:24 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Last file scanned at least one scanner reported something about: 2.php (MD5: f1fb42cd862e57380c9116a9cf3ae620, size: 53525 bytes), detected by:

Scanner Malware name
A-Squared Backdoor.PHP.C99Shell.aq!IK
AntiVir X
ArcaVir Trojan.Php.C99shell.Aq
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure BackDoor.PHP.C99Shell.aq
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Backdoor.PHP.C99Shell.aq
G DATA X
Ikarus Backdoor.PHP.C99Shell.aq
Kaspersky Anti-Virus Backdoor.PHP.C99Shell.aq
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X

-------------------------------

Hope this is the log you had asked for....

Thanks

Shaba

2008-10-19, 11:18

Yes, that is fine :)

Open notepad and copy/paste the text in the codebox below into it:

Rootkit::
C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\_tf13.tmp

File::
C:\WINDOWS\system32\opnlKCSj.dll
C:\WINDOWS\system32\hgGvuVom.dll
C:\WINDOWS\system32\hgGxVMgH.dll
C:\WINDOWS\system32\ljJYOfcY.dll
C:\Documents and Settings\All Users\mOF1.exe
C:\WINDOWS\system32\hgGvvttu.dll
C:\WINDOWS\system32\fccbcYRj.dll

Folder::
C:\WINDOWS\VmlrcmFtIFNoYXJtYQ
C:\WINDOWS\system32\wak
C:\WINDOWS\system32\met
C:\WINDOWS\system32\icon2
C:\WINDOWS\system32\EV19
C:\temp\xp34

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

vagatorian

2008-10-19, 18:00

Ran, CmoboFix again, did not have to end any process. Logs below -

---------------------

ComboFix 08-10-18.03 - Vikram Sharma 2008-10-19 10:23:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.487 [GMT -5:00]
Running from: C:\Documents and Settings\Vikram Sharma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vikram Sharma\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\mOF1.exe
C:\WINDOWS\system32\fccbcYRj.dll
C:\WINDOWS\system32\hgGvuVom.dll
C:\WINDOWS\system32\hgGvvttu.dll
C:\WINDOWS\system32\hgGxVMgH.dll
C:\WINDOWS\system32\ljJYOfcY.dll
C:\WINDOWS\system32\opnlKCSj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\mOF1.exe
C:\temp\xp34
C:\temp\xp34\cPH.log
C:\WINDOWS\system32\EV19
C:\WINDOWS\system32\EV19\EV191065.exe
C:\WINDOWS\system32\fccbcYRj.dll
C:\WINDOWS\system32\hgGvuVom.dll
C:\WINDOWS\system32\hgGvvttu.dll
C:\WINDOWS\system32\hgGxVMgH.dll
C:\WINDOWS\system32\icon2
C:\WINDOWS\system32\icon2\taziMDi5.exe
C:\WINDOWS\system32\ljJYOfcY.dll
C:\WINDOWS\system32\met
C:\WINDOWS\system32\met\RUset466i.exe
C:\WINDOWS\system32\opnlKCSj.dll
C:\WINDOWS\system32\wak
C:\WINDOWS\system32\wak\TCP642v10.exe
C:\WINDOWS\VmlrcmFtIFNoYXJtYQ
C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\asappsrv.dll
C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\command.exe
C:\WINDOWS\VmlrcmFtIFNoYXJtYQ\pA5OwAIQKIhCsrLQsk.vbs

.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.

2008-10-19 01:48 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-10-19 01:48 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-10-19 01:48 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-10-19 01:47 . 2008-10-19 01:47 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-19 01:46 . 2008-10-19 01:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-19 01:41 . 2008-10-19 01:41 <DIR> d-------- C:\Program Files\Netflix
2008-10-11 22:09 . 2008-10-11 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comcast
2008-10-11 21:40 . 2008-10-12 00:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-11 21:40 . 2008-10-12 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 10:39 . 2008-10-11 22:53 <DIR> d-------- C:\Program Files\X-Cleaner
2008-10-10 23:21 . 2008-10-10 23:21 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\Application Data\IUpd721
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\LocalLow
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-10-08 23:23 . 2008-10-08 23:47 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-08 23:19 . 2008-10-03 12:41 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-08 23:19 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-08 23:19 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-08 23:19 . 2008-08-26 02:24 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-08 23:19 . 2008-08-26 02:24 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-08 23:19 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-08 23:19 . 2008-08-26 02:24 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-08 23:19 . 2008-08-26 02:24 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-08 23:19 . 2008-08-26 02:24 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-08 23:19 . 2008-08-25 03:38 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Comcast
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:24 <DIR> d-------- C:\Program Files\ComcastUI
2008-09-26 19:59 . 2008-09-26 19:59 <DIR> d-------- C:\Program Files\Veoh Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 05:59 --------- d-----w C:\Program Files\Trend Micro
2008-10-14 02:20 --------- d-----w C:\Program Files\ESPNMotion
2008-10-11 15:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-11 15:02 --------- d-----w C:\Program Files\GemMaster
2008-10-11 14:56 --------- d-----w C:\Program Files\Windows Media Components
2008-10-11 14:54 --------- d-----w C:\Program Files\Common Files\aolshare
2008-10-11 14:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 04:34 --------- d-----w C:\Program Files\Dell
2008-10-11 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-25 13:09 --------- d-----w C:\Program Files\Windows Media 7 PowerToys
2008-08-25 13:09 --------- d-----w C:\Program Files\Audio Converter LE
2008-08-17 00:56 729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-16 14:12 38 ----a-w C:\Documents and Settings\Vikram Sharma\test.bat
2006-09-24 07:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2004-04-09 19:13 114,688 ----a-w C:\Program Files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-18_ 2.18.01.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 09:08:35 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\advpack.dll
+ 2008-08-26 09:08:36 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtmsft.dll
+ 2008-08-26 09:08:36 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtrans.dll
+ 2008-08-26 09:08:36 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\extmgr.dll
+ 2008-08-26 09:08:36 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\icardie.dll
+ 2008-08-25 08:43:21 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ie4uinit.exe
+ 2008-08-26 09:08:36 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakeng.dll
+ 2008-08-26 09:08:36 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieaksie.dll
+ 2008-08-23 05:54:50 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
+ 2008-08-26 09:08:36 380,928 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dll
+ 2008-08-26 09:08:37 388,608 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iedkcs32.dll
+ 2008-10-03 17:26:50 6,068,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieframe.dll
+ 2008-08-26 09:08:39 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iernonce.dll
+ 2008-08-26 09:08:39 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iertutil.dll
+ 2008-08-25 08:43:21 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieudinit.exe
+ 2008-08-23 05:56:16 635,848 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
+ 2008-08-26 09:08:40 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\jsproxy.dll
+ 2008-08-26 09:08:40 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeeds.dll
+ 2008-08-26 09:08:40 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeedsbs.dll
+ 2008-08-26 09:08:43 3,594,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
+ 2008-08-26 09:08:43 477,696 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtmled.dll
+ 2008-08-26 09:08:44 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msrating.dll
+ 2008-08-26 09:08:44 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mstime.dll
+ 2008-08-26 09:08:44 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\occache.dll
+ 2008-08-26 09:08:44 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\pngfilt.dll
+ 2008-08-26 09:08:44 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\url.dll
+ 2008-08-26 09:08:45 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll
+ 2008-08-26 09:08:45 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\webcheck.dll
+ 2008-08-26 09:08:45 827,904 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\update\updspapi.dll
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
- 2006-05-21 06:13:46 1,863,680 ----a-w C:\WINDOWS\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll
+ 2008-10-19 06:52:15 1,863,680 ----a-w C:\WINDOWS\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll
- 2006-05-21 06:13:46 864,256 ----a-w C:\WINDOWS\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2008-10-19 06:52:16 868,352 ----a-w C:\WINDOWS\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2005-08-17 02:11:04 204,800 ----a-w C:\WINDOWS\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
+ 2008-10-19 06:52:16 204,800 ----a-w C:\WINDOWS\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiplay.dll
- 2007-02-28 09:53:04 2,137,600 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:55:01 2,142,720 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 09:15:56 2,059,392 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 09:15:59 2,017,280 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:18:46 2,020,864 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:55:14 2,182,144 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
- 2005-08-05 19:01:54 239,104 ----a-w C:\WINDOWS\Driver Cache\i386\psisdecd.dll
+ 2006-10-09 21:12:14 235,008 ----a-w C:\WINDOWS\Driver Cache\i386\psisdecd.dll
- 2005-10-11 13:39:38 1,863,680 ----a-w C:\WINDOWS\ehome\ehcm.dll
+ 2006-10-09 21:16:00 1,863,680 ----a-w C:\WINDOWS\ehome\ehcm.dll
- 2005-10-11 13:32:46 864,256 ----a-w C:\WINDOWS\ehome\ehepg.dll
+ 2006-10-09 21:07:44 868,352 ----a-w C:\WINDOWS\ehome\ehepg.dll
- 2005-10-11 13:40:36 332,288 ----a-w C:\WINDOWS\ehome\ehglid.dll
+ 2006-10-09 21:17:04 328,704 ----a-w C:\WINDOWS\ehome\ehglid.dll
- 2004-08-10 09:11:48 178,688 ----a-w C:\WINDOWS\ehome\ehkeyctl.dll
+ 2006-10-09 21:18:32 178,176 ----a-w C:\WINDOWS\ehome\ehkeyctl.dll
- 2005-10-11 13:40:32 237,568 ----a-w C:\WINDOWS\ehome\ehrecvr.exe
+ 2006-10-09 21:16:56 237,568 ----a-w C:\WINDOWS\ehome\ehrecvr.exe
- 2005-10-11 13:43:18 3,219,456 ----a-w C:\WINDOWS\ehome\ehshell.exe
+ 2006-10-09 21:19:14 3,223,552 ----a-w C:\WINDOWS\ehome\ehshell.exe
- 2005-08-05 19:01:58 492,032 ----a-w C:\WINDOWS\ehome\ehui.dll
+ 2006-10-09 21:16:30 558,592 ----a-w C:\WINDOWS\ehome\ehui.dll
- 2005-08-05 18:06:02 105,984 ----a-w C:\WINDOWS\ehome\mstvcapn.dll
+ 2006-10-09 21:12:52 107,008 ----a-w C:\WINDOWS\ehome\mstvcapn.dll
+ 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll
+ 2008-06-23 16:57:27 347,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll
+ 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll
+ 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\icardie.dll
+ 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll
+ 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll
+ 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakui.dll
+ 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieframe.dll
+ 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll
+ 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iertutil.dll
+ 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieudinit.exe
+ 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
+ 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll
+ 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeeds.dll
+ 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2008-06-24 15:57:40 3,592,192 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtml.dll
+ 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll
+ 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll
+ 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll
+ 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll
+ 2008-06-23 16:57:40 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll
+ 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll
+ 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll
+ 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\wininet.dll
- 2004-08-10 10:00:00 192,512 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2006-11-01 23:31:34 315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-03-23 00:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-03-23 00:07:54 80,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\DLGSETP.DLL
+ 2007-04-19 18:53:52 137,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENVELOPE.DLL
+ 2007-05-31 18:41:06 10,352,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE
+ 2007-04-19 19:09:30 167,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2007-04-19 18:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 18:54:04 183,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MIMEDIR.DLL
+ 2007-06-18 22:16:32 12,259,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-10 18:35:04 6,747,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSPUB.EXE
+ 2007-05-31 18:43:46 7,613,280 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLLIB.DLL
+ 2007-04-19 18:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-05-31 18:42:14 200,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLOOK.EXE
+ 2007-04-19 18:53:56 149,856 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLPH.DLL
+ 2007-04-19 18:53:24 69,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLRPC.DLL
+ 2007-05-31 18:35:22 6,420,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\POWERPNT.EXE
+ 2007-05-31 18:35:46 133,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PRTF9.DLL
+ 2007-05-31 18:36:08 612,184 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PTXT9.DLL
+ 2007-05-10 18:34:48 562,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PUBCONV.DLL
+ 2007-03-23 00:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-23 00:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-23 00:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
+ 2007-05-09 22:19:48 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-05-31 18:37:40 12,310,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\WINWORD.EXE
- 2008-10-09 05:22:07 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-10-19 08:05:38 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-10-09 05:22:07 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-10-19 08:05:38 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-10-09 05:22:07 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-10-19 08:05:38 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-10-09 05:22:07 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-10-19 08:05:38 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-10-09 05:22:07 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-10-19 08:05:38 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-10-09 05:22:07 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-10-19 08:05:38 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-10-09 05:22:07 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-10-19 08:05:39 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-10-09 05:22:08 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-10-19 08:05:39 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-10-09 05:22:07 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-10-19 08:05:38 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-10-09 05:22:07 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-10-19 08:05:38 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-10-09 05:22:08 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-10-19 08:05:39 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-10-09 05:22:07 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-10-19 08:05:38 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-10-09 05:22:07 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-10-19 08:05:37 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-10-09 05:21:57 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-10-19 08:02:27 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-26 07:24:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2004-08-10 10:00:00 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
+ 2006-10-19 02:47:08 7,168 ----a-w C:\WINDOWS\system32\asferror.dll
- 2004-08-10 10:00:00 480,768 ----a-w C:\WINDOWS\system32\audiodev.dll
+ 2006-10-19 02:47:08 276,992 ----a-w C:\WINDOWS\system32\audiodev.dll
- 2006-03-03 12:26:29 429,056 ----a-w C:\WINDOWS\system32\blackbox.dll
+ 2006-10-19 02:47:10 542,720 ----a-w C:\WINDOWS\system32\blackbox.dll
- 2005-08-03 23:29:52 207,872 ----a-w C:\WINDOWS\system32\cewmdm.dll
+ 2006-10-19 02:47:10 229,376 ----a-w C:\WINDOWS\system32\cewmdm.dll
- 2008-06-23 16:57:27 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-08-26 07:24:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-06-20 10:44:38 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2005-10-11 13:39:38 1,863,680 ------w C:\WINDOWS\system32\dllcache\ehcm.dll
+ 2006-10-09 21:16:00 1,863,680 ------w C:\WINDOWS\system32\dllcache\ehcm.dll
- 2005-10-11 13:32:46 864,256 ------w C:\WINDOWS\system32\dllcache\ehepg.dll
+ 2006-10-09 21:07:44 868,352 ------w C:\WINDOWS\system32\dllcache\ehepg.dll
+ 2006-10-09 21:17:04 328,704 ------w C:\WINDOWS\system32\dllcache\ehglid.dll
- 2005-10-11 13:43:18 3,219,456 ------w C:\WINDOWS\system32\dllcache\ehshell.exe
+ 2006-10-09 21:19:14 3,223,552 ------w C:\WINDOWS\system32\dllcache\ehshell.exe
+ 2006-10-09 21:16:30 558,592 ------w C:\WINDOWS\system32\dllcache\ehui.dll
+ 2006-10-09 21:12:44 456,192 ------w C:\WINDOWS\system32\dllcache\encdec.dll
- 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 09:20:25 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-06-21 05:23:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-06-23 09:20:52 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-08-23 05:56:15 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-06-23 16:57:35 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-06-24 15:57:40 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-06-23 16:57:39 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-06-23 16:57:40 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2005-10-11 13:39:32 1,669,120 ------w C:\WINDOWS\system32\dllcache\msvidctl.dll
+ 2006-10-09 21:15:52 1,669,632 ------w C:\WINDOWS\system32\dllcache\msvidctl.dll
- 2007-02-28 09:53:04 2,137,600 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:55:01 2,142,720 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 09:15:56 2,059,392 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 09:15:59 2,017,280 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:18:46 2,020,864 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:55:14 2,182,144 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
- 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-10-09 21:12:14 235,008 ------w C:\WINDOWS\system32\dllcache\psisdecd.dll
+ 2006-10-09 21:12:40 291,840 ------w C:\WINDOWS\system32\dllcache\sbe.dll
- 2006-08-14 10:34:41 332,928 ------w C:\WINDOWS\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 ------w C:\WINDOWS\system32\dllcache\srv.sys
- 2008-06-23 16:57:40 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-08-26 07:24:30 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-06-23 16:57:41 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ------w C:\WINDOWS\system32\dllcache\win32k.sys
- 2008-06-23 16:57:41 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-10-27 22:39:46 228,864 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 22:40:30 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2006-12-07 04:14:51 2,330,624 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 ----a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2006-10-19 02:47:22 671,232 ------w C:\WINDOWS\system32\drivers\UMDF\wpdmtpdr.dll
- 2006-03-03 12:33:01 18,944 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-10-19 01:00:00 38,528 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-09-28 23:55:50 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-29 00:00:34 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
- 2005-08-03 23:29:52 178,936 ----a-w C:\WINDOWS\system32\drmupgds.exe
+ 2006-10-19 01:00:46 249,856 ----a-w C:\WINDOWS\system32\drmupgds.exe
- 2006-03-03 12:26:57 581,632 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2006-10-19 02:47:10 991,744 ----a-w C:\WINDOWS\system32\drmv2clt.dll
- 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2005-08-05 19:01:54 356,352 ----a-w C:\WINDOWS\system32\encdec.dll
+ 2006-10-09 21:12:44 456,192 ----a-w C:\WINDOWS\system32\encdec.dll
- 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-10-09 22:13:29 308,400 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-19 14:21:16 308,400 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-08-26 07:24:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-06-23 09:20:25 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-06-23 16:57:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-06-21 05:23:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-06-23 16:57:33 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-08-26 07:24:29 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-06-23 16:57:35 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2005-08-03 23:29:52 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll
+ 2006-10-19 02:47:14 11,264 ----a-w C:\WINDOWS\system32\LAPRXY.dll
- 2005-08-03 23:29:52 96,768 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-19 01:03:58 100,864 ----a-w C:\WINDOWS\system32\logagent.exe
- 2005-08-03 23:29:52 106,496 ----a-w C:\WINDOWS\system32\mfplat.dll
+ 2006-10-19 02:47:14 212,992 ----a-w C:\WINDOWS\system32\MFPLAT.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MP43DECD.dll
- 2004-08-10 10:00:00 310,272 ----a-w C:\WINDOWS\system32\mp43dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
+ 2006-10-19 02:47:14 317,440 ------w C:\WINDOWS\system32\MP4SDECD.dll
- 2004-08-10 10:00:00 384,512 ----a-w C:\WINDOWS\system32\mp4sdmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MPG4DECD.dll
- 2004-08-10 10:00:00 240,640 ----a-w C:\WINDOWS\system32\mpg4dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
+ 2006-10-02 20:28:42 312,128 ------w C:\WINDOWS\system32\msdelta.dll
- 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-06-24 15:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2005-08-03 23:29:52 115,200 ----a-w C:\WINDOWS\system32\msnetobj.dll
+ 2006-10-19 02:47:16 179,712 ----a-w C:\WINDOWS\system32\msnetobj.dll
- 2005-08-03 23:29:52 25,088 ----a-w C:\WINDOWS\system32\MsPMSNSv.dll
+ 2006-10-19 02:47:16 27,136 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
- 2005-08-03 23:29:52 173,568 ----a-w C:\WINDOWS\system32\MsPMSP.dll
+ 2006-10-19 02:47:16 175,616 ----a-w C:\WINDOWS\system32\mspmsp.dll
- 2008-06-23 16:57:39 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-08-26 07:24:30 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2005-08-03 23:29:52 353,520 ----a-w C:\WINDOWS\system32\MSSCP.dll
+ 2006-10-19 02:47:16 414,208 ----a-w C:\WINDOWS\system32\msscp.dll
- 2008-06-23 16:57:40 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-08-26 07:24:30 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2005-10-11 13:39:32 1,669,120 ----a-w C:\WINDOWS\system32\msvidctl.dll
+ 2006-10-09 21:15:52 1,669,632 ----a-w C:\WINDOWS\system32\msvidctl.dll
- 2005-08-03 23:29:52 315,904 ----a-w C:\WINDOWS\system32\MSWMDM.dll
+ 2006-10-19 02:47:16 321,536 ----a-w C:\WINDOWS\system32\mswmdm.dll
- 2007-02-28 09:15:59 2,017,280 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
+ 2008-08-14 09:18:46 2,020,864 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
- 2007-02-28 09:53:04 2,137,600 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
+ 2008-08-14 09:55:01 2,142,720 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
- 2008-06-23 16:57:40 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-08-26 07:24:30 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2006-10-19 02:47:18 284,160 ------w C:\WINDOWS\system32\PortableDeviceApi.dll
+ 2006-10-19 02:47:18 101,888 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-10-19 02:47:18 166,912 ------w C:\WINDOWS\system32\PortableDeviceTypes.dll
+ 2006-10-19 02:47:18 132,096 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
+ 2006-10-19 02:47:18 199,168 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
- 2005-08-05 19:01:54 239,104 ----a-w C:\WINDOWS\system32\psisdecd.dll
+ 2006-10-09 21:12:14 235,008 ----a-w C:\WINDOWS\system32\psisdecd.dll
- 2005-08-03 23:29:52 221,184 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2006-10-19 02:47:18 211,456 ----a-w C:\WINDOWS\system32\qasf.dll
- 2005-08-05 19:01:54 282,112 ----a-w C:\WINDOWS\system32\sbe.dll
+ 2006-10-09 21:12:40 291,840 ----a-w C:\WINDOWS\system32\sbe.dll
- 2005-06-28 15:21:34 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-25 22:58:48 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-08-26 07:24:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2005-08-04 01:05:58 47,104 ----a-w C:\WINDOWS\system32\uwdf.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
- 2005-08-04 01:05:53 15,872 ----a-w C:\WINDOWS\system32\wdfapi.dll
+ 2006-10-19 02:47:18 4,096 ----a-w C:\WINDOWS\system32\wdfapi.dll
- 2005-08-04 01:05:55 38,912 ----a-w C:\WINDOWS\system32\wdfmgr.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
- 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
- 2008-06-23 16:57:41 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-08-26 07:24:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2005-08-03 23:29:52 359,936 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2006-10-19 02:47:18 757,248 ----a-w C:\WINDOWS\system32\WMADMOD.dll
- 2005-08-03 23:29:52 716,288 ----a-w C:\WINDOWS\system32\wmadmoe.dll
+ 2006-10-19 02:47:18 1,117,696 ----a-w C:\WINDOWS\system32\WMADMOE.dll
- 2007-10-27 22:39:46 228,864 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2005-08-03 23:29:52 29,184 ----a-w C:\WINDOWS\system32\WMDMLOG.dll
+ 2006-10-19 02:47:18 33,792 ----a-w C:\WINDOWS\system32\wmdmlog.dll
- 2005-08-03 23:29:52 37,376 ----a-w C:\WINDOWS\system32\WMDMPS.dll
+ 2006-10-19 02:47:18 37,376 ----a-w C:\WINDOWS\system32\wmdmps.dll
- 2005-08-03 23:29:52 344,064 ----a-w C:\WINDOWS\system32\WMDRMdev.dll
+ 2006-10-19 02:47:18 429,056 ----a-w C:\WINDOWS\system32\wmdrmdev.dll
- 2005-08-03 23:29:52 290,816 ----a-w C:\WINDOWS\system32\WMDRMNet.dll
+ 2006-10-19 02:47:20 348,672 ----a-w C:\WINDOWS\system32\wmdrmnet.dll
- 2005-08-03 23:29:52 180,224 ----a-w C:\WINDOWS\system32\wmdrmsdk.dll
+ 2006-10-19 02:47:20 535,040 ----a-w C:\WINDOWS\system32\wmdrmsdk.dll
- 2004-08-10 10:00:00 189,440 ----a-w C:\WINDOWS\system32\wmerror.dll
+ 2006-10-19 02:47:20 227,328 ----a-w C:\WINDOWS\system32\wmerror.dll
- 2005-08-03 23:29:52 150,016 ----a-w C:\WINDOWS\system32\wmidx.dll
+ 2006-10-19 02:47:20 157,184 ----a-w C:\WINDOWS\system32\wmidx.dll
- 2005-08-03 23:29:52 988,672 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
+ 2006-10-19 02:47:20 937,984 ----a-w C:\WINDOWS\system32\WMNetMgr.dll
- 2007-04-30 13:20:24 5,537,792 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2006-10-19 02:47:20 10,834,432 ----a-w C:\WINDOWS\system32\wmp.dll
- 2004-08-10 10:00:00 131,072 ----a-w C:\WINDOWS\system32\wmpasf.dll
+ 2006-10-19 02:47:20 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
- 2004-08-10 10:00:00 278,528 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-19 02:47:20 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-19 02:47:20 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
- 2004-08-10 10:00:00 1,582,080 ----a-w C:\WINDOWS\system32\wmpencen.dll
+ 2006-10-19 02:47:20 1,661,440 ----a-w C:\WINDOWS\system32\wmpencen.dll
- 2005-06-23 21:15:32 3,371,008 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-19 02:47:20 8,231,936 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-19 02:47:20 613,376 ------w C:\WINDOWS\system32\wmpmde.dll
+ 2006-10-19 02:47:20 130,048 ------w C:\WINDOWS\system32\wmpps.dll
- 2004-08-10 10:00:00 81,920 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2006-10-19 02:47:20 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
- 2004-08-10 10:00:00 174,080 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
+ 2006-10-19 02:47:20 204,288 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
- 2005-08-03 23:29:52 771,584 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2005-08-03 23:29:52 1,119,744 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2005-08-03 23:29:54 407,552 ----a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2006-10-19 02:47:22 603,648 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
- 2005-08-03 23:29:54 940,544 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
+ 2006-10-19 02:47:22 1,329,152 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
- 2005-08-03 23:29:54 1,216,000 ----a-w C:\WINDOWS\system32\wmvadvd.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVD.dll
- 2005-08-03 23:29:54 1,512,448 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
- 2006-12-07 04:14:51 2,330,624 ------w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 1,543,680 ------w C:\WINDOWS\system32\WMVDECOD.dll
- 2005-08-03 23:29:54 826,368 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
- 2005-08-03 23:29:54 1,003,008 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 1,574,912 ------w C:\WINDOWS\system32\WMVENCOD.dll
+ 2006-10-19 02:47:22 1,382,912 ------w C:\WINDOWS\system32\WMVSDECD.dll
+ 2006-10-19 02:47:22 767,488 ------w C:\WINDOWS\system32\WMVSENCD.dll
+ 2006-10-19 02:47:22 656,896 ------w C:\WINDOWS\system32\WMVXENCD.dll
- 2006-03-03 12:33:09 38,912 ----a-w C:\WINDOWS\system32\wpd_ci.dll
+ 2006-10-19 02:47:22 629,760 ----a-w C:\WINDOWS\system32\wpd_ci.dll
- 2006-03-03 12:32:57 61,952 ----a-w C:\WINDOWS\system32\wpdconns.dll
+ 2006-10-19 02:47:22 35,840 ----a-w C:\WINDOWS\system32\wpdconns.dll
- 2006-03-03 12:33:00 114,176 ----a-w C:\WINDOWS\system32\wpdmtp.dll
+ 2006-10-19 02:47:22 154,624 ----a-w C:\WINDOWS\system32\wpdmtp.dll
- 2006-03-03 12:33:00 66,560 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 63,488 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 2,603,008 ------w C:\WINDOWS\system32\WpdShext.dll
+ 2006-10-19 01:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-19 02:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-10-19 02:47:22 133,632 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
- 2006-03-03 12:33:10 329,728 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-10-19 02:47:22 356,352 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-09-29 01:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-28 23:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-28 23:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-28 23:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-28 23:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 20553]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 50736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-04 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Netsafe"="C:\Program Files\NetSafe\Netsafe.exe" [2007-01-31 483328]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 24576]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-04-15 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-04 14:59 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-04-04 14:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 07:41 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]
\Shell\AutoRun\command - h0s2.bat
\Shell\explore\Command - h0s2.bat
\Shell\open\Command - h0s2.bat
.
- - - - ORPHANS REMOVED - - - -

BHO-{069BC79E-4973-46AB-99EB-0F24CF149949} - (no file)
BHO-{099fc9ce-6175-4d1e-a0d4-ca0e25900d60} - (no file)
BHO-{18C730ED-078E-41FE-B7B7-EF3382EA64D2} - (no file)
BHO-{44567E92-267F-4A24-B3A7-51B0F7ABDAF2} - (no file)
BHO-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - (no file)
Notify-vtUOeDwu - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 10:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-10-19 10:55:53 - machine was rebooted [Vikram Sharma]
ComboFix-quarantined-files.txt 2008-10-19 15:55:50
ComboFix2.txt 2008-10-18 07:18:45

Pre-Run: 10,114,592,768 bytes free
Post-Run: 10,208,493,568 bytes free

654 --- E O F --- 2008-10-19 08:07:15

-------------

HJT logs -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:32 AM, on 10/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\NetSafe\Netsafe.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\vagatorian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8727 bytes

Thanks.

Shaba

2008-10-19, 18:41

Looks like second round is needed.

Open notepad and copy/paste the text in the codebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

vagatorian

2008-10-21, 07:41

Latest ComboFix logs --

ComboFix 08-10-19.04 - Vikram Sharma 2008-10-21 0:18:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT -5:00]
Running from: C:\Documents and Settings\Vikram Sharma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vikram Sharma\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-19 01:48 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-10-19 01:48 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-10-19 01:48 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-10-19 01:47 . 2008-10-19 01:47 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-19 01:46 . 2008-10-19 01:46 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-19 01:41 . 2008-10-19 01:41 <DIR> d-------- C:\Program Files\Netflix
2008-10-11 22:09 . 2008-10-11 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comcast
2008-10-11 21:40 . 2008-10-12 00:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-11 21:40 . 2008-10-12 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 10:39 . 2008-10-11 22:53 <DIR> d-------- C:\Program Files\X-Cleaner
2008-10-10 23:21 . 2008-10-10 23:21 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\Application Data\IUpd721
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\Vikram Sharma\LocalLow
2008-10-10 00:02 . 2008-10-10 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-10-08 23:23 . 2008-10-08 23:47 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-08 23:20 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-08 23:19 . 2008-10-03 12:41 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-08 23:19 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-08 23:19 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-08 23:19 . 2008-08-26 02:24 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-08 23:19 . 2008-08-26 02:24 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-08 23:19 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-08 23:19 . 2008-08-26 02:24 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-08 23:19 . 2008-08-26 02:24 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-08 23:19 . 2008-08-26 02:24 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-08 23:19 . 2008-08-25 03:38 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Comcast
2008-09-30 18:25 . 2008-09-30 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:25 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-30 18:24 . 2008-09-30 18:24 <DIR> d-------- C:\Program Files\ComcastUI
2008-09-26 19:59 . 2008-09-26 19:59 <DIR> d-------- C:\Program Files\Veoh Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 05:59 --------- d-----w C:\Program Files\Trend Micro
2008-10-14 02:20 --------- d-----w C:\Program Files\ESPNMotion
2008-10-11 15:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-11 15:02 --------- d-----w C:\Program Files\GemMaster
2008-10-11 14:56 --------- d-----w C:\Program Files\Windows Media Components
2008-10-11 14:54 --------- d-----w C:\Program Files\Common Files\aolshare
2008-10-11 14:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 04:34 --------- d-----w C:\Program Files\Dell
2008-10-11 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-09-17 20:46 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ------w C:\WINDOWS\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 13:09 --------- d-----w C:\Program Files\Windows Media 7 PowerToys
2008-08-25 13:09 --------- d-----w C:\Program Files\Audio Converter LE
2008-08-25 08:37 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-17 00:56 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-08-14 09:57 2,185,984 ------w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ------w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:18 2,062,976 ------w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ------w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-16 14:12 38 ----a-w C:\Documents and Settings\Vikram Sharma\test.bat
2006-09-24 07:04 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2004-04-09 19:13 114,688 ----a-w C:\Program Files\NETGEAR DG632 USB Driveruninstalldrv.exe
2000-11-08 07:45 28,672 ----a-w C:\WINDOWS\inf\regshext.exe
.

((((((((((((((((((((((((((((( snapshot_2008-10-19_10.55.35.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-19 02:47:16 414,208 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2006-12-04 21:21:50 414,720 ----a-w C:\WINDOWS\system32\msscp.dll
- 2008-09-23 04:20:01 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-19 17:24:22 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-23 04:20:01 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-19 17:24:22 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-07-27 15:41:40 16,760 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-19 02:47:20 10,834,432 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 ----a-w C:\WINDOWS\system32\wmp.dll
- 2006-10-19 02:47:20 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
+ 2008-06-24 23:12:58 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 20553]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 50736]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Universal Installer"="C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-04 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Netsafe"="C:\Program Files\NetSafe\Netsafe.exe" [2007-01-31 483328]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 24576]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-04-15 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-04-04 14:59 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-04-04 14:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 07:41 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]
\Shell\AutoRun\command - h0s2.bat
\Shell\explore\Command - h0s2.bat
\Shell\open\Command - h0s2.bat
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 00:20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-21 0:22:23
ComboFix-quarantined-files.txt 2008-10-21 05:22:13
ComboFix2.txt 2008-10-19 15:55:54
ComboFix3.txt 2008-10-18 07:18:45

Pre-Run: 10,135,240,704 bytes free
Post-Run: 10,121,355,264 bytes free

177 --- E O F --- 2008-10-20 08:01:30

***************************

HJT logs --

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:14 AM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\NetSafe\Netsafe.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\vagatorian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Netsafe] C:\Program Files\NetSafe\Netsafe.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8657 bytes

Thanks.

Shaba

2008-10-21, 15:05

Did you copy/paste all this to CFScript?

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9781bbfa-8797-11dd-9155-ce4bba04504a}]

vagatorian

2008-10-23, 03:15

Yes, I think I copied all of it....I deleted the CFScript file after running ComboFix though. Should I run it again?

Thanks.

Shaba

2008-10-23, 10:12

Yes, please :)

Shaba

2008-10-28, 14:42

Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.