PDA

View Full Version : Help removing Virtumonde.dll please


PFJvV
2008-10-29, 12:01
I hope this is right. I ran Spybot and it keeps finding virtumonde.dll. Thanks in advance for any help it is much appreciated :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:14, on 29/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Student IT Help Centre\Inetkey\INETKEY.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.sun.ac.za/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphcjg0j0er7j] C:\WINDOWS\system32\lphcjg0j0er7j.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [BKeRE3Ov0g] C:\DOCUME~1\Owner\LOCALS~1\Temp\windfr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

--
End of file - 6132 bytes
km2357
2008-10-29, 20:35
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
km2357
2008-10-29, 20:43
Step # 1:Remove one of your Anti Virus programs.

You are operating your computer with multiple Anti Virus programs running in memory at once:

AVG8

McAfee

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.


Step # 2: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Step # 3: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Step # 4: Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the Uninstall List, C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.


Use multiple posts if you can't fit everything into one post.
PFJvV
2008-10-30, 00:38
Hello km2357

Thanks for the help thus far. I got the Uninstall log last because it kept closing when I tried to save list but after combo fix ran it did save I hope thats OK. Combofix also said my internet connection was closed when it wasn't but ran anyway, is that a problem?

Uninstall list:

Adobe Flash Player ActiveX
Adobe Reader 8.1.1
GTA2
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 3
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.17)
neroxml
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
SoundMAX
Spybot - Search & Destroy
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB951978)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

*********************************

ComboFix 08-10-29.07 - Owner 2008-10-30 0:10:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.61 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\exwf.exe
C:\WINDOWS\onfwbsak.dll
C:\WINDOWS\system32\bhxergbj.ini
C:\WINDOWS\system32\blphcjg0j0er7j.scr
C:\WINDOWS\system32\bsdjjfuj.ini
C:\WINDOWS\system32\cxwcikjq.ini
C:\WINDOWS\system32\dapfbtdn.ini
C:\WINDOWS\system32\fnybtpfg.ini
C:\WINDOWS\system32\ghuffcuk.ini
C:\WINDOWS\system32\gMTEgMoq.ini
C:\WINDOWS\system32\gMTEgMoq.ini2
C:\WINDOWS\system32\hrmpxtcl.ini
C:\WINDOWS\system32\jbgrexhb.dll
C:\WINDOWS\system32\jgrhmktp.dll
C:\WINDOWS\system32\jufjjdsb.dll
C:\WINDOWS\system32\kfooaexq.dll
C:\WINDOWS\system32\kucffuhg.dll
C:\WINDOWS\system32\lctxpmrh.dll
C:\WINDOWS\system32\lgvcnvft.dll
C:\WINDOWS\system32\lqkbomct.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndtbfpad.dll
C:\WINDOWS\system32\negsnvhw.dll
C:\WINDOWS\system32\ptkmhrgj.ini
C:\WINDOWS\system32\pwnqsjoq.ini
C:\WINDOWS\system32\qojsqnwp.dll
C:\WINDOWS\system32\qoMgETMg.dll
C:\WINDOWS\system32\qqgvexhu.dll
C:\WINDOWS\system32\qxeaoofk.ini
C:\WINDOWS\system32\tcmobkql.dll
C:\WINDOWS\system32\tfvncvgl.ini
C:\WINDOWS\system32\uhxevgqq.ini
C:\WINDOWS\system32\whvnsgen.ini
C:\WINDOWS\system32\wjjropby.ini
C:\WINDOWS\system32\xxyvUkLb.dll
C:\WINDOWS\system32\ybporjjw.dll

----- BITS: Possible infected sites -----

hxxp://wsus.sun.ac.za
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 23:38 . 2008-10-29 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-29 23:38 . 2008-10-29 23:38 262,144 --a------ C:\Documents and Settings\WSUSUP~2
2008-10-29 23:26 . 2008-10-29 23:27 262,144 --a------ C:\Documents and Settings\WSUSUP~1
2008-10-29 11:55 . 2008-10-29 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-28 13:42 . 2008-10-28 13:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-27 17:21 . 2008-10-27 17:21 <DIR> d-------- C:\Program Files\Abyss Web Server
2008-10-27 17:21 . 2008-10-27 17:21 <DIR> d-------- C:\DC++ Logs
2008-10-27 17:14 . 2008-10-28 16:52 <DIR> d-------- C:\Program Files\DC
2008-10-26 13:37 . 2008-10-28 15:50 361 --a------ C:\WINDOWS\wininit.ini
2008-10-26 00:22 . 2008-10-26 00:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 00:22 . 2008-10-26 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 16:32 . 2008-10-22 16:33 63 --a------ C:\WINDOWS\WINHELP.BMK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 18:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-09-27 18:11 --------- d-----w C:\Program Files\AVG
2008-09-27 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\zylizqvw
2008-09-27 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\xsnwvyna
2008-09-27 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\xmrctalg
2008-09-26 16:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\PCF-VLC
2008-09-21 20:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Participatory Culture Foundation
2008-09-21 20:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-09-21 11:48 --------- d-----w C:\Program Files\directx
2008-09-21 11:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 11:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-21 10:01 --------- d-----w C:\Program Files\ReflexiveArcade
2008-09-21 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-09-18 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-17 20:04 --------- d-----w C:\Program Files\CyberLink
2008-09-17 20:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
2008-09-17 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-17 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-09-17 19:59 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-09-17 19:52 --------- d-----w C:\Program Files\Microsoft Works
2008-09-17 19:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-17 07:58 --------- d-----w C:\Program Files\McAfee
2008-09-17 07:58 --------- d-----w C:\Program Files\Common Files\McAfee
2008-09-17 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-17 07:57 --------- d-----w C:\Program Files\Student IT Help Centre
2008-09-01 10:18 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-09-01 10:17 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-09-01 10:17 28,984 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-09-01 10:17 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-09-01 10:17 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-05-25 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-09-01 12:17 87352 C:\WINDOWS\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Games\\Age of Empires 2\\empires2.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC\\ApexDC.exe"=
"C:\\Program Files\\DC\\DC++0.704\\DCPlusPlus.exe"=
"C:\\Program Files\\DC\\RooiHub-v0.38.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aac3f2ae-84f0-11dd-a8ff-000874faca27}]
\Shell\AutoRun\command - D:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
\Shell\open\command - D:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C631322}]
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C642122}]
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\Windows Update.job
- C:\WINDOWS\system32\wupdmgr.exe [2002-09-03 19:14]
.
- - - - ORPHANS REMOVED - - - -

BHO-{376EFD74-7AA4-44A4-9E39-E374ED3139A9} - C:\WINDOWS\system32\xxyvUkLb.dll
BHO-{D730BCFC-458F-4C34-B949-7270734F58DD} - C:\WINDOWS\system32\qoMgETMg.dll
HKLM-Run-LogMeIn GUI - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-lphcjg0j0er7j - C:\WINDOWS\system32\lphcjg0j0er7j.exe
HKLM-Explorer_Run-BKeRE3Ov0g - C:\DOCUME~1\Owner\LOCALS~1\Temp\windfr.exe
ShellExecuteHooks-{376EFD74-7AA4-44A4-9E39-E374ED3139A9} - C:\WINDOWS\system32\xxyvUkLb.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ngh4wyan.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.mymaties.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 00:21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2008-10-30 0:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 22:26:29

Pre-Run: 10 653 495 296 bytes free
Post-Run: 10,506,592,256 bytes free

177 --- E O F --- 2008-09-18 20:21:07

********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:30:51, on 30/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Student IT Help Centre\Inetkey\INETKEY.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.sun.ac.za/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

--
End of file - 4945 bytes

Thanks
Pieter
km2357
2008-10-30, 08:25
Thanks for the help thus far. I got the Uninstall log last because it kept closing when I tried to save list but after combo fix ran it did save I hope thats OK. Combofix also said my internet connection was closed when it wasn't but ran anyway, is that a problem?

That's ok about getting the Uninstall List last. And ComboFix looked like it ran fine, so no worries there. :)



Seems your missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


http://img.photobucket.com/albums/v666/sUBs/KB310994.gif


Download the file & save it as it's originally named, next to ComboFix.exe.



http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Drag the setup package onto ComboFix.exe and drop it.


Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


At the next prompt, click 'No'.

http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif


When the tool is finished, it will produce a report for you.


Step # 1: Download and Run Flash_Disinfector

Download Flash_Disinfector from here (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.



Step # 2: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
D:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

Folder::

C:\Documents and Settings\All Users\Application Data\zylizqvw
C:\Documents and Settings\All Users\Application Data\xsnwvyna
C:\Documents and Settings\All Users\Application Data\xmrctalg

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aac3f2ae-84f0-11dd-a8ff-000874faca27}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C631322}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C642122}]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on PFJvV's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. Recovery Console Log
2. The ComboFix Log that appears after Step 2 has been completed.
3. A fresh HiJackThis Log taken after Step 2 has been completed.
PFJvV
2008-10-30, 11:46
Hello km2357

My computer is already running better thanks. :) Here are the logs:

Recovery Console log:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

*****************************

ComboFix 08-10-29.07 - Owner 2008-10-30 11:24:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.72 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
D:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\xmrctalg
C:\Documents and Settings\All Users\Application Data\xsnwvyna
C:\Documents and Settings\All Users\Application Data\zylizqvw

----- BITS: Possible infected sites -----

hxxp://wsus.sun.ac.za
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.

2008-10-30 00:27 . 2008-08-14 12:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-30 00:27 . 2008-08-14 12:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-30 00:27 . 2008-08-14 11:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-30 00:27 . 2008-08-14 11:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-30 00:27 . 2008-09-15 14:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-30 00:27 . 2008-10-15 18:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-30 00:27 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-29 23:38 . 2008-10-29 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-29 23:38 . 2008-10-29 23:38 262,144 --a------ C:\Documents and Settings\WSUSUP~2
2008-10-29 23:26 . 2008-10-29 23:27 262,144 --a------ C:\Documents and Settings\WSUSUP~1
2008-10-29 11:55 . 2008-10-29 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-28 13:42 . 2008-10-28 13:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-27 17:21 . 2008-10-27 17:21 <DIR> d-------- C:\Program Files\Abyss Web Server
2008-10-27 17:21 . 2008-10-27 17:21 <DIR> d-------- C:\DC++ Logs
2008-10-27 17:14 . 2008-10-28 16:52 <DIR> d-------- C:\Program Files\DC
2008-10-26 13:37 . 2008-10-28 15:50 361 --a------ C:\WINDOWS\wininit.ini
2008-10-26 00:22 . 2008-10-26 00:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 00:22 . 2008-10-26 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 16:32 . 2008-10-22 16:33 63 --a------ C:\WINDOWS\WINHELP.BMK
2008-09-28 21:18 . 2008-09-28 21:18 121 --ahs---- C:\WINDOWS\system32\djjlqyjf.ini
2008-09-27 20:11 . 2008-09-27 20:11 <DIR> d-------- C:\Program Files\AVG
2008-09-27 16:51 . 2008-10-02 20:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-09-26 18:58 . 2008-09-26 18:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCF-VLC
2008-09-21 22:54 . 2008-09-21 22:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Participatory Culture Foundation
2008-09-21 22:32 . 2008-09-21 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-09-21 13:48 . 2008-09-21 13:48 <DIR> d-------- C:\Program Files\directx
2008-09-21 13:06 . 2008-09-21 13:06 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-09-21 12:01 . 2008-09-21 12:01 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-09-21 02:54 . 2008-09-21 02:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-09-21 02:54 . 2008-09-01 12:18 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-09-21 02:54 . 2008-07-24 18:46 47,640 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-09-21 02:54 . 2008-09-01 12:17 28,984 --a------ C:\WINDOWS\system32\LMIport.dll
2008-09-21 02:53 . 2008-09-01 12:17 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-09-21 02:53 . 2008-09-21 02:53 1,024 --a------ C:\.rnd
2008-09-19 19:29 . 2008-09-19 19:29 1,160 --a------ C:\WINDOWS\mozver.dat
2008-09-18 21:53 . 2008-10-30 11:00 <DIR> d-------- C:\Quarantine
2008-09-18 20:43 . 2008-05-09 12:53 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-09-18 20:43 . 2008-05-09 12:53 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-09-18 20:43 . 2008-05-01 16:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-18 20:43 . 2008-05-09 12:53 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-09-18 20:43 . 2008-05-09 12:53 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-09-18 20:43 . 2008-05-08 13:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe
2008-09-18 20:43 . 2008-05-09 10:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe
2008-09-18 20:43 . 2008-05-09 12:53 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll
2008-09-18 19:56 . 2008-09-18 19:56 <DIR> d-------- C:\WINDOWS\Sun
2008-09-17 22:10 . 2008-09-25 11:14 <DIR> d-------- C:\Games
2008-09-17 22:02 . 2008-09-17 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-09-17 21:51 . 2008-09-17 21:52 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-17 21:47 . 2008-09-17 21:47 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-17 21:46 . 2008-10-30 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-17 21:45 . 2008-09-17 21:45 <DIR> dr-h----- C:\MSOCache
2008-09-17 21:42 . 2008-09-17 21:42 <DIR> dr-hs---- C:\RESTORE
2008-09-17 09:58 . 2008-09-17 09:58 <DIR> d-------- C:\Program Files\McAfee
2008-09-17 09:58 . 2008-09-17 09:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-17 09:58 . 2008-09-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-17 09:58 . 2007-10-25 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-09-17 09:58 . 2008-05-22 20:50 174,952 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-17 09:58 . 2008-05-22 20:50 72,936 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-17 09:58 . 2008-05-22 20:50 64,232 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-09-17 09:58 . 2008-05-22 20:50 52,104 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-09-17 09:58 . 2007-10-25 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-09-17 09:57 . 2008-09-17 09:57 <DIR> d-------- C:\Program Files\Student IT Help Centre
2008-09-01 12:17 . 2008-09-01 12:17 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2008-09-01 12:17 . 2008-09-01 12:17 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 11:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 11:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-17 20:04 --------- d-----w C:\Program Files\CyberLink
2008-09-17 20:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
2008-09-17 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-17 19:59 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-09-17 19:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-30_ 0.24.10.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-14 10:09:26 2,145,280 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:33:16 2,066,048 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:33:16 2,023,936 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 10:11:02 2,189,184 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\advpack.dll
+ 2008-06-23 16:57:27 347,136 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\dxtrans.dll
+ 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\extmgr.dll
+ 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\icardie.dll
+ 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakeng.dll
+ 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieaksie.dll
+ 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieakui.dll
+ 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieframe.dll
+ 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iernonce.dll
+ 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iertutil.dll
+ 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\ieudinit.exe
+ 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
+ 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\jsproxy.dll
+ 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeeds.dll
+ 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2008-06-24 08:57:40 3,592,192 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtml.dll
+ 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mshtmled.dll
+ 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\msrating.dll
+ 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\mstime.dll
+ 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\occache.dll
+ 2008-06-23 16:57:40 44,544 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\url.dll
+ 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll
+ 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\webcheck.dll
+ 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\ie7updates\KB956390-IE7\wininet.dll
- 2008-09-18 20:20:59 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-29 23:06:09 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-09-18 20:21:00 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-29 23:06:10 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-09-18 20:20:59 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-29 23:06:09 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-09-18 20:20:59 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-10-29 23:06:09 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-09-18 20:21:00 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-29 23:06:10 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-09-18 20:21:00 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-29 23:06:10 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-09-18 20:21:00 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-29 23:06:11 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-09-18 20:20:59 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-29 23:06:09 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-09-18 20:20:59 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-29 23:06:10 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-09-18 20:21:00 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-10-29 23:06:10 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-09-18 20:21:00 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-29 23:06:10 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-09-18 20:20:59 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-29 23:06:09 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-26 07:24:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-08-26 07:24:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-06-20 11:40:08 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 10:04:36 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 16:57:27 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-06-23 16:57:27 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-08-26 07:24:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-08-26 07:24:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-06-21 05:23:54 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-08-26 07:24:29 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-08-26 07:24:29 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-08-23 05:56:15 635,848 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-06-23 16:57:35 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-06-24 08:57:40 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-27 11:54:32 3,593,216 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 16:57:39 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-06-23 16:57:39 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-06-23 16:57:40 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-06-23 16:57:40 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-08-26 07:24:30 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-06-23 16:57:40 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-08-26 07:24:31 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-06-23 16:57:41 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-09-18 11:05:21 212,080 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-30 07:59:42 212,080 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-08-26 07:24:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-06-23 09:20:25 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-06-23 16:57:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-06-21 05:23:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-06-23 16:57:33 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-08-26 07:24:29 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-06-23 16:57:35 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-06-24 08:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-27 11:54:32 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-06-23 16:57:39 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-08-26 07:24:30 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-06-23 16:57:40 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-08-26 07:24:30 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-04-14 03:42:02 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2008-06-23 16:57:40 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-08-26 07:24:30 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-08-26 07:24:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-05-25 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-09-01 12:17 87352 C:\WINDOWS\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Games\\Age of Empires 2\\empires2.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC\\ApexDC.exe"=
"C:\\Program Files\\DC\\DC++0.704\\DCPlusPlus.exe"=
"C:\\Program Files\\DC\\RooiHub-v0.38.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\Windows Update.job
- C:\WINDOWS\system32\wupdmgr.exe [2002-09-03 19:14]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 11:29:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2008-10-30 11:39:55 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-10-30 09:39:30
ComboFix2.txt 2008-10-29 22:26:50

Pre-Run: 10 131 734 528 bytes free
Post-Run: 10,117,808,128 bytes free

349 --- E O F --- 2008-10-29 23:06:27

*****

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:13, on 30/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Student IT Help Centre\Inetkey\INETKEY.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.sun.ac.za/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

--
End of file - 4855 bytes

Pieter
km2357
2008-10-30, 20:58
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:


Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.


Be sure to re-hide your files once you are finished cleaning your computer.


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u10 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


Java(TM) 6 Update 3


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Deleting Files/Folders

I need you to use Windows Explorer to delete the file I have marked in Red(if found):

C:\WINDOWS\system32\djjlqyjf.ini


Step # 4 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.

In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log
PFJvV
2008-10-30, 22:33
Hello km2357

My computer seems to be healthy again! Thank you very much :).
Which programs would you recommend using for regular checks?

Here are the logs you requested:
Malwarebyte:

(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:01, on 30/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Student IT Help Centre\Inetkey\INETKEY.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.sun.ac.za/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

--
End of file - 5023 bytes

****************

Thanks again
Pieter
km2357
2008-10-30, 23:59
My computer seems to be healthy again! Thank you very much .
Which programs would you recommend using for regular checks?

I would use MalwareBytes' for regular checks. It has a very fast scan (use Quick Scan) and is updated frequently, often 2-3 times a days. I would do a Quick Scan of your computer with it every 2-3 weeks. Be sure to update (click on Update tab, check for updates) before running a scan.

In the next few posts, I'll be giving you some tips and a few more programs to keep your computer clean. :)


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php


Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
PFJvV
2008-10-31, 14:53
Hey km2357

My computer is running rather well, but I feel it should perhaps be running better though I am uncertain. I do feel that it takes too long to open programs or windows but once open tends to run fine generally.

Here are the logs you requested:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 31, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 31, 2008 07:20:59
Records in database: 1363729
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\

Scan statistics:
Files scanned: 34192
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:48:45


File name / Threat name / Threats count
C:\Games\Age of Empires 2\Uninstal.exe Infected: Email-Worm.Win32.Luder.e 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:51:17, on 31/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Student IT Help Centre\Inetkey\INETKEY.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.sun.ac.za/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

--
End of file - 4946 bytes
km2357
2008-10-31, 20:30
My computer is running rather well, but I feel it should perhaps be running better though I am uncertain. I do feel that it takes too long to open programs or windows but once open tends to run fine generally.

Try following the tips here (http://www.malwareremoval.com/tutorials/runningslowly.php) to see if they help speed up your computer.

Using Windows Explorer, delete the following file, if found:

C:\Games\Age of Empires 2\Uninstal.exe

Empty your Recycle Bin.
km2357
2008-11-03, 21:24
PFJvV? How are things coming along?
km2357
2008-11-07, 23:46
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and I have posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.