W32.Gammima.AG infected



choconick
2009-02-02, 11:38
hello fellas,

My computer is apparently infected by W32.Gammima.AG, according to Norton. The software keeps saying it has been completely resolved, but Auto-Protect pops up and says it just blocked W32.Gammima.AG again, and it keeps coming back every day. omg, how am I supposed to fix this? I have COMODO installed as well.
thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:40 PM, on 2/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\MCUI32.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 4518 bytes

Norton Antivirus 2009 protection history:

Category: Intrusion Prevention
Date & Time,Risk Level,Activity,Status,Recommended Action,Category
2/02/2009 5:11 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
2/02/2009 5:11 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
2/02/2009 5:11 PM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
2/02/2009 9:08 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
2/02/2009 9:08 AM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
2/02/2009 9:08 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
1/02/2009 5:01 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
1/02/2009 5:01 PM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
1/02/2009 5:01 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
1/02/2009 8:49 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
1/02/2009 8:49 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
1/02/2009 8:49 AM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
31/01/2009 10:56 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
31/01/2009 10:56 PM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
31/01/2009 10:56 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
31/01/2009 12:50 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
31/01/2009 12:50 PM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
31/01/2009 12:50 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
30/01/2009 8:42 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
30/01/2009 8:42 PM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
30/01/2009 8:42 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
30/01/2009 10:07 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
30/01/2009 10:07 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090129.001,Detected,No Action Required,Intrusion Prevention
30/01/2009 10:07 AM,Low,Intrusion Prevention is monitoring 1312 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
30/01/2009 1:55 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
30/01/2009 1:55 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
30/01/2009 1:55 AM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
29/01/2009 6:10 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
29/01/2009 6:10 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
29/01/2009 6:10 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
29/01/2009 9:59 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
29/01/2009 9:59 AM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
29/01/2009 9:59 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:42 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:42 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:42 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 6:36 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 6:36 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 6:36 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:58 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:58 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:58 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:33 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:33 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 5:33 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 2:05 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 2:05 PM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 2:05 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 10:19 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 10:19 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090120.002,Detected,No Action Required,Intrusion Prevention
28/01/2009 10:19 AM,Low,Intrusion Prevention is monitoring 1311 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:05 AM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:05 AM,Low,Intrusion Prevention is monitoring 1308 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
28/01/2009 7:05 AM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090115.001,Detected,No Action Required,Intrusion Prevention
27/01/2009 10:55 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 10:55 PM,Low,Intrusion Prevention is monitoring 1308 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
27/01/2009 10:55 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090115.001,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:28 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:28 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090115.001,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:28 PM,Low,Intrusion Prevention is monitoring 1308 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:12 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:12 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20080826.006,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:12 PM,Low,Intrusion Prevention is monitoring 1178 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:02 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:02 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20080826.006,Detected,No Action Required,Intrusion Prevention
27/01/2009 4:02 PM,Low,Intrusion Prevention is monitoring 1178 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:34 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:34 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20080826.006,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:34 PM,Low,Intrusion Prevention is monitoring 1178 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:27 PM,Low,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:27 PM,Low,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20080826.006,Detected,No Action Required,Intrusion Prevention
27/01/2009 3:27 PM,Low,Intrusion Prevention is monitoring 1178 signatures. Driver version: 9.0.0.172,Detected,No Action Required,Intrusion Prevention


Category: Resolved Security Risks
Date & Time,Risk Level,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State
31/01/2009 2:36 AM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.29.051,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed
31/01/2009 3:55 PM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.30.024,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed
31/01/2009 2:16 AM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.29.051,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed


Category: Scan Results
Date & Time,Risk Level,Activity,Status,Recommended Action,Task Name,Scan Time,Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
27/01/2009 5:21 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:21 (d:h:m:s),"2,522",649,133,"1,634",12,4,157,0,0,0,0
27/01/2009 4:30 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:16 (d:h:m:s),"2,487",624,131,"1,626",12,4,0,570,0,0,0
27/01/2009 4:26 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:41 (d:h:m:s),"2,535",624,131,"1,674",12,4,0,0,0,0,0
30/01/2009 10:10 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:26 (d:h:m:s),"2,899",695,169,"1,929",12,4,176,0,0,0,0
1/02/2009 5:12 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:25 (d:h:m:s),"2,822",675,171,"1,870",12,4,198,0,0,0,0
30/01/2009 5:24 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:31 (d:h:m:s),"2,973",709,172,"1,986",12,4,176,0,0,0,0
28/01/2009 10:20 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:17 (d:h:m:s),"2,623",645,136,"1,736",12,4,156,0,0,0,0
2/02/2009 9:28 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:28 (d:h:m:s),"2,950",702,171,"1,971",12,4,203,0,0,0,0
29/01/2009 6:21 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:29 (d:h:m:s),"2,627",643,137,"1,741",12,4,156,0,0,0,0
29/01/2009 11:11 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:30 (d:h:m:s),"2,732",671,137,"1,818",12,4,156,0,0,0,0
1/02/2009 9:09 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:28 (d:h:m:s),"2,958",699,171,"1,982",12,4,194,0,0,0,0
31/01/2009 1:25 PM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:34 (d:h:m:s),"3,109",713,171,"2,119",12,4,196,0,0,0,0
28/01/2009 7:35 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:22 (d:h:m:s),"2,576",639,136,"1,695",12,4,157,0,0,0,0
30/01/2009 2:09 AM,Low,Idle Quick Scan results,Completed,Resolved - No Action,Idle Quick Scan,0:00:00:27 (d:h:m:s),"2,778",673,169,"1,830",12,4,177,0,0,0,0


Category: Quarantine
Date & Time,Risk Level,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State
31/01/2009 2:36 AM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.29.051,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed
31/01/2009 3:55 PM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.30.024,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed
31/01/2009 2:16 AM,High,W32.Gammima.AG detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2009.01.29.051,108.2.4.3,W32.Gammima.AG,Virus,File Based,Fully removed


Category: System Activity Monitoring
Date & Time,Risk Level,Activity,Status,Recommended Action,Program,Last Updated,Affected Area,Modified resource,Target file
30/01/2009 2:53 PM,Low,"setupsg.exe made 25 modifications to your System Configuration., Resource",Detected,"No Action Required, No Action Required",e:\software\drivers\scanner\lide25_11010wnenz\setupsg.exe,"Friday, 30 January 2009 2:53 PM",System Configuration,"c:\documents and settings\fei\local settings\temp\wzse0.tmp\delsg.exe, c:\documents and settings\fei\local settings\temp\wzse0.tmp\setupsg.exe, c:\documents and settings\fei\local settings\temp\wzse0.tmp\usbscan.sys, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnql25\cnql1213.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\balco.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\cfine2.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\cisds.ds, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\cnqu110.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\iop.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\itlib32.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\jda_cimg.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\libblc.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\msvcrt.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\nbs4mb.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\nbscor4m.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\rmslantc.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\rstcol.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\scanintf.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\scrprmv.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\sgui.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\sgui_res.dll, c:\documents and settings\fei\local 
settings\temp\wzse0.tmp\cnqsg110\tpm.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\twain_32.dll, c:\documents and settings\fei\local settings\temp\wzse0.tmp\cnqsg110\twunk_32.exe, c:\documents and settings\fei\local settings\temp\wzse0.tmp\instal~1\setup.exe",
28/01/2009 12:55 PM,Low,"foobar2000_0.9.6.1.exe made 26 modifications to your computer., Resource, Resource",Detected,"No Action Required, No Action Required",e:\software\foobar2000_0.9.6.1.exe,"Wednesday, 28 January 2009 12:55 PM","System Configuration, Windows Startup Settings","c:\documents and settings\fei\local settings\temp\nslcf.tmp\system.dll, c:\documents and settings\fei\local settings\temp\nslcf.tmp\nsdialogs.dll, c:\documents and settings\fei\local settings\temp\nslcf.tmp\uac.dll, c:\documents and settings\fei\local settings\temp\nslcf.tmp\startmenu.dll, c:\program files\foobar2000\foobar2000.exe, c:\program files\foobar2000\shared.dll, c:\program files\foobar2000\shellext32.dll, c:\program files\foobar2000\foobar2000 shell associations updater.exe, c:\program files\foobar2000\components\foo_input_std.dll, c:\program files\foobar2000\components\foo_ui_std.dll, c:\program files\foobar2000\components\foo_cdda.dll, c:\program files\foobar2000\components\foo_albumlist.dll, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\foobar2000\DisplayIcon, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\foobar2000\UninstallString, c:\program files\foobar2000\components\foo_dsp_std.dll, c:\program files\foobar2000\components\foo_rgscan.dll, c:\program files\foobar2000\components\foo_converter.dll, c:\program files\foobar2000\uninstall.exe, c:\documents and settings\all users\start menu\programs\foobar2000\foobar2000.lnk, c:\documents and settings\all users\start menu\programs\foobar2000\foobar2000.lnk, c:\documents and settings\all users\start menu\programs\foobar2000\foobar2000 - website.url, c:\documents and settings\all users\start menu\programs\foobar2000\uninstall.lnk, c:\documents and settings\all users\start menu\programs\foobar2000\uninstall.lnk, c:\documents and settings\fei\application data\microsoft\internet explorer\quick launch\foobar2000.lnk, c:\documents and settings\fei\application data\microsoft\internet 
explorer\quick launch\foobar2000.lnk, c:\documents and settings\all users\start menu\programs\foobar2000\foobar2000 - website.url",
27/01/2009 3:53 PM,Low,"issetup.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\ati\support\6-11-pre-r300_xp-2k_dd_ccc_wdm_38185\issetup.exe,"Tuesday, 27 January 2009 3:53 PM",System Configuration,c:\program files\common files\installshield\engine\6\intel 32\temp.000,
29/01/2009 10:01 PM,Low,"devcon32.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\fei\local settings\temp\nst7e.tmp\devcon32.exe,"Thursday, 29 January 2009 10:01 PM",System Configuration,c:\windows\system32\drivers\vclone.sys,
2/02/2009 5:50 PM,Low,"keygen.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required","c:\documents and settings\fei\desktop\xemicomputers.active.desktop.calendar.v7.69.090119.winall.incl.keygen-crd\keygen\keygen.exe","Monday, 2 February 2009 5:50 PM",System Configuration,"c:\documents and settings\fei\desktop\xemicomputers.active.desktop.calendar.v7.69.090119.winall.incl.keygen-crd\keygen\keygen.exe",
27/01/2009 3:54 PM,Low,"setup.exe modified your System Configuration., Resource",Detected,"No Action Required, No Action Required",c:\ati\support\6-11-pre-r300_xp-2k_dd_ccc_wdm_38185\driver\setup.exe,"Tuesday, 27 January 2009 3:54 PM",System Configuration,c:\program files\common files\installshield\engine\6\intel 32\temp.000,
29/01/2009 10:01 PM,Low,"setupvirtualclonedrive5301.exe made 31 modifications to your computer., Resource, Resource, Resource",Detected,"No Action Required, No Action Required",e:\software\setupvirtualclonedrive5301.exe,"Thursday, 29 January 2009 10:01 PM","System Configuration, Windows Startup Settings, Windows System Settings","c:\documents and settings\fei\local settings\temp\nst7e.tmp\installhelp.dll, c:\program files\elaborate bytes\virtualclonedrive\installhelp.dll, c:\program files\elaborate bytes\virtualclonedrive\devcon32.exe, c:\program files\elaborate bytes\virtualclonedrive\vcd-uninst.exe, c:\program files\elaborate bytes\virtualclonedrive\elbydvd.exe, c:\program files\elaborate bytes\virtualclonedrive\helplauncher.exe, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ElbyDelay\ImagePath, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ElbyDelay\Type, c:\program files\elaborate bytes\virtualclonedrive\vcddaemon.exe, c:\program files\elaborate bytes\virtualclonedrive\vcdmount.exe, c:\program files\elaborate bytes\virtualclonedrive\vcdprefs.exe, c:\documents and settings\fei\local settings\temp\nst7e.tmp\elbyvcdshell.dll, c:\program files\elaborate bytes\virtualclonedrive\elbyvcdshell.dll, c:\windows\system32\elbycdio.dll, c:\windows\system32\elbyvcd.dll, c:\windows\system32\drivers\elbycdio.sys, c:\windows\system32\drivers\elbydelay.sys, c:\documents and settings\fei\local settings\temp\nst7e.tmp\vclone.sys, c:\documents and settings\fei\local settings\temp\nst7e.tmp\devcon32.exe, \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirtualCloneDrive, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirtualCloneDrive\UninstallString, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\uninstall.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\uninstall.lnk, c:\documents and 
settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\manual.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\manual.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\virtual clonedrive.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\virtual clonedrive.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\virtual clonedrive revision history.lnk, c:\documents and settings\all users\start menu\programs\elaborate bytes\virtualclonedrive\virtual clonedrive revision history.lnk",C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
29/01/2009 6:40 PM,Low,"klcodec445s.tmp made 111 modifications to your computer., Resource, Resource",Detected,"No Action Required, No Action Required",c:\documents and settings\fei\local settings\temp\is-sp5a1.tmp\klcodec445s.tmp,"Thursday, 29 January 2009 6:40 PM","System Configuration, Windows Startup Settings","c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\_isetup\_regdll.tmp, c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\_isetup\_shfoldr.dll, c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\_isetup\_iscrypt.dll, c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\ffspkcfg.dll, c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\wincpuid.dll, c:\documents and settings\fei\local settings\temp\is-6e4n4.tmp\psvince.dll, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.avi\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.divx\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpg\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpeg\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpe\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mp2v\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.m1v\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.m2v\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.wmv\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.asf\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ogm\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ogv\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mkv\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mka\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mp4\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.hdmov\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.flv\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ts\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.m2ts\DefaultIcon, 
\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.m2t\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mts\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.3g2\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.3gp\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.3gp2\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.3gpp\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mov\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.qt\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ra\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ram\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rm\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rmvb\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rmm\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rp\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rpm\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rt\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rv\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.smi\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.smil\DefaultIcon, c:\program files\k-lite codec pack\is-60phk.tmp, c:\program files\k-lite codec pack\is-s4dmb.tmp, c:\program files\k-lite codec pack\tools\is-jumf5.tmp, c:\program files\k-lite codec pack\ffdshow\is-k4m51.tmp, c:\program files\k-lite codec pack\ffdshow\is-g97h4.tmp, c:\program files\k-lite codec pack\ffdshow\is-sv5lr.tmp, c:\program files\k-lite codec pack\ffdshow\is-fp8mm.tmp, c:\program files\k-lite codec pack\ffdshow\is-oat96.tmp, c:\program files\k-lite codec pack\ffdshow\is-f57cu.tmp, c:\program files\k-lite codec pack\ffdshow\is-s2i3u.tmp, c:\program files\k-lite codec pack\ffdshow\is-328c3.tmp, c:\program files\k-lite codec pack\ffdshow\is-fv2v4.tmp, c:\program files\k-lite codec pack\ffdshow\is-rp8hj.tmp, c:\program files\k-lite codec pack\ffdshow\is-i5gu6.tmp, c:\program files\k-lite codec pack\media player 
classic\is-9dcc8.tmp, c:\program files\k-lite codec pack\media player classic\is-5i43n.tmp, c:\program files\k-lite codec pack\filters\is-1t7r9.tmp, c:\program files\k-lite codec pack\filters\is-h03sc.tmp, c:\program files\k-lite codec pack\filters\is-bq6q0.tmp, c:\program files\k-lite codec pack\filters\is-hnf7f.tmp, c:\program files\k-lite codec pack\filters\haali\is-lh290.tmp, c:\program files\k-lite codec pack\filters\haali\is-irm80.tmp, c:\program files\k-lite codec pack\filters\haali\is-p59n5.tmp, c:\program files\k-lite codec pack\filters\haali\is-2o185.tmp, c:\program files\k-lite codec pack\filters\haali\is-kgdng.tmp, c:\program files\k-lite codec pack\filters\haali\is-bi67e.tmp, c:\program files\k-lite codec pack\filters\haali\is-7db7e.tmp, c:\program files\k-lite codec pack\filters\haali\is-s90oi.tmp, c:\program files\k-lite codec pack\filters\is-mg34g.tmp, c:\windows\system32\is-418ff.tmp, c:\program files\k-lite codec pack\tools\is-ojaij.tmp, c:\program files\k-lite codec pack\tools\is-bf1vd.tmp, c:\program files\k-lite codec pack\tools\is-45vhp.tmp, c:\program files\k-lite codec pack\tools\is-2g68r.tmp, \REGISTRY\MACHINE\SOFTWARE\Classes\rtsp\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Classes\pnm\DefaultIcon, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KLiteCodecPack_is1\UninstallString, c:\documents and settings\all users\start menu\programs\k-lite codec pack\media player classic.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\media player classic.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\codec tweak tool.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\codec tweak tool.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\codec tweak tool.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\codec tweak tool.lnk, c:\documents and settings\all 
users\start menu\programs\k-lite codec pack\configuration\reset to recommended settings.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\reset to recommended settings.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\cyberlink mpeg-2 decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\cyberlink mpeg-2 decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\directvobsub.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\directvobsub.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\ffdshow audio decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\ffdshow audio decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\ffdshow video decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\ffdshow video decoder.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\haali media splitter.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\haali media splitter.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\haali video renderer.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\configuration\haali video renderer.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\mediainfo.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\mediainfo.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\vobsubstrip.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\tools\vobsubstrip.lnk, c:\documents and settings\all 
users\start menu\programs\k-lite codec pack\help\faq.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\help\faq.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\help\website.url, c:\documents and settings\all users\start menu\programs\k-lite codec pack\uninstall\uninstall k-lite codec pack.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\uninstall\uninstall k-lite codec pack.lnk, c:\documents and settings\all users\start menu\programs\k-lite codec pack\help\website.url",



Blade81
2009-02-05, 11:42
Hi there,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

choconick
2009-02-05, 12:13
ComboFix 09-02-04.04 - Fei 2009-02-05 19:08:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.207 [GMT 9:00]
Running from: c:\documents and settings\Fei\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 12:23 . 2009-02-04 12:23 <DIR> d-------- c:\program files\Chris PC-Lock
2009-02-04 12:23 . 2008-04-14 12:41 1,127 --a------ c:\windows\system32\javaut12qa.ax
2009-02-04 10:41 . 2009-02-04 10:44 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-04 10:41 . 2009-02-04 10:43 <DIR> d-------- c:\documents and settings\Fei\Application Data\SystemRequirementsLab
2009-02-04 10:40 . 2009-02-04 10:40 <DIR> d-------- c:\windows\Sun
2009-02-04 00:17 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-04 00:17 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-04 00:17 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-03 23:37 . 2009-02-05 10:46 <DIR> d-------- c:\documents and settings\Fei\Tracing
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\program files\QT Lite
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Microsoft
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 23:35 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-03 23:35 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-03 23:34 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-03 23:34 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Windows Live
2009-02-03 23:32 . 2009-02-03 23:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-03 23:32 . 2009-02-03 23:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-03 23:31 . 2009-02-03 23:31 <DIR> d-------- c:\program files\Java
2009-02-03 23:16 . 2009-02-03 23:16 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-03 23:12 . 2009-02-05 16:02 <DIR> d-------- c:\program files\Westnet Usage Grabber
2009-02-03 23:12 . 2003-11-06 14:09 2,108,068 --a------ c:\windows\system32\cl32.dll
2009-02-03 23:12 . 2000-05-22 00:00 1,009,336 --a------ c:\windows\system32\MSCHRT20.OCX
2009-02-03 23:12 . 2003-04-27 19:04 98,304 --a------ c:\windows\system32\VBAlDTab6.OCX
2009-02-03 23:12 . 1999-12-14 12:57 41,008 --a------ c:\windows\system32\DCSysTray.ocx
2009-02-03 23:12 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2009-02-03 23:01 . 2009-02-03 23:01 <DIR> d-------- c:\documents and settings\Fei\Application Data\Locktime
2009-02-03 22:58 . 2009-02-03 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-02-03 22:57 . 2009-02-03 22:58 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- c:\program files\DAMN NFO Viewer
2009-02-03 16:30 . 2009-02-03 16:30 <DIR> d-------- c:\program files\Real Alternative
2009-02-03 16:30 . 2003-03-19 12:14 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-02-03 16:30 . 2004-01-12 07:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-02-02 18:32 . 2009-02-02 18:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 18:28 . 2009-02-02 18:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-02 18:28 . 2009-02-02 18:28 <DIR> d-------- c:\program files\MSBuild
2009-02-02 18:27 . 2009-02-02 18:27 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-02 18:24 . 2008-07-06 21:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-02 18:24 . 2008-07-06 21:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-02 18:24 . 2008-07-06 19:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-02 18:24 . 2008-07-06 21:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-02 18:24 . 2008-07-06 21:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-02 18:24 . 2008-07-06 21:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-02 18:24 . 2008-07-06 21:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-02 17:51 . 2009-02-02 17:51 <DIR> d-------- c:\documents and settings\Fei\Application Data\XemiComputers
2009-02-02 17:50 . 2009-02-02 17:50 <DIR> d-------- c:\program files\XemiComputers
2009-01-30 14:58 . 2009-01-30 14:58 <DIR> d-------- c:\documents and settings\Fei\Application Data\Canon
2009-01-30 14:53 . 2009-01-30 14:53 <DIR> d--h----- C:\CanoScan
2009-01-30 14:53 . 2005-06-23 22:17 352,256 --a------ c:\windows\system32\CNQL1213.DLL
2009-01-30 14:53 . 2005-02-28 13:20 57,344 --a------ c:\windows\system32\CNQU110.DLL
2009-01-30 00:03 . 2009-01-30 00:03 <DIR> d-------- c:\program files\uTorrent
2009-01-30 00:03 . 2009-02-05 04:06 <DIR> d-------- c:\documents and settings\Fei\Application Data\uTorrent
2009-01-29 22:13 . 2009-01-29 22:13 <DIR> dr------- c:\documents and settings\Fei\Application Data\Brother
2009-01-29 22:04 . 2009-01-29 22:04 376 --a------ c:\windows\ODBC.INI
2009-01-29 22:03 . 2009-01-29 22:03 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-29 22:03 . 2007-04-09 20:23 28,040 --a------ c:\windows\system32\mdimon.dll
2009-01-29 22:02 . 2009-01-29 22:03 <DIR> d-------- c:\windows\SHELLNEW
2009-01-29 22:01 . 2009-01-29 22:01 0 ---hs---- c:\windows\S4A2193C4.tmp
2009-01-29 22:00 . 2009-01-29 22:00 <DIR> d-------- c:\program files\Elaborate Bytes
2009-01-29 21:51 . 2009-01-29 21:51 <DIR> d-------- c:\program files\Brownie
2009-01-29 21:51 . 2004-08-10 00:42 77,824 --------- c:\windows\system32\brlmw03a.dll
2009-01-29 21:51 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-29 21:51 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-29 21:51 . 2009-01-29 21:51 9,853 --a------ c:\windows\HL-2140.INI
2009-01-29 21:51 . 2009-01-29 22:16 426 --a------ c:\windows\BRWMARK.INI
2009-01-29 21:51 . 2009-01-29 21:51 145 --a------ c:\windows\BRVIDEO.INI
2009-01-29 21:51 . 2004-08-10 01:00 114 --------- c:\windows\system32\brlmw03a.ini
2009-01-29 21:51 . 2009-01-29 21:51 34 --a------ c:\windows\system32\BD2140.DAT
2009-01-29 21:51 . 2009-01-29 21:51 0 --a------ c:\windows\brmx2001.ini
2009-01-29 21:50 . 2009-01-29 21:51 <DIR> d-------- c:\program files\Brother
2009-01-29 21:50 . 2007-04-24 01:30 192,512 --------- c:\windows\system32\Pdrvinst.dll
2009-01-29 21:50 . 2006-12-21 12:23 176,128 --a------ c:\windows\system32\BROSNMP.DLL
2009-01-29 21:50 . 2007-08-20 03:34 94,208 --a------ c:\windows\system32\BRRBTOOL.EXE
2009-01-29 21:50 . 2004-09-24 02:00 24,223 --a------ c:\windows\system32\BRLM03A.DLL
2009-01-29 21:50 . 2009-02-05 19:02 231 --a------ c:\windows\Brownie.ini
2009-01-29 18:41 . 2009-01-29 18:41 <DIR> d-------- c:\documents and settings\Fei\Application Data\Media Player Classic
2009-01-29 18:40 . 2009-01-29 18:40 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-01-29 18:40 . 2008-09-17 04:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-01-29 18:33 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-01-29 11:15 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-29 11:15 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-29 11:15 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-29 11:15 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-28 12:55 . 2009-02-03 23:33 <DIR> d-------- c:\program files\foobar2000
2009-01-28 12:55 . 2009-02-02 19:01 <DIR> d-------- c:\documents and settings\Fei\Application Data\foobar2000
2009-01-28 12:48 . 2009-01-28 12:48 <DIR> d-------- c:\program files\Google
2009-01-28 11:52 . 2009-01-28 11:52 <DIR> d-------- c:\program files\Foxit Software
2009-01-28 11:52 . 2009-01-28 11:52 <DIR> d-------- c:\documents and settings\Fei\Application Data\Foxit
2009-01-28 10:45 . 2008-10-17 05:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-28 10:45 . 2008-10-17 05:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-28 10:45 . 2008-10-17 05:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-28 10:44 . 2008-10-17 05:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-28 10:44 . 2007-04-17 18:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-28 10:44 . 2007-03-08 14:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-28 10:44 . 2008-10-17 05:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-28 10:44 . 2008-10-17 05:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-28 10:44 . 2008-10-16 22:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-28 00:04 . 2001-08-18 07:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-01-28 00:04 . 2001-08-18 07:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-01-28 00:04 . 2008-04-14 14:39 6,144 --a------ c:\windows\system32\kbd106.dll
2009-01-28 00:04 . 2001-08-17 23:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-01-28 00:04 . 2001-08-17 23:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-01-28 00:04 . 2001-08-17 23:55 5,632 --a------ c:\windows\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 10:00 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-30 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 07:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 07:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-27 07:20 --------- d-----w c:\program files\microsoft frontpage
2009-01-27 06:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-27 06:55 --------- d-----w c:\program files\Analog Devices
2009-01-27 06:54 --------- d-----w c:\program files\ATI Technologies
2009-01-27 06:40 --------- d-----w c:\program files\VIA
2009-01-27 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-01-27 06:31 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-01-27 06:31 147,192 ----a-w c:\windows\system32\guard32.dll
2009-01-27 06:31 101,776 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-01-27 06:31 --------- d-----w c:\program files\COMODO
2009-01-27 06:27 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-27 06:27 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-27 06:27 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-01-27 06:27 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-27 06:27 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-27 06:27 --------- d-----w c:\program files\Symantec
2009-01-27 06:27 --------- d-----w c:\program files\Norton AntiVirus
2009-01-27 06:26 --------- d-----w c:\program files\Windows Sidebar
2009-01-27 06:26 --------- d-----w c:\program files\NortonInstaller
2009-01-27 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-16 07:47 13,976 ----a-w c:\windows\system32\drivers\videX32.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 13:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2009-01-19 4482048]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-27 1797880]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 479232]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]
"Chris PC-Lock"="c:\program files\Chris PC-Lock\PCLock.exe" [2008-05-19 449050]

c:\documents and settings\Fei\Start Menu\Programs\Startup\
Westnet Usage Grabber.lnk - c:\program files\Westnet Usage Grabber\wug.exe [2009-02-03 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys [2009-01-27 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys [2009-01-27 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys [2009-01-27 362544]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-27 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-27 31504]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-30 276344]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-01-27 115560]
R2 VRAID Log Service;VRAID Log Service;c:\program files\VIA\RAID\vialogsv.exe [2009-01-27 52888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-26 99376]
S2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2009-02-02 280833]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e77fd248-ede7-11dd-8b16-0013d4c6fc1d}]
\Shell\AutoRun\command - 8uot.exe
\Shell\explore\Command - 8uot.exe
\Shell\open\Command - 8uot.exe
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Fei\Application Data\Mozilla\Firefox\Profiles\8o27e7p7.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 19:10:21
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(1100)
c:\windows\system32\guard32.dll
.
Completion time: 2009-02-05 19:11:34
ComboFix-quarantined-files.txt 2009-02-05 10:11:32

Pre-Run: 19,142,209,536 bytes free
Post-Run: 19,311,308,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

230 --- E O F --- 2009-02-04 19:12:59

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:37 PM, on 5/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Chris PC-Lock] "C:\Program Files\Chris PC-Lock\PCLock.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Westnet Usage Grabber.lnk = C:\Program Files\Westnet Usage Grabber\wug.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 5148 bytes
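The MountPoints2 block in the ComboFix log above (\Shell\AutoRun\command - 8uot.exe, repeated for the open and explore verbs) is the per-drive autorun hook Explorer keeps for a removable drive, and a worm re-launching from a USB stick this way is consistent with Norton blocking the same detection every day. The Python below is an added check, not from this thread or from ComboFix, that parses a ComboFix-style Reg Loading Points dump and lists each hooked drive GUID; the sample input is copied from the log above, and the DriveHook/report names are my own.

```python
r"""Spot removable-drive autorun hooks in a ComboFix "Reg Loading Points" dump.

Added example for this thread; it is not part of ComboFix or of any post here.
Explorer keeps one MountPoints2 subkey per drive it has mounted.  A
\Shell\AutoRun\command, \Shell\open\Command or \Shell\explore\Command value
under such a key makes Explorer run that program when the drive is auto-played,
opened or explored, so a program dropped on a USB stick is re-launched each
time the stick is used, which matches an AV "blocking" the same detection
day after day.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input copied from the ComboFix log posted above (constructed test data).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e77fd248-ede7-11dd-8b16-0013d4c6fc1d}]
\Shell\AutoRun\command - 8uot.exe
\Shell\explore\Command - 8uot.exe
\Shell\open\Command - 8uot.exe
.
"""

# "[HKEY_...\mountpoints2\{guid}]" section header
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "\Shell\<verb>\command - <program>" line as ComboFix prints it
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)\s*$",
                     re.IGNORECASE)


@dataclass
class DriveHook:
    """One MountPoints2 drive entry and the Shell verbs hooked under it."""
    guid: str
    verbs: Dict[str, str] = field(default_factory=dict)  # verb -> command

    def is_suspicious(self) -> bool:
        # Any hooked verb is abnormal for a plain removable drive.
        return bool(self.verbs)

    def bare_programs(self) -> List[str]:
        # A bare file name (no directory, no drive letter) means the program
        # lives on the removable drive itself, next to its autorun.inf.
        return sorted({c for c in self.verbs.values() if "\\" not in c and ":" not in c})


def parse_drive_hooks(dump: str) -> List[DriveHook]:
    """Return every MountPoints2 entry in the dump together with its hooked verbs."""
    hooks: List[DriveHook] = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header:
            key = header.group("key")
            current = None
            if "mountpoints2" in key.lower():
                current = DriveHook(guid=key.rsplit("\\", 1)[-1])
                hooks.append(current)
            continue
        if current is None:
            continue  # lines under Run/other keys are not drive hooks
        verb = VERB_RE.match(line)
        if verb:
            current.verbs[verb.group("verb").lower()] = verb.group("cmd")
    return hooks


def report(dump: str) -> List[str]:
    """Human-readable findings, one line per hooked drive (empty list = clean)."""
    lines = []
    for hook in parse_drive_hooks(dump):
        if hook.is_suspicious():
            verbs = ", ".join(f"{v}={c}" for v, c in sorted(hook.verbs.items()))
            lines.append(f"{hook.guid}: {verbs}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_DUMP):
        print("hooked drive ->", finding)
    # Cleanup goes beyond deleting the registry key: the autorun.inf and the
    # named executable on the stick must go too, and the NoDriveTypeAutoRun
    # policy value 0xFF stops Explorer honouring autorun.inf on any drive.
```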

Blade81
2009-02-05, 19:05
Hi

Two things.

1) Your Norton seems to be an illegal version. That means you have to uninstall it if you want me to continue helping with the cleaning. The removal tool can be downloaded here (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039).


2) IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\program files\uTorrent
c:\documents and settings\Fei\Application Data\uTorrent

Empty Recycle Bin.


After those are done:

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized; if not, you'll find it in the c:\rsit folder).

choconick
2009-02-06, 03:30
info.txt logfile of random's system information tool 1.05 2009-02-06 10:26:20

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Active Desktop Calendar 7.69-->"C:\Program Files\XemiComputers\Active Desktop Calendar\unins000.exe"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
Brother HL-2140-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96BA9935-692C-464A-83E7-2E36AF10D6B5}\setup.exe" -l0x9 -removeonly /uninst
Canon ScanGear Starter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Chris PC-Lock 2.65-->"C:\Program Files\Chris PC-Lock\unins000.exe"
COMODO Internet Security-->C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe -u
foobar2000 v0.9.6.2-->"C:\Program Files\foobar2000\uninstall.exe" _?=C:\Program Files\foobar2000
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Google Gmail Notifier-->"C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
K-Lite Codec Pack 4.4.5 (Standard)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
NetLimiter 2 Pro (remove only)-->"C:\Program Files\NetLimiter 2 Pro\nl2uninst.exe"
OGA Notifier 1.7.0105.35.0-->MsiExec.exe /I{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}
QT Lite 2.8.0-->"C:\Program Files\QT Lite\unins000.exe"
Real Alternative 1.9.0 Lite-->"C:\Program Files\Real Alternative\unins000.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VirtualCloneDrive-->"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D="C:\Program Files\Elaborate Bytes\VirtualCloneDrive"
Westnet Usage Grabber 7-->"C:\Program Files\Westnet Usage Grabber\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}
Windows Live Communications Platform-->MsiExec.exe /I{F69E83CF-B440-43F8-89E6-6EA80712109B}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{D9D754A1-EAC5-406C-A28B-C49B1E846711}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{505DF7A3-88D5-4DD6-9AD5-C98C2ED0CEC4}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

FW: COMODO Firewall

System event log

Computer Name: FEI-CA84B710800
Event Code: 15007
Message: Reservation for namespace identified by URL prefix http://*:2869/ was successfully added.

Record Number: 5
Source Name: HTTP
Time Written: 20090127161642.000000+540
Event Type: information
User:

Computer Name: FEI-CA84B710800
Event Code: 6011
Message: The NetBIOS name and DNS host name of this machine have been changed from MACHINENAME to FEI-CA84B710800.

Record Number: 4
Source Name: EventLog
Time Written: 20090127160750.000000+540
Event Type: information
User:

Computer Name: MACHINENAME
Event Code: 2
Message: While validating that \Device\Serial0 was really a serial port, a fifo was detected. The fifo will be used.

Record Number: 3
Source Name: Serial
Time Written: 20090127235020.000000+540
Event Type: information
User:

Computer Name: MACHINENAME
Event Code: 6005
Message: The Event log service was started.

Record Number: 2
Source Name: EventLog
Time Written: 20090127235009.000000+540
Event Type: information
User:

Computer Name: MACHINENAME
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.

Record Number: 1
Source Name: EventLog
Time Written: 20090127235009.000000+540
Event Type: information
User:

Application event log

Computer Name: FEI-CA84B710800
Event Code: 1000
Message: Performance counters for the MSDTC (MSDTC) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 5
Source Name: LoadPerf
Time Written: 20090127161234.000000+540
Event Type: information
User:

Computer Name: FEI-CA84B710800
Event Code: 1000
Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 4
Source Name: LoadPerf
Time Written: 20090127161226.000000+540
Event Type: information
User:

Computer Name: FEI-CA84B710800
Event Code: 1000
Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 3
Source Name: LoadPerf
Time Written: 20090127161025.000000+540
Event Type: information
User:

Computer Name: FEI-CA84B710800
Event Code: 1000
Message: Performance counters for the PSched (PSched) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20090127160832.000000+540
Event Type: information
User:

Computer Name: FEI-CA84B710800
Event Code: 1000
Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 1
Source Name: LoadPerf
Time Written: 20090127160830.000000+540
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2c02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
Logfile of random's system information tool 1.05 (written by random/random)
Run by Fei at 2009-02-06 10:26:05
Microsoft Windows XP Professional Service Pack 3
System drive C: has 19 GB (60%) free of 31 GB
Total RAM: 511 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:17 AM, on 6/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fei\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Fei.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Chris PC-Lock] "C:\Program Files\Chris PC-Lock\PCLock.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Westnet Usage Grabber.lnk = C:\Program Files\Westnet Usage Grabber\wug.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 4829 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\OGADaily.job
C:\WINDOWS\tasks\OGALogon.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-02-03 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-11-18 408952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-03 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-14 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-01-27 1797880]
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-04-01 1368064]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-16 479232]
"BrStsWnd"=C:\Program Files\Brownie\BrstsWnd.exe [2008-01-08 864256]
"VirtualCloneDrive"=C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2006-04-29 94208]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-03 136600]
"Chris PC-Lock"=C:\Program Files\Chris PC-Lock\PCLock.exe [2008-05-19 449050]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe [2009-01-19 4482048]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-12-02 3882312]

C:\Documents and Settings\Fei\Start Menu\Programs\Startup
Westnet Usage Grabber.lnk - C:\Program Files\Westnet Usage Grabber\wug.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\guard32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableChangePassword"=0
"DisableLockWorkStation"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoLogOff"=0
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e77fd248-ede7-11dd-8b16-0013d4c6fc1d}]
shell\AutoRun\command - 8uot.exe
shell\explore\command - 8uot.exe
shell\open\command - 8uot.exe


======List of files/folders created in the last 1 months======

2009-02-06 10:26:05 ----D---- C:\rsit
2009-02-06 10:21:59 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-02-06 10:21:38 ----D---- C:\00000082
2009-02-06 10:19:16 ----SHD---- C:\RECYCLER
2009-02-05 19:11:36 ----A---- C:\ComboFix.txt
2009-02-05 19:08:03 ----A---- C:\Boot.bak
2009-02-05 19:07:59 ----RASHD---- C:\cmdcons
2009-02-05 19:04:23 ----A---- C:\WINDOWS\zip.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\VFIND.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\SWSC.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\SWREG.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\sed.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\grep.exe
2009-02-05 19:04:23 ----A---- C:\WINDOWS\fdsv.exe
2009-02-05 19:04:03 ----D---- C:\WINDOWS\ERDNT
2009-02-05 19:04:03 ----D---- C:\Qoobox
2009-02-04 12:23:35 ----D---- C:\Program Files\Chris PC-Lock
2009-02-04 10:41:33 ----D---- C:\Program Files\SystemRequirementsLab
2009-02-04 10:41:00 ----D---- C:\Documents and Settings\Fei\Application Data\SystemRequirementsLab
2009-02-04 10:40:34 ----D---- C:\WINDOWS\Sun
2009-02-04 00:17:40 ----A---- C:\WINDOWS\system32\muweb.dll
2009-02-04 00:17:40 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-02-04 00:17:40 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-02-03 23:35:38 ----D---- C:\Program Files\Microsoft
2009-02-03 23:35:30 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-02-03 23:35:19 ----D---- C:\Program Files\QT Lite
2009-02-03 23:34:59 ----D---- C:\Program Files\Windows Live SkyDrive
2009-02-03 23:34:21 ----D---- C:\Program Files\Windows Live
2009-02-03 23:32:22 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-03 23:32:22 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-03 23:32:22 ----A---- C:\WINDOWS\system32\java.exe
2009-02-03 23:32:22 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-03 23:31:32 ----D---- C:\Program Files\Java
2009-02-03 23:21:11 ----D---- C:\Documents and Settings\Fei\Application Data\Sun
2009-02-03 23:16:02 ----D---- C:\Program Files\Common Files\Windows Live
2009-02-03 23:12:44 ----A---- C:\WINDOWS\system32\cl32.dll
2009-02-03 23:12:43 ----A---- C:\WINDOWS\system32\ssubtmr6.dll
2009-02-03 23:12:29 ----D---- C:\Program Files\Westnet Usage Grabber
2009-02-03 23:01:49 ----D---- C:\Documents and Settings\Fei\Application Data\Locktime
2009-02-03 22:58:11 ----D---- C:\Documents and Settings\All Users\Application Data\Locktime
2009-02-03 22:57:52 ----D---- C:\Program Files\NetLimiter 2 Pro
2009-02-03 22:57:19 ----D---- C:\Program Files\DAMN NFO Viewer
2009-02-03 16:30:18 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-02-03 16:30:18 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-02-03 16:30:18 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-02-03 16:30:18 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-02-03 16:30:18 ----A---- C:\WINDOWS\system32\msvcp71.dll
2009-02-03 16:30:17 ----D---- C:\Program Files\Real Alternative
2009-02-03 16:30:17 ----D---- C:\Documents and Settings\Fei\Application Data\Real
2009-02-03 16:30:17 ----D---- C:\Documents and Settings\All Users\Application Data\Real
2009-02-03 16:30:17 ----A---- C:\WINDOWS\system32\msvcr71.dll
2009-02-02 18:32:51 ----D---- C:\Program Files\Trend Micro
2009-02-02 18:28:13 ----D---- C:\WINDOWS\system32\XPSViewer
2009-02-02 18:28:06 ----D---- C:\Program Files\MSBuild
2009-02-02 18:27:51 ----D---- C:\Program Files\Reference Assemblies
2009-02-02 18:24:55 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-02-02 18:24:50 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-02-02 18:24:47 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-02-02 18:20:04 ----RSD---- C:\WINDOWS\assembly
2009-02-02 18:18:11 ----D---- C:\WINDOWS\Microsoft.NET
2009-02-02 17:51:21 ----D---- C:\Documents and Settings\Fei\Application Data\XemiComputers
2009-02-02 17:50:46 ----D---- C:\Program Files\XemiComputers
2009-02-02 17:49:52 ----D---- C:\Documents and Settings\Fei\Application Data\WinRAR
2009-02-02 17:49:09 ----D---- C:\Program Files\WinRAR
2009-01-30 14:58:03 ----D---- C:\Documents and Settings\Fei\Application Data\Canon
2009-01-30 14:53:44 ----HD---- C:\CanoScan
2009-01-30 14:53:44 ----A---- C:\WINDOWS\system32\CNQU110.DLL
2009-01-30 14:53:44 ----A---- C:\WINDOWS\system32\CNQL1213.DLL
2009-01-29 22:13:19 ----RD---- C:\Documents and Settings\Fei\Application Data\Brother
2009-01-29 22:04:05 ----A---- C:\WINDOWS\ODBC.INI
2009-01-29 22:03:54 ----A---- C:\WINDOWS\system32\mdimon.dll
2009-01-29 22:03:01 ----D---- C:\Program Files\Microsoft ActiveSync
2009-01-29 22:02:58 ----D---- C:\WINDOWS\SHELLNEW
2009-01-29 22:02:54 ----D---- C:\Program Files\Common Files\DESIGNER
2009-01-29 22:02:23 ----D---- C:\Program Files\Microsoft Office
2009-01-29 22:01:28 ----SH---- C:\WINDOWS\S4A2193C4.tmp
2009-01-29 22:00:48 ----D---- C:\Program Files\Elaborate Bytes
2009-01-29 21:51:42 ----N---- C:\WINDOWS\system32\brlmw03a.ini
2009-01-29 21:51:42 ----N---- C:\WINDOWS\system32\brlmw03a.dll
2009-01-29 21:51:42 ----A---- C:\WINDOWS\BRVIDEO.INI
2009-01-29 21:51:42 ----A---- C:\WINDOWS\brmx2001.ini
2009-01-29 21:51:41 ----D---- C:\Program Files\Brownie
2009-01-29 21:51:41 ----A---- C:\WINDOWS\HL-2140.INI
2009-01-29 21:51:25 ----A---- C:\WINDOWS\BRWMARK.INI
2009-01-29 21:50:20 ----A---- C:\WINDOWS\system32\BRRBTOOL.EXE
2009-01-29 21:50:20 ----A---- C:\WINDOWS\system32\BROSNMP.DLL
2009-01-29 21:50:19 ----N---- C:\WINDOWS\system32\Pdrvinst.dll
2009-01-29 21:50:19 ----D---- C:\Program Files\Brother
2009-01-29 21:50:19 ----A---- C:\WINDOWS\system32\BRLM03A.DLL
2009-01-29 21:50:08 ----A---- C:\WINDOWS\Brownie.ini
2009-01-29 18:41:26 ----D---- C:\Documents and Settings\Fei\Application Data\Media Player Classic
2009-01-29 18:40:48 ----A---- C:\WINDOWS\system32\unrar.dll
2009-01-29 18:40:43 ----D---- C:\Program Files\K-Lite Codec Pack
2009-01-29 11:15:16 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-01-29 11:15:14 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-01-28 12:55:46 ----D---- C:\Documents and Settings\Fei\Application Data\foobar2000
2009-01-28 12:55:28 ----D---- C:\Program Files\foobar2000
2009-01-28 12:48:06 ----D---- C:\Program Files\Google
2009-01-28 11:52:20 ----D---- C:\Program Files\Foxit Software
2009-01-28 11:52:20 ----D---- C:\Documents and Settings\Fei\Application Data\Foxit
2009-01-28 10:45:45 ----D---- C:\WINDOWS\ie7updates
2009-01-28 00:07:36 ----A---- C:\WINDOWS\system32\h323log.txt
2009-01-28 00:05:33 ----A---- C:\WINDOWS\system32\uniime.dll
2009-01-28 00:05:28 ----A---- C:\WINDOWS\system32\kbdlk41j.dll
2009-01-28 00:05:28 ----A---- C:\WINDOWS\system32\kbdlk41a.dll
2009-01-28 00:05:28 ----A---- C:\WINDOWS\system32\c_g18030.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\kbdibm02.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\kbdax2.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\kbd106n.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\kbd101.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\imjp81k.dll
2009-01-28 00:05:27 ----A---- C:\WINDOWS\system32\f3ahvoas.dll
2009-01-28 00:05:24 ----A---- C:\WINDOWS\system32\korwbrkr.dll
2009-01-28 00:05:24 ----A---- C:\WINDOWS\system32\chtbrkr.dll
2009-01-28 00:05:24 ----A---- C:\WINDOWS\system32\chsbrkr.dll
2009-01-28 00:05:23 ----A---- C:\WINDOWS\system32\msir3jp.dll
2009-01-28 00:05:15 ----A---- C:\WINDOWS\system32\kbd101a.dll
2009-01-28 00:05:10 ----A---- C:\WINDOWS\system32\kbdnecNT.dll
2009-01-28 00:05:10 ----A---- C:\WINDOWS\system32\kbdnecAT.dll
2009-01-28 00:05:10 ----A---- C:\WINDOWS\system32\kbdnec95.dll
2009-01-28 00:05:00 ----A---- C:\WINDOWS\system32\c_is2022.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbdkor.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbdjpn.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbd106.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbd103.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbd101c.dll
2009-01-28 00:04:58 ----A---- C:\WINDOWS\system32\kbd101b.dll
2009-01-27 23:56:53 ----A---- C:\WINDOWS\system32\ativvaxx.dll
2009-01-27 23:56:52 ----A---- C:\WINDOWS\system32\ati3duag.dll
2009-01-27 23:56:52 ----A---- C:\WINDOWS\system32\ati3d1ag.dll
2009-01-27 23:56:52 ----A---- C:\WINDOWS\system32\ati2dvag.dll
2009-01-27 23:56:52 ----A---- C:\WINDOWS\system32\ati2cqag.dll
2009-01-27 23:56:04 ----A---- C:\WINDOWS\system32\usbui.dll
2009-01-27 23:53:37 ----A---- C:\WINDOWS\imsins.BAK
2009-01-27 23:53:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-27 23:53:33 ----SHD---- C:\WINDOWS\Installer
2009-01-27 23:53:31 ----D---- C:\Program Files\Common Files\ODBC
2009-01-27 23:53:31 ----A---- C:\WINDOWS\ODBCINST.INI
2009-01-27 23:53:25 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-01-27 23:53:24 ----RD---- C:\Program Files
2009-01-27 23:53:24 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-27 23:53:24 ----D---- C:\Program Files\Common Files
2009-01-27 23:53:18 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2009-01-27 23:53:18 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2009-01-27 23:53:18 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2009-01-27 23:53:15 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2009-01-27 23:53:15 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2009-01-27 23:53:15 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2009-01-27 23:53:15 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2009-01-27 23:53:15 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdur.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdru.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2009-01-27 23:53:14 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2009-01-27 23:53:11 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2009-01-27 23:53:11 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2009-01-27 23:53:11 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2009-01-27 23:53:11 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2009-01-27 23:53:11 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2009-01-27 23:53:10 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2009-01-27 23:53:10 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2009-01-27 23:53:08 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2009-01-27 23:53:08 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2009-01-27 23:53:08 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2009-01-27 23:53:08 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2009-01-27 23:53:08 ----RA---- C:\WINDOWS\system32\kbdest.dll
2009-01-27 23:53:05 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2009-01-27 23:53:05 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdro.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2009-01-27 23:53:04 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2009-01-27 23:53:01 ----A---- C:\WINDOWS\system32\irclass.dll
2009-01-27 23:53:00 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-01-27 23:53:00 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2009-01-27 23:53:00 ----A---- C:\WINDOWS\system32\dgsetup.dll
2009-01-27 23:53:00 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2009-01-27 23:52:57 ----A---- C:\WINDOWS\TASKMAN.EXE
2009-01-27 23:52:56 ----N---- C:\WINDOWS\system32\CONFIG.TMP
2009-01-27 23:52:56 ----A---- C:\WINDOWS\system32\batt.dll
2009-01-27 23:52:55 ----A---- C:\WINDOWS\NOTEPAD.EXE
2009-01-27 23:52:54 ----A---- C:\WINDOWS\system32\storprop.dll
2009-01-27 23:52:34 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-01-27 23:50:51 ----RA---- C:\WINDOWS\SET8.tmp
2009-01-27 23:50:48 ----RA---- C:\WINDOWS\SET4.tmp
2009-01-27 23:50:46 ----RA---- C:\WINDOWS\SET3.tmp
2009-01-27 23:50:38 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-27 23:50:38 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-27 23:50:32 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-27 23:50:01 ----A---- C:\WINDOWS\setuplog.txt
2009-01-27 23:49:58 ----D---- C:\Documents and Settings
2009-01-27 23:49:57 ----SHD---- C:\System Volume Information
2009-01-27 23:48:50 ----RASH---- C:\boot.ini
2009-01-27 23:48:34 ----D---- C:\Drivers
2009-01-27 23:44:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-27 23:44:59 ----RSD---- C:\WINDOWS\Fonts
2009-01-27 23:44:59 ----RD---- C:\WINDOWS\Web
2009-01-27 23:44:59 ----HD---- C:\WINDOWS\inf
2009-01-27 23:44:59 ----D---- C:\WINDOWS\WinSxS
2009-01-27 23:44:59 ----D---- C:\WINDOWS\twain_32
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Temp
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\wins
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\wbem
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\usmt
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\spool
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\ShellExt
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\Setup
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\scripting
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\ras
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\oobe
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\npp
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\mui
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\inetsrv
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\IME
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\icsxml
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\ias
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\export
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\en
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\drivers
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\dhcp
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\config
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\3com_dmi
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\3076
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\2052
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1054
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1042
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1041
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1037
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1033
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1031
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1028
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32\1025
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system32
2009-01-27 23:44:59 ----D---- C:\WINDOWS\system
2009-01-27 23:44:59 ----D---- C:\WINDOWS\security
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Resources
2009-01-27 23:44:59 ----D---- C:\WINDOWS\repair
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Provisioning
2009-01-27 23:44:59 ----D---- C:\WINDOWS\PeerNet
2009-01-27 23:44:59 ----D---- C:\WINDOWS\pchealth
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Network Diagnostic
2009-01-27 23:44:59 ----D---- C:\WINDOWS\mui
2009-01-27 23:44:59 ----D---- C:\WINDOWS\msapps
2009-01-27 23:44:59 ----D---- C:\WINDOWS\msagent
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Media
2009-01-27 23:44:59 ----D---- C:\WINDOWS\L2Schemas
2009-01-27 23:44:59 ----D---- C:\WINDOWS\java
2009-01-27 23:44:59 ----D---- C:\WINDOWS\ime
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Help
2009-01-27 23:44:59 ----D---- C:\WINDOWS\ehome
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Driver Cache
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Debug
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Cursors
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Connection Wizard
2009-01-27 23:44:59 ----D---- C:\WINDOWS\Config
2009-01-27 23:44:59 ----D---- C:\WINDOWS\AppPatch
2009-01-27 23:44:59 ----D---- C:\WINDOWS\addins
2009-01-27 23:44:59 ----D---- C:\WINDOWS
2009-01-27 17:25:08 ----D---- C:\Documents and Settings\Fei\Application Data\Mozilla
2009-01-27 17:24:44 ----D---- C:\Program Files\Mozilla Firefox
2009-01-27 17:02:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-01-27 17:02:10 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-01-27 17:02:01 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-27 17:01:54 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-27 17:01:20 ----D---- C:\WINDOWS\WBEM
2009-01-27 16:56:29 ----HDC---- C:\WINDOWS\ie7
2009-01-27 16:56:13 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2009-01-27 16:55:52 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2009-01-27 16:54:33 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-01-27 16:52:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-27 16:52:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2009-01-27 16:52:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-01-27 16:52:13 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-01-27 16:52:03 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-01-27 16:51:52 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-01-27 16:50:57 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-01-27 16:50:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-27 16:50:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-27 16:50:19 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-01-27 16:50:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-27 16:50:05 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-27 16:49:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-27 16:49:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-27 16:49:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-27 16:49:33 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-01-27 16:49:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-27 16:49:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-27 16:49:00 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-27 16:48:53 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-27 16:48:45 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-27 16:48:36 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-27 16:48:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-27 16:47:26 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-27 16:24:03 ----D---- C:\WINDOWS\SoftwareDistribution
2009-01-27 16:23:50 ----D---- C:\WINDOWS\Prefetch
2009-01-27 16:23:49 ----SD---- C:\WINDOWS\system32\Microsoft
2009-01-27 16:23:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-27 16:20:02 ----D---- C:\WINDOWS\system32\xircom
2009-01-27 16:20:02 ----D---- C:\Program Files\xerox
2009-01-27 16:20:02 ----D---- C:\Program Files\microsoft frontpage
2009-01-27 16:19:21 ----A---- C:\WINDOWS\control.ini
2009-01-27 16:19:21 ----A---- C:\AUTOEXEC.BAT
2009-01-27 16:18:57 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-27 16:18:49 ----A---- C:\WINDOWS\system32\mapi32.dll
2009-01-27 16:17:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-27 16:17:04 ----RD---- C:\WINDOWS\Offline Web Pages
2009-01-27 16:17:04 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-01-27 16:16:56 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-01-27 16:16:46 ----HD---- C:\Program Files\WindowsUpdate
2009-01-27 16:16:07 ----D---- C:\WINDOWS\system32\DirectX
2009-01-27 16:16:02 ----A---- C:\WINDOWS\system32\atrace.dll
2009-01-27 16:16:00 ----A---- C:\WINDOWS\system32\desktop.ini
2009-01-27 16:16:00 ----A---- C:\WINDOWS\desktop.ini
2009-01-27 16:15:54 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2009-01-27 16:15:53 ----A---- C:\WINDOWS\system32\acctres.dll
2009-01-27 16:15:52 ----D---- C:\Program Files\Common Files\Services
2009-01-27 16:15:50 ----SD---- C:\WINDOWS\Tasks
2009-01-27 16:15:50 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2009-01-27 16:15:49 ----D---- C:\Program Files\Common Files\MSSoap
2009-01-27 16:15:41 ----D---- C:\WINDOWS\srchasst
2009-01-27 16:15:39 ----D---- C:\WINDOWS\system32\Macromed
2009-01-27 16:15:35 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-01-27 16:15:35 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-01-27 16:15:34 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-01-27 16:15:34 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2009-01-27 16:15:33 ----A---- C:\WINDOWS\system32\wups.dll
2009-01-27 16:15:33 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-01-27 16:15:33 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2009-01-27 16:15:33 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\qmgr.dll
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2009-01-27 16:15:32 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2009-01-27 16:15:25 ----D---- C:\Program Files\Movie Maker
2009-01-27 16:14:57 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-01-27 16:14:57 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-01-27 16:14:57 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-01-27 16:14:56 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-01-27 16:14:49 ----A---- C:\WINDOWS\system32\fltMc.exe
2009-01-27 16:14:49 ----A---- C:\WINDOWS\system32\fltlib.dll
2009-01-27 16:14:48 ----D---- C:\WINDOWS\system32\Restore
2009-01-27 16:14:48 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-01-27 16:14:48 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-01-27 16:14:48 ----A---- C:\WINDOWS\system32\srclient.dll
2009-01-27 16:14:47 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-01-27 16:14:47 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-01-27 16:14:47 ----A---- C:\WINDOWS\system32\ils.dll
2009-01-27 16:14:46 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-01-27 16:14:46 ----A---- C:\WINDOWS\system32\msconf.dll
2009-01-27 16:14:46 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-01-27 16:14:42 ----D---- C:\Program Files\NetMeeting
2009-01-27 16:14:42 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-01-27 16:14:41 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-01-27 16:14:39 ----A---- C:\WINDOWS\system32\inetres.dll
2009-01-27 16:14:39 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-01-27 16:14:35 ----D---- C:\Program Files\Outlook Express
2009-01-27 16:14:35 ----A---- C:\WINDOWS\system32\schedsvc.dll
2009-01-27 16:14:34 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-01-27 16:14:34 ----A---- C:\WINDOWS\system32\mstask.dll
2009-01-27 16:14:33 ----A---- C:\WINDOWS\system32\isign32.dll
2009-01-27 16:14:33 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-01-27 16:14:33 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-01-27 16:14:33 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-01-27 16:14:24 ----D---- C:\Program Files\Common Files\System
2009-01-27 16:14:22 ----D---- C:\Program Files\Internet Explorer
2009-01-27 16:13:07 ----D---- C:\Program Files\ComPlus Applications
2009-01-27 16:13:00 ----A---- C:\WINDOWS\vbaddin.ini
2009-01-27 16:13:00 ----A---- C:\WINDOWS\vb.ini
2009-01-27 16:12:47 ----D---- C:\WINDOWS\Registration
2009-01-27 16:12:26 ----D---- C:\Program Files\Windows Media Player
2009-01-27 16:12:26 ----D---- C:\Program Files\Online Services
2009-01-27 16:12:09 ----D---- C:\Program Files\Messenger
2009-01-27 16:12:05 ----D---- C:\Program Files\MSN Gaming Zone
2009-01-27 16:12:05 ----A---- C:\WINDOWS\system32\write.exe
2009-01-27 16:11:56 ----A---- C:\WINDOWS\system32\sndvol32.exe
2009-01-27 16:11:56 ----A---- C:\WINDOWS\system32\hticons.dll
2009-01-27 16:11:56 ----A---- C:\WINDOWS\system32\avwav.dll
2009-01-27 16:11:56 ----A---- C:\WINDOWS\system32\avtapi.dll
2009-01-27 16:11:56 ----A---- C:\WINDOWS\system32\avmeter.dll
2009-01-27 16:11:55 ----A---- C:\WINDOWS\system32\winchat.exe
2009-01-27 16:11:49 ----A---- C:\WINDOWS\system32\sol.exe
2009-01-27 16:11:49 ----A---- C:\WINDOWS\system32\getuname.dll
2009-01-27 16:11:49 ----A---- C:\WINDOWS\system32\charmap.exe
2009-01-27 16:11:49 ----A---- C:\WINDOWS\system32\calc.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\winmine.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\tslabels.ini
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\tskill.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\reset.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\mshearts.exe
2009-01-27 16:11:48 ----A---- C:\WINDOWS\system32\freecell.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\tscon.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\shadow.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\rwinsta.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\regini.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\qwinsta.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\qappsrv.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\msg.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\logoff.exe
2009-01-27 16:11:47 ----A---- C:\WINDOWS\system32\cdmodem.dll
2009-01-27 16:11:46 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2009-01-27 16:11:41 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2009-01-27 16:11:29 ----D---- C:\Program Files\MSN
2009-01-27 16:11:28 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-01-27 16:11:28 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-01-27 16:11:28 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-01-27 16:11:27 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-01-27 16:11:26 ----D---- C:\Program Files\Windows NT
2009-01-27 16:11:26 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-01-27 16:11:25 ----A---- C:\WINDOWS\system32\spider.exe
2009-01-27 16:11:25 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-01-27 16:11:24 ----D---- C:\WINDOWS\system32\en-US
2009-01-27 16:11:23 ----A---- C:\WINDOWS\system32\tsgqec.dll
2009-01-27 16:11:23 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-01-27 16:11:23 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2009-01-27 16:11:23 ----A---- C:\WINDOWS\system32\aaclient.dll
2009-01-27 16:11:22 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-01-27 16:11:21 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-01-27 16:11:21 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-01-27 16:11:21 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-01-27 16:11:20 ----A---- C:\WINDOWS\system32\termsrv.dll
2009-01-27 16:11:20 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-01-27 16:11:20 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-01-27 16:11:20 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-01-27 16:11:20 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-01-27 16:11:19 ----D---- C:\WINDOWS\system32\MsDtc
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-01-27 16:11:19 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-01-27 16:11:18 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-01-27 16:11:18 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-01-27 16:11:17 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-01-27 16:11:17 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-01-27 16:11:17 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-01-27 16:11:17 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-01-27 16:11:15 ----D---- C:\WINDOWS\system32\Com
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\mtxex.dll
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\mtxdm.dll
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\comaddin.dll
2009-01-27 16:11:15 ----A---- C:\WINDOWS\system32\colbact.dll
2009-01-27 16:11:14 ----A---- C:\WINDOWS\system32\stclient.dll
2009-01-27 16:11:14 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-01-27 16:11:14 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-01-27 16:11:14 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-01-27 16:11:13 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-01-27 16:11:13 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-01-27 16:11:11 ----A---- C:\WINDOWS\system32\comuid.dll
2009-01-27 16:11:11 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-01-27 16:11:11 ----A---- C:\WINDOWS\system32\comsnap.dll
2009-01-27 16:11:10 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-01-27 16:11:00 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-01-27 16:11:00 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-01-27 16:11:00 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-01-27 16:11:00 ----A---- C:\WINDOWS\system32\cmprops.dll
2009-01-27 16:09:57 ----D---- C:\WINDOWS\system32\PreInstall
2009-01-27 16:09:54 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-01-27 16:09:54 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-01-27 16:09:53 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2009-01-27 16:09:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-27 16:06:01 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-01-27 15:56:10 ----A---- C:\WINDOWS\system32\ksuser.dll
2009-01-27 15:56:03 ----A---- C:\WINDOWS\system32\a3d.dll
2009-01-27 15:56:00 ----A---- C:\WINDOWS\system32\wdmioctl.dll
2009-01-27 15:56:00 ----A---- C:\WINDOWS\system32\SMMedia.dll
2009-01-27 15:55:57 ----D---- C:\WINDOWS\VirtualEar
2009-01-27 15:55:57 ----A---- C:\WINDOWS\system32\virtear.dll
2009-01-27 15:55:57 ----A---- C:\WINDOWS\system32\Audio3d.dll
2009-01-27 15:55:53 ----D---- C:\Program Files\Analog Devices
2009-01-27 15:55:53 ----A---- C:\WINDOWS\system32\DSndUp.exe
2009-01-27 15:55:53 ----A---- C:\WINDOWS\system32\CleanUp.exe
2009-01-27 15:54:52 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-01-27 15:54:52 ----A---- C:\WINDOWS\system32\vuins32.dll
2009-01-27 15:54:18 ----D---- C:\Program Files\ATI Technologies
2009-01-27 15:53:12 ----D---- C:\ATI
2009-01-27 15:49:01 ----D---- C:\Documents and Settings\Fei\Application Data\Adobe
2009-01-27 15:41:59 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-27 15:40:46 ----D---- C:\Documents and Settings\Fei\Application Data\Macromedia
2009-01-27 15:38:37 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-27 15:37:59 ----A---- C:\WINDOWS\system32\difxapi.dll
2009-01-27 15:37:53 ----D---- C:\Program Files\VIA
2009-01-27 15:37:18 ----D---- C:\Program Files\Common Files\InstallShield
2009-01-27 15:31:39 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2009-01-27 15:31:39 ----A---- C:\WINDOWS\system32\guard32.dll
2009-01-27 15:31:30 ----D---- C:\Program Files\COMODO
2009-01-27 15:26:56 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2009-01-27 15:26:45 ----D---- C:\Program Files\NortonInstaller
2009-01-27 15:26:45 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-01-27 15:25:37 ----D---- C:\Documents and Settings\Fei\Application Data\Identities
2009-01-27 15:25:35 ----HD---- C:\Program Files\Uninstall Information
2009-01-27 15:25:10 ----ASH---- C:\Documents and Settings\Fei\Application Data\desktop.ini
2009-01-27 15:25:09 ----SD---- C:\Documents and Settings\Fei\Application Data\Microsoft

======List of files/folders modified in the last 1 months======

2009-02-05 19:10:23 ----A---- C:\WINDOWS\system.ini
2009-01-27 16:19:21 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-01-27 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-01-27 31504]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-08 25160]
R1 nltdi;nltdi; \??\C:\WINDOWS\system32\drivers\nltdi.sys []
R1 VClone;VClone; C:\WINDOWS\system32\DRIVERS\VClone.sys [2008-03-30 25344]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2008-06-12 116176]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-04-14 701440]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2007-02-16 11984]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-09-21 43520]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-04-27 381056]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-06-07 266880]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 MidiSyn;MidiSyn; C:\WINDOWS\system32\drivers\MidiSyn.sys [2002-09-21 235100]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-01-27 618232]
R2 nlsvc;NetLimiter; C:\Program Files\NetLimiter 2 Pro\nlsvc.exe [2007-03-22 516096]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 VRAID Log Service;VRAID Log Service; C:\Program Files\VIA\RAID\vialogsv.exe [2008-09-24 52888]
S2 .norton2009Reset;Norton 2009 Reset; C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe [2009-02-02 280833]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Blade81
2009-02-06, 17:50
Good. Now we'll continue (I'll give recommendations for antivirus a bit later) :)

Start hjt, do a system scan, check (if found):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



Driver::
norton2009Reset

Folder::
c:\documents and settings\All Users\Application Data\Norton

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e77fd248-ede7-11dd-8b16-0013d4c6fc1d}]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and the above-mentioned ComboFix resultant log.
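
Added here as a worked example (not code from this thread, from HijackThis or from ComboFix): a small Python parser for the O2 (BHO) and O23 (service) lines of a HijackThis v2.0.2 log that flags entries whose registered file is gone, i.e. the "(no file)" and "(file missing)" leftovers that the fix above asks for. The sample log lines are constructed to match the format of the logs posted in this thread; `parse_line`, `orphaned_entries` and `report` are names chosen for this example.

```python
"""Triage a HijackThis (HJT) log for orphaned O2/O23 entries.

An orphaned entry is an autostart hook (BHO CLSID or service registration)
whose target file no longer exists: either a registry leftover from an
uninstall, or a sign that a scanner removed a payload but not its hook.
Both cases are what the "fix checked" step in HJT cleans up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the HJT logs posted in this thread:
# one orphaned BHO, one orphaned service, two healthy entries, one O4 line
# that this triage deliberately ignores.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\\Documents and Settings\\All Users\\Application Data\\Norton\\Norton2009Reset.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\\Program Files\\NetLimiter 2 Pro\\nlsvc.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


@dataclass
class HjtEntry:
    kind: str             # "O2" or "O23"
    name: str             # display name as printed by HJT
    ident: Optional[str]  # CLSID for O2, service short name for O23 (may be absent)
    path: Optional[str]   # registered target; None when HJT prints "(no file)"
    orphaned: bool        # True for "(no file)" / "(file missing)"


# O2 - BHO: <name> - {CLSID} - <path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)
# O23 - Service: <display> [(short)] - <owner> - <path>[ (file missing)]
# The short name is optional: HJT omits it for some services.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<target>.*)$"
)

FILE_MISSING = "(file missing)"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for sections not triaged here."""
    line = line.rstrip("\r\n")
    m = O2_RE.match(line)
    if m:
        target = m.group("target").strip()
        orphaned = target == "(no file)"
        return HjtEntry("O2", m.group("name"), m.group("clsid"),
                        None if orphaned else target, orphaned)
    m = O23_RE.match(line)
    if m:
        target = m.group("target").strip()
        orphaned = target.endswith(FILE_MISSING)
        path = target[: -len(FILE_MISSING)].strip() if orphaned else target
        return HjtEntry("O23", m.group("name"), m.group("short"), path, orphaned)
    return None


def parse_log(text: str) -> List[HjtEntry]:
    """All O2/O23 entries in a log, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries whose registered file is gone: candidates for 'fix checked'."""
    return [e for e in parse_log(text) if e.orphaned]


def report(text: str) -> List[str]:
    """One human-readable line per orphaned entry."""
    return [
        f"{e.kind} {e.name} [{e.ident or '-'}] -> {e.path or '(no file)'}"
        for e in orphaned_entries(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real log the tool reports the same two kinds of leftovers the helper checks by eye; an O23 entry with a path but "(file missing)" is still listed, because the service registration itself is the leftover.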

choconick
2009-02-08, 05:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:00 PM, on 8/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Chris PC-Lock] "C:\Program Files\Chris PC-Lock\PCLock.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Westnet Usage Grabber.lnk = C:\Program Files\Westnet Usage Grabber\wug.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 4978 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 02:15:54
Records in database: 1766523
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 26818
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:24:51

No malware has been detected. The scan area is clean.

The selected area was scanned.

ComboFix 09-02-06.01 - Fei 2009-02-07 10:39:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.241 [GMT 9:00]
Running from: c:\documents and settings\Fei\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fei\Desktop\CFScript.txt
FW: COMODO Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS1.dat
c:\documents and settings\All Users\Application Data\Norton\00000082\000000fc\000002d3\cltLMS2.dat
c:\documents and settings\All Users\Application Data\Norton\00000082\000000fc\000002d8\cltLMS1.dat
c:\documents and settings\All Users\Application Data\Norton\00000082\000000fc\000002d8\cltLMS2.dat
c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe
c:\documents and settings\All Users\Application Data\Norton\symdata.xml

.
((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.

2009-02-06 10:26 . 2009-02-06 10:26 <DIR> d-------- C:\rsit
2009-02-06 10:21 . 2009-02-06 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-06 10:21 . 2009-02-06 10:21 <DIR> d-------- C:\00000082
2009-02-04 12:23 . 2009-02-04 12:23 <DIR> d-------- c:\program files\Chris PC-Lock
2009-02-04 12:23 . 2008-04-14 12:41 1,127 --a------ c:\windows\system32\javaut12qa.ax
2009-02-04 10:41 . 2009-02-04 10:44 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-04 10:41 . 2009-02-04 10:43 <DIR> d-------- c:\documents and settings\Fei\Application Data\SystemRequirementsLab
2009-02-04 10:40 . 2009-02-04 10:40 <DIR> d-------- c:\windows\Sun
2009-02-04 00:17 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-04 00:17 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-04 00:17 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-03 23:37 . 2009-02-06 18:58 <DIR> d-------- c:\documents and settings\Fei\Tracing
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\program files\QT Lite
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Microsoft
2009-02-03 23:35 . 2009-02-03 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 23:35 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-03 23:35 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-03 23:34 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-03 23:34 . 2009-02-03 23:35 <DIR> d-------- c:\program files\Windows Live
2009-02-03 23:32 . 2009-02-03 23:31 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-03 23:32 . 2009-02-03 23:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-03 23:31 . 2009-02-03 23:31 <DIR> d-------- c:\program files\Java
2009-02-03 23:16 . 2009-02-03 23:16 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-03 23:12 . 2009-02-05 16:02 <DIR> d-------- c:\program files\Westnet Usage Grabber
2009-02-03 23:12 . 2003-11-06 14:09 2,108,068 --a------ c:\windows\system32\cl32.dll
2009-02-03 23:12 . 2000-05-22 00:00 1,009,336 --a------ c:\windows\system32\MSCHRT20.OCX
2009-02-03 23:12 . 2003-04-27 19:04 98,304 --a------ c:\windows\system32\VBAlDTab6.OCX
2009-02-03 23:12 . 1999-12-14 12:57 41,008 --a------ c:\windows\system32\DCSysTray.ocx
2009-02-03 23:12 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2009-02-03 23:01 . 2009-02-03 23:01 <DIR> d-------- c:\documents and settings\Fei\Application Data\Locktime
2009-02-03 22:58 . 2009-02-03 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-02-03 22:57 . 2009-02-03 22:58 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- c:\program files\DAMN NFO Viewer
2009-02-03 16:30 . 2009-02-03 16:30 <DIR> d-------- c:\program files\Real Alternative
2009-02-03 16:30 . 2003-03-19 12:14 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-02-03 16:30 . 2004-01-12 07:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-02-02 18:32 . 2009-02-02 18:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 18:28 . 2009-02-02 18:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-02 18:28 . 2009-02-02 18:28 <DIR> d-------- c:\program files\MSBuild
2009-02-02 18:27 . 2009-02-02 18:27 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-02 18:24 . 2008-07-06 21:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-02 18:24 . 2008-07-06 21:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-02 18:24 . 2008-07-06 19:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-02 18:24 . 2008-07-06 21:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-02 18:24 . 2008-07-06 21:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-02 18:24 . 2008-07-06 21:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-02 18:24 . 2008-07-06 21:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-02 17:51 . 2009-02-02 17:51 <DIR> d-------- c:\documents and settings\Fei\Application Data\XemiComputers
2009-02-02 17:50 . 2009-02-02 17:50 <DIR> d-------- c:\program files\XemiComputers
2009-01-30 14:58 . 2009-01-30 14:58 <DIR> d-------- c:\documents and settings\Fei\Application Data\Canon
2009-01-30 14:53 . 2009-01-30 14:53 <DIR> d--h----- C:\CanoScan
2009-01-30 14:53 . 2005-06-23 22:17 352,256 --a------ c:\windows\system32\CNQL1213.DLL
2009-01-30 14:53 . 2005-02-28 13:20 57,344 --a------ c:\windows\system32\CNQU110.DLL
2009-01-29 22:13 . 2009-01-29 22:13 <DIR> dr------- c:\documents and settings\Fei\Application Data\Brother
2009-01-29 22:04 . 2009-01-29 22:04 376 --a------ c:\windows\ODBC.INI
2009-01-29 22:03 . 2009-01-29 22:03 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-29 22:03 . 2007-04-09 20:23 28,040 --a------ c:\windows\system32\mdimon.dll
2009-01-29 22:02 . 2009-01-29 22:03 <DIR> d-------- c:\windows\SHELLNEW
2009-01-29 22:01 . 2009-01-29 22:01 0 ---hs---- c:\windows\S4A2193C4.tmp
2009-01-29 22:00 . 2009-01-29 22:00 <DIR> d-------- c:\program files\Elaborate Bytes
2009-01-29 21:51 . 2009-01-29 21:51 <DIR> d-------- c:\program files\Brownie
2009-01-29 21:51 . 2004-08-10 00:42 77,824 --------- c:\windows\system32\brlmw03a.dll
2009-01-29 21:51 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-29 21:51 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-29 21:51 . 2009-01-29 21:51 9,853 --a------ c:\windows\HL-2140.INI
2009-01-29 21:51 . 2009-01-29 22:16 426 --a------ c:\windows\BRWMARK.INI
2009-01-29 21:51 . 2009-01-29 21:51 145 --a------ c:\windows\BRVIDEO.INI
2009-01-29 21:51 . 2004-08-10 01:00 114 --------- c:\windows\system32\brlmw03a.ini
2009-01-29 21:51 . 2009-01-29 21:51 34 --a------ c:\windows\system32\BD2140.DAT
2009-01-29 21:51 . 2009-01-29 21:51 0 --a------ c:\windows\brmx2001.ini
2009-01-29 21:50 . 2009-01-29 21:51 <DIR> d-------- c:\program files\Brother
2009-01-29 21:50 . 2007-04-24 01:30 192,512 --------- c:\windows\system32\Pdrvinst.dll
2009-01-29 21:50 . 2006-12-21 12:23 176,128 --a------ c:\windows\system32\BROSNMP.DLL
2009-01-29 21:50 . 2007-08-20 03:34 94,208 --a------ c:\windows\system32\BRRBTOOL.EXE
2009-01-29 21:50 . 2004-09-24 02:00 24,223 --a------ c:\windows\system32\BRLM03A.DLL
2009-01-29 21:50 . 2009-02-06 10:21 231 --a------ c:\windows\Brownie.ini
2009-01-29 18:41 . 2009-01-29 18:41 <DIR> d-------- c:\documents and settings\Fei\Application Data\Media Player Classic
2009-01-29 18:40 . 2009-01-29 18:40 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-01-29 18:40 . 2008-09-17 04:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-01-29 18:33 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-01-29 11:15 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-29 11:15 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-29 11:15 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-29 11:15 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-28 12:55 . 2009-02-03 23:33 <DIR> d-------- c:\program files\foobar2000
2009-01-28 12:55 . 2009-02-07 10:27 <DIR> d-------- c:\documents and settings\Fei\Application Data\foobar2000
2009-01-28 12:48 . 2009-01-28 12:48 <DIR> d-------- c:\program files\Google
2009-01-28 11:52 . 2009-01-28 11:52 <DIR> d-------- c:\program files\Foxit Software
2009-01-28 11:52 . 2009-01-28 11:52 <DIR> d-------- c:\documents and settings\Fei\Application Data\Foxit
2009-01-28 10:45 . 2008-10-17 05:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-28 10:45 . 2008-10-17 05:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-28 10:45 . 2008-10-17 05:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-28 10:44 . 2008-10-17 05:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-28 10:44 . 2007-04-17 18:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-28 10:44 . 2007-03-08 14:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-28 10:44 . 2008-10-17 05:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-28 10:44 . 2008-10-17 05:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-28 10:44 . 2008-10-16 22:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-28 00:04 . 2001-08-18 07:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-01-28 00:04 . 2001-08-18 07:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-01-28 00:04 . 2008-04-14 14:39 6,144 --a------ c:\windows\system32\kbd106.dll
2009-01-28 00:04 . 2001-08-17 23:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-01-28 00:04 . 2001-08-17 23:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-01-28 00:04 . 2001-08-17 23:55 5,632 --a------ c:\windows\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 01:16 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-30 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 07:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 07:20 --------- d-----w c:\program files\microsoft frontpage
2009-01-27 06:55 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-27 06:55 --------- d-----w c:\program files\Analog Devices
2009-01-27 06:54 --------- d-----w c:\program files\ATI Technologies
2009-01-27 06:40 --------- d-----w c:\program files\VIA
2009-01-27 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-01-27 06:31 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-01-27 06:31 147,192 ----a-w c:\windows\system32\guard32.dll
2009-01-27 06:31 101,776 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-01-27 06:31 --------- d-----w c:\program files\COMODO
2009-01-27 06:26 --------- d-----w c:\program files\NortonInstaller
2008-12-31 08:04 691,560 ----a-w c:\windows\system32\OGACheckControl.dll
2008-12-31 08:04 528,744 ----a-w c:\windows\system32\OGAVerify.exe
2008-12-31 08:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll
2008-12-16 07:47 13,976 ----a-w c:\windows\system32\drivers\videX32.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-02 13:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2009-01-19 4482048]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-27 1797880]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 479232]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]
"Chris PC-Lock"="c:\program files\Chris PC-Lock\PCLock.exe" [2008-05-19 449050]

c:\documents and settings\Fei\Start Menu\Programs\Startup\
Westnet Usage Grabber.lnk - c:\program files\Westnet Usage Grabber\wug.exe [2009-02-03 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-27 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-27 31504]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 VRAID Log Service;VRAID Log Service;c:\program files\VIA\RAID\vialogsv.exe [2009-01-27 52888]
S2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe --> c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Fei\Application Data\Mozilla\Firefox\Profiles\8o27e7p7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-07 10:41:05
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
.
Completion time: 2009-02-07 10:42:07
ComboFix-quarantined-files.txt 2009-02-07 01:42:05
ComboFix2.txt 2009-02-05 10:11:36

Pre-Run: 19,630,489,600 bytes free
Post-Run: 19,624,001,536 bytes free

221 --- E O F --- 2009-02-06 01:19:16

Blade81
2009-02-08, 18:10
Hi,

Start hjt, do a system scan, check:
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe (file missing)

Close browsers and fix checked.


Creating & executing batch file
-------------------------------

Open Notepad and then copy and paste the lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop. (If you are still unsure how to do this, there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File).)
@echo off
sc stop ".norton2009Reset"
sc delete ".norton2009Reset"

Double-click on fixes.bat file to execute it.

Reboot and post a fresh hjt log. How's the system running?
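As an added example (not part of the original thread), the check Blade81 applied by eye above, done over the log text: pick out the O23 service entries, flag the one whose binary is reported "(file missing)", and produce the same sc stop / sc delete pair the batch file uses. The sample lines are the O20 and O23 lines from this thread's second HijackThis log; the O23 field layout (display name, optional parenthesised short name, owner, path, optional "(file missing)") is inferred from those lines, and the fallback to the display name when no short name is shown is an assumption about how HijackThis prints them.

```python
"""Audit HijackThis O23 (service) and O20 (AppInit_DLLs) lines.

Flags services whose binary is "(file missing)" and emits the sc.exe
commands that remove the orphaned service entry.
"""
import re
from dataclasses import dataclass, field

# Constructed from the O20/O23 lines of the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe
"""

# display name, optional "(short name)", owner, path, optional "(file missing)"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>.+?)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


@dataclass
class Service:
    display: str
    name: str          # short name as used by sc.exe
    owner: str
    path: str
    file_missing: bool
    notes: list = field(default_factory=list)


def parse_o23(line: str):
    """Return a Service for an O23 line, or None if the line is not one."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = Service(
        display=m["display"],
        # Assumption: HijackThis omits the parenthesised short name when it
        # equals the display name, so the display name is what sc.exe needs.
        name=m["name"] or m["display"],
        owner=m["owner"],
        path=m["path"],
        file_missing=m["missing"] is not None,
    )
    if svc.file_missing:
        svc.notes.append("orphaned service: binary missing, remove the service entry")
    if svc.owner == "Unknown owner":
        svc.notes.append("no publisher recorded: tie the binary to installed software")
    return svc


def removal_commands(svc: Service) -> list:
    """The sc.exe pair from the fix above, quoted for names with odd characters."""
    return [f'sc stop "{svc.name}"', f'sc delete "{svc.name}"']


def audit(log_text: str) -> dict:
    """Split a HijackThis log into services, orphans and AppInit_DLLs entries."""
    services, orphans, appinit = [], [], []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc:
            services.append(svc)
            if svc.file_missing:
                orphans.append(svc)
            continue
        m = O20_RE.match(line.strip())
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so each entry is worth tying back to a known product. Windows
            # separates entries with commas or spaces; comma split is used here.
            appinit.extend(d.strip() for d in m["dlls"].split(",") if d.strip())
    return {"services": services, "orphans": orphans, "appinit_dlls": appinit}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for svc in result["orphans"]:
        print(svc.display, "->", " && ".join(removal_commands(svc)))
    for dll in result["appinit_dlls"]:
        print("AppInit_DLLs entry to review:", dll)
```

Run against this thread's log it reports one orphan, .norton2009Reset, and one AppInit_DLLs entry, guard32.dll; the ComboFix Find3M report above shows guard32.dll appearing with the same timestamp as the COMODO drivers, which is the kind of cross-check the entry calls for before deciding anything about it.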

choconick
2009-02-08, 18:24
system is running fine.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:48 AM, on 9/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Chris PC-Lock\PCLock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Westnet Usage Grabber\wug.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Chris PC-Lock] "C:\Program Files\Chris PC-Lock\PCLock.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Westnet Usage Grabber.lnk = C:\Program Files\Westnet Usage Grabber\wug.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 4929 bytes

Blade81
2009-02-08, 19:09
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files. You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.




Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the run box and click OK.




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free).


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter.
Locate DNS Client, highlight it, then double-click it.
In the dropdown box, change the setting from Automatic to Manual.
Click OK.

Get antivirus software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the Internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
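The Internet Explorer zone settings in the post above are stored as DWORD values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (3 is the Internet zone), one value per URL action, with 0 = Enable, 1 = Prompt and 3 = Disable. As an added example that is not part of the thread, the following audits those six settings against the recommended values and writes a .reg fragment that fixes only the weak ones. The value names (1001, 1004, 1201, 1607, 1800, 1804) are the action IDs Microsoft documents for these settings; the regedit export it parses is constructed, and read_live_zone() is the Windows-only path to the same data on a real machine.

```python
"""Audit the Internet-zone settings from the hardening steps above.

A regedit export is parsed so the check runs offline; read_live_zone()
pulls the same DWORDs from the registry on a Windows machine.
"""
import re

ZONES_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE_KEY = rf"HKEY_CURRENT_USER\{ZONES_SUBKEY}\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Value name -> (setting as worded in the post above, recommended value).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed regedit export (not from the thread): several actions still Enable.
SAMPLE_REG_EXPORT = rf"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\{ZONES_SUBKEY}\1]
"1004"=dword:00000000

[{INTERNET_ZONE_KEY}]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"""


def parse_reg_zone(reg_text: str, key: str = INTERNET_ZONE_KEY) -> dict:
    """Collect the DWORD values of one key from a regedit (.reg) export."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = DWORD_RE.match(line) if in_key else None
        if m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit_internet_zone(values: dict) -> list:
    """Return (name, description, current, recommended) for each weak setting.

    A setting stricter than recommended (Disable where Prompt suffices) passes;
    a value that is absent is reported so it can be checked on the live zone.
    """
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None:
            findings.append((name, desc, "not set", LABEL[want]))
        elif STRICTNESS.get(have, -1) < STRICTNESS[want]:
            findings.append((name, desc, LABEL.get(have, str(have)), LABEL[want]))
    return findings


def render_fix(findings: list, key: str = INTERNET_ZONE_KEY) -> str:
    """Emit a .reg file that sets only the weak settings to the recommended value."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [f'"{name}"=dword:{RECOMMENDED[name][1]:08x}' for name, *_ in findings]
    return "\n".join(lines) + "\n"


def read_live_zone(zone: int = 3) -> dict:
    """Read the same DWORDs from the running system (Windows only)."""
    import winreg  # standard library, available only on Windows
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, rf"{ZONES_SUBKEY}\{zone}") as k:
        while True:
            try:
                name, data, kind = winreg.EnumValue(k, i)
            except OSError:
                break  # no more values
            if kind == winreg.REG_DWORD:
                values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    weak = audit_internet_zone(parse_reg_zone(SAMPLE_REG_EXPORT))
    for name, desc, have, want in weak:
        print(f"{name} {desc}: {have} -> should be {want}")
    print(render_fix(weak))
```

A .reg file exported by regedit is UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing it to parse_reg_zone(). Applying the rendered fix with regedit changes the per-user Internet zone only, which is the same scope as the Tools > Options steps in the post.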

choconick
2009-02-09, 04:57
Thanks man, system running smooth. However, I found an executable file on my iPod which looks suspicious. It's called

E:\8uot.exe

what should I do?

Blade81
2009-02-09, 09:42
Hi,

That file is part of a flash infection and must be removed. Please delete it and then download Flash Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) by sUBs to your desktop. Run it and follow the instructions given. Plug in your USB drive(s) when asked to do so in order to get them cleaned.
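As an added example (not part of the thread), a scan of a drive root for the pattern behind E:\8uot.exe: removable-drive worms drop a randomly named executable in the root together with an autorun.inf whose open=, shellexecute= or shell\<verb>\command= entries start it. The autorun.inf content below is constructed to look like what such worms write (junk padding, mixed case, several launch keys), not copied from any sample; the parser is hand-rolled because that padding trips configparser. The immunise() helper reserves the autorun.inf name with a folder so the worm cannot recreate the file; my understanding is that this is the same idea Flash Disinfector applies, but treat that attribution as an assumption.

```python
"""Find what an autorun.inf on a removable drive launches, and block it."""
import os
import re
import tempfile
from pathlib import Path

# Constructed worm-style autorun.inf: junk line, odd casing, duplicate launch keys.
SAMPLE_AUTORUN = r"""
xkqz padding line with no equals sign
[AutoRun]
;comment
open=8uot.exe
shell\open\Command=8uot.exe
shell\explore\command="8uot.exe" -x
shellexecute=8uot.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
"""

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def _command_target(value: str) -> str:
    """First token of a command line: the quoted path, or the text up to a space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(inf_text: str) -> list:
    """Executables an autorun.inf would run, in order, without duplicates."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding, or a key in another section
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            target = _command_target(value)
            if target and target.lower() not in [t.lower() for t in targets]:
                targets.append(target)
    return targets


def scan_drive_root(root) -> dict:
    """Report the autorun.inf state of a drive root and what it points at."""
    root = Path(root)
    inf = root / "autorun.inf"
    report = {"immunised": inf.is_dir(), "targets": [], "present": [], "missing": []}
    if inf.is_file():
        report["targets"] = launch_targets(inf.read_text(encoding="latin-1"))
        for target in report["targets"]:
            p = root / target.replace("\\", os.sep).lstrip(os.sep)
            report["present" if p.is_file() else "missing"].append(str(p))
    return report


def immunise(root) -> bool:
    """Occupy the autorun.inf name with a directory so the worm cannot recreate the file.

    Returns True when the root ends up immunised. An existing autorun.inf file
    is left alone so it can be inspected and deleted first. On Windows, also
    run attrib +r +h +s on the folder to make it harder to remove.
    """
    inf = Path(root) / "autorun.inf"
    if inf.is_file():
        return False
    inf.mkdir(exist_ok=True)
    return inf.is_dir()


def demo() -> dict:
    """Build an infected-looking drive root in a temp dir, scan, clean, immunise."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (root / "8uot.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder, not a real PE
        before = scan_drive_root(root)
        for name in ("autorun.inf", "8uot.exe"):
            (root / name).unlink()
        immunised = immunise(root)
        after = scan_drive_root(root)
    return {"before": before, "immunised": immunised, "after": after}


if __name__ == "__main__":
    print(demo())
```

On the iPod in this thread, scan_drive_root("E:\\") would list 8uot.exe under "present" if an autorun.inf referenced it; a target listed under "missing" means the autorun.inf outlived the file it launched and is still worth deleting. Immunising only blocks the autorun.inf vector; it does not disable AutoRun on the host, which is a separate setting.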

choconick
2009-02-09, 09:47
well, I think this is it.
Thanks a lot for the help:bigthumb:

Blade81
2009-02-10, 10:31
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.