Registry Lockout [Solved]



#1 bugatronic25
Member, 27 posts

Hi All,

I have been trying to remove viruses, spyware etc. from my PC without luck. I ran ATF Cleaner, ERUNT, Malwarebytes (found and removed 38 things), all Windows updates (excluding XP SP3 due to size), rootkit and OTListIt2, and am still having issues. SysRestorePoint would not run without the v2 .NET Framework; I have tried Windows System Restore using two different restore points, but this failed both times, so perhaps this would not help anyway.

Norton 360 anti-virus and anti-spyware scans are currently clean (even before the Malwarebytes scan). Viruses were previously found and removed (symptoms started when no anti-virus was installed).

Symptoms include:

- Running regedit.exe or regedt32.exe does not open regedit; instead the desktop and taskbar are removed for a second or two before being reinstated. Opening any .reg file or an alternate registry editor does the same thing. Tried setting the registry editor block in gpedit.msc to disabled, but this did not help.

- Running reg.exe flashes the command prompt up, then closes it.

- System Protector rogue registry cleaner was running. Managed to remove it, but it still showed in Control Panel and, when right-clicking a file, offered to scan it. Now removed, guessing thanks to Malwarebytes.

- System slow to load internet pages; ccSvcHst.exe, svchost.exe and dump something.exe are often at the top in Task Manager.

- Selecting Google search results often does a jump and redirect.

- Generic Win32 host service, Internet Explorer and Symantec Service Framework crashing on a semi-regular basis. Mobile broadband internet sometimes being disconnected.

- cmd.exe does the same thing as running regedit.exe and regedt32.exe, but command.com works.

- Task Manager through Ctrl+Alt+Del and right-clicking on the taskbar was disabled; fixed by editing the restriction in gpedit.msc.

- Changing the screen resolution isn't actually doing anything: I can select the 1024x768 option and apply, but the screen does not actually resize from 800x600.

- Getting a black screen when performing a Windows restart; using the Windows Turn Off function and then powering on works fine.

- Windows System Restore is not working.

I am running Windows XP Professional SP2, Internet Explorer 7.

Here are the rootkit and OTListIt2 logs. Appreciate your help; I have been Googling and troubleshooting for 4 days with limited success.




rootkit
--------

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:76308 Mo/Free:3911 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:22 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)

Wed 04/01/2009|19:41

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
---------- C:\Program Files\Spyware Doctor\pctsAuxs.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
---------- C:\Program Files\Spyware Doctor\pctsSvc.exe
---------- C:\Program Files\Spyware Doctor\pctsTray.exe
---------- c:\program files\idt\intelxpv_v83\wdm\STacSV.exe
---------- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Wed 04/01/2009|19:42




OTListIt
---------

OTListIt logfile created on: 4/1/2009 7:46:14 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.8.0 Folder = C:\Documents and Settings\Michael\Desktop\Virus
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.58 Mb Total Physical Memory | 569.11 Mb Available Physical Memory | 55.71% Memory free
2.39 Gb Paging File | 1.82 Gb Available in Paging File | 76.18% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 63.82 Gb Free Space | 85.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 23.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNUGGLEGLOOM
Current User Name: Michael
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
PRC - C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe ()
PRC - C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
PRC - C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
PRC - c:\program files\idt\intelxpv_v83\wdm\STacSV.exe (IDT, Inc.)
PRC - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Michael\Desktop\Virus\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (N360 [Auto | Running]) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe (Symantec Corporation)
SRV - (sdAuxService [Auto | Running]) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (sdCoreService [Auto | Running]) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (STacSV [Auto | Running]) -- c:\program files\idt\intelxpv_v83\wdm\STacSV.exe (IDT, Inc.)

========== Driver Services (SafeList) ==========

DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (BHDrvx86 [System | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\BHDrvx86.sys (Symantec Corporation)
DRV - (ccHP [System | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\ccHPx86.sys (Symantec Corporation)
DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (e1express [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\e1e5132.sys (Intel Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (hwdatacard [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (IDSxpx86 [System | Running]) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090331.003\IDSxpx86.sys (Symantec Corporation)
DRV - (NAVENG [On_Demand | Running]) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090331.052\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090331.052\NAVEX15.SYS (Symantec Corporation)
DRV - (PCTCore [Boot | Running]) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SE2Ebus [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys (MCCI)
DRV - (SE2Emdfl [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys (MCCI)
DRV - (SE2Emdm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys (MCCI)
DRV - (SE2Emgmt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys (MCCI)
DRV - (se2End5 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\se2End5.sys (MCCI)
DRV - (SE2Eobex [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys (MCCI)
DRV - (se2Eunic [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\se2Eunic.sys (MCCI)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys ()
DRV - (SRTSP [System | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX [System | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SRTSPX.SYS (Symantec Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (SymEFA [Boot | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SYMEFA.SYS (Symantec Corporation)
DRV - (SymEvent [On_Demand | Running]) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMFW [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SYMFW.SYS (Symantec Corporation)
DRV - (SYMIDS [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SYMIDS.SYS (Symantec Corporation)
DRV - (SymIM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys (Symantec Corporation)
DRV - (SymIMMP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys (Symantec Corporation)
DRV - (SYMNDIS [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SYMNDIS.SYS (Symantec Corporation)
DRV - (SYMTDI [System | Running]) -- C:\WINDOWS\system32\drivers\N360\0300000.087\SYMTDI.SYS (Symantec Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://au.games.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/08 18:35:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{1A16DA43-1CC3-42AA-9CC0-26FAE2E0E090}: C:\DOCUMENTS AND SETTINGS\MICHAEL\LOCAL SETTINGS\APPLICATION DATA\{1A16DA43-1CC3-42AA-9CC0-26FAE2E0E090}\ [2009/03/31 09:08:35 | 00,000,000 | ---D | M]

[2009/03/28 18:42:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\mozilla\Extensions
[2009/03/28 18:42:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/29 03:54:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\mozilla\Firefox\Profiles\h20omo8p.default\extensions
[2009/03/28 20:15:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\mozilla\Firefox\Profiles\h20omo8p.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKCU..\Run: [Mobile Partner] "C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe" ()
O4 - Startup: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSecCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDevMgrPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoConfigPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVirtMemPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoFileSysPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetup = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetupIDPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetupSecurityPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoWorkgroupContents = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoEntireNetwork = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoFileSharingControl = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} http://games.bigfish...eb.1.0.0.21.cab (CPlayFirstFashionDasControl Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://games.bigfish...Web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} http://games.bigfish...eb.1.0.0.11.cab (CPlayFirstFitnessDasControl Object)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Reg Error: Key error.)
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.co...IEGetPlugin.ocx (get_atlcom Class)
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} http://games.bigfish...Web.1.0.0.9.cab (CPlayFirstNightshiftControl Object)
O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} http://games.bigfish...eb.1.0.0.11.cab (CPlayFirstWeddingDasControl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} http://games.bigfish...tg.1.0.0.33.cab (CPlayFirstddfotgControl Object)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} http://games.bigfish...eb.1.0.0.10.cab (CPlayFirstChocolatieControl Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://games.bigfish...inematycoon.cab (TikGames Online Control)
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} http://gamecenter.ob...sh.1.0.0.47.cab (CPlayFirstWeddingDashControl Object)
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} http://games.bigfish...sh.1.0.0.10.cab (CPlayFirstParkingDasControl Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - E:\AutoRun.exe (Huawei Technologies Co., Ltd.) - [ CDFS ]
O32 - Autorun File - E:\AUTORUN.INF () - [ CDFS ]
O33 - MountPoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}\Shell - "" = AutoRun
O33 - MountPoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008/09/03 11:07:56 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRun.exe -- [2008/09/03 11:07:56 | 00,114,688 | R--- | M] (Huawei Technologies Co., Ltd.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/01 19:41:35 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/01 19:39:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/04/01 18:54:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Malwarebytes
[2009/04/01 18:53:56 | 00,000,696 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/01 18:53:55 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/01 18:53:52 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/01 18:53:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/01 18:53:50 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/01 18:51:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/01 18:49:22 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/01 18:49:09 | 00,000,611 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\NTREGOPT.lnk
[2009/04/01 18:49:09 | 00,000,592 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\ERUNT.lnk
[2009/04/01 18:49:07 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/01 18:26:22 | 00,000,000 | ---D | C] -- C:\hijackthis
[2009/04/01 18:14:54 | 00,000,452 | ---- | C] () -- C:\WINDOWS\tasks\XoftSpySE 2.job
[2009/04/01 18:14:53 | 00,000,366 | ---- | C] () -- C:\WINDOWS\tasks\XoftSpySE.job
[2009/04/01 18:14:51 | 00,000,682 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\XoftSpySE.lnk
[2009/04/01 18:14:51 | 00,000,000 | ---D | C] -- C:\Program Files\XoftSpySE
[2009/04/01 16:50:40 | 25,932,272 | ---- | C] () -- C:\WINDOWS\Copy of Software.reg
[2009/04/01 16:09:43 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/04/01 05:37:58 | 25,932,272 | ---- | C] () -- C:\WINDOWS\Software.reg
[2009/04/01 05:31:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\Special Agent P. C. Secure
[2009/04/01 05:31:20 | 00,000,000 | ---D | C] -- C:\Program Files\Easy Desk Utilities
[2009/04/01 05:10:00 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Michael\Desktop\Virus
[2009/04/01 04:51:55 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/04/01 04:51:45 | 00,130,424 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/04/01 04:51:45 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/04/01 04:51:32 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/04/01 04:51:32 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/04/01 04:51:21 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/04/01 04:51:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\PC Tools
[2009/04/01 04:51:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/04/01 04:51:19 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009/04/01 04:51:18 | 01,081,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCTL.OCX
[2009/04/01 04:51:14 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/04/01 03:16:01 | 00,000,000 | ---D | C] -- C:\EmergencyUtils
[2009/04/01 03:10:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/04/01 02:23:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Uniblue
[2009/04/01 02:23:11 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/04/01 02:03:00 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
[2009/04/01 02:01:34 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
[2009/04/01 01:43:20 | 00,000,000 | R--D | C] -- C:\Program Files\Norton Support
[2009/04/01 01:04:41 | 00,016,244 | ---- | C] () -- C:\WINDOWS\System32\rrt_is.wav
[2009/04/01 01:04:41 | 00,007,302 | ---- | C] () -- C:\WINDOWS\System32\rrt_vf.wav
[2009/04/01 01:04:41 | 00,007,148 | ---- | C] () -- C:\WINDOWS\System32\rrt_tv.wav
[2009/04/01 01:04:41 | 00,006,282 | ---- | C] () -- C:\WINDOWS\System32\rrt_tn.wav
[2009/04/01 01:03:43 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/03/31 21:10:56 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/03/31 14:28:13 | 00,001,572 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Play My Games.lnk
[2009/03/31 14:28:13 | 00,001,550 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\More Great Games.lnk
[2009/03/31 14:28:12 | 00,000,000 | ---D | C] -- C:\Program Files\bfgclient
[2009/03/31 14:27:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
[2009/03/31 12:26:29 | 00,000,648 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\wlkbuddy.lnk
[2009/03/31 12:26:04 | 00,000,000 | ---D | C] -- C:\Program Files\wlkbuddy
[2009/03/31 12:25:41 | 00,763,863 | ---- | C] () -- C:\DOCUME~1\Michael\My Documents\install.exe
[2009/03/31 11:43:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Symantec
[2009/03/31 11:18:43 | 74,949,864 | ---- | C] (Symantec Corporation) -- C:\DOCUME~1\Michael\My Documents\N360S300EN.exe
[2009/03/31 09:56:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/03/31 09:56:29 | 01,108,782 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/03/31 09:56:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Downloaded Installations
[2009/03/31 09:56:15 | 00,036,400 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/03/31 09:56:11 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/03/31 09:56:11 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/03/31 09:56:11 | 00,007,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/03/31 09:56:11 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/03/31 09:56:11 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/03/31 09:56:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2009/03/31 09:56:04 | 00,001,909 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Norton 360.LNK
[2009/03/31 09:56:03 | 00,310,320 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/03/31 09:56:03 | 00,307,760 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/03/31 09:56:03 | 00,217,392 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/03/31 09:56:03 | 00,089,776 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/03/31 09:56:03 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/03/31 09:56:03 | 00,039,984 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/03/31 09:56:03 | 00,037,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/03/31 09:56:03 | 00,034,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/03/31 09:56:02 | 00,482,352 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\cchpx86.sys
[2009/03/31 09:56:02 | 00,258,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/03/31 09:55:46 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/03/31 09:55:46 | 00,001,753 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.inf
[2009/03/31 09:55:46 | 00,001,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/03/31 09:55:46 | 00,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/03/31 09:55:46 | 00,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/03/31 09:55:46 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/03/31 09:55:46 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/03/31 09:55:36 | 00,009,423 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/03/31 09:55:36 | 00,007,410 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/03/31 09:55:36 | 00,007,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/03/31 09:55:36 | 00,007,364 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/03/31 09:55:36 | 00,007,355 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/03/31 09:55:36 | 00,007,347 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.cat
[2009/03/31 09:55:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0300000.087
[2009/03/31 09:55:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2009/03/31 09:55:34 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2009/03/31 09:55:34 | 00,000,000 | ---D | C] -- C:\Program Files\Norton 360
[2009/03/31 09:55:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/03/31 09:55:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/03/31 09:55:23 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2009/03/31 09:55:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/03/31 09:23:07 | 00,000,418 | ---- | C] () -- C:\WINDOWS\tasks\RegTool Scan.job
[2009/03/31 09:23:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\RegTool
[2009/03/31 09:08:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\{1A16DA43-1CC3-42AA-9CC0-26FAE2E0E090}
[2009/03/31 09:08:31 | 00,155,648 | ---- | C] (Mozilla Foundation) -- C:\WINDOWS\atefidel.dll
[2009/03/31 08:56:19 | 00,042,496 | ---- | C] (Johnson-Grace Company) -- C:\WINDOWS\Ctozovilo.dll
[2009/03/30 11:07:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GamesBar
[2009/03/30 11:07:14 | 00,000,000 | ---D | C] -- C:\Program Files\GamesBar
[2009/03/29 05:15:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2009/03/29 05:15:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/03/29 05:14:42 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2009/03/29 05:14:27 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2009/03/29 05:13:57 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2009/03/29 05:13:08 | 00,121,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmllite.dll
[2009/03/29 03:58:20 | 00,000,000 | ---D | C] -- C:\plan change receipt
[2009/03/29 03:58:07 | 00,000,000 | ---D | C] -- C:\katamari
[2009/03/29 03:57:51 | 00,000,000 | ---D | C] -- C:\video card driver
[2009/03/29 03:55:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/03/29 03:36:57 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\RegFixPro Scan.job
[2009/03/29 03:36:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\RegFixPro
[2009/03/29 03:23:46 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/29 03:23:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\movies
[2009/03/29 03:08:02 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2009/03/28 18:42:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/28 18:42:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Mozilla
[2009/03/28 18:42:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Mozilla
[2009/03/28 17:24:07 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/03/26 12:32:57 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Michael\My Documents\My Games
[2009/03/26 12:32:45 | 00,001,782 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Age of Mythology - The Titans Expansion.lnk
[2009/03/25 13:54:57 | 00,520,192 | ---- | C] (ScreenTime Media) -- C:\WINDOWS\System32\Beautiful Katamari.scr
[2009/03/25 13:54:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Beautiful Katamari dir
[2009/03/23 10:11:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/03/23 10:05:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Google
[2009/03/23 10:04:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Google
[2009/03/23 10:02:50 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/03/23 02:17:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/03/21 14:39:25 | 00,001,773 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Age of Mythology.lnk
[2009/03/21 12:41:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/03/21 12:40:29 | 00,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/03/21 12:39:57 | 00,000,000 | ---D | C] -- C:\ATI
[2009/03/17 08:54:39 | 00,002,137 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/03/17 08:54:22 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/03/17 08:54:19 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/03/17 08:54:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/03/17 08:54:06 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/03/17 08:53:50 | 00,001,604 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\QuickTime Player.lnk
[2009/03/17 08:53:14 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/03/17 08:53:14 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/03/17 08:52:53 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/17 08:52:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Apple
[2009/03/17 08:52:51 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/03/17 08:52:29 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/03/17 08:52:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/03/17 08:51:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Apple Computer
[2009/03/16 15:02:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Adobe
[2009/03/10 20:48:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\PlayFirst
[2009/03/10 20:48:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2009/03/10 20:48:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/10 20:48:07 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Oberon Media
[2009/03/10 20:48:06 | 00,000,000 | ---D | C] -- C:\Program Files\Oberon Media
[2009/03/09 03:24:41 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2009/03/08 18:37:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/03/08 18:35:01 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/03/08 18:33:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Sun
[2009/03/08 17:15:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2009/03/08 17:15:47 | 00,000,906 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Mystery P.I. - The Lottery Ticket.lnk
[2009/03/08 17:15:46 | 00,000,000 | ---D | C] -- C:\Program Files\PopCap Games
[2009/03/08 15:57:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Macromedia
[2009/03/08 15:29:15 | 00,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bthport.sys
[2009/03/08 15:29:15 | 00,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2009/03/08 15:21:08 | 00,000,790 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\3 MobileBroadband.lnk
[2009/03/08 15:20:55 | 00,872,192 | ---- | C] (DiBcom SA) -- C:\WINDOWS\System32\drivers\mod7700.sys
[2009/03/08 15:20:55 | 00,103,168 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbfake.sys
[2009/03/08 15:20:55 | 00,101,376 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbmdm.sys
[2009/03/08 15:20:55 | 00,100,992 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbnet.sys
[2009/03/08 15:20:55 | 00,024,448 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewdcsc.sys
[2009/03/08 15:20:25 | 00,000,000 | ---D | C] -- C:\Program Files\3 MobileBroadband
[2009/03/07 20:23:56 | 00,001,857 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\MSN Installer.lnk
[2009/03/07 19:00:12 | 00,018,704 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\se2End5.sys
[2009/03/07 19:00:08 | 00,090,800 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\se2Eunic.sys
[2009/03/07 19:00:08 | 00,004,128 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\se2Ecr.sys
[2009/03/07 17:49:37 | 21,244,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/07 17:38:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Apple Computer
[2009/03/07 17:37:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\AdobeUM
[2009/03/07 17:35:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Sony Ericsson
[2009/03/07 17:35:05 | 00,088,688 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Emgmt.sys
[2009/03/07 17:35:01 | 00,086,560 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Eobex.sys
[2009/03/07 17:34:52 | 00,097,184 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Emdm.sys
[2009/03/07 17:34:52 | 00,009,360 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Emdfl.sys
[2009/03/07 17:34:52 | 00,006,240 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Ecmnt.sys
[2009/03/07 17:34:52 | 00,006,240 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Ecm.sys
[2009/03/07 17:34:48 | 00,061,600 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Ebus.sys
[2009/03/07 17:34:48 | 00,005,872 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Ewhnt.sys
[2009/03/07 17:34:48 | 00,005,872 | R--- | C] (MCCI) -- C:\WINDOWS\System32\drivers\SE2Ewh.sys
[2009/03/07 17:32:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Adobe
[2009/03/07 17:32:47 | 00,002,007 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Adobe Photoshop Album Starter Edition 3.0.lnk
[2009/03/07 17:32:16 | 00,001,740 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Adobe Reader 7.0.lnk
[2009/03/07 17:32:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/03/07 17:29:45 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/03/07 17:29:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/03/07 17:27:56 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/07 17:27:30 | 00,000,000 | ---D | C] -- C:\Program Files\Disc2Phone
[2009/03/07 17:24:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\ApplicationHistory
[2009/03/07 17:20:12 | 00,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2009/03/07 17:20:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2009/03/07 17:20:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTemp
[2009/03/07 17:18:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Teleca
[2009/03/07 17:17:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Sony Ericsson
[2009/03/07 17:15:39 | 00,002,673 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Sony Ericsson PC Suite.lnk
[2009/03/07 17:15:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/03/07 17:15:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
[2009/03/07 17:15:24 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Sony Ericsson Shared
[2009/03/07 17:15:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Teleca Shared
[2009/03/07 17:15:20 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Ericsson
[2009/03/07 17:15:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2009/03/07 17:15:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2009/03/07 17:10:48 | 00,001,589 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\The Puzzle Collection.lnk
[2009/03/07 17:10:16 | 00,000,882 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Acrobat Reader 5.1.lnk
[2009/03/07 17:10:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\Profiles
[2009/03/07 17:10:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/03/07 17:10:13 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/03/07 17:10:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\InterTrust
[2009/03/07 17:10:13 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Michael\My Documents\My eBooks
[2009/03/07 17:09:29 | 00,000,000 | ---D | C] -- C:\Program Files\The Puzzle Collection
[2009/03/07 17:05:40 | 00,000,856 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\MahJongg.LNK
[2009/03/07 17:03:58 | 00,000,000 | ---D | C] -- C:\Program Files\Classic Games
[2009/03/07 17:03:33 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2009/03/07 17:01:50 | 00,001,801 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\Age of Empires.lnk
[2009/03/07 16:57:45 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2009/03/07 16:48:18 | 00,001,909 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\RollerCoaster Tycoon 2 Triple Thrill Pack.lnk
[2009/03/07 16:48:13 | 00,225,280 | ---- | C] (Leader Technologies) -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
[2009/03/07 16:48:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Leadertech
[2009/03/07 16:45:24 | 00,000,000 | ---D | C] -- C:\Program Files\Atari
[2009/03/07 13:20:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2009/03/07 13:20:39 | 05,365,922 | -H-- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\IconCache.db
[2009/03/07 13:20:26 | 00,012,598 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2009/03/07 13:19:12 | 02,180,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009/03/07 13:19:12 | 02,136,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/03/07 13:19:12 | 02,015,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/03/07 13:19:11 | 02,057,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2009/03/07 13:18:58 | 00,453,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/03/07 13:18:06 | 00,000,786 | ---- | C] () -- C:\DOCUME~1\Michael\Desktop\Windows Media Player.lnk
[2009/03/07 13:18:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Identities
[2009/03/07 13:18:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2009/03/07 13:18:01 | 00,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/03/07 13:17:58 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2009/03/07 13:17:56 | 00,000,078 | -HS- | C] () -- C:\DOCUME~1\Michael\My Documents\desktop.ini
[2009/03/07 13:17:56 | 00,000,000 | R--D | C] -- C:\DOCUME~1\Michael\My Documents\My Pictures
[2009/03/07 13:17:56 | 00,000,000 | R--D | C] -- C:\DOCUME~1\Michael\My Documents\My Music
[2009/03/07 13:17:51 | 00,000,084 | -HS- | C] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup\desktop.ini
[2009/03/07 13:17:51 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Michael\Application Data\desktop.ini
[2009/03/07 13:17:50 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Michael\Application Data\Microsoft
[2009/03/07 13:17:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/01 19:36:52 | 00,000,452 | ---- | M] () -- C:\WINDOWS\tasks\XoftSpySE 2.job
[2009/04/01 19:36:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/01 19:36:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/01 19:35:17 | 05,365,922 | -H-- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\IconCache.db
[2009/04/01 19:21:16 | 00,000,696 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/01 18:49:22 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/01 18:49:09 | 00,000,611 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\NTREGOPT.lnk
[2009/04/01 18:49:09 | 00,000,592 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\ERUNT.lnk
[2009/04/01 18:14:54 | 00,000,366 | ---- | M] () -- C:\WINDOWS\tasks\XoftSpySE.job
[2009/04/01 18:14:51 | 00,000,682 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\XoftSpySE.lnk
[2009/04/01 16:22:28 | 00,000,010 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2009/04/01 12:00:00 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\RegFixPro Scan.job
[2009/04/01 12:00:00 | 00,000,418 | ---- | M] () -- C:\WINDOWS\tasks\RegTool Scan.job
[2009/04/01 06:02:02 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/01 06:02:02 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/01 06:02:02 | 00,000,211 | -H-- | M] () -- C:\boot.ini
[2009/04/01 05:38:05 | 25,932,272 | ---- | M] () -- C:\WINDOWS\Software.reg
[2009/04/01 05:38:05 | 25,932,272 | ---- | M] () -- C:\WINDOWS\Copy of Software.reg
[2009/04/01 04:49:06 | 00,002,137 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/04/01 02:03:33 | 01,108,782 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/04/01 01:04:41 | 00,016,244 | ---- | M] () -- C:\WINDOWS\System32\rrt_is.wav
[2009/04/01 01:04:41 | 00,007,302 | ---- | M] () -- C:\WINDOWS\System32\rrt_vf.wav
[2009/04/01 01:04:41 | 00,007,148 | ---- | M] () -- C:\WINDOWS\System32\rrt_tv.wav
[2009/04/01 01:04:41 | 00,006,282 | ---- | M] () -- C:\WINDOWS\System32\rrt_tn.wav
[2009/03/31 14:30:25 | 00,001,550 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\More Great Games.lnk
[2009/03/31 14:28:13 | 00,001,572 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Play My Games.lnk
[2009/03/31 12:26:29 | 00,000,648 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\wlkbuddy.lnk
[2009/03/31 12:26:01 | 00,763,863 | ---- | M] () -- C:\DOCUME~1\Michael\My Documents\install.exe
[2009/03/31 09:56:11 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/03/31 09:56:11 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/03/31 09:56:11 | 00,007,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/03/31 09:56:11 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/03/31 09:56:04 | 00,001,909 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Norton 360.LNK
[2009/03/31 09:56:03 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/03/31 09:56:03 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/03/31 09:56:03 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/03/31 09:56:03 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/03/31 09:56:03 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/03/31 09:56:03 | 00,039,984 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/03/31 09:56:03 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/03/31 09:56:03 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/03/31 09:56:03 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/03/31 09:56:02 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\cchpx86.sys
[2009/03/31 09:56:02 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/03/31 09:55:46 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/03/31 09:55:46 | 00,001,753 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.inf
[2009/03/31 09:55:46 | 00,001,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/03/31 09:55:46 | 00,001,389 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/03/31 09:55:46 | 00,001,383 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/03/31 09:55:46 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/03/31 09:55:46 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/03/31 09:55:36 | 00,009,423 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/03/31 09:55:36 | 00,007,410 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/03/31 09:55:36 | 00,007,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/03/31 09:55:36 | 00,007,364 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/03/31 09:55:36 | 00,007,355 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/03/31 09:55:36 | 00,007,347 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.cat
[2009/03/31 09:55:16 | 74,949,864 | ---- | M] (Symantec Corporation) -- C:\DOCUME~1\Michael\My Documents\N360S300EN.exe
[2009/03/31 09:08:34 | 00,155,648 | ---- | M] (Mozilla Foundation) -- C:\WINDOWS\atefidel.dll
[2009/03/31 08:56:19 | 00,042,496 | ---- | M] (Johnson-Grace Company) -- C:\WINDOWS\Ctozovilo.dll
[2009/03/29 05:18:48 | 00,000,078 | -HS- | M] () -- C:\DOCUME~1\Michael\My Documents\desktop.ini
[2009/03/29 05:16:03 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/29 03:29:28 | 00,004,608 | ---- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/29 03:08:03 | 00,000,786 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\Windows Media Player.lnk
[2009/03/29 02:57:30 | 00,098,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/29 02:10:04 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/28 18:42:27 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/03/28 12:09:07 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/26 12:32:46 | 00,001,782 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Age of Mythology - The Titans Expansion.lnk
[2009/03/25 13:54:57 | 00,520,192 | ---- | M] (ScreenTime Media) -- C:\WINDOWS\System32\Beautiful Katamari.scr
[2009/03/21 15:35:09 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/21 14:39:25 | 00,001,773 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Age of Mythology.lnk
[2009/03/21 12:41:51 | 00,000,000 | ---- | M] () -- C:\WINDOWS\ativpsrm.bin
[2009/03/17 13:56:58 | 00,002,673 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Sony Ericsson PC Suite.lnk
[2009/03/17 08:53:50 | 00,001,604 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\QuickTime Player.lnk
[2009/03/17 08:53:14 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/17 08:53:14 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/03/08 17:15:47 | 00,000,906 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Mystery P.I. - The Lottery Ticket.lnk
[2009/03/08 15:22:56 | 00,439,376 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 15:22:56 | 00,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 15:22:56 | 00,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 15:21:08 | 00,000,790 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\3 MobileBroadband.lnk
[2009/03/07 20:23:56 | 00,001,857 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\MSN Installer.lnk
[2009/03/07 17:32:48 | 00,002,007 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Adobe Photoshop Album Starter Edition 3.0.lnk
[2009/03/07 17:32:16 | 00,001,740 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Adobe Reader 7.0.lnk
[2009/03/07 17:10:48 | 00,001,589 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\The Puzzle Collection.lnk
[2009/03/07 17:10:16 | 00,000,882 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Acrobat Reader 5.1.lnk
[2009/03/07 17:05:40 | 00,000,856 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\MahJongg.LNK
[2009/03/07 17:03:33 | 00,000,036 | ---- | M] () -- C:\WINDOWS\Tiny_Run.ini
[2009/03/07 17:01:50 | 00,001,801 | ---- | M] () -- C:\DOCUME~1\Michael\Desktop\Age of Empires.lnk
[2009/03/07 16:48:18 | 00,001,909 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\RollerCoaster Tycoon 2 Triple Thrill Pack.lnk
[2009/03/07 16:48:13 | 00,225,280 | ---- | M] (Leader Technologies) -- C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
[2009/03/07 13:20:24 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2009/03/07 13:17:22 | 00,000,263 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2009/03/06 16:45:06 | 00,130,424 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ABE89FFE
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3064D21D
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE
< End of report >
OTListIt Extras
-----------------

OTListIt Extras logfile created on: 4/1/2009 7:46:14 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.8.0 Folder = C:\Documents and Settings\Michael\Desktop\Virus
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.58 Mb Total Physical Memory | 569.11 Mb Available Physical Memory | 55.71% Memory free
2.39 Gb Paging File | 1.82 Gb Available in Paging File | 76.18% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 63.82 Gb Free Space | 85.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 23.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNUGGLEGLOOM
Current User Name: Michael
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel® PRO Network Connections 11.2.0.69
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 13
"{2EA45803-BEB7-46C4-9ADC-46A5F9E7BB77}" = GEAR driver installer for x86 and x64
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4C5D15D2-5351-4F05-A96E-56C20554F977}" = RollerCoaster Tycoon 2 Triple Thrill Pack
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD35616B-ECAE-4D48-8F3A-677035EFB26F}" = The Puzzle Collection
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}" = Uniblue RegistryBooster 2009
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FC906D5C-91F9-4DA4-A765-6DCBB669F317}" = Sony Ericsson PC Suite
"{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}" = Disc2Phone
"3 MobileBroadband" = 3 MobileBroadband
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Age of Empires" = Microsoft Age of Empires
"Age of Mythology 1.0" = Age of Mythology
"Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
"ATI Display Driver" = ATI Display Driver
"Beautiful Katamari" = Beautiful Katamari Screen Saver
"BFGC" = Big Fish Games Client
"Classic Games" = Classic Games
"ERUNT_is1" = ERUNT 1.1j
"GamesBar" = GamesBar 2.0.1.12
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSNINST" = MSN
"Mystery P.I. - The Lottery Ticket 1.0.0.5" = Mystery P.I. - The Lottery Ticket 1.0.0.5
"N360" = Norton 360
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Connections Drivers
"Registry Mechanic_is1" = Registry Mechanic 8.0
"Special Agent P. C. Secure1.3.01" = Special Agent P. C. Secure
"Spyware Doctor" = Spyware Doctor 6.0
"Uniblue RegistryBooster 2009" = Uniblue RegistryBooster 2009
"XoftSpySE" = XoftSpySE

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/30/2009 6:11:03 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (1724) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:11:13 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (1724) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:11:23 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (3528) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:11:33 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (3528) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:11:44 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (3584) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:11:54 PM | Computer Name = SNUGGLEGLOOM | Source = ESENT | ID = 490
Description = wuauclt (3584) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/30/2009 6:19:10 PM | Computer Name = SNUGGLEGLOOM | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 3/30/2009 6:46:23 PM | Computer Name = SNUGGLEGLOOM | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00011d69.

Error - 3/30/2009 6:46:30 PM | Computer Name = SNUGGLEGLOOM | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 3/30/2009 8:39:54 PM | Computer Name = SNUGGLEGLOOM | Source = Application Error | ID = 1000
Description = Faulting application ccSvcHst.exe, version 108.1.0.24, faulting module
unknown, version 0.0.0.0, fault address 0x10031e39.

[ System Events ]
Error - 3/23/2009 12:01:43 AM | Computer Name = SNUGGLEGLOOM | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 3/23/2009 12:03:34 AM | Computer Name = SNUGGLEGLOOM | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 3/23/2009 12:05:11 AM | Computer Name = SNUGGLEGLOOM | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 3/23/2009 12:09:57 AM | Computer Name = SNUGGLEGLOOM | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 3/25/2009 4:07:30 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.32.146.

Error - 3/25/2009 7:38:46 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.40.93.

Error - 3/26/2009 9:27:37 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.12.146.

Error - 3/27/2009 7:42:23 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.15.223.

Error - 3/27/2009 8:34:03 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.27.214.

Error - 3/28/2009 1:46:40 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.43.32.


< End of report >
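A triage pass over the Extras report above, added here as an example for this page; it is not code from OldTimer's OTListIt2 or from the poster. It parses the Security Center and Windows Firewall policy sections and the Srv event-log entries in the format shown above and flags the items a responder checks first: EnableFirewall = 0 on the Standard profile (which makes the LocalSubNet scope on the 139/445/137/138 entries moot), the firewall exceptions, any Security Center notify/override values set to 1, and Srv event 2006 entries whose logged source is a public (non-reserved) address. The sample input is a constructed excerpt in the report's format: the firewall and port values mirror the posted log, and one private-address Srv event is added so the public/private distinction is exercised.

```python
"""Triage checks over an OTListIt2 "Extras" report (added example for this
thread; not code from OldTimer's tool or from the poster)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's format; firewall/port values mirror the
# posted log, the 192.168.1.20 event is added to exercise the private case.
SAMPLE_REPORT = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 3/25/2009 4:07:30 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\115.130.32.146.

Error - 3/25/2009 7:38:46 AM | Computer Name = SNUGGLEGLOOM | Source = Srv | ID = 2006
Description = The server received an incorrectly formatted request from \\192.168.1.20.
"""

KEY_RE = re.compile(r"^\[?(HKEY_[^\]]+?)\]?\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
EVENT_RE = re.compile(r"^Error - .+?\| Source = (?P<source>\S+) \| ID = (?P<id>\d+)")
UNC_HOST_RE = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})")
# Security Center values that malware sets to 1 to silence alerts or fake AV/firewall status
SC_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify",
            "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride")


@dataclass
class Findings:
    firewall_enabled: dict = field(default_factory=dict)  # profile -> bool
    sc_flags_set: list = field(default_factory=list)      # SC_FLAGS found = 1
    open_ports: list = field(default_factory=list)        # (port, proto, scope, state)
    authorized_apps: list = field(default_factory=list)   # (path, scope, state, name)
    srv_sources: list = field(default_factory=list)       # (ip, is_public) from Srv events


def parse_report(text):
    f = Findings()
    key = None    # registry key the following "name" = value lines belong to
    event = None  # event header whose Description line is still to come
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=====") or line.startswith("[ "):
            key = None  # section header such as "[ System Events ]"
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = EVENT_RE.match(line)
        if m:
            event = m.groupdict()
            continue
        if event is not None and line.startswith("Description ="):
            # Srv 2006 = malformed request to the Server (SMB) service; the source is
            # logged as a UNC host. is_global is False for RFC 1918 and other reserved ranges.
            if event["source"] == "Srv":
                for ip in UNC_HOST_RE.findall(line):
                    f.srv_sources.append((ip, ipaddress.ip_address(ip).is_global))
            event = None
            continue
        if key is None:
            continue
        if key.endswith("\\AuthorizedApplications\\List"):
            # path:scope:state:name; rsplit keeps the drive-letter colon inside the path
            parts = line.rsplit(":", 3)
            if len(parts) == 4:
                f.authorized_apps.append(tuple(parts))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if key.endswith("\\GloballyOpenPorts\\List"):
            port, proto, scope, state = value.split(":")[:4]
            f.open_ports.append((int(port), proto, scope, state))
        elif name == "EnableFirewall":
            f.firewall_enabled[key.rsplit("\\", 1)[-1]] = value == "1"
        elif name in SC_FLAGS and value == "1":
            f.sc_flags_set.append(name)
    return f


def triage(f):
    """The short list a responder reads first: firewall state, then exposure."""
    out = []
    for profile, enabled in f.firewall_enabled.items():
        if not enabled:
            out.append(f"Windows Firewall DISABLED on {profile}: port scopes below are not enforced")
    for flag in f.sc_flags_set:
        out.append(f"Security Center flag {flag}=1 (alerts silenced or status overridden)")
    for port, proto, scope, state in f.open_ports:
        out.append(f"Open port {port}/{proto} scope={scope} ({state})")
    for path, scope, state, name in f.authorized_apps:
        out.append(f"Firewall exception {name}: {path} scope={scope} ({state})")
    for ip, public in f.srv_sources:
        if public:
            out.append(f"Srv 2006 malformed SMB request from PUBLIC address {ip}")
    return out


if __name__ == "__main__":
    for msg in triage(parse_report(SAMPLE_REPORT)):
        print(msg)
```

Two caveats when reading its output against this thread. EnableFirewall = 0 is not by itself evidence of tampering: a third-party firewall registers with Security Center and turns the Windows one off, and the ComboFix log in the reply below reports "FW: Norton 360 *enabled*", so the finding is something to confirm (which firewall is actually in effect on the mobile broadband interface) rather than a verdict. Likewise the 115.130.x.x sources are simply addresses outside the reserved ranges; whether a malformed request from them could reach port 445 depends on that same firewall, and the script only surfaces them for review.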



#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hello bugatronic25

Welcome to Geeks to Go :) and sorry to keep you waiting.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include C:\ComboFix.txt and a new HijackThis log in your next reply for further review

and then:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
andrewuk

#3
bugatronic25

    Member

  • Topic Starter
  • 27 posts
Hi Andrewuk,

Thanks very much for your reply. I have followed the steps you provided and attach the logs you requested below. I can also report the following information with regard to what happened when following the steps and how the system is running now:

Combo Fix
The bleepingcomputer site appeared to be down, though it seems OK now. Managed to access the site via the 'cached' option in Google search and read the instructions, then followed a link to a geekstogo page to download ComboFix.

Tried to run ComboFix; it said Norton 360 was still running, though I couldn't find anything in Applications, Processes or the system tray that seemed to be related. OK'd past the ComboFix warning about Norton 360 anti-virus still running, got the command prompt, but nothing happened after that.

Rebooted (off/on, not restart, as restart is not working), uninstalled Norton 360, rebooted to complete the uninstall process, re-ran ComboFix; the same message appeared about Norton 360 running (even though I had just uninstalled it), but this time when continuing it started running.

It wanted to install the Windows Recovery Console, which needed an internet connection; the internet would not connect (later found this was because I had taken out the mobile broadband internet key modem I use for my internet connection), so I continued anyway.

The process completed quite quickly and removed a couple of files; full log below.

ComboFix did not reset the startup selection in msconfig from selective to normal; I did this manually and restarted. RegBooster came straight up after this restart and started scanning; I ended the application in Task Manager as I could not close the window, uninstalled it from Add/Remove Programs, and ran a Malwarebytes quick scan after this, which came back clean.

Reinstalled Norton 360, ran HijackThis; it completed without incident.

Symptoms
Not everything was resolved, but there have definitely been a lot of improvements since running ComboFix. Thanks for that; the computer is a lot more usable.

System Performance
A lot more idle time is shown in Task Manager than before, e.g. when playing Yahoo Dice Slider it has gone from around 65 to 90 percent idle, and that is excluding the times when svchost, ccSvcHst and dumprep would just take over all resources. svchost.exe no longer appears to be a problem (thanks), nor does dumprep. ccSvcHst came up once for about 5 seconds, but this appears to be Norton 360 updating definitions; a Google search advises this is a Symantec program, and Norton 360's time since update appears consistent with when this runs.

Crashing
Appears to have been resolved - thanks again

Regedit.exe, regedt32.exe, cmd.exe, reg.exe
Regedit.exe, regedt32.exe and cmd.exe are all running now - thanks. reg.exe still flashes up the command prompt and closes; maybe this is all it is supposed to do, not sure. I can get into regedit using the other programs.

System Protector
Still OK

Task Manager
Still OK

Google Search Link Redirects
Another one that looks good now :)

Screen resolution & Restarts
Still not working. One thing that may be relevant to this is that this PC had to have a video card added as the other one died (the PC switched off and would not start up again at all); this was only 2 weeks after purchasing the PC from a second-hand retailer, and was done under warranty. This replacement was around two weeks ago; I have had the PC for around 4 weeks. Screen resolution changes were definitely working after this, though I can't recall whether the restart worked after this. These problems started about 1 week ago.

Now that I can get into registry again, is there something that can be done to change screen resolution there, or give me the ability to change it again in the display properties window?

For clarity I have included descriptions of these problems from my original post below:

- Changing the screen resolution isn't actually doing anything - I can select the 1024x768 option and apply it, but the screen does not actually resize from 800x600

- Getting a black screen when performing a Windows restart - using the Windows Turn Off function and then powering on works fine

Windows System Restore
I have not tried this since ComboFix was run

Here are the ComboFix and HijackThis logs. You have been a great help so far; I hope that you are able to assist further with the screen resolution and restart issues in particular




Combo Fix

ComboFix 09-04-04.01 - Michael 2009-04-05 13:47:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.732 [GMT 10:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\atefidel.dll
c:\windows\Ctozovilo.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 12:50 . 2009-04-05 12:50 <DIR> d-------- c:\program files\Trend Micro
2009-04-03 15:41 . 2009-04-03 15:42 <DIR> d-------- c:\program files\Roller Rush
2009-04-03 15:02 . 2009-04-03 15:02 <DIR> d-------- c:\windows\system32\lightningstrikes_3123875 dir
2009-04-03 15:02 . 2009-04-03 15:02 520,192 --a------ c:\windows\system32\lightningstrikes_3123875.scr
2009-04-03 14:57 . 2009-04-03 14:57 <DIR> d-------- c:\windows\system32\kittenandbutterfly_3122093 dir
2009-04-03 14:57 . 2009-04-03 14:57 520,192 --a------ c:\windows\system32\kittenandbutterfly_3122093.scr
2009-04-03 14:55 . 2009-04-03 14:55 <DIR> d-------- c:\windows\system32\kittyinthewindow_3102795 dir
2009-04-03 14:55 . 2009-04-03 14:55 520,192 --a------ c:\windows\system32\kittyinthewindow_3102795.scr
2009-04-01 18:41 . 2009-04-01 18:42 <DIR> d-------- C:\Rooter$
2009-04-01 17:54 . 2009-04-01 17:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-04-01 18:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 17:53 . 2009-04-01 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-03-26 15:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 17:53 . 2009-03-26 15:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-01 17:49 . 2009-04-01 17:49 <DIR> d-------- c:\program files\ERUNT
2009-04-01 17:26 . 2009-04-01 17:26 <DIR> d-------- C:\hijackthis
2009-04-01 17:14 . 2009-04-01 17:14 <DIR> d-------- c:\program files\XoftSpySE
2009-04-01 15:50 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Copy of Software.reg
2009-04-01 15:09 . 2009-04-01 15:22 10 --a------ c:\windows\WININIT.INI
2009-04-01 05:05 . 2009-04-01 05:05 <DIR> d-------- c:\documents and settings\Administrator
2009-04-01 04:37 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Software.reg
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\windows\Special Agent P. C. Secure
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\program files\Easy Desk Utilities
2009-04-01 03:51 . 2009-04-04 10:18 <DIR> d-------- c:\program files\Spyware Doctor
2009-04-01 03:51 . 2009-04-01 03:52 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\Michael\Application Data\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-04-01 03:51 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-04-01 03:51 . 2008-12-11 07:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-04-01 03:51 . 2009-03-06 15:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-04-01 03:51 . 2008-12-18 11:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-01 03:51 . 2008-12-10 11:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-04-01 02:16 . 2009-04-01 02:16 <DIR> d-------- C:\EmergencyUtils
2009-04-01 01:23 . 2009-04-01 01:23 <DIR> d-------- c:\program files\Uniblue
2009-04-01 01:23 . 2009-04-01 01:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\Uniblue
2009-04-01 01:01 . 2009-04-01 01:23 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-04-01 00:04 . 2009-04-01 00:04 16,244 --a------ c:\windows\system32\rrt_is.wav
2009-04-01 00:04 . 2009-04-01 00:04 7,302 --a------ c:\windows\system32\rrt_vf.wav
2009-04-01 00:04 . 2009-04-01 00:04 7,148 --a------ c:\windows\system32\rrt_tv.wav
2009-04-01 00:04 . 2009-04-01 00:04 6,282 --a------ c:\windows\system32\rrt_tn.wav
2009-03-31 20:10 . 2009-03-31 20:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-31 13:28 . 2009-03-31 13:28 <DIR> d-------- c:\program files\bfgclient
2009-03-31 13:27 . 2009-04-03 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-03-31 11:26 . 2009-03-31 11:26 <DIR> d-------- c:\program files\wlkbuddy
2009-03-31 08:56 . 2009-04-05 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-31 08:55 . 2009-03-31 08:55 <DIR> d-------- c:\program files\NortonInstaller
2009-03-31 08:55 . 2009-04-01 03:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-31 08:55 . 2009-03-31 08:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-31 08:55 . 2009-04-05 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-31 08:23 . 2009-03-31 08:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegTool
2009-03-30 10:07 . 2009-04-01 18:06 <DIR> d-------- c:\program files\GamesBar
2009-03-30 10:07 . 2009-03-30 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\GamesBar
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\plan change receipt
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\katamari
2009-03-29 02:57 . 2009-03-29 02:57 <DIR> d-------- C:\video card driver
2009-03-29 02:36 . 2009-03-29 02:38 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegFixPro
2009-03-29 02:23 . 2009-03-29 02:23 <DIR> d-------- c:\windows\movies
2009-03-29 02:08 . 2004-08-04 22:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-28 17:42 . 2009-03-28 17:42 0 --a------ c:\windows\nsreg.dat
2009-03-25 12:54 . 2009-04-01 03:29 <DIR> d-------- c:\windows\system32\Beautiful Katamari dir
2009-03-25 12:54 . 2009-03-25 12:54 520,192 --a------ c:\windows\system32\Beautiful Katamari.scr
2009-03-23 09:02 . 2009-03-23 13:27 <DIR> d-------- c:\program files\Google
2009-03-23 01:17 . 2009-03-23 01:17 <DIR> d-------- c:\windows\system32\Adobe
2009-03-21 11:41 . 2009-03-21 11:41 0 --a------ c:\windows\ativpsrm.bin
2009-03-21 11:40 . 2009-02-25 14:15 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-21 11:39 . 2009-03-21 11:39 <DIR> d-------- C:\ATI
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iTunes
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iPod
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Bonjour
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 07:54 . 2008-04-17 11:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-17 07:54 . 2009-01-15 11:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 07:53 . 2009-03-17 07:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-17 07:53 . 2009-03-17 07:53 1,409 --a------ c:\windows\QTFont.for
2009-03-17 07:52 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\program files\Apple Software Update
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-10 19:48 . 2009-03-30 11:32 <DIR> d-------- c:\program files\Oberon Media
2009-03-10 19:48 . 2009-03-10 19:48 <DIR> d-------- c:\program files\Common Files\Oberon Media
2009-03-10 19:48 . 2009-03-30 10:07 <DIR> d-------- c:\documents and settings\Michael\Application Data\PlayFirst
2009-03-10 19:48 . 2009-04-05 13:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 19:48 . 2009-03-27 15:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-09 02:24 . 2009-03-09 02:24 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-08 17:37 . 2009-03-08 17:37 <DIR> d-------- c:\windows\Sun
2009-03-08 17:35 . 2009-03-27 09:14 <DIR> d-------- c:\program files\Java
2009-03-08 17:35 . 2009-03-09 04:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 17:35 . 2009-03-09 01:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\program files\PopCap Games
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-03-08 15:51 . 2009-03-08 15:51 <DIR> d--hs---- c:\documents and settings\Michael\UserData
2009-03-08 14:29 . 2008-06-13 23:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-08 14:29 . 2008-06-13 23:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-08 14:20 . 2009-03-08 14:21 <DIR> d-------- c:\program files\3 MobileBroadband
2009-03-08 14:20 . 2008-03-16 13:47 872,192 --a------ c:\windows\system32\drivers\mod7700.sys
2009-03-08 14:20 . 2008-03-17 10:56 103,168 --a------ c:\windows\system32\drivers\ewusbfake.sys
2009-03-08 14:20 . 2008-03-17 10:03 101,376 --a------ c:\windows\system32\drivers\ewusbmdm.sys
2009-03-08 14:20 . 2008-01-22 14:09 100,992 --a------ c:\windows\system32\drivers\ewusbnet.sys
2009-03-08 14:20 . 2007-08-09 03:13 24,448 --a------ c:\windows\system32\drivers\ewdcsc.sys
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Teleca
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Sony Ericsson
2009-03-07 18:00 . 2006-11-10 17:24 90,800 -ra------ c:\windows\system32\drivers\se2Eunic.sys
2009-03-07 18:00 . 2006-11-10 17:23 18,704 -ra------ c:\windows\system32\drivers\se2End5.sys
2009-03-07 18:00 . 2006-11-10 17:23 4,128 -ra------ c:\windows\system32\drivers\se2Ecr.sys
2009-03-07 16:38 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Apple Computer
2009-03-07 16:37 . 2009-03-07 16:37 <DIR> d-------- c:\documents and settings\Michael\Application Data\AdobeUM
2009-03-07 16:35 . 2006-11-10 17:23 88,688 -ra------ c:\windows\system32\drivers\SE2Emgmt.sys
2009-03-07 16:35 . 2006-11-10 17:23 86,560 -ra------ c:\windows\system32\drivers\SE2Eobex.sys
2009-03-07 16:34 . 2006-11-10 17:23 97,184 -ra------ c:\windows\system32\drivers\SE2Emdm.sys
2009-03-07 16:34 . 2006-11-10 17:23 61,600 -ra------ c:\windows\system32\drivers\SE2Ebus.sys
2009-03-07 16:34 . 2006-11-10 17:23 9,360 -ra------ c:\windows\system32\drivers\SE2Emdfl.sys
2009-03-07 16:34 . 2006-11-10 17:23 6,240 -ra------ c:\windows\system32\drivers\SE2Ecmnt.sys
2009-03-07 16:34 . 2006-11-10 17:23 6,240 -ra------ c:\windows\system32\drivers\SE2Ecm.sys
2009-03-07 16:34 . 2006-11-10 17:24 5,872 -ra------ c:\windows\system32\drivers\SE2Ewhnt.sys
2009-03-07 16:34 . 2006-11-10 17:24 5,872 -ra------ c:\windows\system32\drivers\SE2Ewh.sys
2009-03-07 16:29 . 2009-03-17 07:53 <DIR> d-------- c:\program files\QuickTime
2009-03-07 16:29 . 2009-03-07 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-07 16:27 . 2009-03-07 16:27 <DIR> d-------- c:\program files\Disc2Phone
2009-03-07 16:20 . 2009-03-07 16:20 <DIR> d-------- c:\windows\system32\URTTemp
2009-03-07 16:18 . 2009-03-07 16:18 <DIR> d-------- c:\documents and settings\Michael\Application Data\Teleca
2009-03-07 16:17 . 2009-03-07 16:17 <DIR> d-------- c:\documents and settings\Michael\Application Data\Sony Ericsson
2009-03-07 16:15 . 2009-03-17 07:54 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-07 16:15 . 2009-03-07 16:15 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-07 16:15 . 2009-03-07 16:15 <DIR> d-------- c:\program files\Sony Ericsson
2009-03-07 16:15 . 2009-03-07 16:15 <DIR> d-------- c:\program files\Common Files\Teleca Shared
2009-03-07 16:15 . 2009-03-07 16:15 <DIR> d-------- c:\program files\Common Files\Sony Ericsson Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 01:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 22:39 --------- d-----w c:\program files\IDT
2009-03-07 06:14 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-25 22:58 3,565,568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 21:42 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-25 21:41 325,120 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-25 21:30 204,800 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-25 21:30 11,841,536 ----a-w c:\windows\system32\atioglxx.dll
2009-02-25 21:29 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-25 21:29 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-25 21:27 602,112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-25 21:26 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-25 21:16 3,817,984 ----a-w c:\windows\system32\ati3duag.dll
2009-02-25 21:09 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-25 20:59 2,670,080 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-25 20:44 49,664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-25 20:40 475,136 ----a-w c:\windows\system32\atikvmag.dll
2009-02-25 20:38 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-25 20:38 126,976 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-25 20:37 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-25 20:35 290,816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-25 20:32 626,688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-25 20:30 3,227,648 ----a-w c:\windows\system32\aticaldd.dll
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 02:34 --------- d-----w c:\program files\Realtek
2009-02-09 02:28 --------- d-----w c:\program files\Intel
2009-02-09 00:04 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2009-03-08 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler V3.exe [2009-03-07 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 19:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 15:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 00:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 04:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-27 02:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"N360"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-01 130424]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-04-01 348752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-05 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro\RegFixPro.exe []

2009-04-05 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro []

2009-04-05 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool\RegTool.exe []

2009-04-05 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool []

2009-04-05 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]

2009-04-01 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AdwareAlert - c:\program files\AdwareAlert\AdwareAlert.exe
MSConfigStartUp-RegFixPro - c:\program files\RegFixPro\RegFixPro.exe
MSConfigStartUp-RRT-Auto - c:\documents and settings\Michael\Desktop\RRT\RRT.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.games.yahoo.com/
mStart Page = hxxp://au.games.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://games.bigfishgames.com/en_chocolatier-2-secret-ingredients/online/Chocolatier2Web.1.0.0.10.cab
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://games.bigfishgames.com/en_parking-dash/online/parkingdash.1.0.0.10.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 13:49:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-05 13:51:22
ComboFix-quarantined-files.txt 2009-04-05 03:51:19

Pre-Run: 68,099,223,552 bytes free
Post-Run: 68,336,836,608 bytes free

294 --- E O F --- 2009-04-01 10:14:38




HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:53 PM, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
c:\program files\idt\intelxpv_v83\wdm\STacSV.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://games.bigfish...eb.1.0.0.21.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfish...Web.1.0.0.9.cab
O16 - DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} (CPlayFirstFitnessDasControl Object) - http://games.bigfish...eb.1.0.0.11.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.s...abs/tgctlsr.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://games.bigfish...Web.1.0.0.9.cab
O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfish...eb.1.0.0.11.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://games.bigfish...tg.1.0.0.33.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://games.bigfish...eb.1.0.0.10.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfish...inematycoon.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://gamecenter.ob...sh.1.0.0.47.cab
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} (CPlayFirstParkingDasControl Object) - http://games.bigfish...sh.1.0.0.10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDD114B4-C5B6-4EED-AC28-96C9A45FC6B0}: NameServer = 202.124.76.98 202.124.68.130
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v83\wdm\STacSV.exe

--
End of file - 6916 bytes
  • 0

#4
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
We have a bit to go yet. Leave System Restore alone; it will be infected.


====STEP 1====
There are some files and folders that I don't recognise. Do you recognise them (don't run them)?

c:\windows\system32\lightningstrikes_3123875 dir
c:\windows\system32\lightningstrikes_3123875.scr
c:\windows\system32\kittenandbutterfly_3122093 dir
c:\windows\system32\kittenandbutterfly_3122093.scr
c:\windows\system32\kittyinthewindow_3102795 dir
c:\windows\system32\kittyinthewindow_3102795.scr

c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav

C:\plan change receipt
C:\katamari
C:\video card driver
c:\windows\movies

c:\windows\system32\Beautiful Katamari dir
c:\windows\system32\Beautiful Katamari.scr


Any idea what this is? c:\windows\Copy of Software.reg


Do you recognise this address?
3G Mobile Service Provider
Pyrmont NSW
AU



====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tasks\RegFixPro Scan.job
c:\program files\RegFixPro\RegFixPro.exe
c:\windows\Tasks\RegFixPro Scan.job
c:\windows\Tasks\RegTool Scan.job
c:\program files\RegTool\RegTool.exe
c:\windows\Tasks\RegTool Scan.job

Folder::
c:\documents and settings\All Users\Application Data\BigFishGamesCache
c:\program files\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar

Registry::
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{049A470D-F818-4E34-B14D-E4E237DADCF8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195B4BBF-E1E4-4020-9773-0A8C6F65EA35}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{26E6B759-DEEB-42A1-A21C-78CD29098411}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4DCA1E08-4147-4A3D-8CA6-E095DF189FAB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{74EF5274-F439-2168-B543-14745B625C72}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D40F5876-A494-4124-8161-82625BB28C06}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F135A813-7152-4532-AC8D-28AC2136DFC7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}]

DirLook::
c:\program files\Roller Rush
c:\program files\wlkbuddy


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


====STEP 3====
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply (you will need to paste the link onto a notepad before you do the other scans below, else the contents of your clipboard will be written over with the new links).
Could you do the same for the following files:
  • c:\windows\system32\kittyinthewindow_3102795.scr
  • c:\windows\system32\Beautiful Katamari.scr



In your next reply, could I see:
1. the answers to the above questions
2. a new combofix log
3. a new hijackthis log
4. the virscan logs or links

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
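The entries that andrewuk's CFScript above targets can be picked out of a ComboFix or HijackThis log mechanically. The Python below is an added example written for this page; it is not part of either tool and not code from any post in the thread. It runs over a constructed sample (lines copied from the logs above, plus two benign entries the checks must skip) and reports MountPoints2 AutoRun commands, a standard-profile firewall policy set to 0, scheduled tasks whose target ComboFix printed with an empty [] where a timestamp would normally appear, and HijackThis O6 restriction entries. The regular expressions and the empty-[] heuristic are this example's own assumptions about the log format, not documented behaviour of ComboFix or HijackThis.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the ComboFix and HijackThis logs in this
# thread, plus two benign lines (an Apple task, an O4 entry) the checks must skip.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-05 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro\RegFixPro.exe []

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Line shapes inferred from the logs quoted in the thread. These are this
# example's assumptions about the format, not a documented grammar of either tool.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")


def autorun_mountpoints(lines: List[str]) -> List[Tuple[str, str]]:
    """(registry key, command) for every MountPoints2 key that carries a
    Shell/AutoRun/command value. Explorer runs that command when the drive is
    opened; the log above has one pointing at E:/AutoRun.exe on a removable drive."""
    found, current_key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = AUTORUN_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            found.append((current_key, m.group("cmd").strip()))
    return found


def firewall_disabled(lines: List[str]) -> bool:
    """True when the standard-profile policy reports EnableFirewall = 0.
    Flag for review only: a third-party suite such as Norton 360 legitimately
    takes over from Windows Firewall, so this is not a verdict on its own."""
    return any(FIREWALL_RE.match(line) for line in lines)


def orphan_tasks(lines: List[str]) -> List[str]:
    """Scheduled tasks whose target line ends in an empty [] (assumed here to mean
    ComboFix could not stat the target file). A task that outlives its program
    is typical of a half-removed rogue 'registry cleaner' like RegFixPro."""
    result, current_job = [], None
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            current_job = m.group("job")
            continue
        m = TASK_TARGET_RE.match(line)
        if m and current_job:
            if m.group("stamp") == "":
                result.append(current_job)
            current_job = None
    return result


def ie_restriction_keys(lines: List[str]) -> List[str]:
    """HijackThis O6 lines: Policies/Microsoft/Internet Explorer keys that exist.
    They are normally absent on a home PC; malware creates them to lock IE down."""
    return [m.group("key") for m in map(O6_RE.match, lines) if m]


def triage(text: str) -> Dict[str, object]:
    """Run every check over one log text and collect the findings."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    return {
        "autorun": autorun_mountpoints(lines),
        "firewall_disabled": firewall_disabled(lines),
        "orphan_tasks": orphan_tasks(lines),
        "ie_restrictions": ie_restriction_keys(lines),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Flagging is not removal: the CFScript in the post above is what actually deletes the MountPoints2 keys, the IE restriction policies and the leftover .job files, and it records what it removed in C:\ComboFix.txt so the next log can be checked against this list.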

#5
bugatronic25
    Member
  • Topic Starter
  • Member
  • 27 posts
Hi Andrewuk,

Thanks for your response. In reply:

Step 1
All of the files you listed seem familiar, but I have no issue with deleting any of them if needed

The .dir and .scr files in c:\windows\system32 are screen savers
The rrt files are probably related to downloading 'Remove Restrictions Tool' from www.sergiwa.com when I was trying to fix these issues myself before my first post.

C:\plan change receipt is a folder I created to store a receipt from when I changed my internet plan online
C:\katamari was created to store a download of an application that you can run to have a little character running around your desktop to entertain you
C:\video card driver is a folder the second-hand retailer created to save the driver he downloaded from the AMD website before installing for the replacement video card
c:\windows\movies is a folder I created to store movie downloads
c:\windows\Copy of Software.reg I created when trying to fix these issues before my first post

The address:

3G Mobile Service Provider
Pyrmont NSW
AU


appears to be for my mobile broadband internet via Hutchison/3

Step 2
I opened the internet connection this time to allow ComboFix to install the Windows Recovery Console, but accidentally closed it before the install finished. I also noticed in the log file afterwards that I named the script file CFScript.txt.txt, but the process did complete; log below.

Step 3
None of the scans found anything

Ran HijackThis as well to produce a new log; see below.
Thanks again for your help



ComboFix

ComboFix 09-04-04.01 - Michael 2009-04-06 18:59:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.717 [GMT 10:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 09:01 . 2009-04-06 09:01 <DIR> d-------- c:\documents and settings\Michael\Application Data\Yahoo!
2009-04-06 08:59 . 2009-04-06 09:27 <DIR> d-------- c:\program files\Yahoo!
2009-04-06 08:59 . 2009-04-06 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 14:31 . 2008-12-21 09:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-04-05 14:31 . 2007-04-17 19:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-05 14:31 . 2007-03-08 15:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-05 14:31 . 2008-12-21 09:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-04-05 14:31 . 2008-12-21 09:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-05 14:31 . 2008-12-21 09:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-04-05 14:31 . 2008-12-21 09:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-04-05 14:31 . 2008-12-21 09:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-05 14:31 . 2008-12-19 19:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-04-05 12:50 . 2009-04-05 12:50 <DIR> d-------- c:\program files\Trend Micro
2009-04-03 15:41 . 2009-04-03 15:42 <DIR> d-------- c:\program files\Roller Rush
2009-04-03 15:02 . 2009-04-03 15:02 <DIR> d-------- c:\windows\system32\lightningstrikes_3123875 dir
2009-04-03 15:02 . 2009-04-03 15:02 520,192 --a------ c:\windows\system32\lightningstrikes_3123875.scr
2009-04-03 14:57 . 2009-04-03 14:57 <DIR> d-------- c:\windows\system32\kittenandbutterfly_3122093 dir
2009-04-03 14:57 . 2009-04-03 14:57 520,192 --a------ c:\windows\system32\kittenandbutterfly_3122093.scr
2009-04-03 14:55 . 2009-04-03 14:55 <DIR> d-------- c:\windows\system32\kittyinthewindow_3102795 dir
2009-04-03 14:55 . 2009-04-03 14:55 520,192 --a------ c:\windows\system32\kittyinthewindow_3102795.scr
2009-04-01 18:41 . 2009-04-01 18:42 <DIR> d-------- C:\Rooter$
2009-04-01 17:54 . 2009-04-01 17:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-04-01 18:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 17:53 . 2009-04-01 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-03-26 15:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 17:53 . 2009-03-26 15:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-01 17:49 . 2009-04-01 17:49 <DIR> d-------- c:\program files\ERUNT
2009-04-01 17:26 . 2009-04-01 17:26 <DIR> d-------- C:\hijackthis
2009-04-01 17:14 . 2009-04-01 17:14 <DIR> d-------- c:\program files\XoftSpySE
2009-04-01 15:50 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Copy of Software.reg
2009-04-01 15:09 . 2009-04-01 15:22 10 --a------ c:\windows\WININIT.INI
2009-04-01 05:05 . 2009-04-01 05:05 <DIR> d-------- c:\documents and settings\Administrator
2009-04-01 04:37 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Software.reg
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\windows\Special Agent P. C. Secure
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\program files\Easy Desk Utilities
2009-04-01 03:51 . 2009-04-04 10:18 <DIR> d-------- c:\program files\Spyware Doctor
2009-04-01 03:51 . 2009-04-01 03:52 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\Michael\Application Data\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-04-01 03:51 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-04-01 03:51 . 2008-12-11 07:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-04-01 03:51 . 2009-03-06 15:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-04-01 03:51 . 2008-12-18 11:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-01 03:51 . 2008-12-10 11:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-04-01 02:16 . 2009-04-01 02:16 <DIR> d-------- C:\EmergencyUtils
2009-04-01 01:23 . 2009-04-01 01:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\Uniblue
2009-04-01 00:04 . 2009-04-01 00:04 16,244 --a------ c:\windows\system32\rrt_is.wav
2009-04-01 00:04 . 2009-04-01 00:04 7,302 --a------ c:\windows\system32\rrt_vf.wav
2009-04-01 00:04 . 2009-04-01 00:04 7,148 --a------ c:\windows\system32\rrt_tv.wav
2009-04-01 00:04 . 2009-04-01 00:04 6,282 --a------ c:\windows\system32\rrt_tn.wav
2009-03-31 20:10 . 2009-03-31 20:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-31 13:28 . 2009-03-31 13:28 <DIR> d-------- c:\program files\bfgclient
2009-03-31 13:27 . 2009-04-03 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-03-31 11:26 . 2009-03-31 11:26 <DIR> d-------- c:\program files\wlkbuddy
2009-03-31 08:56 . 2009-04-06 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-31 08:55 . 2009-03-31 08:55 <DIR> d-------- c:\program files\NortonInstaller
2009-03-31 08:55 . 2009-04-06 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-31 08:55 . 2009-04-05 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-31 08:55 . 2009-04-06 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-31 08:23 . 2009-03-31 08:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegTool
2009-03-30 10:07 . 2009-04-01 18:06 <DIR> d-------- c:\program files\GamesBar
2009-03-30 10:07 . 2009-03-30 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\GamesBar
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\plan change receipt
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\katamari
2009-03-29 02:57 . 2009-03-29 02:57 <DIR> d-------- C:\video card driver
2009-03-29 02:36 . 2009-03-29 02:38 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegFixPro
2009-03-29 02:23 . 2009-03-29 02:23 <DIR> d-------- c:\windows\movies
2009-03-29 02:08 . 2004-08-04 22:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-28 17:42 . 2009-03-28 17:42 0 --a------ c:\windows\nsreg.dat
2009-03-25 12:54 . 2009-04-01 03:29 <DIR> d-------- c:\windows\system32\Beautiful Katamari dir
2009-03-25 12:54 . 2009-03-25 12:54 520,192 --a------ c:\windows\system32\Beautiful Katamari.scr
2009-03-23 09:02 . 2009-03-23 13:27 <DIR> d-------- c:\program files\Google
2009-03-23 01:17 . 2009-03-23 01:17 <DIR> d-------- c:\windows\system32\Adobe
2009-03-21 11:41 . 2009-03-21 11:41 0 --a------ c:\windows\ativpsrm.bin
2009-03-21 11:40 . 2009-02-25 14:15 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-21 11:39 . 2009-03-21 11:39 <DIR> d-------- C:\ATI
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iTunes
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iPod
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Bonjour
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 07:54 . 2008-04-17 11:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-17 07:54 . 2009-01-15 11:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 07:53 . 2009-03-17 07:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-17 07:53 . 2009-03-17 07:53 1,409 --a------ c:\windows\QTFont.for
2009-03-17 07:52 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\program files\Apple Software Update
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-10 19:48 . 2009-03-30 11:32 <DIR> d-------- c:\program files\Oberon Media
2009-03-10 19:48 . 2009-03-10 19:48 <DIR> d-------- c:\program files\Common Files\Oberon Media
2009-03-10 19:48 . 2009-03-30 10:07 <DIR> d-------- c:\documents and settings\Michael\Application Data\PlayFirst
2009-03-10 19:48 . 2009-04-05 13:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 19:48 . 2009-03-27 15:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-09 02:24 . 2009-03-09 02:24 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-08 17:37 . 2009-03-08 17:37 <DIR> d-------- c:\windows\Sun
2009-03-08 17:35 . 2009-03-27 09:14 <DIR> d-------- c:\program files\Java
2009-03-08 17:35 . 2009-03-09 04:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 17:35 . 2009-03-09 01:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\program files\PopCap Games
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-03-08 15:51 . 2009-03-08 15:51 <DIR> d--hs---- c:\documents and settings\Michael\UserData
2009-03-08 14:29 . 2008-06-13 23:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-08 14:29 . 2008-06-13 23:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-08 14:20 . 2009-03-08 14:21 <DIR> d-------- c:\program files\3 MobileBroadband
2009-03-08 14:20 . 2008-03-16 13:47 872,192 --a------ c:\windows\system32\drivers\mod7700.sys
2009-03-08 14:20 . 2008-03-17 10:56 103,168 --a------ c:\windows\system32\drivers\ewusbfake.sys
2009-03-08 14:20 . 2008-03-17 10:03 101,376 --a------ c:\windows\system32\drivers\ewusbmdm.sys
2009-03-08 14:20 . 2008-01-22 14:09 100,992 --a------ c:\windows\system32\drivers\ewusbnet.sys
2009-03-08 14:20 . 2007-08-09 03:13 24,448 --a------ c:\windows\system32\drivers\ewdcsc.sys
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Teleca
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Sony Ericsson
2009-03-07 18:00 . 2006-11-10 17:24 90,800 -ra------ c:\windows\system32\drivers\se2Eunic.sys
2009-03-07 18:00 . 2006-11-10 17:23 18,704 -ra------ c:\windows\system32\drivers\se2End5.sys
2009-03-07 18:00 . 2006-11-10 17:23 4,128 -ra------ c:\windows\system32\drivers\se2Ecr.sys
2009-03-07 16:38 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Apple Computer
2009-03-07 16:37 . 2009-03-07 16:37 <DIR> d-------- c:\documents and settings\Michael\Application Data\AdobeUM
2009-03-07 16:35 . 2006-11-10 17:23 88,688 -ra------ c:\windows\system32\drivers\SE2Emgmt.sys
2009-03-07 16:35 . 2006-11-10 17:23 86,560 -ra------ c:\windows\system32\drivers\SE2Eobex.sys
2009-03-07 16:34 . 2006-11-10 17:23 97,184 -ra------ c:\windows\system32\drivers\SE2Emdm.sys
2009-03-07 16:34 . 2006-11-10 17:23 61,600 -ra------ c:\windows\system32\drivers\SE2Ebus.sys
2009-03-07 16:34 . 2006-11-10 17:23 9,360 -ra------ c:\windows\system32\drivers\SE2Emdfl.sys
2009-03-07 16:34 . 2006-11-10 17:23 6,240 -ra------ c:\windows\system32\drivers\SE2Ecmnt.sys
2009-03-07 16:34 . 2006-11-10 17:23 6,240 -ra------ c:\windows\system32\drivers\SE2Ecm.sys
2009-03-07 16:34 . 2006-11-10 17:24 5,872 -ra------ c:\windows\system32\drivers\SE2Ewhnt.sys
2009-03-07 16:34 . 2006-11-10 17:24 5,872 -ra------ c:\windows\system32\drivers\SE2Ewh.sys
2009-03-07 16:29 . 2009-03-17 07:53 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 01:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 22:39 --------- d-----w c:\program files\IDT
2009-03-07 06:14 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-25 22:58 3,565,568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 21:42 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-25 21:41 325,120 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-25 21:30 204,800 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-25 21:30 11,841,536 ----a-w c:\windows\system32\atioglxx.dll
2009-02-25 21:29 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-25 21:29 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-25 21:27 602,112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-25 21:26 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-25 21:16 3,817,984 ----a-w c:\windows\system32\ati3duag.dll
2009-02-25 21:09 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-25 20:59 2,670,080 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-25 20:44 49,664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-25 20:40 475,136 ----a-w c:\windows\system32\atikvmag.dll
2009-02-25 20:38 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-25 20:38 126,976 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-25 20:37 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-25 20:35 290,816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-25 20:32 626,688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-25 20:30 3,227,648 ----a-w c:\windows\system32\aticaldd.dll
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 02:34 --------- d-----w c:\program files\Realtek
2009-02-09 02:28 --------- d-----w c:\program files\Intel
2009-02-09 00:04 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( SnapShot@2009-04-05_13.50.28.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 01:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\4-6-2009\ERDNT.EXE
+ 2009-04-05 22:38:25 2,822,144 ----a-w c:\windows\ERDNT\AutoBackup\4-6-2009\Users\00000001\NTUSER.DAT
+ 2009-04-05 22:38:25 163,840 ----a-w c:\windows\ERDNT\AutoBackup\4-6-2009\Users\00000002\UsrClass.dat
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-13 07:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-13 07:39:00 123,904 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2007-08-13 07:35:46 346,624 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2007-08-13 07:35:38 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2007-08-13 07:54:10 131,584 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2007-08-13 07:36:26 61,952 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2007-08-13 07:39:06 54,784 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2007-08-13 07:39:26 152,064 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2007-08-13 07:39:54 229,376 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2007-08-13 06:56:54 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2007-02-12 05:10:12 2,451,312 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dat
+ 2007-07-11 01:27:48 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2007-08-13 07:39:50 382,976 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2007-08-13 07:54:10 6,049,280 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2007-08-13 07:39:10 43,008 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2007-08-13 07:34:04 266,752 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2007-08-13 07:39:10 13,312 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2007-08-13 07:43:56 622,080 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2007-08-13 07:54:10 27,136 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2007-08-13 07:54:10 458,752 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2007-08-13 07:54:10 50,688 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2007-08-13 07:54:12 3,578,368 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2007-08-13 07:54:10 475,648 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2007-08-13 07:44:26 192,000 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2007-08-13 07:54:10 670,720 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2007-08-13 07:44:06 101,376 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2007-08-13 07:36:12 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2007-08-13 07:44:30 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2007-08-13 07:54:10 1,162,240 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2007-08-13 07:54:10 231,424 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2007-08-13 07:54:10 818,688 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2007-08-13 07:39:00 123,904 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2007-08-13 07:39:00 123,904 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2007-08-13 07:35:46 346,624 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2007-08-13 07:35:38 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-13 07:54:10 131,584 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2007-08-13 07:39:06 54,784 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-13 07:39:26 152,064 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-13 07:39:54 229,376 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2007-08-13 06:56:54 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2007-08-13 07:39:50 382,976 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 07:39:10 43,008 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2007-08-13 07:43:56 622,080 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2007-08-13 07:54:10 27,136 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-13 07:54:12 3,578,368 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-16 11:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2007-08-13 07:54:10 475,648 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2007-08-13 07:44:26 192,000 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2007-08-13 07:54:10 670,720 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2007-08-13 07:44:06 101,376 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2007-08-13 07:36:12 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2007-08-13 07:44:30 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2007-08-13 07:54:10 1,162,240 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2007-08-13 07:54:10 765,952 -c--a-w c:\windows\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58 765,952 -c--a-w c:\windows\system32\dllcache\vgx.dll
- 2007-08-13 07:54:10 231,424 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2007-08-13 07:54:10 818,688 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2007-08-13 07:35:46 346,624 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2007-08-13 07:35:38 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2007-08-13 07:54:10 131,584 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2007-08-13 07:36:26 61,952 ------w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2007-08-13 07:39:06 54,784 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2007-08-13 07:39:26 152,064 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2007-08-13 07:39:54 229,376 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2007-08-13 06:56:54 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2007-02-12 05:10:12 2,451,312 ------w c:\windows\system32\ieapfltr.dat
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\system32\ieapfltr.dat
- 2007-07-11 01:27:48 383,488 ------w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2007-08-13 07:39:50 382,976 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2007-08-13 07:54:10 6,049,280 ------w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2007-08-13 07:39:10 43,008 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2007-08-13 07:34:04 266,752 ------w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2007-08-13 07:39:10 13,312 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2007-08-13 07:54:10 27,136 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2007-08-13 07:54:10 458,752 ------w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2007-08-13 07:54:10 50,688 ------w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2007-08-13 07:54:12 3,578,368 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-16 11:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2007-08-13 07:54:10 475,648 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2007-08-13 07:44:26 192,000 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2007-08-13 07:54:10 670,720 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2007-08-13 07:44:06 101,376 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2007-08-13 07:36:12 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-08-13 07:44:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2007-08-13 07:54:10 1,162,240 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2007-08-13 07:54:10 231,424 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2007-08-13 07:54:10 818,688 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2009-04-06 08:56:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_598.dat
+ 2006-12-01 12:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 14:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 14:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 14:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 14:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 14:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 14:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 14:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 14:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 14:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 14:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 14:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 14:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 14:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 14:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2009-03-08 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler V3.exe [2009-03-07 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 19:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 15:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 00:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 04:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-01 130424]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-04-01 348752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-06 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro\RegFixPro.exe []

2009-04-06 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro []

2009-04-06 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool\RegTool.exe []

2009-04-06 c:\windows\Tasks\RegTool Scan.job
- c:\program files\RegTool []

2009-04-06 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]

2009-04-01 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.games.yahoo.com/
mStart Page = hxxp://au.games.yahoo.com/
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://games.bigfishgames.com/en_chocolatier-2-secret-ingredients/online/Chocolatier2Web.1.0.0.10.cab
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://games.bigfishgames.com/en_parking-dash/online/parkingdash.1.0.0.10.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 19:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-06 19:02:15
ComboFix-quarantined-files.txt 2009-04-06 09:02:13

Pre-Run: 68,032,811,008 bytes free
Post-Run: 68,067,020,800 bytes free

438 --- E O F --- 2009-04-05 05:11:39




HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:27 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\intelxpv_v83\wdm\STacSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://games.bigfish...eb.1.0.0.21.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfish...Web.1.0.0.9.cab
O16 - DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} (CPlayFirstFitnessDasControl Object) - http://games.bigfish...eb.1.0.0.11.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.s...abs/tgctlsr.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://games.bigfish...Web.1.0.0.9.cab
O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfish...eb.1.0.0.11.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://games.bigfish...tg.1.0.0.33.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://games.bigfish...eb.1.0.0.10.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfish...inematycoon.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://gamecenter.ob...sh.1.0.0.47.cab
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} (CPlayFirstParkingDasControl Object) - http://games.bigfish...sh.1.0.0.10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDD114B4-C5B6-4EED-AC28-96C9A45FC6B0}: NameServer = 202.124.76.98 202.124.68.130
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v83\wdm\STacSV.exe

--
End of file - 6152 bytes




VirSCAN C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/04/06 19:06:43 (EST)
Scanner results: All Scanners reported not find malware!
File Name : 3 MobileBroadband.exe
File Size : 110592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e7c4b8feb68e8f2759213b3c889b7349
SHA1 : 0cd7ced74b39314c63ccd4803b7a30471e469b9d
Online report : http://virscan.org/r...29253f1b25.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090406020355 2009-04-06 2.62 -
AhnLab V3 2009.04.06.02 2009.04.06 2009-04-06 1.72 -
AntiVir 7.9.0.138 7.1.3.16 2009-04-06 2.61 -
Antiy 2.0.18 20090406.2281954 2009-04-06 0.12 -
Authentium 5.1.1 200904051244 2009-04-05 1.34 -
AVAST! 3.0.1 090405-1 2009-04-05 0.01 -
AVG 7.5.52.442 270.11.43/2043 2009-04-06 2.06 -
BitDefender 7.81008.2828940 7.24644 2009-04-06 2.65 -
CA (VET) 9.0.0.143 31.6.6435 2009-04-04 6.92 -
ClamAV 0.95 9205 2009-04-05 0.03 -
Comodo 3.8 1100 2009-04-05 1.10 -
CP Secure 1.1.0.715 2009.04.06 2009-04-06 8.04 -
Dr.Web 4.44.0.9170 2009.04.06 2009-04-06 4.36 -
F-Prot 4.4.4.56 20090405 2009-04-05 1.25 -
F-Secure 5.51.6100 2009.04.06.03 2009-04-06 0.06 -
Fortinet 2.81-3.117 10.251 2009-04-05 0.98 -
GData 19.4437/19.290 20090406 2009-04-06 5.04 -
ViRobot 20090404 2009.04.04 2009-04-04 0.80 -
Ikarus T3.1.01.49 2009.04.06.72531 2009-04-06 3.32 -
JiangMin 11.0.706 2009.04.05 2009-04-05 1.86 -
Kaspersky 5.5.10 2009.04.06 2009-04-06 0.05 -
KingSoft 2009.2.5.15 2009.4.6.14 2009-04-06 0.65 -
McAfee 5.3.00 5575 2009-04-05 2.72 -
Microsoft 1.4502 2009.04.06 2009-04-06 4.67 -
mks_vir 2.01 2009.04.05 2009-04-05 2.80 -
Norman 6.00.06 6.00.00 2009-04-03 10.01 -
Panda 9.05.01 2009.04.05 2009-04-05 1.58 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.04 -
Quick Heal 10.00 2009.04.04 2009-04-04 1.10 -
Rising 20.0 21.23.40.00 2009-04-03 1.07 -
Sophos 2.85.0 4.40 2009-04-06 2.02 -
Sunbelt 5078 5078 2009-04-04 5.48 -
Symantec 1.3.0.24 20090405.003 2009-04-05 0.17 -
nProtect 20090406.01 3423365 2009-04-06 7.94 -
The Hacker 6.3.4.0 v00302 2009-04-05 0.58 -
VBA32 3.12.10.2 20090405.1443 2009-04-05 1.91 -
VirusBuster 4.5.11.10 10.102.34/1210107 2009-04-05 1.68 -




VirSCAN c:\windows\system32\kittyinthewindow_3102795.scr

VirSCAN.org Scanned Report :
Scanned time : 2009/04/06 19:12:52 (EST)
Scanner results: All Scanners reported not find malware!
File Name : kittyinthewindow_3102795.scr
File Size : 520192 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 4b970a6d73ed6d2932e9a3ab52ef9801
SHA1 : 79feb0265a84c8e8ea554bca5dc262ce31058f49
Online report : http://virscan.org/r...08e3862ee5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090406020355 2009-04-06 3.59 -
AhnLab V3 2009.04.06.02 2009.04.06 2009-04-06 0.71 -
AntiVir 7.9.0.138 7.1.3.16 2009-04-06 1.98 -
Antiy 2.0.18 20090406.2281954 2009-04-06 0.12 -
Authentium 5.1.1 200904051244 2009-04-05 2.16 -
AVAST! 3.0.1 090405-1 2009-04-05 0.06 -
AVG 7.5.52.442 270.11.43/2043 2009-04-06 2.01 -
BitDefender 7.81008.2828940 7.24644 2009-04-06 2.65 -
CA (VET) 9.0.0.143 31.6.6435 2009-04-04 3.83 -
ClamAV 0.95 9205 2009-04-05 0.11 -
Comodo 3.8 1100 2009-04-05 0.56 -
CP Secure 1.1.0.715 2009.04.06 2009-04-06 8.01 -
Dr.Web 4.44.0.9170 2009.04.06 2009-04-06 4.55 -
F-Prot 4.4.4.56 20090405 2009-04-05 2.09 -
F-Secure 5.51.6100 2009.04.06.03 2009-04-06 0.09 -
Fortinet 2.81-3.117 10.251 2009-04-05 0.22 -
GData 19.4437/19.290 20090406 2009-04-06 3.60 -
ViRobot 20090404 2009.04.04 2009-04-04 0.74 -
Ikarus T3.1.01.49 2009.04.06.72531 2009-04-06 3.68 -
JiangMin 11.0.706 2009.04.05 2009-04-05 2.07 -
Kaspersky 5.5.10 2009.04.06 2009-04-06 0.07 -
KingSoft 2009.2.5.15 2009.4.6.14 2009-04-06 0.60 -
McAfee 5.3.00 5575 2009-04-05 2.80 -
Microsoft 1.4502 2009.04.06 2009-04-06 6.67 -
mks_vir 2.01 2009.04.05 2009-04-05 2.74 -
Norman 6.00.06 6.00.00 2009-04-03 8.01 -
Panda 9.05.01 2009.04.05 2009-04-05 1.96 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.04 -
Quick Heal 10.00 2009.04.04 2009-04-04 1.23 -
Rising 20.0 21.23.40.00 2009-04-03 0.89 -
Sophos 2.85.0 4.40 2009-04-06 2.04 -
Sunbelt 5078 5078 2009-04-04 0.80 -
Symantec 1.3.0.24 20090405.003 2009-04-05 0.06 -
nProtect 20090406.01 3423365 2009-04-06 5.02 -
The Hacker 6.3.4.0 v00302 2009-04-05 0.78 -
VBA32 3.12.10.2 20090405.1443 2009-04-05 2.91 -
VirusBuster 4.5.11.10 10.102.34/1210107 2009-04-05 1.61 -




VirSCAN c:\windows\system32\Beautiful Katamari.scr

VirSCAN.org Scanned Report :
Scanned time : 2009/04/06 19:16:35 (EST)
Scanner results: All Scanners reported not find malware!
File Name : Beautiful Katamari.scr
File Size : 520192 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7bb8f9473789a107e115c77f2374a07b
SHA1 : d201f4f91e28f50b98191efa24db67a702049e80
Online report : http://virscan.org/r...98afff82b0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090406020355 2009-04-06 2.26 -
AhnLab V3 2009.04.06.02 2009.04.06 2009-04-06 0.62 -
AntiVir 7.9.0.138 7.1.3.16 2009-04-06 1.99 -
Antiy 2.0.18 20090406.2281954 2009-04-06 0.12 -
Authentium 5.1.1 200904051244 2009-04-05 2.13 -
AVAST! 3.0.1 090405-1 2009-04-05 0.06 -
AVG 7.5.52.442 270.11.43/2043 2009-04-06 2.05 -
BitDefender 7.81008.2828940 7.24644 2009-04-06 2.66 -
CA (VET) 9.0.0.143 31.6.6435 2009-04-04 6.55 -
ClamAV 0.95 9205 2009-04-05 0.11 -
Comodo 3.8 1100 2009-04-05 0.79 -
CP Secure 1.1.0.715 2009.04.06 2009-04-06 8.17 -
Dr.Web 4.44.0.9170 2009.04.06 2009-04-06 4.81 -
F-Prot 4.4.4.56 20090405 2009-04-05 2.56 -
F-Secure 5.51.6100 2009.04.06.03 2009-04-06 5.41 -
Fortinet 2.81-3.117 10.251 2009-04-05 0.97 -
GData 19.4437/19.290 20090406 2009-04-06 8.13 -
ViRobot 20090404 2009.04.04 2009-04-04 0.94 -
Ikarus T3.1.01.49 2009.04.06.72531 2009-04-06 4.61 -
JiangMin 11.0.706 2009.04.05 2009-04-05 3.84 -
Kaspersky 5.5.10 2009.04.06 2009-04-06 0.08 -
KingSoft 2009.2.5.15 2009.4.6.14 2009-04-06 4.27 -
McAfee 5.3.00 5575 2009-04-05 2.77 -
Microsoft 1.4502 2009.04.06 2009-04-06 11.66 -
mks_vir 2.01 2009.04.05 2009-04-05 2.76 -
Norman 6.00.06 6.00.00 2009-04-03 10.01 -
Panda 9.05.01 2009.04.05 2009-04-05 3.09 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.04 -
Quick Heal 10.00 2009.04.04 2009-04-04 1.91 -
Rising 20.0 21.23.40.00 2009-04-03 1.05 -
Sophos 2.85.0 4.40 2009-04-06 2.13 -
Sunbelt 5078 5078 2009-04-04 2.30 -
Symantec 1.3.0.24 20090405.003 2009-04-05 0.52 -
nProtect 20090406.01 3423365 2009-04-06 7.58 -
The Hacker 6.3.4.0 v00302 2009-04-05 2.46 -
VBA32 3.12.10.2 20090405.1443 2009-04-05 2.92 -
VirusBuster 4.5.11.10 10.102.34/1210107 2009-04-05 1.61 -
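A worked triage of the reports above, added here as an example; it is not part of the original thread and not code from ComboFix, HijackThis or VirSCAN. The script walks a ComboFix or HijackThis report line by line and flags the entries a malware-removal helper reads first: dead BHO registrations, a bare executable in the Startup folder, IE lockdown policies, services with no publisher string, the firewall switched off, a cached AutoRun command for a removable drive, and scheduled tasks whose target file no longer exists. The embedded sample text is constructed from a handful of lines of the logs posted above (truncated lines left out), and the rule names are the example's own, not terms used by either tool.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines shaped like the ComboFix and HijackThis
# output posted above. Not the poster's complete logs; truncated lines omitted.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

2009-04-06 c:\windows\Tasks\RegFixPro Scan.job
- c:\program files\RegFixPro\RegFixPro.exe []

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

Finding = Tuple[str, str]  # (rule name, the line or line pair that triggered it)

# Single-line indicators; rule names are this example's own, not tool terms.
LINE_RULES = [
    # HijackThis O2: BHO still registered but its DLL is gone (dead entry).
    ("orphaned-bho", re.compile(r"^O2 - BHO: .* - \(no file\)$")),
    # HijackThis O4: an executable sitting directly in the Startup folder,
    # rather than a .lnk pointing at an installed program.
    ("bare-exe-in-startup", re.compile(r"^O4 - Startup: [^\\=]+\.exe$", re.I)),
    # HijackThis O6: IE lockdown policies. Normal on a managed domain PC;
    # on a home PC they are usually set by malware or a rogue 'cleaner'.
    ("ie-policy-restriction",
     re.compile(r"^O6 - HK(LM|CU)\\Software\\Policies\\Microsoft\\Internet Explorer\\.* present$")),
    # HijackThis O23: service binary with no publisher string. Worth a look,
    # not a verdict (plenty of OEM components ship without one).
    ("service-unknown-owner", re.compile(r"^O23 - Service: .* - Unknown owner - ")),
    # ComboFix: Windows Firewall switched off for the standard profile.
    ("firewall-disabled", re.compile(r'^"EnableFirewall"=\s*0\b')),
    # ComboFix: AutoRun command cached for a removable drive under MountPoints2.
    ("mountpoints2-autorun", re.compile(r"^\\Shell\\AutoRun\\command - ")),
]

# ComboFix scheduled-task pairs: a "<date> <path>.job" header followed by
# "- <target> [<date> <time>]". Empty brackets mean the target was not found.
TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.*\.job)$", re.I)
TASK_TARGET_MISSING = re.compile(r"^- (?P<target>.+) \[\]$")


def triage(report: str) -> List[Finding]:
    """Walk a ComboFix/HijackThis report and return (rule, evidence) pairs."""
    findings: List[Finding] = []
    prev = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            prev = ""
            continue
        for rule, rx in LINE_RULES:
            if rx.match(line):
                findings.append((rule, line))
        target = TASK_TARGET_MISSING.match(line)
        if target and TASK_HEADER.match(prev):
            findings.append(("task-target-missing", f"{prev} -> {target.group('target')}"))
        prev = line
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview of a long report."""
    counts: Dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE):
        print(f"{rule:24} {evidence}")
```

Run as-is, it reports one hit per rule for the sample and stays silent on the Adobe BHO, the ERUNT shortcut and the Apple task, which all resolve to files that exist. Every hit is an indicator to check, not a verdict: the O6 policies are legitimate on a domain-joined machine, "Unknown owner" only means HijackThis found no publisher string, and an empty bracket pair after a ComboFix task target means the file was absent when ComboFix ran, so the .job is a dead pointer to clean up rather than a running program.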

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The .scr and .dir files seem to be OK, so we will leave them in, but we will delete the rrt files. It seems, though, that the ComboFix script did not go through, so we will try again. I am hoping that when it does you will be able to access regedit again.

Stay away from System Restore; it will still be infected right the way through to our final post (we flush it at the end).

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\Tasks\RegFixPro Scan.job
c:\program files\RegFixPro\RegFixPro.exe
c:\windows\Tasks\RegFixPro Scan.job
c:\windows\Tasks\RegTool Scan.job
c:\program files\RegTool\RegTool.exe
c:\windows\Tasks\RegTool Scan.job
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav

Folder::
c:\documents and settings\All Users\Application Data\BigFishGamesCache
c:\program files\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar

Registry::
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{049A470D-F818-4E34-B14D-E4E237DADCF8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195B4BBF-E1E4-4020-9773-0A8C6F65EA35}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{26E6B759-DEEB-42A1-A21C-78CD29098411}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4DCA1E08-4147-4A3D-8CA6-E095DF189FAB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{74EF5274-F439-2168-B543-14745B625C72}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D40F5876-A494-4124-8161-82625BB28C06}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F135A813-7152-4532-AC8D-28AC2136DFC7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5914b09a-0b98-11de-99c1-cda28a94d62d}]

DirLook::
c:\program files\Roller Rush
c:\program files\wlkbuddy


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

And a new HijackThis log, please.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
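Before a script like the one above is run, it is worth checking it mechanically for copy/paste slips and over-broad targets. The linter below is an added example, not ComboFix's code or the helper's: it parses the File::/Folder::/Registry::/DirLook:: layout and the [-HIVE\key] delete syntax used in the script above, flags duplicate entries (the script lists both .job files twice), and reports as errors any path or registry key too shallow to be one program's leftovers; the severity thresholds are this example's own heuristics.

```python
r"""Pre-flight review of a ComboFix CFScript.txt (added example, not ComboFix's code).
Section names and the [-HIVE\key] delete syntax follow the script posted in this
thread; the checks and their thresholds are this example's own heuristics."""
import re
from collections import Counter

# File::, Folder:: and Registry:: remove things; DirLook:: only lists a folder in the log.
KNOWN_SECTIONS = {"File", "Folder", "Registry", "DirLook"}
PATH_SECTIONS = {"File", "Folder", "DirLook"}
ROOT_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
              "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# A bare drive, \windows, \windows\system32 or \program files must never be a removal target.
SYSTEM_ROOT_RE = re.compile(r"[A-Za-z]:\\(windows(\\system32)?|program files)?\\?", re.I)
# [-HIVE\path] deletes the key, [HIVE\path] selects it: the same syntax as a .reg file.
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$")

# Subset of the CFScript posted in this thread, embedded as sample input (note the duplicates).
SAMPLE_SCRIPT = r"""
File::
c:\windows\Tasks\RegFixPro Scan.job
c:\program files\RegFixPro\RegFixPro.exe
c:\windows\Tasks\RegFixPro Scan.job
c:\windows\Tasks\RegTool Scan.job
c:\program files\RegTool\RegTool.exe
c:\windows\Tasks\RegTool Scan.job

Folder::
c:\documents and settings\All Users\Application Data\BigFishGamesCache
c:\program files\GamesBar

Registry::
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]

DirLook::
c:\program files\Roller Rush
c:\program files\wlkbuddy
"""


def parse_cfscript(text):
    """Return {section: [entries]} in file order, keeping duplicates; blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def lint_cfscript(text):
    """Return (severity, message) findings: info = tidy up, warn = check, error = do not run."""
    findings = []
    for name, entries in parse_cfscript(text).items():
        if name not in KNOWN_SECTIONS:
            findings.append(("warn", f"unknown section {name}::"))
        # Duplicates are harmless to ComboFix but usually signal a copy/paste slip.
        for entry, n in Counter(entries).items():
            if n > 1:
                findings.append(("info", f"{name}:: lists {entry!r} {n} times"))
        for entry in entries:
            if name in PATH_SECTIONS:
                if not DRIVE_PATH_RE.match(entry):
                    findings.append(("warn", f"{name}:: is not an absolute drive path: {entry!r}"))
                elif SYSTEM_ROOT_RE.fullmatch(entry):
                    findings.append(("error", f"{name}:: targets a system root: {entry!r}"))
            elif name == "Registry":
                m = REG_KEY_RE.match(entry)
                if not m:
                    findings.append(("warn", f"Registry:: is not a [HIVE\\key] line: {entry!r}"))
                    continue
                minus, hive, path = m.groups()
                if hive not in ROOT_HIVES:
                    findings.append(("warn", f"Registry:: unknown hive {hive} in {entry!r}"))
                # Heuristic: deleting a key under three levels deep (e.g. Software\Microsoft) wipes far too much.
                if minus and path.count("\\") < 2:
                    findings.append(("error", f"Registry:: deletes a very shallow key: {entry!r}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_cfscript(SAMPLE_SCRIPT):
        print(f"[{severity}] {message}")
```

Run stand-alone it reports only the two duplicated .job entries in the sample; point it at a real CFScript.txt instead of SAMPLE_SCRIPT to review that script the same way.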

#7
bugatronic25
Topic Starter, Member, 27 posts
Hi Andrewuk,

I saw ComboFix going through and deleting files this time; I'm guessing it worked this time, having named CFScript.txt correctly. I didn't try to install the Windows Recovery Console; I managed to get ComboFix to run with Norton 360 disabled and not entirely uninstalled.

regedit has been good since I ran ComboFix the first time, as per my earlier post.

New logs included below.
Thanks



ComboFix

ComboFix 09-04-04.01 - Michael 2009-04-07 0:17:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.604 [GMT 10:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\program files\RegFixPro\RegFixPro.exe
c:\program files\RegTool\RegTool.exe
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav
c:\windows\Tasks\RegFixPro Scan.job
c:\windows\Tasks\RegTool Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\BigFishGamesCache
c:\documents and settings\All Users\Application Data\BigFishGamesCache\DRM1\ActivationInformation.xml
c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\ClientConfig\config.xml
c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\log\bfglog.txt
c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\log\gamemanager_install_log.txt
c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\log\gamestub_install_log.txt
c:\documents and settings\All Users\Application Data\BigFishGamesCache\Persistant\persistant.xml
c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\downloadtest_F731T1L1.bin
c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\rollerrush_s1_l1_gF731T1L1_d483818842.exe
c:\documents and settings\All Users\Application Data\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar\about.gif
c:\documents and settings\All Users\Application Data\GamesBar\action.gif
c:\documents and settings\All Users\Application Data\GamesBar\alabama_smith16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\allTimefavorite.gif
c:\documents and settings\All Users\Application Data\GamesBar\arcade.gif
c:\documents and settings\All Users\Application Data\GamesBar\blockbuster.gif
c:\documents and settings\All Users\Application Data\GamesBar\buy.gif
c:\documents and settings\All Users\Application Data\GamesBar\cards.gif
c:\documents and settings\All Users\Application Data\GamesBar\deals.gif
c:\documents and settings\All Users\Application Data\GamesBar\download.gif
c:\documents and settings\All Users\Application Data\GamesBar\dream_day_honeymoon16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\familyFun.gif
c:\documents and settings\All Users\Application Data\GamesBar\farm_frenzy_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\feedback.gif
c:\documents and settings\All Users\Application Data\GamesBar\gourmania16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\heartwild_solitaire16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\help.gif
c:\documents and settings\All Users\Application Data\GamesBar\highlight.gif
c:\documents and settings\All Users\Application Data\GamesBar\hospital_hustle16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\MagicBall2_NW16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\mahjong.gif
c:\documents and settings\All Users\Application Data\GamesBar\mobile.gif
c:\documents and settings\All Users\Application Data\GamesBar\multiplayer.gif
c:\documents and settings\All Users\Application Data\GamesBar\mygames.gif
c:\documents and settings\All Users\Application Data\GamesBar\newGames.gif
c:\documents and settings\All Users\Application Data\GamesBar\oberonconfig.xm_
c:\documents and settings\All Users\Application Data\GamesBar\onload\loading.gif
c:\documents and settings\All Users\Application Data\GamesBar\partner.gif
c:\documents and settings\All Users\Application Data\GamesBar\puzzle.gif
c:\documents and settings\All Users\Application Data\GamesBar\search.gif
c:\documents and settings\All Users\Application Data\GamesBar\search_yahoo.gif
c:\documents and settings\All Users\Application Data\GamesBar\searchAndFind.gif
c:\documents and settings\All Users\Application Data\GamesBar\sendafriend.gif
c:\documents and settings\All Users\Application Data\GamesBar\strike_ball_316x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\treasure_masters16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\trial.gif
c:\documents and settings\All Users\Application Data\GamesBar\uninstall.gif
c:\documents and settings\All Users\Application Data\GamesBar\update.gif
c:\documents and settings\All Users\Application Data\GamesBar\webgame.gif
c:\documents and settings\All Users\Application Data\GamesBar\womens_murder_club16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\word.gif
c:\documents and settings\All Users\Application Data\GamesBar\world_mosaics16x16.gif
c:\program files\GamesBar
c:\program files\GamesBar\Localization2-English.ini
c:\program files\GamesBar\uninst.exe
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_vf.wav
c:\windows\Tasks\RegFixPro Scan.job
c:\windows\Tasks\RegTool Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 20:00 . 2009-04-06 19:59 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\windows\system32\drivers\N360
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\windows\LastGood
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\program files\Windows Sidebar
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\program files\Symantec
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\program files\Norton 360
2009-04-06 19:59 . 2009-04-06 19:59 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-04-06 19:59 . 2009-04-06 19:59 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-06 19:59 . 2009-04-06 19:59 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-04-06 19:59 . 2009-04-06 19:59 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-06 19:59 . 2009-04-06 19:59 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-04-06 09:01 . 2009-04-06 09:01 <DIR> d-------- c:\documents and settings\Michael\Application Data\Yahoo!
2009-04-06 08:59 . 2009-04-06 09:27 <DIR> d-------- c:\program files\Yahoo!
2009-04-06 08:59 . 2009-04-06 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 14:31 . 2008-12-21 09:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-04-05 14:31 . 2007-04-17 19:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-05 14:31 . 2007-03-08 15:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-05 14:31 . 2008-12-21 09:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-04-05 14:31 . 2008-12-21 09:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-05 14:31 . 2008-12-21 09:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-04-05 14:31 . 2008-12-21 09:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-04-05 14:31 . 2008-12-21 09:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-05 14:31 . 2008-12-19 19:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-04-05 12:50 . 2009-04-05 12:50 <DIR> d-------- c:\program files\Trend Micro
2009-04-03 15:41 . 2009-04-03 15:42 <DIR> d-------- c:\program files\Roller Rush
2009-04-03 15:02 . 2009-04-03 15:02 <DIR> d-------- c:\windows\system32\lightningstrikes_3123875 dir
2009-04-03 15:02 . 2009-04-03 15:02 520,192 --a------ c:\windows\system32\lightningstrikes_3123875.scr
2009-04-03 14:57 . 2009-04-03 14:57 <DIR> d-------- c:\windows\system32\kittenandbutterfly_3122093 dir
2009-04-03 14:57 . 2009-04-03 14:57 520,192 --a------ c:\windows\system32\kittenandbutterfly_3122093.scr
2009-04-03 14:55 . 2009-04-03 14:55 <DIR> d-------- c:\windows\system32\kittyinthewindow_3102795 dir
2009-04-03 14:55 . 2009-04-03 14:55 520,192 --a------ c:\windows\system32\kittyinthewindow_3102795.scr
2009-04-01 18:41 . 2009-04-01 18:42 <DIR> d-------- C:\Rooter$
2009-04-01 17:54 . 2009-04-01 17:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-04-01 18:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 17:53 . 2009-04-01 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:53 . 2009-03-26 15:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 17:53 . 2009-03-26 15:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-01 17:49 . 2009-04-01 17:49 <DIR> d-------- c:\program files\ERUNT
2009-04-01 17:26 . 2009-04-01 17:26 <DIR> d-------- C:\hijackthis
2009-04-01 17:14 . 2009-04-01 17:14 <DIR> d-------- c:\program files\XoftSpySE
2009-04-01 15:50 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Copy of Software.reg
2009-04-01 15:09 . 2009-04-01 15:22 10 --a------ c:\windows\WININIT.INI
2009-04-01 05:05 . 2009-04-01 05:05 <DIR> d-------- c:\documents and settings\Administrator
2009-04-01 04:37 . 2009-04-01 04:38 25,932,272 --a------ c:\windows\Software.reg
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\windows\Special Agent P. C. Secure
2009-04-01 04:31 . 2009-04-01 04:31 <DIR> d-------- c:\program files\Easy Desk Utilities
2009-04-01 03:51 . 2009-04-04 10:18 <DIR> d-------- c:\program files\Spyware Doctor
2009-04-01 03:51 . 2009-04-01 03:52 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\Michael\Application Data\PC Tools
2009-04-01 03:51 . 2009-04-01 03:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-04-01 03:51 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-04-01 03:51 . 2008-12-11 07:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-04-01 03:51 . 2009-03-06 15:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-04-01 03:51 . 2008-12-18 11:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-01 03:51 . 2008-12-10 11:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-04-01 02:16 . 2009-04-01 02:16 <DIR> d-------- C:\EmergencyUtils
2009-04-01 01:23 . 2009-04-01 01:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\Uniblue
2009-03-31 20:10 . 2009-03-31 20:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-31 13:28 . 2009-03-31 13:28 <DIR> d-------- c:\program files\bfgclient
2009-03-31 11:26 . 2009-03-31 11:26 <DIR> d-------- c:\program files\wlkbuddy
2009-03-31 08:56 . 2009-04-06 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-31 08:55 . 2009-03-31 08:55 <DIR> d-------- c:\program files\NortonInstaller
2009-03-31 08:55 . 2009-04-06 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-31 08:55 . 2009-04-06 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-31 08:55 . 2009-04-06 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-31 08:23 . 2009-03-31 08:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegTool
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\plan change receipt
2009-03-29 02:58 . 2009-03-29 02:58 <DIR> d-------- C:\katamari
2009-03-29 02:57 . 2009-03-29 02:57 <DIR> d-------- C:\video card driver
2009-03-29 02:36 . 2009-03-29 02:38 <DIR> d-------- c:\documents and settings\Michael\Application Data\RegFixPro
2009-03-29 02:23 . 2009-03-29 02:23 <DIR> d-------- c:\windows\movies
2009-03-29 02:08 . 2004-08-04 22:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-28 17:42 . 2009-03-28 17:42 0 --a------ c:\windows\nsreg.dat
2009-03-25 12:54 . 2009-04-01 03:29 <DIR> d-------- c:\windows\system32\Beautiful Katamari dir
2009-03-25 12:54 . 2009-03-25 12:54 520,192 --a------ c:\windows\system32\Beautiful Katamari.scr
2009-03-23 09:02 . 2009-03-23 13:27 <DIR> d-------- c:\program files\Google
2009-03-23 01:17 . 2009-03-23 01:17 <DIR> d-------- c:\windows\system32\Adobe
2009-03-21 11:41 . 2009-03-21 11:41 0 --a------ c:\windows\ativpsrm.bin
2009-03-21 11:40 . 2009-02-25 14:15 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-21 11:39 . 2009-03-21 11:39 <DIR> d-------- C:\ATI
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iTunes
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\iPod
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Bonjour
2009-03-17 07:54 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 07:54 . 2008-04-17 11:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-17 07:54 . 2009-01-15 11:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 07:53 . 2009-03-17 07:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-17 07:53 . 2009-03-17 07:53 1,409 --a------ c:\windows\QTFont.for
2009-03-17 07:52 . 2009-03-17 07:54 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\program files\Apple Software Update
2009-03-17 07:52 . 2009-03-17 07:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-10 19:48 . 2009-03-30 11:32 <DIR> d-------- c:\program files\Oberon Media
2009-03-10 19:48 . 2009-03-10 19:48 <DIR> d-------- c:\program files\Common Files\Oberon Media
2009-03-10 19:48 . 2009-03-30 10:07 <DIR> d-------- c:\documents and settings\Michael\Application Data\PlayFirst
2009-03-10 19:48 . 2009-04-05 13:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 19:48 . 2009-03-27 15:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-09 02:24 . 2009-03-09 02:24 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-08 17:37 . 2009-03-08 17:37 <DIR> d-------- c:\windows\Sun
2009-03-08 17:35 . 2009-03-27 09:14 <DIR> d-------- c:\program files\Java
2009-03-08 17:35 . 2009-03-09 04:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 17:35 . 2009-03-09 01:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\program files\PopCap Games
2009-03-08 16:15 . 2009-03-08 16:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-03-08 15:51 . 2009-03-08 15:51 <DIR> d--hs---- c:\documents and settings\Michael\UserData
2009-03-08 14:29 . 2008-06-13 23:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-08 14:29 . 2008-06-13 23:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-08 14:20 . 2009-03-08 14:21 <DIR> d-------- c:\program files\3 MobileBroadband
2009-03-08 14:20 . 2008-03-16 13:47 872,192 --a------ c:\windows\system32\drivers\mod7700.sys
2009-03-08 14:20 . 2008-03-17 10:56 103,168 --a------ c:\windows\system32\drivers\ewusbfake.sys
2009-03-08 14:20 . 2008-03-17 10:03 101,376 --a------ c:\windows\system32\drivers\ewusbmdm.sys
2009-03-08 14:20 . 2008-01-22 14:09 100,992 --a------ c:\windows\system32\drivers\ewusbnet.sys
2009-03-08 14:20 . 2007-08-09 03:13 24,448 --a------ c:\windows\system32\drivers\ewdcsc.sys
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Teleca
2009-03-07 18:31 . 2009-03-07 18:31 <DIR> d-------- c:\documents and settings\Admin\Application Data\Sony Ericsson
2009-03-07 18:00 . 2006-11-10 17:24 90,800 -ra------ c:\windows\system32\drivers\se2Eunic.sys
2009-03-07 18:00 . 2006-11-10 17:23 18,704 -ra------ c:\windows\system32\drivers\se2End5.sys
2009-03-07 18:00 . 2006-11-10 17:23 4,128 -ra------ c:\windows\system32\drivers\se2Ecr.sys
2009-03-07 16:38 . 2009-03-17 07:54 <DIR> d-------- c:\documents and settings\Michael\Application Data\Apple Computer
2009-03-07 16:37 . 2009-03-07 16:37 <DIR> d-------- c:\documents and settings\Michael\Application Data\AdobeUM
2009-03-07 16:35 . 2006-11-10 17:23 88,688 -ra------ c:\windows\system32\drivers\SE2Emgmt.sys
2009-03-07 16:35 . 2006-11-10 17:23 86,560 -ra------ c:\windows\system32\drivers\SE2Eobex.sys
2009-03-07 16:34 . 2006-11-10 17:23 97,184 -ra------ c:\windows\system32\drivers\SE2Emdm.sys
2009-03-07 16:34 . 2006-11-10 17:23 61,600 -ra------ c:\windows\system32\drivers\SE2Ebus.sys
2009-03-07 16:34 . 2006-11-10 17:23 9,360 -ra------ c:\windows\system32\drivers\SE2Emdfl.sys
2009-03-07 16:34 . 2006-11-10 17:23 6,240 -ra------ c:\windows\system32\drivers\SE2Ecmnt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 01:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 22:39 --------- d-----w c:\program files\IDT
2009-03-07 06:14 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-25 22:58 3,565,568 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 21:42 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-25 21:41 325,120 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-25 21:30 204,800 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-25 21:30 11,841,536 ----a-w c:\windows\system32\atioglxx.dll
2009-02-25 21:29 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-25 21:29 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-25 21:29 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-25 21:27 602,112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-25 21:26 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-25 21:16 3,817,984 ----a-w c:\windows\system32\ati3duag.dll
2009-02-25 21:09 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-25 20:59 2,670,080 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-25 20:44 49,664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-25 20:40 475,136 ----a-w c:\windows\system32\atikvmag.dll
2009-02-25 20:38 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-25 20:38 126,976 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-25 20:37 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-25 20:35 290,816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-25 20:32 626,688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-25 20:32 45,056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-25 20:30 3,227,648 ----a-w c:\windows\system32\aticaldd.dll
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 02:34 --------- d-----w c:\program files\Realtek
2009-02-09 02:28 --------- d-----w c:\program files\Intel
2009-02-09 00:04 --------- d-----w c:\program files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Roller Rush ----

2009-04-03 15:41 648 --a------ c:\program files\Roller Rush\bfgstate.xml
2009-04-03 15:41 123019 --a------ c:\program files\Roller Rush\Uninstall.exe
2009-04-03 15:39 58454 --a------ c:\program files\Roller Rush\pics\rollerrush_175x150.swf
2008-01-11 10:17 97 --a------ c:\program files\Roller Rush\activation_info.xml
2008-01-11 10:17 820552 --a------ c:\program files\Roller Rush\nrwvfhl.exe
2008-01-11 10:17 531 --a------ c:\program files\Roller Rush\LaunchGame.bfg
2008-01-11 10:17 497 --a------ c:\program files\Roller Rush\UnlockGame.bfg
2008-01-11 10:17 14546248 ---h----- c:\program files\Roller Rush\Roller Rush.exe
2008-01-08 10:43 72192 --a------ c:\program files\Roller Rush\Xtras\FILEIO.X32
2008-01-08 10:43 69632 --a------ c:\program files\Roller Rush\Xtras\Media Support\SWADCmpr.x32
2008-01-08 10:43 561152 --a------ c:\program files\Roller Rush\iml32.dll
2008-01-08 10:43 53248 --a------ c:\program files\Roller Rush\Xtras\Media Support\Sound Control.x32
2008-01-08 10:43 4861 --a------ c:\program files\Roller Rush\pics\80x80.jpg
2008-01-08 10:43 40960 --a------ c:\program files\Roller Rush\Xtras\Save As Java Files\JavaUiHelper.x32
2008-01-08 10:43 339968 --a------ c:\program files\Roller Rush\Xtras\Flash Asset\Flash Asset.x32
2008-01-08 10:43 32768 --a------ c:\program files\Roller Rush\Xtras\Devices\DirectSound.x32
2008-01-08 10:43 290816 --a------ c:\program files\Roller Rush\Xtras\budapi.x32
2008-01-08 10:43 266293 --a------ c:\program files\Roller Rush\msvcrt.dll
2008-01-08 10:43 2162 --a------ c:\program files\Roller Rush\pics\60x40.jpg
2008-01-08 10:43 151552 --a------ c:\program files\Roller Rush\proj.dll
2008-01-08 10:43 14317 --a------ c:\program files\Roller Rush\pics\feature.jpg
2008-01-08 10:43 1097728 --a------ c:\program files\Roller Rush\dirapi.dll

---- Directory of c:\program files\wlkbuddy ----

2009-03-31 17:59 50 --a------ c:\program files\wlkbuddy\wlkbuddy.ini
2009-03-31 11:26 92 --a------ c:\program files\wlkbuddy\cleanup.ini
2009-03-31 11:26 763863 --a------ c:\program files\wlkbuddy\setup.exe
2009-03-31 11:26 1511175 --a------ c:\program files\wlkbuddy\wlkbuddy.exe
2009-03-31 11:26 15046 --a------ c:\program files\wlkbuddy\wlkbuddy.ico


((((((((((((((((((((((((((((( SnapShot_2009-04-06_19.01.29.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-06 09:59:44 258,608 ----a-w c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys
+ 2009-04-06 09:59:44 482,352 ----a-w c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys
+ 2009-04-06 09:59:44 307,760 ----a-w c:\windows\system32\drivers\N360\0300000.087\srtsp.sys
+ 2009-04-06 09:59:44 43,696 ----a-w c:\windows\system32\drivers\N360\0300000.087\srtspx.sys
+ 2009-04-06 09:59:44 310,320 ----a-w c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys
+ 2009-04-06 09:59:44 89,776 ----a-w c:\windows\system32\drivers\N360\0300000.087\symfw.sys
+ 2009-04-06 09:59:44 34,736 ----a-w c:\windows\system32\drivers\N360\0300000.087\symids.sys
+ 2009-04-06 09:59:44 37,296 ----a-w c:\windows\system32\drivers\N360\0300000.087\symndis.sys
+ 2009-04-06 09:59:44 39,984 ----a-w c:\windows\system32\drivers\N360\0300000.087\symndisv.sys
+ 2009-04-06 09:59:44 217,392 ----a-w c:\windows\system32\drivers\N360\0300000.087\symtdi.sys
+ 2009-04-06 10:00:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2009-03-08 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler V3.exe [2009-03-07 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 19:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 15:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 00:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 04:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-01 130424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-04-06 19:59:44 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2009-04-06 19:59:44 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2009-04-06 19:59:44 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.sys [2009-04-06 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2009-04-06 115560]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-04-01 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BHDRVX86
*NewlyCreated* - CCHP
*NewlyCreated* - N360
*NewlyCreated* - SRTSP
*NewlyCreated* - SRTSPX
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMNDIS
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-06 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]

2009-04-01 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-03-25 23:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://au.games.yahoo.com/
mStart Page = hxxp://au.games.yahoo.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 00:19:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-07 0:21:16
ComboFix-quarantined-files.txt 2009-04-06 14:21:13
ComboFix2.txt 2009-04-06 09:02:18

Pre-Run: 67,805,073,408 bytes free
Post-Run: 67,841,765,376 bytes free

393 --- E O F --- 2009-04-05 05:11:39




HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:40 AM, on 4/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\intelxpv_v83\wdm\STacSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.games.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.s...abs/tgctlsr.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://games.bigfish...tg.1.0.0.33.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfish...inematycoon.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://gamecenter.ob...sh.1.0.0.47.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v83\wdm\STacSV.exe

--
End of file - 5179 bytes
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
looking better.

is this meant to be your home page? http://au.games.yahoo.com/

in this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

the scans will likely take 4 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
we will update and re-run your malwarebytes:

double click the malwarebytes icon on your desktop to open the program
  • on the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • once complete (a new version of malwarebytes may download) select the tab Scanner
  • select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 4====
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\program files\Roller Rush\nrwvfhl.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply (you will need to paste the link onto a notepad before you do the other scans below, else the contents of your clipboard will be written over with the new links).
Could you do the same for the following files:
  • c:\program files\wlkbuddy\wlkbuddy.exe
====STEP 5====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator.")
In your next reply could I see:
1. the malwarebytes log
2. the superantispyware log
3. the virscan logs or links
4. the kaspersky log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#9
bugatronic25

bugatronic25

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Andrewuk,

Thanks for your reply. I have now managed to complete all the scans, there were a few things found. I already had java update 13 and yes yahoo games http://au.games.yahoo.com/ is my correct home page.

System is still performing well in terms of speed, crashes etc. as it has been since the first combofix run, but the remaining issues after that combofix run (reg.exe flashing the command prompt and closing, screen resolution changes not applying and windows restarts getting stuck on the way back up) are still an issue, and possibly system restore as well. Please see previous posts for details

I did get XoftSpy coming up by itself to do a registry scan, managed to close this and uninstall the application

Here are all the logs. Appreciate your efforts in helping me get on top of all this



Malwarebytes

Malwarebytes' Anti-Malware 1.36
Database version: 1947
Windows 5.1.2600 Service Pack 2

4/7/2009 9:33:01 PM
mbam-log-2009-04-07 (21-33-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 148995
Time elapsed: 2 hour(s), 48 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Ctozovilo.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{29CDF472-C58C-4DA9-9E20-04215089920B}\RP54\A0031213.dll (Trojan.Agent) -> Quarantined and deleted successfully.




SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2009 at 10:45 PM

Application Version : 4.26.1000

Core Rules Database Version : 3832
Trace Rules Database Version: 1788

Scan type : Complete Scan
Total Scan Time : 00:37:13

Memory items scanned : 466
Memory threats detected : 0
Registry items scanned : 3916
Registry threats detected : 0
File items scanned : 54263
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Michael\Cookies\[email protected][1].txt
C:\Documents and Settings\Michael\Cookies\michael@doubleclick[1].txt
C:\Documents and Settings\Michael\Cookies\michael@atdmt[1].txt

Application.PowerReg Scheduler
C:\DOCUMENTS AND SETTINGS\MICHAEL\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29CDF472-C58C-4DA9-9E20-04215089920B}\RP43\A0013115.EXE




Virscan c:\program files\Roller Rush\nrwvfhl.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/04/07 22:58:22 (EST)
Scanner results: 3% Scanner(1/37) found malware!
File Name : nrwvfhl.exe
File Size : 820552 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e50908a683b018393fe2ff821f87de77
SHA1 : 481caa0e46c141cba2ec7df11bcc45cf65f51879
Online report : http://virscan.org/r...37324c59a1.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090407161122 2009-04-07 2.14 -
AhnLab V3 2009.04.07.01 2009.04.07 2009-04-07 0.72 -
AntiVir 7.9.0.138 7.1.3.24 2009-04-07 2.03 -
Antiy 2.0.18 20090407.2283465 2009-04-07 0.12 -
Authentium 5.1.1 200904062043 2009-04-06 1.69 -
AVAST! 3.0.1 090406-0 2009-04-06 0.04 -
AVG 7.5.52.442 270.11.45/2045 2009-04-07 2.05 -
BitDefender 7.81008.2828992 7.24655 2009-04-07 2.74 -
CA (VET) 9.0.0.143 31.6.6442 2009-04-07 2.33 -
ClamAV 0.95 9209 2009-04-07 0.15 -
Comodo 3.8 1102 2009-04-07 0.59 -
CP Secure 1.1.0.715 2009.04.06 2009-04-06 8.07 BackDoor.W32.SpyBoter.fb
Dr.Web 4.44.0.9170 2009.04.07 2009-04-07 4.39 -
F-Prot 4.4.4.56 20090406 2009-04-06 1.53 -
F-Secure 5.51.6100 2009.04.07.07 2009-04-07 0.15 -
Fortinet 2.81-3.117 10.255 2009-04-06 0.56 -
GData 19.4449/19.291 20090407 2009-04-07 3.59 -
ViRobot 20090406 2009.04.06 2009-04-06 1.23 -
Ikarus T3.1.01.49 2009.04.07.72539 2009-04-07 3.77 -
JiangMin 11.0.706 2009.04.07 2009-04-07 1.64 -
Kaspersky 5.5.10 2009.04.07 2009-04-07 0.10 -
KingSoft 2009.2.5.15 2009.4.7.18 2009-04-07 0.97 -
McAfee 5.3.00 5576 2009-04-06 4.06 -
Microsoft 1.4502 2009.04.07 2009-04-07 8.31 -
mks_vir 2.01 2009.04.07 2009-04-07 2.81 -
Norman 6.00.06 6.00.00 2009-04-03 10.01 -
Panda 9.05.01 2009.04.06 2009-04-06 3.97 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.05 -
Quick Heal 10.00 2009.04.07 2009-04-07 1.58 -
Rising 20.0 21.23.40.00 2009-04-03 1.07 -
Sophos 2.85.0 4.40 2009-04-07 2.11 -
Sunbelt 5079 5079 2009-04-06 0.97 -
Symantec 1.3.0.24 20090406.003 2009-04-06 0.16 -
nProtect 20090407.02 3428315 2009-04-07 4.51 -
The Hacker 6.3.4.0 v00303 2009-04-06 0.75 -
VBA32 3.12.10.2 20090406.1414 2009-04-06 2.06 -
VirusBuster 4.5.11.10 10.102.35/1214847 2009-04-06 1.79 -




Virscan c:\program files\wlkbuddy\wlkbuddy.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/04/07 23:04:21 (EST)
Scanner results: All Scanners reported not find malware!
File Name : wlkbuddy.exe
File Size : 1511175 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d99e07b6b1b9eb10c010a46b9b4e755e
SHA1 : d334eb588c8ac379d5a21361ce0984f4dee75e89
Online report : http://virscan.org/r...376aac081e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090407161122 2009-04-07 2.66 -
AhnLab V3 2009.04.07.01 2009.04.07 2009-04-07 0.62 -
AntiVir 7.9.0.138 7.1.3.24 2009-04-07 1.97 -
Antiy 2.0.18 20090407.2283465 2009-04-07 0.22 -
Authentium 5.1.1 200904062043 2009-04-06 1.14 -
AVAST! 3.0.1 090406-0 2009-04-06 0.96 -
AVG 7.5.52.442 270.11.45/2045 2009-04-07 2.02 -
BitDefender 7.81008.2828992 7.24655 2009-04-07 2.67 -
CA (VET) 9.0.0.143 31.6.6442 2009-04-07 3.88 -
ClamAV 0.95 9209 2009-04-07 0.25 -
Comodo 3.8 1102 2009-04-07 0.55 -
CP Secure 1.1.0.715 2009.04.06 2009-04-06 8.13 -
Dr.Web 4.44.0.9170 2009.04.07 2009-04-07 6.80 -
F-Prot 4.4.4.56 20090406 2009-04-06 1.13 -
F-Secure 5.51.6100 2009.04.07.07 2009-04-07 5.14 -
Fortinet 2.81-3.117 10.255 2009-04-06 0.21 -
GData 19.4449/19.291 20090407 2009-04-07 3.49 -
ViRobot 20090406 2009.04.06 2009-04-06 0.41 -
Ikarus T3.1.01.49 2009.04.07.72539 2009-04-07 2.90 -
JiangMin 11.0.706 2009.04.07 2009-04-07 1.63 -
Kaspersky 5.5.10 2009.04.07 2009-04-07 0.07 -
KingSoft 2009.2.5.15 2009.4.7.21 2009-04-07 0.58 -
McAfee 5.3.00 5576 2009-04-06 2.73 -
Microsoft 1.4502 2009.04.07 2009-04-07 5.56 -
mks_vir 2.01 2009.04.07 2009-04-07 2.87 -
Norman 6.00.06 6.00.00 2009-04-03 10.01 -
Panda 9.05.01 2009.04.06 2009-04-06 1.91 -
Trend Micro 8.700-1004 5.944.02 2009-04-03 0.03 -
Quick Heal 10.00 2009.04.07 2009-04-07 1.36 -
Rising 20.0 21.23.40.00 2009-04-03 0.84 -
Sophos 2.85.0 4.40 2009-04-07 2.05 -
Sunbelt 5079 5079 2009-04-06 5.35 -
Symantec 1.3.0.24 20090406.003 2009-04-06 0.20 -
nProtect 20090407.02 3428315 2009-04-07 4.81 -
The Hacker 6.3.4.0 v00303 2009-04-06 0.79 -
VBA32 3.12.10.2 20090406.1414 2009-04-06 1.85 -
VirusBuster 4.5.11.10 10.102.35/1214847 2009-04-06 2.14 -




Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 03:23:26
Records in database: 2021814
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 75676
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:05:53


File name / Threat name / Threats count
C:\Program Files\Easy Desk Utilities\PC Secure\DNS.exe Infected: Trojan-Downloader.Win32.Agent.bexi 1

The selected area was scanned.
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
1. was this one of the programs you loaded on to resolve your issues before? C:\Program Files\Easy Desk Utilities

2. on the reg.exe. now, my understanding here was that it operated from the command prompt window? START >>> RUN type CMD and then start entering the REG commands?
. . . . . or as a batch file? typing reg.exe will merely open and close a window?

3. how often does the window restart get stuck? or does it seem random?

4. on the screen resolutions, once we wrap this up i will most likely need to refer you elsewhere - that is somewhat beyond me and does not look like malware.

andrewuk
  • 0

#11
bugatronic25

bugatronic25

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Andrewuk,

1. Yes I think so, happy to uninstall if that is the best way to remove the virus

2. You are probably right so happy to disregard

3. Every time you select Start > Turn Off Computer > Restart the computer powers off, starts up, gets past the Ipex manufacturer screen, the screen then goes black then dark grey/black and stays there with no cursor etc. Like windows doesn't want to start. Start > Turn Off Computer > Turn Off always works and boot up always works

4. I just uninstalled and reinstalled the video card driver, I was then stuck on 640x480, even less than the 800x600 I was on before. I uninstalled the driver and now it is using a windows default at 800x600 but still can't change the resolution. Again I can drag the slider and select OK then even get the popup that the settings have changed do I want to keep them, but nothing actually changed and when selecting OK the slider reverts

Perhaps both 3 and 4 are related to something else, if you can refer me for further assistance that would be great

Please advise what I should do next in completing the malware removal
Thanks again
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, whilst we get rid of that program, let's try a couple of quick ideas on the other issues.

stay away from system restore still, we have yet to flush it.

====STEP 1====
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    c:\program files\Easy Desk Utilities
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




====STEP 2====
for the screen resolution issue:

take a look at these posts and see if they resolve the issue:

here

here




====STEP 3====
for the restart issue:

it's a long shot, but try uninstalling and reinstalling your Norton



let me know how it all goes. in any event, in the next post we will wrap up the malware part of this.

andrewuk
  • 0

#13
bugatronic25

bugatronic25

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Andrewuk,

Thanks for your reply
OTMoveIt3 complete, log below

Screen resolution
Unfortunately those links did not help

Link 1 - there is no ! against the drivers in my device manager under display adapters, and I tried uninstalling and reinstalling the driver in my last post. Since then, because the 640x480 the reinstall produced was too small, I uninstalled again and let windows find a driver; this produced 1024x768 but yet again I can't change it

Link 2 - the safe mode screen resolution is 800x600 but I can't change it in here. Even so, my issue does not appear to be the same as this one, where a startup service not executed in safe mode was the issue

Restart
Tried rebooting into safe mode - same issue
Uninstalled Norton and rebooted - same issue
Reinstalled Norton and rebooted - same issue

Should I start a post in Hardware, Components and Peripherals including a link to this one and specifying the details there?

Here is the OTMoveIt3 log, thanks for your help and look forward to your next reply




OTMoveIt3

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\program files\Easy Desk Utilities\PC Secure\Logs moved successfully.
c:\program files\Easy Desk Utilities\PC Secure\Images moved successfully.
c:\program files\Easy Desk Utilities\PC Secure moved successfully.
c:\program files\Easy Desk Utilities moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Michael\LOCALS~1\Temp\~DF334C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\T1KP8VIY\Resolution-problems-t232373[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\H9IZMOXA\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\H9IZMOXA\Registry-Lockout-t234127[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\A1BIKZ3J\ATI-Control-Panel-failed-to-initialize-t232558[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_674.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04092009_204217

Files moved on Reboot...
C:\DOCUME~1\Michael\LOCALS~1\Temp\~DF334C.tmp moved successfully.
File C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\T1KP8VIY\Resolution-problems-t232373[1].htm not found!
File C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\H9IZMOXA\iframe[1].htm not found!
File C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\H9IZMOXA\Registry-Lockout-t234127[1].htm not found!
File C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\A1BIKZ3J\ATI-Control-Panel-failed-to-initialize-t232558[2].htm not found!
File C:\WINDOWS\temp\Perflib_Perfdata_674.dat not found!
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hello bugatronic25

congratulations, your logs are clean and another fix is in the can :)

Should I start a post in Hardware, Components and Peripherals including a link to this one and specifying the details there?

the malware side of things is clear. to resolve your other issues, then yes first post in the Hardware, Components and Peripherals to resolve your Resolution issue. i suspect you will need to post in the Windows XP™, 2000, 2003, NT to resolve the start up issue. do one at a time, specify the details there, and say your machine has been cleared of malware, you can link back here if need be.

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix, the tools used in the removal of malware and to flush your system restore points
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


====STEP 2====
Please download the OTCleanIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTCleanIT.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
you can also clear away any other tools we used.


====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • MBAM - Malware Bytes Anti Malware is an excellent tool for anyone's antimalware arsenal. This program should be updated and run often.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Comodo Firewall - The use of a firewall is a personal preference, but it's certainly a good idea. Comodo is free and light. Remember, never install more than 1 firewall. also remember, do not download the comodo antivirus program if you already have an antivirus program on your machine.
  • Digsby or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • Firefox - Alternate web browser. Open source and quick, Firefox is usually the first thing I install on a new system.
  • NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Best wishes

andrewuk

#15
bugatronic25 (Topic Starter, Member, 27 posts)

Hi Andrewuk,

Thanks for your reply. Steps 1 and 2 complete, and a new topic has been created for the restart issue http://www.geekstogo...rt-t235116.html

I have been busy reading up on the information you provided on speeding up and protecting my machine and have made quite a few changes, removed files and programs and installed some new ones (was running norton 360 on 30-day trial, now I am running comodo antivirus and firewall).

Superantispyware and SpywareGuard are running in the system tray along with Comodo SafeSurf. I also have Malwarebytes Anti-Malware and SpywareBlaster installed, together with the ATF Cleaner, StartUpLite, ERUNT and resetdma.vbs utilities (the last is a script that fixes the IDE transfer mode in Device Manager, found via a link from your link http://users.telenet...owcomputer.html, which fixed a problem I did not realise I had), plus IE-SpyAd/ZonedOut restrictions and Digsby Messenger.

In the midst of this the screen resolution issue was resolved! (I think this was from electing to install XP SP3 from your prevention item 6.) Hopefully the restart issue can also be resolved in my new topic.

So not only have you saved me from needing a new PC and from purchasing commercial anti-virus software, I now know a lot more about PC protection and optimisation, so my machine can run better than a new one would have! I thought you would like to know the difference you have made after all the time and effort you have put in, so thanks again.