[Leashy]

I'm sure there's other viruses besides Antivirus 2009, but I think that's the main one giving me problems.

I can't even get to THIS site to download anything.

I was able to run ashampoo antispyware and it found over 300 infections, including plenty of trojans.

However, I still can't get into task manager by pressing ctrl, alt & delete or run and typing taskmgr. If I do either of those I get the "task manager has been disabled by the administrator" message and it opens 50 times.

The newest thing is the mouse doesn't work. I don't know for sure if it's related to the virus or not, but I think it is. I can get into the mouse settings, but it won't let me open the troubleshooting for it.

I can't just go anywhere... like I said, I can't even get to this website, or malwarebytes, or hijack this, etc. I don't know what else to do.

Any ideas for me that are not too hard to do with a keyboard only?

PS: This was my original post here... I couldn't even get windows to boot up. I can now, but not much else. http://www.geekstogo...ou-t219432.html

Edited by Leashy, 04 December 2008 - 01:19 PM.

[Advertisements]

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[Rorschach112]

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[Leashy]

Here's the combofix log... working on the hijackthis one now.

ComboFix 08-12-04.04 - Dave and Steph 2008-12-04 20:45:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -5:00]
Running from: c:\documents and settings\Dave and Steph\Desktop\Combo-fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\av.exe
c:\windows\system32\AycbIRqr.ini
c:\windows\system32\bbwdxvfn.ini
c:\windows\system32\cJPWayay.ini
c:\windows\system32\djvxnixj.ini
c:\windows\system32\encvtykf.ini
c:\windows\system32\evbtniid.ini
c:\windows\system32\ewkgwktr.ini
c:\windows\system32\fgualtlb.ini
c:\windows\system32\fjhmmvcp.ini
c:\windows\system32\flxnhyjc.ini
c:\windows\system32\fmhmtepu.ini
c:\windows\system32\gfqnvscp.ini
c:\windows\system32\jmmawmrh.ini
c:\windows\system32\kssyxsjj.ini
c:\windows\system32\ljmkkrlx.ini
c:\windows\system32\mqoxuelq.ini
c:\windows\system32\ntpjyyxn.ini
c:\windows\system32\nXGOonmp.ini
c:\windows\system32\nXGOonmp.ini2
c:\windows\system32\oaxnbgme.ini
c:\windows\system32\ocglxuyk.ini
c:\windows\system32\OVGPonnn.ini
c:\windows\system32\qemgkgea.ini
c:\windows\system32\qhfwhqim.ini
c:\windows\system32\rftuhcpn.ini
c:\windows\system32\rtfrskyl.ini
c:\windows\system32\rxakffwg.ini
c:\windows\system32\skhkhqgo.ini
c:\windows\system32\tghufnlg.ini
c:\windows\system32\tncwadla.ini
c:\windows\system32\tqeipodv.ini
c:\windows\system32\wcyrfjjk.ini
c:\windows\system32\xggagxlf.ini
c:\windows\system32\ximyvgiq.ini
c:\windows\system32\xsetgfrn.ini
c:\windows\system32\ytohthxh.ini
c:\windows\system32\yvmfujnp.ini

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 20:28 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-04 20:28 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-04 20:28 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-04 17:42 . 2008-12-04 17:35 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-04 17:42 . 2008-12-04 17:42 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-04 17:41 . 2008-12-04 17:41 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-04 17:41 . 2008-12-04 20:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-04 17:41 . 2008-12-04 20:50 2,150,432 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-04 17:41 . 2008-12-04 20:50 327,712 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-04 17:41 . 2008-12-04 20:50 18,928 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-04 17:41 . 2008-12-04 20:50 2,200 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-04 17:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 17:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 17:31 . 2008-12-04 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 17:30 . 2008-12-04 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 16:45 . 2008-12-04 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-04 16:29 . 2008-12-04 16:29 <DIR> d-------- c:\documents and settings\Dave and Steph\Application Data\Malwarebytes
2008-12-04 13:06 . 2008-12-04 13:06 376 --a------ c:\windows\system32\drivers\kgpfr2.cfg
2008-12-04 04:30 . 2008-12-04 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-04 04:29 . 2008-12-04 04:29 <DIR> d-------- c:\program files\STOPzilla!
2008-12-04 04:29 . 2008-12-04 04:29 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-04 04:29 . 2008-12-04 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-04 04:27 . 2008-12-04 04:27 3,096 --a------ c:\windows\system32\OEMINFO.PNF
2008-12-03 21:57 . 2008-12-03 21:57 <DIR> d-------- c:\program files\Ashampoo
2008-12-02 16:24 . 2008-12-04 17:14 364 --a------ c:\windows\system32\tmp.reg
2008-12-02 02:12 . 2007-11-27 22:56 91,328 --a------ c:\windows\system32\drivers\msfwdrv.sys
2008-12-02 02:11 . 2007-11-27 22:56 116,416 --a------ c:\windows\system32\drivers\msfwhlpr.sys
2008-12-02 01:56 . 2008-12-02 02:12 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-02 01:56 . 2008-05-15 16:15 53,168 --a------ c:\windows\system32\drivers\MpFilter.sys
2008-12-02 01:49 . 2007-03-29 07:56 18,944 -----c--- c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-02 01:49 . 2007-03-29 07:56 8,192 -----c--- c:\windows\system32\dllcache\bitsprx2.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 -----c--- c:\windows\system32\dllcache\bitsprx4.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 -----c--- c:\windows\system32\dllcache\bitsprx3.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 --------- c:\windows\system32\bitsprx4.dll
2008-12-02 00:56 . 2008-12-04 16:49 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-01 23:59 . 2002-12-03 19:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\VERITAS
2008-12-01 23:59 . 2002-11-14 13:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MSN6
2008-12-01 23:59 . 2002-11-14 13:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2008-12-01 23:59 . 2002-12-03 19:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2008-12-01 23:59 . 2008-12-02 17:01 <DIR> d-------- c:\documents and settings\Administrator
2008-12-01 22:42 . 2008-12-01 22:43 <DIR> d-------- c:\program files\CCleaner
2008-12-01 21:30 . 2008-12-01 21:30 <DIR> d-------- c:\program files\iPod
2008-11-11 14:35 . 2008-11-11 14:35 364,544 -ra------ c:\windows\system32\IS3DBA5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 08:09 --------- d-----w c:\program files\Corel
2008-12-02 03:17 --------- d-----w c:\program files\Common Files\AOL
2008-12-02 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-02 02:58 --------- d-----w c:\program files\VERITAS Software
2008-12-02 02:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 02:40 --------- d-----w c:\program files\Java
2008-12-02 02:35 --------- d-----w c:\program files\McAfee.com
2008-12-02 02:28 --------- d-----w c:\program files\Common Files\Sony Shared
2008-12-02 02:22 --------- d-----w c:\program files\epson
2008-12-02 02:00 --------- d-----w c:\program files\Sony
2008-10-08 18:27 49,664 ----a-r c:\windows\system32\drivers\SZKG.sys
2007-05-02 23:17 836 -c--a-w c:\documents and settings\Dave and Steph\Application Data\ViewerApp.dat
2005-07-29 20:24 472 -csha-r c:\windows\RGF2ZSBhbmQgU3RlcGg\l3IZtm11vAk0oal5w30.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Toolbar.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Toolbar.LNK
backup=c:\windows\pss\eBay Toolbar.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\'Ashampoo AntiSpyWare 2 Guard']
--a------ 2008-11-04 14:32 2347352 c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7800 Series]
--a--c--- 2005-04-06 23:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-07-03 20:17 40960 c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2002-06-19 21:05 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2002-06-19 21:14 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
--a------ 2002-12-03 12:39 174592 c:\windows\system32\LEXPPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a--c--- 2002-08-15 07:54 77887 c:\program files\Corel\WordPerfect Office 2002\Programs\Qfschd100.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2002-11-15 16:54 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSURVEY]
--a--c--- 2002-11-21 18:04 1056768 c:\program files\Sony\VAIO Survey\SurveySA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2002-10-18 14:07 87751 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VAIOMediaPlatform-PhotoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-MusicServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-AppServer"=2 (0x2)
"Network Monitor"=2 (0x2)
"LexBceS"=2 (0x2)
"IDriverT"=3 (0x3)
"cmdService"=2 (0x2)
"aspnet_state"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"szserver"=2 (0x2)
"OneCareMP"=2 (0x2)
"msfwsvc"=2 (0x2)
"AASW2_Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2008-10-08 49664]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S4 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2008-12-03 749400]
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B0A795FE-DEE0-4383-9078-9ADC1CC150C1} - (no file)
BHO-{E77615BA-D7F5-4AE1-B34A-5BCCB9972441} - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
ShellExecuteHooks-{B0A795FE-DEE0-4383-9078-9ADC1CC150C1} - (no file)
MSConfigStartUp-19309334392581740417814437206296 - c:\program files\Antivirus 2009\av2009.exe
MSConfigStartUp-9kEdRE - c:\windows\qahnosa.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-AOL Fast Start - c:\program files\America Online 9.0a\AOL.EXE
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-BM5fa34836 - c:\windows\system32\dgvebihg.dll
MSConfigStartUp-conscorr - c:\windows\conscorr.exe
MSConfigStartUp-dlmMgr - c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
MSConfigStartUp-ExploreUpdSched - c:\windows\system32\scntnkdm.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1102883613\ee\AOLSoftware.exe
MSConfigStartUp-ieupdate - c:\windows\system32\ieupdates.exe
MSConfigStartUp-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Lexmark X5100 Series - c:\program files\Lexmark X5100 Series\lxbabmgr.exe
MSConfigStartUp-lphc9guj0e10e - c:\windows\system32\lphc9guj0e10e.exe
MSConfigStartUp-McAgentexe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McUpdateexe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-NBJ - c:\program files\Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-rgmrjtkgpz - c:\windows\system32\poirfgqvyognpkk.dll
MSConfigStartUp-runner1 - c:\windows\faceback.exe
MSConfigStartUp-sais - c:\program files\180solutions\sais.exe
MSConfigStartUp-satmat - c:\windows\satmat.exe
MSConfigStartUp-SeekmoOE - c:\program files\Seekmo\bin\10.0.427.0\OEAddOn.exe
MSConfigStartUp-SeekmoSA - c:\program files\Seekmo\bin\10.0.427.0\SeekmoSA.exe
MSConfigStartUp-StorageGuard - c:\program files\VERITAS Software\Update Manager\sgtray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-viubmthbhys - c:\windows\System32\mbmvwf.exe
MSConfigStartUp-wcmdmgr - c:\windows\wt\updater\wcmdmgrl.exe
MSConfigStartUp-WebRebates0 - c:\program files\Web_Rebates\WebRebates0.exe
MSConfigStartUp-WhenUSave - c:\program files\Save\Save.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-{07-7B-B0-05-DW} - c:\windows\system32\jmwnw64o.exe
MSConfigStartUp-{8ef0fb28-f345-da13-54c5-e9dd74a3d12f} - c:\windows\system32\poirfgqvyognpkk.dll


.
------- Supplementary Scan -------
.
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {D27CDB6E-AE6A-11CF-96B8-444553540000} - hxxp://hometown.aol.com/babygirlb328/myhomepage/ProfR1G.exe
FireFox -: Profile - c:\documents and settings\Dave and Steph\Application Data\Mozilla\Firefox\Profiles\kro6skfu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 20:51:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(948)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-04 20:56:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 01:55:44

Pre-Run: 3,411,304,448 bytes free
Post-Run: 3,388,493,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

329 --- E O F --- 2008-08-15 07:03:07




Thank you!!

[Leashy]

Here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:48 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.firstcom...ndex_secure.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

--
End of file - 3866 bytes



Mouse still isn't working. Tried plugging it into another computer and it works fine. Can that be virus related??

[Rorschach112]

Possibly

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\kgpfr2.cfg
c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\Deewoo.lnk
c:\windows\pss\Deewoo.lnkStartup
c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\DW_Start.lnk
c:\windows\pss\DW_Start.lnkStartup

Folder::
c:\windows\RGF2ZSBhbmQgU3RlcGg

KillAll::

FCopy::
C:\WINDOWS\system32\dllcache\winlogon.exe | c:\windows\system32\winlogon.exe

FileLook::
c:\windows\system32\IS3DBA5.dll

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^Deewoo.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^DW_Start.lnk]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Leashy]

Here's the log... took a while because I had to get the mouse working to drag the txt file to combofix. It started working, then stopped, now it's working again. Not sure what's going on there. As I typed that, it stopped working again. grrr

ComboFix 08-12-05.01 - Dave and Steph 2008-12-05 13:45:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT -5:00]
Running from: c:\documents and settings\Dave and Steph\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\Dave and Steph\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\DW_Start.lnk
c:\windows\pss\Deewoo.lnkStartup
c:\windows\pss\DW_Start.lnkStartup
c:\windows\system32\drivers\kgpfr2.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\RGF2ZSBhbmQgU3RlcGg
c:\windows\RGF2ZSBhbmQgU3RlcGg\l3IZtm11vAk0oal5w30.vbs

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 02:13 . 2008-12-05 13:32 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-04 21:18 . 2008-12-04 21:18 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 20:28 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-04 20:28 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-04 20:28 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-04 17:42 . 2008-12-04 17:35 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-04 17:42 . 2008-12-04 17:42 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-04 17:41 . 2008-12-04 17:41 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-04 17:41 . 2008-12-04 20:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-04 17:41 . 2008-12-05 13:48 2,150,432 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-04 17:41 . 2008-12-05 13:48 327,712 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-04 17:41 . 2008-12-05 13:48 18,928 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-04 17:41 . 2008-12-05 13:48 2,200 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-04 17:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 17:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 17:31 . 2008-12-04 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 17:30 . 2008-12-04 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 16:45 . 2008-12-04 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-04 16:29 . 2008-12-04 16:29 <DIR> d-------- c:\documents and settings\Dave and Steph\Application Data\Malwarebytes
2008-12-04 04:30 . 2008-12-04 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-04 04:29 . 2008-12-04 04:29 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-04 04:29 . 2008-12-05 02:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-04 04:27 . 2008-12-04 04:27 3,096 --a------ c:\windows\system32\OEMINFO.PNF
2008-12-03 21:57 . 2008-12-03 21:57 <DIR> d-------- c:\program files\Ashampoo
2008-12-02 16:24 . 2008-12-04 17:14 364 --a------ c:\windows\system32\tmp.reg
2008-12-02 02:12 . 2007-11-27 22:56 91,328 --a------ c:\windows\system32\drivers\msfwdrv.sys
2008-12-02 02:11 . 2007-11-27 22:56 116,416 --a------ c:\windows\system32\drivers\msfwhlpr.sys
2008-12-02 01:56 . 2008-12-02 02:12 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-02 01:56 . 2008-05-15 16:15 53,168 --a------ c:\windows\system32\drivers\MpFilter.sys
2008-12-02 01:49 . 2007-03-29 07:56 18,944 -----c--- c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-02 01:49 . 2007-03-29 07:56 8,192 -----c--- c:\windows\system32\dllcache\bitsprx2.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 -----c--- c:\windows\system32\dllcache\bitsprx4.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 -----c--- c:\windows\system32\dllcache\bitsprx3.dll
2008-12-02 01:49 . 2007-03-29 07:56 7,168 --------- c:\windows\system32\bitsprx4.dll
2008-12-02 00:56 . 2008-12-04 16:49 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-01 23:59 . 2002-12-03 19:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\VERITAS
2008-12-01 23:59 . 2002-11-14 13:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MSN6
2008-12-01 23:59 . 2002-11-14 13:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2008-12-01 23:59 . 2002-12-03 19:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2008-12-01 23:59 . 2008-12-02 17:01 <DIR> d-------- c:\documents and settings\Administrator
2008-12-01 22:42 . 2008-12-01 22:43 <DIR> d-------- c:\program files\CCleaner
2008-12-01 21:30 . 2008-12-01 21:30 <DIR> d-------- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 08:09 --------- d-----w c:\program files\Corel
2008-12-02 03:17 --------- d-----w c:\program files\Common Files\AOL
2008-12-02 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-02 02:58 --------- d-----w c:\program files\VERITAS Software
2008-12-02 02:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 02:40 --------- d-----w c:\program files\Java
2008-12-02 02:35 --------- d-----w c:\program files\McAfee.com
2008-12-02 02:28 --------- d-----w c:\program files\Common Files\Sony Shared
2008-12-02 02:22 --------- d-----w c:\program files\epson
2008-12-02 02:00 --------- d-----w c:\program files\Sony
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-05-02 23:17 836 -c--a-w c:\documents and settings\Dave and Steph\Application Data\ViewerApp.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\IS3DBA5.dll -- Invalid filepath or file no longer exist


((((((((((((((((((((((((((((( snapshot@2008-12-04_20.54.33.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
- 2007-02-28 09:08:48 2,136,064 -c----w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 -c----w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 -c----w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 -c----w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-06-23 16:57:27 124,928 -c----w c:\windows\ie7updates\KB956390-IE7\advpack.dll
+ 2008-06-23 16:57:27 347,136 -c----w c:\windows\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2008-06-23 16:57:27 214,528 -c----w c:\windows\ie7updates\KB956390-IE7\dxtrans.dll
+ 2008-06-23 16:57:27 133,120 -c----w c:\windows\ie7updates\KB956390-IE7\extmgr.dll
+ 2008-06-23 16:57:28 63,488 -c----w c:\windows\ie7updates\KB956390-IE7\icardie.dll
+ 2008-06-23 09:20:25 70,656 -c----w c:\windows\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2008-06-23 16:57:29 153,088 -c----w c:\windows\ie7updates\KB956390-IE7\ieakeng.dll
+ 2008-06-23 16:57:29 230,400 -c----w c:\windows\ie7updates\KB956390-IE7\ieaksie.dll
+ 2008-06-21 05:23:54 161,792 -c----w c:\windows\ie7updates\KB956390-IE7\ieakui.dll
+ 2008-06-23 16:57:29 383,488 -c----w c:\windows\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2008-06-23 16:57:29 384,512 -c----w c:\windows\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2008-06-23 16:57:33 6,066,176 -c----w c:\windows\ie7updates\KB956390-IE7\ieframe.dll
+ 2008-06-23 16:57:33 44,544 -c----w c:\windows\ie7updates\KB956390-IE7\iernonce.dll
+ 2008-06-23 16:57:34 267,776 -c----w c:\windows\ie7updates\KB956390-IE7\iertutil.dll
+ 2008-06-23 09:20:26 13,824 -c----w c:\windows\ie7updates\KB956390-IE7\ieudinit.exe
+ 2008-06-23 09:20:52 625,664 -c----w c:\windows\ie7updates\KB956390-IE7\iexplore.exe
+ 2008-06-23 16:57:35 27,648 -c----w c:\windows\ie7updates\KB956390-IE7\jsproxy.dll
+ 2008-06-23 16:57:36 459,264 -c----w c:\windows\ie7updates\KB956390-IE7\msfeeds.dll
+ 2008-06-23 16:57:36 52,224 -c----w c:\windows\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2008-06-24 14:57:40 3,592,192 -c----w c:\windows\ie7updates\KB956390-IE7\mshtml.dll
+ 2008-06-23 16:57:39 477,696 -c----w c:\windows\ie7updates\KB956390-IE7\mshtmled.dll
+ 2008-06-23 16:57:39 193,024 -c----w c:\windows\ie7updates\KB956390-IE7\msrating.dll
+ 2008-06-23 16:57:40 671,232 -c----w c:\windows\ie7updates\KB956390-IE7\mstime.dll
+ 2008-06-23 16:57:40 102,912 -c----w c:\windows\ie7updates\KB956390-IE7\occache.dll
+ 2008-06-23 16:57:40 44,544 -c----w c:\windows\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2008-06-23 16:57:40 105,984 -c----w c:\windows\ie7updates\KB956390-IE7\url.dll
+ 2008-06-23 16:57:40 1,159,680 -c----w c:\windows\ie7updates\KB956390-IE7\urlmon.dll
+ 2008-06-23 16:57:41 233,472 -c----w c:\windows\ie7updates\KB956390-IE7\webcheck.dll
+ 2008-06-23 16:57:41 826,368 -c----w c:\windows\ie7updates\KB956390-IE7\wininet.dll
- 2008-06-23 16:57:27 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-06-23 16:57:27 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2008-06-20 10:44:38 138,368 -c----w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c----w c:\windows\system32\dllcache\afd.sys
- 2008-06-23 16:57:27 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-06-23 16:57:27 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-06-23 16:57:28 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-06-23 09:20:25 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-06-23 16:57:29 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-06-21 05:23:54 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2008-06-23 16:57:29 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-06-23 16:57:33 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-06-23 16:57:34 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-06-23 09:20:26 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-06-23 09:20:52 625,664 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-06-23 16:57:35 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
- 2008-06-23 16:57:36 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-06-23 16:57:36 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-06-24 14:57:40 3,592,192 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-06-23 16:57:39 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-06-23 16:57:39 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-06-23 16:57:40 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2007-06-26 06:08:16 1,104,896 -c----w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c----w c:\windows\system32\dllcache\msxml3.dll
- 2006-08-17 12:28:27 332,288 -c----w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c----w c:\windows\system32\dllcache\netapi32.dll
- 2007-02-28 09:08:48 2,136,064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-06-23 16:57:40 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-06-23 16:57:40 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2006-08-14 10:34:41 332,928 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-06-23 16:57:40 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-06-23 16:57:40 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-06-23 16:57:41 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-03-19 09:47:00 1,845,248 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c----w c:\windows\system32\dllcache\win32k.sys
- 2008-06-23 16:57:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-08-26 07:24:31 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-06-20 10:44:38 138,368 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2006-08-14 10:34:41 332,928 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
- 2008-06-23 16:57:27 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-06-23 16:57:27 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-06-23 16:57:27 133,120 -c--a-w c:\windows\system32\extmgr.dll
+ 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-04-10 07:18:08 127,704 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-05 02:09:07 127,704 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-06-23 16:57:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-06-23 09:20:25 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-08-25 08:37:59 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-06-23 16:57:29 153,088 -c--a-w c:\windows\system32\ieakeng.dll
+ 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-06-23 16:57:29 230,400 -c--a-w c:\windows\system32\ieaksie.dll
+ 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-06-21 05:23:54 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-08-23 05:54:51 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-06-23 16:57:29 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-06-23 16:57:29 384,512 -c--a-w c:\windows\system32\iedkcs32.dll
+ 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-06-23 16:57:33 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-06-23 16:57:34 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-06-23 09:20:26 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-06-23 16:57:35 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2008-08-05 15:11:02 15,888,504 -c--a-w c:\windows\system32\MRT.exe
+ 2008-11-03 21:10:26 17,318,336 -c--a-w c:\windows\system32\MRT.exe
- 2008-06-23 16:57:36 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-06-23 16:57:36 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-06-24 14:57:40 3,592,192 ----a-w c:\windows\system32\mshtml.dll
+ 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-06-23 16:57:39 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-06-23 16:57:39 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-06-23 16:57:40 671,232 -c--a-w c:\windows\system32\mstime.dll
+ 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\mstime.dll
- 2007-06-26 06:08:16 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2007-02-28 08:38:55 2,057,600 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2007-02-28 09:10:57 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
- 2008-06-23 16:57:40 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-06-23 16:57:40 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 -c----w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-06-23 16:57:40 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
- 2008-06-23 16:57:40 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
- 2008-06-23 16:57:41 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-03-19 09:47:00 1,845,248 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2008-06-23 16:57:41 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Toolbar.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Toolbar.LNK
backup=c:\windows\pss\eBay Toolbar.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave and Steph^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Dave and Steph\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\'Ashampoo AntiSpyWare 2 Guard']
--a------ 2008-11-04 14:32 2347352 c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7800 Series]
--a--c--- 2005-04-06 23:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-07-03 20:17 40960 c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2002-06-19 21:05 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
--a------ 2002-12-03 12:39 174592 c:\windows\system32\LEXPPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a--c--- 2002-08-15 07:54 77887 c:\program files\Corel\WordPerfect Office 2002\Programs\Qfschd100.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2002-11-15 16:54 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSURVEY]
--a--c--- 2002-11-21 18:04 1056768 c:\program files\Sony\VAIO Survey\SurveySA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VAIOMediaPlatform-PhotoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-MusicServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-AppServer"=2 (0x2)
"Network Monitor"=2 (0x2)
"LexBceS"=2 (0x2)
"IDriverT"=3 (0x3)
"cmdService"=2 (0x2)
"aspnet_state"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"szserver"=2 (0x2)
"OneCareMP"=2 (0x2)
"msfwsvc"=2 (0x2)
"AASW2_Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S4 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2008-12-03 749400]
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.
.
------- Supplementary Scan -------
.

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {D27CDB6E-AE6A-11CF-96B8-444553540000} - hxxp://hometown.aol.com/babygirlb328/myhomepage/ProfR1G.exe
FireFox -: Profile - c:\documents and settings\Dave and Steph\Application Data\Mozilla\Firefox\Profiles\kro6skfu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 13:49:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-05 13:55:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 18:54:28
ComboFix2.txt 2008-12-05 01:56:28

Pre-Run: 3,169,538,048 bytes free
Post-Run: 3,159,400,448 bytes free

427 --- E O F --- 2008-12-05 02:07:47

[Rorschach112]

Hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

[Leashy]

Hmm... found nothing with the anti-malware.

Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 2

12/5/2008 3:49:25 PM
mbam-log-2008-12-05 (15-49-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 88893
Time elapsed: 41 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Doing the next thing now.

[Rorschach112]

Post a new HJT log with it

[Leashy]

Hello again.

I've been trying to get the online scan done and it just won't finish. It gets to 70-80% done and then freezes. I've tried it 4 times now. I will try once more, but here's a current HJT log for now.

Thanks again for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:12 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.firstcom...ndex_secure.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3222 bytes

Edited by Leashy, 06 December 2008 - 11:24 AM.

[Rorschach112]

Ok if you cant get it running its fine, just let me know

[Leashy]

Stopped again at 78% and I realized it's been stopping at the same file. It says:

Now scanning: RDPWD.SY_
Location: C:\WINDOWS\I386

Frozen.

[Leashy]

No, I can't get it to finish, sorry.

Anything else for me to try?

[Rorschach112]

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

• Make sure you have an Internet Connection.
• Download OTCleanIt to your desktop and run it
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
• Click Yes to beging the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

*ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

*Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

*ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

* Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

Thank you for your patience, and performing all of the procedures requested.

[Leashy]

Thank you for all your help!!