
Hijack/Rootkit Infection


  • This topic is locked

#1
storm92jk

    New Member

  • Member
  • 7 posts
Hello, I believe that my computer has rootkits and hijacks on it. When I use google, I get redirected to sites that I did not search for. Also I can not go to security based web sites, like Spybot's website, and I can not run certain programs. Spybot won't run and Malwarebytes' Anti-Malware won't install. But I did get Ad Aware to install. I ran BitDefender and it found a rootkit and removed it, but I do not know if it is still there or I still have rootkits that didn't get detected. I use Firefox and Firefox has been affected too, not just Internet Explorer. Thanks for the help in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:53 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Firefox\firefox.exe
C:\Documents and Settings\Joseph\Desktop\HJTInstall.exe
C:\Documents and Settings\Joseph\Desktop\mbam-setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\IEToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\bdagent.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1139604316827
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://remoteoffice...d.trans.ge.com
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://lots-server.l...TSWEB/msrdp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6162 bytes
  • 0
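The HijackThis log above is the raw material a log helper triages by hand: O23 service entries with an unknown owner, O2 browser helper objects with no name, and O4 autostart entries whose binary lives somewhere unusual. The following parser is an added example, not part of the post and not Trend Micro's code; it reads the Rx/Oxx lines into sections and records those three kinds of finding. The list of trusted directories is an assumption for the example, and the O4 "updater" line in the sample is constructed so the path check has something to flag; the other sample lines are copied from the log in the post.

```python
"""Small triage parser for HijackThis v2 log lines (added example)."""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted above, plus one
# CONSTRUCTED O4 line (an executable launched from a user Temp folder) so the
# "outside trusted directories" check has something to report.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Joseph\LOCALS~1\Temp\upd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\vsserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Assumption for this example: where autostart binaries on a default XP
# install normally live. A real triage would also verify file signatures.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Triage:
    services: list = field(default_factory=list)
    bhos: list = field(default_factory=list)
    run_entries: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # (code, detail) tuples


def first_path(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def outside_trusted_dirs(path: str) -> bool:
    """True for an absolute drive path that is not under a trusted directory.

    Bare names such as RUNDLL32.EXE resolve through the search path and are
    deliberately not judged here.
    """
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return False
    return not p.startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> Triage:
    """Group O2/O4/O23 entries and record the findings a helper looks at first."""
    t = Triage()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        if section == "O23" and (s := SERVICE_RE.match(body)):
            t.services.append(s.groupdict())
            if s.group("owner").lower() == "unknown owner":
                t.findings.append(("unknown-owner", s.group("name")))
        elif section == "O2" and (b := BHO_RE.match(body)):
            t.bhos.append(b.groupdict())
            if b.group("name") == "(no name)":
                t.findings.append(("unnamed-bho", b.group("clsid")))
        elif section == "O4" and (r := RUN_RE.match(body)):
            entry = r.groupdict()
            entry["path"] = first_path(entry["cmd"])
            t.run_entries.append(entry)
            if outside_trusted_dirs(entry["path"]):
                t.findings.append(("outside-trusted-dirs", entry["name"]))
    return t


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG).findings:
        print(f"{code}: {detail}")
```

A finding is a prompt to look closer, not a verdict: PnkBstrA above is the PunkBuster anti-cheat service, which reports an unknown owner simply because the binary is unsigned, and the unnamed BHO is Spybot's SDHelper.dll, as its path shows.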



#2
storm92jk

    New Member

  • Topic Starter
  • Member
  • 7 posts
Problem solved. I disabled the TDSSserv.sys from the device manager, restarted the computer, and I got Malwarebytes' Anti-Malware to run and it fixed the problem.
  • 0

#3
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi storm92jk -

Sorry nobody got back to you for a day or so, as you can see these forums are busy and sometimes logs take a while to answer. As much as it's a good thing that you've been able to work on the problem on your own, with an infection like TDSS it is VERY likely that your computer isn't actually clean, even though your symptoms of infection may have gone away.

It would be my recommendation that you follow these instructions for running ComboFix so we can get a measure of what might be left. Of course it's your choice and if you wish to just be on your way then that's fine, I'll close this up. Let me know.

1. ComboFix

Please download and save ComboFix from one of these locations:

Link 1 | Link 2 | Link 3

* It is very important that ComboFix is saved directly to your desktop.

Notes:
  • Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here.
  • ComboFix will temporarily disconnect your machine from the internet and change your clock settings; this is normal, and both will be restored before the program terminates.
  • Do not attempt to run any programs or click on ComboFix's window while it is running; just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times; don't worry.
Next:
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
* Note: If the Recovery Console is already installed, ComboFix will ignore the installation routines and continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else.

When it's finished, the program's log will appear in notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply.

- Dave :)
  • 0

#4
storm92jk

    New Member

  • Topic Starter
  • Member
  • 7 posts
No problem for the delay.



ComboFix 08-12-21.04 - Joseph 2008-12-22 15:55:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.694 [GMT -5:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix2.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\windows\system32\_005694_.tmp.dll
c:\windows\system32\_005695_.tmp.dll
c:\windows\system32\_005696_.tmp.dll
c:\windows\system32\_005697_.tmp.dll
c:\windows\system32\_005704_.tmp.dll
c:\windows\system32\_005705_.tmp.dll
c:\windows\system32\_005706_.tmp.dll
c:\windows\system32\_005707_.tmp.dll
c:\windows\system32\_005709_.tmp.dll
c:\windows\system32\_005710_.tmp.dll
c:\windows\system32\_005713_.tmp.dll
c:\windows\system32\_005714_.tmp.dll
c:\windows\system32\_005716_.tmp.dll
c:\windows\system32\_005717_.tmp.dll
c:\windows\system32\_005718_.tmp.dll
c:\windows\system32\_005720_.tmp.dll
c:\windows\system32\_005721_.tmp.dll
c:\windows\system32\_005723_.tmp.dll
c:\windows\system32\_005724_.tmp.dll
c:\windows\system32\_005728_.tmp.dll
c:\windows\system32\_005729_.tmp.dll
c:\windows\system32\_005731_.tmp.dll
c:\windows\system32\_005734_.tmp.dll
c:\windows\system32\_005737_.tmp.dll
c:\windows\system32\_005738_.tmp.dll
c:\windows\system32\_005739_.tmp.dll
c:\windows\system32\_005740_.tmp.dll
c:\windows\system32\_005741_.tmp.dll
c:\windows\system32\_005744_.tmp.dll
c:\windows\system32\_005745_.tmp.dll
c:\windows\system32\_005746_.tmp.dll
c:\windows\system32\_005747_.tmp.dll
c:\windows\system32\_005748_.tmp.dll
c:\windows\system32\_005753_.tmp.dll
c:\windows\system32\_005755_.tmp.dll
c:\windows\system32\_005756_.tmp.dll
c:\windows\system32\TDSSosvd.dat
F:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-22 15:46 . 2008-12-22 15:52 <DIR> d-------- C:\ComboFix
2008-12-22 12:50 . 2008-12-22 12:50 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-22 10:26 . 2008-12-22 10:26 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-22 10:26 . 2008-12-22 10:26 <DIR> d-------- c:\documents and settings\Joseph\Application Data\SUPERAntiSpyware.com
2008-12-22 10:16 . 2008-12-22 12:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:16 . 2008-12-22 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 21:34 . 2008-12-21 21:34 <DIR> d-------- c:\program files\Lavasoft
2008-12-20 19:07 . 2008-12-20 19:07 <DIR> d-------- c:\program files\ERUNT
2008-12-20 17:39 . 2008-12-21 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-09 22:14 . 2008-12-09 22:14 <DIR> d-------- c:\documents and settings\Kevin\Application Data\acccore
2008-12-09 22:13 . 2008-12-09 22:13 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-09 22:12 . 2008-12-09 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-09 22:11 . 2008-12-09 22:11 <DIR> d-------- c:\program files\Common Files\AOL
2008-12-09 22:11 . 2008-12-09 22:13 <DIR> d-------- c:\program files\AIM6
2008-12-09 22:11 . 2008-12-09 22:11 13,440,584 --a------ c:\temp\Install_AIM(3).exe
2008-12-09 22:07 . 2008-12-09 22:07 13,440,584 --a------ c:\temp\Install_AIM(2).exe
2008-12-09 22:01 . 2008-12-09 22:01 13,440,584 --a------ c:\temp\Install_AIM.exe
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\system32\en
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\l2schemas
2008-12-04 19:37 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-30 11:51 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1D7.tmp
2008-11-30 11:50 . 2008-04-13 19:11 2,843,136 --a------ c:\windows\system32\SET2BB.tmp
2008-11-30 11:49 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET3D6.tmp
2008-11-30 11:02 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-30 00:36 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-30 00:36 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-30 00:36 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-30 00:36 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-30 00:36 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-30 00:36 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-30 00:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-30 00:36 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-30 00:36 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-30 00:35 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-30 00:35 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-30 00:35 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-29 17:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-29 15:42 . 2008-11-29 17:46 <DIR> d-------- c:\documents and settings\Joseph\.housecall6.6
2008-11-29 09:14 . 2008-11-29 09:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitDefender
2008-11-29 09:09 . 2008-11-29 15:27 <DIR> d-------- c:\documents and settings\Administrator
2008-11-28 22:10 . 2008-11-28 22:10 0 --a------ c:\windows\system32\bdaC.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 21:02 --------- d-----w c:\program files\BitDefender
2008-12-22 20:57 81,984 ----a-w c:\windows\system32\bdod.bin
2008-12-22 20:46 13,590,427 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-22 15:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-20 14:42 --------- d-----w c:\documents and settings\Joseph\Application Data\Xfire
2008-12-16 02:16 147,584 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 02:16 12,234,784 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-10 03:12 --------- d-----w c:\program files\Viewpoint
2008-12-10 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-10 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-07 03:06 2,865,152 ----a-w c:\windows\Internet Logs\xDB35.tmp
2008-11-29 02:12 2,832,896 ----a-w c:\windows\Internet Logs\xDB34.tmp
2008-11-29 01:16 2,833,920 ----a-w c:\windows\Internet Logs\xDB33.tmp
2008-11-29 00:05 31 ----a-w c:\documents and settings\Ryan\jagex_runescape_preferences.dat
2008-11-28 23:43 --------- d-----w c:\program files\Steam
2008-11-17 02:09 --------- d-----w c:\program files\Real
2008-11-09 00:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-09 00:14 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-09 00:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 00:05 --------- d-----w c:\program files\Game Cam V2
2008-11-08 19:14 --------- d-----w c:\documents and settings\Ryan\Application Data\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-11 17:23 59,680 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_10_11_13_15_40_small.dmp.zip
2008-10-11 17:23 54,934 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_10_11_13_15_37_small.dmp.zip
2008-10-05 16:27 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 00:27 2,731,520 ----a-w c:\windows\Internet Logs\xDB32.tmp
2008-09-14 16:12 24 ----a-w c:\documents and settings\Joseph\jagex_runescape_preferences.dat
2008-03-18 16:46 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-03-30 23:27 3,329,446 ----a-w c:\documents and settings\Kevin\neoteris_read_9489155.reg
2006-03-30 23:25 3,329,446 ----a-w c:\documents and settings\Kevin\neoteris_read_27832.reg
2006-02-27 02:56 3,326,036 ----a-w c:\documents and settings\Joseph\neoteris_read_6386542.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\IEShow.exe" [2007-11-01 61440]
"BDAgent"="c:\program files\BitDefender\bdagent.exe" [2008-09-18 368640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

c:\documents and settings\Joseph\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
???\WkDetect.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a------ 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-11 20:43 7630848 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-08-11 20:43 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-15 11:36 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 16:23 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 17:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-08 18:49 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-04 13:55 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 20:43 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lost planet extreme condition\\LostPlanetDX9.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lost planet extreme condition\\LostPlanetDX10.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-09 24652]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 jgameenp;jgameenp;\??\c:\docume~1\Ryan\LOCALS~1\Temp\jgameenp.sys []
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\DRIVERS\vnetusbl.sys [2004-03-09 108032]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\DRIVERS\netusbxp.sys [2006-10-04 72576]
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\w36meml8.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\firefox\plugins\npViewpoint.dll
FF - plugin: f:\firefox\plugins\npvirtools.dll
FF - plugin: f:\firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 16:01:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\snmp.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\vsserv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-12-22 16:04:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 21:04:53

Pre-Run: 5,759,987,712 bytes free
Post-Run: 5,619,621,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

322 --- E O F --- 2008-12-21 14:44:58
  • 0

#5
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Hi storm -

Few things:

I see you're using or have in the past used p2p software such as LimeWire. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people can and quite often do upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs; you don't have to remove them to be deemed clean, and we'll still give you help if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs that's fine with me; all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel.

Also in the Add/Remove Programs menu, please uninstall anything that says Viewpoint (Viewpoint Media Player, Viewpoint Manager, etc.). Finally, I see you have Spybot S&D installed. While Spybot was once top of the line, it's not very effective anymore. Since you have SAS, which is a far superior antispyware app, I would recommend you remove Spybot. You'll still have more than adequate protection from BitDefender and ZoneAlarm.

So in summary you should uninstall Viewpoint, Spybot if you choose, and any p2p apps you wish to remove.

Next:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
File::
c:\windows\system32\bdaC.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000 

SysRst::
Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed, the log should appear automatically; if it doesn't, it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Just need the CF log in your next reply, let me know what you decided to uninstall, and an update on the PC in general - how's it running?

Cheers,
Dave :)

Edited by Transience, 22 December 2008 - 06:35 PM.

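As an added example (my own code, not ComboFix's and not anything Dave posted): a small Python triage helper that parses lines in the "Files Created" layout of the ComboFix logs in this thread, flags entries the way a helper scans for them (here: unexplained .tmp files in system32, as with bdaC.tmp above), and renders the candidates in the CFScript File:: layout for review. The heuristics, the SETxxx.tmp exclusion and the sample bdaC.tmp line are constructed assumptions, not anything ComboFix itself does.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One line of a ComboFix "Files Created from ... to ..." section, in the
# layout seen in this thread (created " . " modified, size or <DIR>, attrs, path):
#   2008-12-22 10:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbam.sys
#   2008-12-22 21:17 . 2008-12-22 21:17 <DIR> d-------- c:\program files\ERUNT
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>\S.*?)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Assumption: SETxxx.tmp files under system32 are staged copies left behind by
# Windows servicing (the log above shows several dated like the KB updates), so
# the ".tmp in system32" heuristic skips them rather than flagging every .tmp.
SERVICING_TMP_RE = re.compile(r"^SET[0-9A-F]+\.tmp$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    is_dir: bool
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; return None for separators and headers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], TS_FMT),
        modified=datetime.strptime(m["modified"], TS_FMT),
        is_dir=m["size"] is None,
        size=int(m["size"].replace(",", "")) if m["size"] else 0,
        attrs=m["attrs"],
        path=m["path"],
    )


def parse_section(text: str) -> List[Entry]:
    """Parse a whole pasted section, silently skipping the '.' and header lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review_reasons(e: Entry) -> List[str]:
    """Why an entry deserves a second look; an empty list means no flag.

    These are hints for a human reviewer, not a malware verdict.
    """
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    in_system32 = e.path.lower().startswith(SYSTEM32)
    if in_system32 and e.name.lower().endswith(".tmp") and not SERVICING_TMP_RE.match(e.name):
        reasons.append("unexplained .tmp file in system32 (cf. bdaC.tmp in this thread)")
    if in_system32 and re.search(r"\.tmp\.dll$", e.name, re.IGNORECASE):
        reasons.append("double extension .tmp.dll in system32; confirm its origin")
    return reasons


def flagged_paths(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries if review_reasons(e)]


def build_cfscript(paths: List[str]) -> str:
    """Render candidate deletions in the CFScript 'File::' layout used above.

    The output is for the helper to review, not to be run unread.
    """
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: three lines copied from the log in this thread plus one
# constructed line for bdaC.tmp, the file the helper's CFScript removes.
SAMPLE_SECTION = r"""
2008-12-22 10:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 19:07 . 2008-12-20 19:07 <DIR> d-------- c:\program files\ERUNT
2008-11-30 11:51 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1D7.tmp
2008-12-22 09:30 . 2008-12-22 09:30 12,288 --a------ c:\windows\system32\bdaC.tmp
"""

if __name__ == "__main__":
    found = parse_section(SAMPLE_SECTION)
    for entry in found:
        for reason in review_reasons(entry):
            print(f"{entry.path}: {reason}")
    print(build_cfscript(flagged_paths(found)))
```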

#6
storm92jk

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I uninstalled everything that you recommended. I had Limewire for a bit but I uninstalled it a long time ago, so I got rid of the files now. The PC seems to run normally from what I can remember, but the only thing right now that I noticed is that before the welcome screen comes up, it says "Please Wait..." for a couple of seconds, then the log on screen comes on. But all in all, the computer seems normal.

ComboFix 08-12-21.04 - Joseph 2008-12-22 21:28:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.602 [GMT -5:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Joseph\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\bdaC.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bdaC.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-22 21:17 . 2008-12-22 21:17 <DIR> d-------- c:\documents and settings\Joseph\Application Data\SUPERAntiSpyware.com
2008-12-22 21:17 . 2008-12-22 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-22 15:46 . 2008-12-22 15:52 <DIR> d-------- C:\ComboFix
2008-12-22 12:50 . 2008-12-22 12:50 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-22 10:16 . 2008-12-22 12:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:16 . 2008-12-22 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 19:07 . 2008-12-20 19:07 <DIR> d-------- c:\program files\ERUNT
2008-12-20 17:39 . 2008-12-22 18:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-09 22:14 . 2008-12-09 22:14 <DIR> d-------- c:\documents and settings\Kevin\Application Data\acccore
2008-12-09 22:13 . 2008-12-09 22:13 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-09 22:12 . 2008-12-09 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-09 22:11 . 2008-12-09 22:11 <DIR> d-------- c:\program files\Common Files\AOL
2008-12-09 22:11 . 2008-12-09 22:13 <DIR> d-------- c:\program files\AIM6
2008-12-09 22:11 . 2008-12-09 22:11 13,440,584 --a------ c:\temp\Install_AIM(3).exe
2008-12-09 22:07 . 2008-12-09 22:07 13,440,584 --a------ c:\temp\Install_AIM(2).exe
2008-12-09 22:01 . 2008-12-09 22:01 13,440,584 --a------ c:\temp\Install_AIM.exe
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\system32\en
2008-12-04 19:49 . 2008-12-20 18:47 <DIR> d-------- c:\windows\l2schemas
2008-12-04 19:37 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-30 11:51 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1D7.tmp
2008-11-30 11:50 . 2008-04-13 19:11 2,843,136 --a------ c:\windows\system32\SET2BB.tmp
2008-11-30 11:49 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET3D6.tmp
2008-11-30 11:02 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-30 00:36 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-30 00:36 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-30 00:36 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-30 00:36 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-30 00:36 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-30 00:36 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-30 00:36 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-30 00:36 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-30 00:36 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-30 00:35 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-30 00:35 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-30 00:35 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-29 17:43 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-29 15:42 . 2008-11-29 17:46 <DIR> d-------- c:\documents and settings\Joseph\.housecall6.6
2008-11-29 09:14 . 2008-11-29 09:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitDefender
2008-11-29 09:09 . 2008-11-29 15:27 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 02:30 81,984 ----a-w c:\windows\system32\bdod.bin
2008-12-23 02:21 --------- d-----w c:\program files\BitDefender
2008-12-23 02:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-23 02:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-23 02:14 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 20:46 13,590,427 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-20 14:42 --------- d-----w c:\documents and settings\Joseph\Application Data\Xfire
2008-12-16 02:16 147,584 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 02:16 12,234,784 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-10 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-07 03:06 2,865,152 ----a-w c:\windows\Internet Logs\xDB35.tmp
2008-11-29 02:12 2,832,896 ----a-w c:\windows\Internet Logs\xDB34.tmp
2008-11-29 01:16 2,833,920 ----a-w c:\windows\Internet Logs\xDB33.tmp
2008-11-29 00:05 31 ----a-w c:\documents and settings\Ryan\jagex_runescape_preferences.dat
2008-11-28 23:43 --------- d-----w c:\program files\Steam
2008-11-17 02:09 --------- d-----w c:\program files\Real
2008-11-09 00:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-09 00:14 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-09 00:14 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-09 00:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 00:05 --------- d-----w c:\program files\Game Cam V2
2008-11-08 19:14 --------- d-----w c:\documents and settings\Ryan\Application Data\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-11 17:23 59,680 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_10_11_13_15_40_small.dmp.zip
2008-10-11 17:23 54,934 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_10_11_13_15_37_small.dmp.zip
2008-10-05 16:27 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 00:27 2,731,520 ----a-w c:\windows\Internet Logs\xDB32.tmp
2008-09-14 16:12 24 ----a-w c:\documents and settings\Joseph\jagex_runescape_preferences.dat
2008-03-18 16:46 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-03-30 23:27 3,329,446 ----a-w c:\documents and settings\Kevin\neoteris_read_9489155.reg
2006-03-30 23:25 3,329,446 ----a-w c:\documents and settings\Kevin\neoteris_read_27832.reg
2006-02-27 02:56 3,326,036 ----a-w c:\documents and settings\Joseph\neoteris_read_6386542.reg
.

((((((((((((((((((((((((((((( snapshot@2008-12-22_16.04.14.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-23 02:14:47 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
- 2008-12-22 15:26:56 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-23 02:17:43 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-12-22 15:26:56 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-12-23 02:17:43 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-12-23 02:21:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg
2007-07-13 20:42 15990724 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174432.reg

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regUsers.reg
2007-07-13 20:43 7190453 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174433.reg

2008-04-13 19:12 26624 c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2008-04-13 19:12 26624 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173096.dll
2008-04-13 19:12 26624 {1ED0A523-A651-4045-963D-AD21C798177A}\RP290\A0174535.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\fmodex.dll
2008-11-19 11:52 353280 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174296.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Microsoft.VC90.CRT\msvcm90.dll
2007-11-06 20:23 224768 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174298.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Microsoft.VC90.CRT\msvcp90.dll
2007-11-07 01:19 568832 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174299.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Microsoft.VC90.CRT\msvcr90.dll
2007-11-07 01:19 655872 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174300.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Microsoft.VC90.MFC\mfc90.dll
2007-11-07 01:19 1156600 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174301.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Microsoft.VC90.MFC\mfcm90.dll
2007-11-06 22:51 59904 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174302.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\rgdx.dll
2008-11-19 11:54 1200128 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174304.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\rggl.dll
2008-11-19 11:53 541184 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174305.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\rgmain.dll
2008-11-19 11:54 4969984 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174306.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\rgpar.dll
2008-11-19 11:54 103424 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174307.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\Roblox.exe
2008-11-28 19:10 381544 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174308.exe

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\RobloxApp.exe
2008-11-26 13:20 7204480 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174309.exe

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\RobloxProxy.dll
2008-11-19 13:54 83064 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174310.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\SciLexer.dll
2008-11-19 11:58 340992 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174311.dll

c:\documents and settings\Ryan\Local Settings\Application Data\RobloxVersions\version-05e5113378c344b1\tbb.dll
2008-11-19 11:58 217600 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174312.dll

c:\program files\Adobe\Security Update\HotFix64.exe
2008-06-07 02:25 54272 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174325.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173126.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173127.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173128.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173129.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173125.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173131.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9401\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173132.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173140.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173141.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173142.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173143.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173139.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173145.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9402\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173146.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173377.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173378.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173379.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173380.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173376.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173382.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9557\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173383.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173388.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173389.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173390.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173391.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173387.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173394.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9558\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173395.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174281.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174282.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174283.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174284.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174280.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174286.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9559\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174287.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\avxdisk.dll
2008-06-21 14:14 53248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174314.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\avxs.dll
2002-01-14 13:49 10240 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174315.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\avxt.dll
2002-01-14 13:49 27136 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174316.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\bdc.exe
2006-10-28 22:06 92160 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174317.exe

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\bdcore.dll
2008-09-18 18:29 102400 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174313.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\bdupd.dll
2005-09-03 10:28 77824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174319.dll

c:\program files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_9560\libfn.dll
2007-06-13 00:02 178176 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174320.dll

c:\program files\Spybot - Search & Destroy\advcheck.dll
2007-05-23 12:13 693848 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174431.dll

c:\program files\Spybot - Search & Destroy\aports.dll
2005-05-31 00:04 28672 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174430.dll

c:\program files\Spybot - Search & Destroy\blindman.exe
2005-05-31 00:04 47256 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174429.exe

c:\program files\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 00:04 22528 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174428.dll

c:\program files\Spybot - Search & Destroy\delphimm.dll
2005-05-31 00:04 15872 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174426.dll

c:\program files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
2005-05-31 00:04 48640 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174417.dll

c:\program files\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 00:04 853672 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174424.dll

c:\program files\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 00:04 4393096 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174423.exe

c:\program files\Spybot - Search & Destroy\TeaTimer.exe
2005-05-31 00:04 1415824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174422.exe

c:\program files\Spybot - Search & Destroy\Tools.dll
2007-07-31 12:06 622928 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174421.dll

c:\program files\Spybot - Search & Destroy\unins000.exe
2007-07-13 20:39 649378 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174435.exe

c:\program files\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 00:04 122368 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174420.dll

c:\program files\Spybot - Search & Destroy\Update.exe
2005-05-31 00:04 417408 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174419.exe

c:\program files\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 00:04 139776 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174418.dll

c:\program files\Viewpoint\Common\ViewpointService.exe
2007-01-04 16:38 24652 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174446.exe

c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
2008-02-06 19:58 262214 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174485.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
2007-03-13 10:25 217158 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174483.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
2007-06-07 10:12 217158 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174482.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
2004-02-20 15:17 57344 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174480.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
2004-02-20 15:17 81978 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174479.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
2004-02-20 14:57 413746 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174478.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
2004-02-20 15:17 86016 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174477.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
2004-02-20 15:11 192559 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174476.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
2004-02-20 14:47 122928 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174475.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
2004-02-20 15:04 196656 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174474.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
2004-02-20 14:49 204848 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174473.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
2004-02-20 15:11 163889 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174472.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
2007-07-26 20:47 1282120 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174471.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
2004-02-20 15:12 53302 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174470.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
2004-02-20 15:08 659501 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174469.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
2004-02-20 15:10 606256 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174468.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
2004-02-20 15:17 1093678 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174467.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
2004-02-20 15:17 57344 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174466.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
2004-02-20 15:16 229423 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174465.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
2004-02-20 15:15 630830 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174464.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
2004-02-20 14:48 53299 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174463.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
2004-02-20 15:04 217134 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174462.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
2008-02-06 19:57 114688 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174458.exe

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\AOLUserShell.dll
2006-10-11 14:22 413766 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174457.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\Cursors.dll
2006-10-11 14:19 36864 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174456.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
2006-10-11 14:10 122948 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174455.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\Mts3Reader.dll
2006-10-11 14:10 204868 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174454.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
2007-03-13 10:25 1282120 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174453.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
2006-10-11 14:15 774210 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174452.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
2006-10-11 14:18 725057 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174451.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VETScriptInterpreter.dll
2006-10-11 14:16 725070 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174450.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPSpeech.dll
2006-10-11 14:22 249923 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174449.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPVideo2.dll
2006-10-11 14:21 770115 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174448.dll

c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
2007-04-16 12:07 180293 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174447.dll

c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustCall64.dll
2008-12-22 18:03 42248 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0173428.dll

c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCall.dll
2008-12-22 18:03 27912 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0173429.dll

c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla.dll
2008-12-22 18:03 73728 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0173430.dll

c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla1.dll
2008-12-22 18:03 83296 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0173431.dll

c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
2008-02-10 16:22 295606 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174437.exe

2008-12-22 21:17 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2008-12-22 10:26 18944 {1ED0A523-A651-4045-963D-AD21C798177A}\RP289\A0174516.exe

2008-12-22 21:17 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2008-12-22 10:26 65024 {1ED0A523-A651-4045-963D-AD21C798177A}\RP289\A0174517.exe

c:\windows\system32\_005694_.tmp.dll
2006-08-17 07:28 132096 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173223.dll

c:\windows\system32\_005695_.tmp.dll
2004-08-04 02:56 146432 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173224.dll

c:\windows\system32\_005696_.tmp.dll
2004-08-04 02:56 101888 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173225.dll

c:\windows\system32\_005697_.tmp.dll
2008-09-15 06:57 1846016 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173226.dll

c:\windows\system32\_005704_.tmp.dll
2004-12-07 14:32 96768 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173227.dll

c:\windows\system32\_005705_.tmp.dll
2004-07-17 13:48 22040 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173228.dll

c:\windows\system32\_005706_.tmp.dll
2004-08-04 02:56 50688 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173229.dll

c:\windows\system32\_005707_.tmp.dll
2004-08-04 00:56 983552 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173230.dll

c:\windows\system32\_005709_.tmp.dll
2004-08-04 02:56 108032 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173231.dll

c:\windows\system32\_005710_.tmp.dll
2007-04-25 09:21 144896 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173232.dll

c:\windows\system32\_005713_.tmp.dll
2004-08-04 02:56 415744 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173233.dll

c:\windows\system32\_005714_.tmp.dll
2004-08-04 02:56 64000 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173234.dll

c:\windows\system32\_005716_.tmp.dll
2004-08-04 02:56 58880 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173235.dll

c:\windows\system32\_005717_.tmp.dll
2004-08-04 02:56 61440 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173236.dll

c:\windows\system32\_005718_.tmp.dll
2004-08-04 02:56 657920 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173237.dll

c:\windows\system32\_005720_.tmp.dll
2004-08-04 02:56 236544 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173238.dll

c:\windows\system32\_005721_.tmp.dll
2004-08-04 02:56 560640 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173239.dll

c:\windows\system32\_005723_.tmp.dll
2005-07-25 23:39 37888 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173240.dll

c:\windows\system32\_005724_.tmp.dll
2007-12-04 13:38 550912 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173241.dll

c:\windows\system32\_005728_.tmp.dll
2004-08-04 02:56 8192 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173242.dll

c:\windows\system32\_005729_.tmp.dll
2004-08-04 02:56 708096 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173243.dll

c:\windows\system32\_005731_.tmp.dll
2004-08-04 02:56 129536 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173244.dll

c:\windows\system32\_005734_.tmp.dll
2007-11-07 04:26 721920 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173245.dll

c:\windows\system32\_005737_.tmp.dll
2004-08-04 02:56 341504 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173246.dll

c:\windows\system32\_005738_.tmp.dll
2004-07-17 13:48 249270 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173247.dll

c:\windows\system32\_005739_.tmp.dll
2004-08-04 02:56 13824 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173248.dll

c:\windows\system32\_005740_.tmp.dll
2007-04-16 10:52 984576 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173249.dll

c:\windows\system32\_005741_.tmp.dll
2004-08-04 02:56 144384 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173250.dll

c:\windows\system32\_005744_.tmp.dll
2006-05-19 07:59 111616 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173251.dll

c:\windows\system32\_005745_.tmp.dll
2004-08-04 02:56 135168 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173252.dll

c:\windows\system32\_005746_.tmp.dll
2004-08-04 02:56 32768 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173253.dll

c:\windows\system32\_005747_.tmp.dll
2004-08-04 02:56 276992 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173254.dll

c:\windows\system32\_005748_.tmp.dll
2006-08-25 10:45 617472 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173255.dll

c:\windows\system32\_005753_.tmp.dll
2004-08-04 02:56 616960 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173256.dll

c:\windows\system32\_005755_.tmp.dll
2004-08-04 02:56 2897920 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173257.dll

c:\windows\system32\_005756_.tmp.dll
2004-08-04 02:56 382464 {1ED0A523-A651-4045-963D-AD21C798177A}\RP287\A0173258.dll

c:\windows\system32\drivers\hjdi.sys
2008-12-22 14:50 61440 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173116.sys

c:\windows\system32\drivers\svchost.exe
2008-12-15 19:56 49152 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173112.exe

c:\windows\system32\drivers\TDSSmhxt.sys
2008-12-19 10:03 60416 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173110.sys

c:\windows\system32\TDSScfum.dll
2008-12-19 10:03 73728 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173111.dll

c:\windows\system32\TDSSfxwp.dll
2008-12-22 10:15 2710 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173113.dll

c:\windows\system32\TDSSnrsr.dll
2008-12-19 10:03 29696 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173108.dll

c:\windows\system32\TDSSofxh.dll
2008-12-19 10:03 35840 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173107.dll

c:\windows\system32\TDSSriqp.dll
2008-12-19 10:03 31232 {1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173109.dll

2006-06-05 14:14 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
2006-06-05 14:14 479232 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174404.dll

2006-06-05 14:14 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
2006-06-05 14:14 548864 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174403.dll

2006-06-05 14:14 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
2006-06-05 14:14 626688 {1ED0A523-A651-4045-963D-AD21C798177A}\RP288\A0174405.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="f:\super anti spyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\IEShow.exe" [2007-11-01 61440]
"BDAgent"="c:\program files\BitDefender\bdagent.exe" [2008-09-18 368640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Joseph\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\super anti spyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 f:\super anti spyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
???\WkDetect.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a------ 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-11 20:43 7630848 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-08-11 20:43 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-15 11:36 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 16:23 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 17:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-08 18:49 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-04 13:55 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 20:43 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"MDM"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"e:\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lost planet extreme condition\\LostPlanetDX9.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lost planet extreme condition\\LostPlanetDX10.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;\??\f:\super anti spyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\f:\super anti spyware\SASKUTIL.sys [2008-12-04 55024]
R3 SASENUM;SASENUM;\??\f:\super anti spyware\SASENUM.SYS [2008-12-04 7408]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 jgameenp;jgameenp;\??\c:\docume~1\Ryan\LOCALS~1\Temp\jgameenp.sys []
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\DRIVERS\vnetusbl.sys [2004-03-09 108032]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\DRIVERS\netusbxp.sys [2006-10-04 72576]
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\w36meml8.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\firefox\plugins\npvirtools.dll
FF - plugin: f:\firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 21:30:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
f:\super anti spyware\SASWINLO.dll
.
Completion time: 2008-12-22 21:32:00
ComboFix-quarantined-files.txt 2008-12-23 02:31:58
ComboFix2.txt 2008-12-22 21:05:00

Pre-Run: 5,319,307,264 bytes free
Post-Run: 5,368,668,160 bytes free

599 --- E O F --- 2008-12-21 14:44:58

#7 storm92jk (Topic Starter, New Member, 7 posts)
Ok, I think I'm still not clean. Today Bitdefender detected and deleted trojan.TDss.AB and backdoor.Generic.119186.

#8 Transience (Retired Staff, Unofficial Music Guru, 2,448 posts)
Let's run some final in-depth scans; these will root out any orphans left undetected:

1. ATF Cleaner

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here or here.

Double-click mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so and allow MBAM to finish.

3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum in your next reply.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky and give me an update on how the PC is running now.

- Dave

#9 storm92jk (Topic Starter, New Member, 7 posts)
MBAM Log


Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/23/2008 8:51:36 PM
mbam-log-2008-12-23 (20-51-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 232613
Time elapsed: 1 hour(s), 42 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173110.sys (Trojan.TDSS) -> Quarantined and deleted successfully.


Kaspersky Log


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 13:01:28
Records in database: 1509397
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\

Scan statistics:
Files scanned: 184583
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:30:39


File name / Threat name / Threats count
C:\Documents and Settings\Raechel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-71a97046.zip Infected: Exploit.Java.Gimsh.a 1

The selected area was scanned.


Everything seems to be fine about the computer except it has restarted randomly on 2 other users of the computer, once for each. It hasn't restarted randomly on me yet. I believe that for one of the users, it is the game that he plays because the computer always seems to restart after he plays that game for a while. Also I think when I did all the back ups from the thread that you are supposed to read first, the malware got backed up along with it, and I believe that is what Bitdefender is detecting. The location is C:/System Volume Information.

P.S. - Happy Holidays :)

Edited by storm92jk, 24 December 2008 - 05:06 PM.


#10 Transience (Retired Staff, Unofficial Music Guru, 2,448 posts)
Hi storm -

A very happy holiday to you too :).

I believe that for one of the users, it is the game that he plays because the computer always seems to restart after he plays that game for a while.

Odd about the random restarts... I would chalk it up to the regular hiccups you get with the PC now and then, unless it seems like there's something specific that triggers it each time or it starts happening more often.

Also I think when I did all the back ups from the thread that you are supposed to read first, the malware got backed up along with it, and I believe that is what Bitdefender is detecting. The location is C:/System Volume Information.

You're absolutely right. C:\System Volume Information is the location of the System Restore cache. System Restore can't tell the difference between good and bad files, so it backs up everything. A lot of the time our scans detect files in System Restore, but they aren't anything to worry about unless you actually restore your PC. We'll clean out all your restore points and set a new clean one in a minute.

I believe that for one of the users, it is the game that he plays because the computer always seems to restart after he plays that game for a while.

If you'd like, you can start a topic in the games forum here at Geeks to Go; somebody over there will likely be able to help you figure out the issue.

As for your log, the good news is you're clean!

We have a couple last things to take care of and then you're good to go.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
Clean System Restore

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Proper use of antivirus and firewall
Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure nothing has slipped through your protection. Once a week works well for most people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Finally, for a great tutorial on how to get the best protection out of your firewall, visit this link.

Safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

Being generally careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in a vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Here are some other excellent tools for increasing your PC security:
SpywareBlaster: An excellent protection tool that targets a great many specific malware infections to stop them from installing.
MVPS Hosts File: Changes the windows hosts file to redirect your computer away from a huge number of dangerous websites if it ever tries to access any of them.
IE-SPYAD: Adds thousands of malware domains to the IE restricted zone to stop your computer from accessing them.
ATF Cleaner: Cleans unnecessary temporary files from your computer, run regularly to save disk space and keep your computer performing smoothly.
McAfee SiteAdvisor: A great firefox add-on that puts McAfee's database of tested sites at your fingertips so you can know whether or not that link you're about to click is safe.

Updates
Along with keeping all of the programs above that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and keep you safe. You can update them at this site if they don't automatically install for you: http://www.windowsupdate.com. If you have automatic updates, you should always install them as soon as possible, that extra time is worth it over getting infected from an exploit and having to clean your PC again.

And finally, see TonyKlein's good advice (recently rewritten by our own admin Kat) which reinforces and extends on some of the above concepts:
So how did I get infected in the first place?

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave
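The point made in the reply above, that a detection inside C:\System Volume Information is a restore-point copy rather than an active file, worked as an added example that is not part of this thread and not code from any of the tools named in it: a small Python triage script that parses the "Files Infected:" section of a Malwarebytes-style log and the Kaspersky report table, classifies each detection as a restore-point copy, a cached download, or a live file, and returns a verdict. The sample log lines are constructed from the ones posted in this thread; the "cache" rule and the verdict names are this example's own assumptions.

```python
"""Triage scanner detections by where the flagged file lives (added example).

Assumptions (not from the thread's tools): the log formats are the
Malwarebytes 'Files Infected:' section and the Kaspersky Online Scanner
'File name / Threat name / Threats count' table as posted in the thread;
the 'cache' rule and the verdict names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample logs, built from the lines posted in this thread.
MBAM_LOG = r"""Files Infected: 1

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1ED0A523-A651-4045-963D-AD21C798177A}\RP286\A0173110.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

KASPERSKY_LOG = r"""File name / Threat name / Threats count
C:\Documents and Settings\Raechel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-71a97046.zip Infected: Exploit.Java.Gimsh.a 1

The selected area was scanned.
"""

# Constructed 'active infection' sample: the TDSS driver path listed in the
# ComboFix log above, written as a Malwarebytes-style detection line.
CONSTRUCTED_ACTIVE_LOG = r"""Files Infected:
C:\WINDOWS\system32\drivers\TDSSmhxt.sys (Trojan.TDSS) -> Delete on reboot.
"""


@dataclass
class Detection:
    scanner: str
    path: str
    threat: str
    location: str  # "restore_point", "cache" or "live"


# System Restore snapshot layout seen in the logs above:
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
_RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\",
    re.IGNORECASE,
)
# Passive download caches that JavaRa / ATF Cleaner empty (assumed rule).
_CACHE_RE = re.compile(
    r"\\Sun\\Java\\Deployment\\cache\\|\\Temporary Internet Files\\",
    re.IGNORECASE,
)
_MBAM_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$"
)
_KAV_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)


def classify_location(path: str) -> str:
    """Restore-point copies and cache entries are inert until restored or re-run."""
    if _RESTORE_RE.search(path):
        return "restore_point"
    if _CACHE_RE.search(path):
        return "cache"
    return "live"


def parse_mbam(text: str) -> List[Detection]:
    """Collect detection lines under the 'Files Infected:' section header."""
    found, in_section = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Files Infected:":   # section header ('Files Infected: 1' is the summary)
            in_section = True
            continue
        if in_section and line == "":   # a blank line closes the section
            in_section = False
        if in_section:
            m = _MBAM_LINE.match(line)
            if m:
                found.append(Detection("MBAM", m["path"], m["threat"],
                                       classify_location(m["path"])))
    return found


def parse_kaspersky(text: str) -> List[Detection]:
    """Collect '<path> Infected: <threat> <count>' rows from the report table."""
    found = []
    for line in text.splitlines():
        m = _KAV_LINE.match(line.strip())
        if m:
            found.append(Detection("Kaspersky", m["path"], m["threat"],
                                   classify_location(m["path"])))
    return found


def triage(detections: List[Detection]) -> Dict[str, object]:
    """'active' needs removal; 'housekeeping' means clear restore points and caches."""
    by_loc: Dict[str, List[Detection]] = {"live": [], "restore_point": [], "cache": []}
    for d in detections:
        by_loc[d.location].append(d)
    if by_loc["live"]:
        verdict = "active"
    elif by_loc["restore_point"] or by_loc["cache"]:
        verdict = "housekeeping"
    else:
        verdict = "clean"
    return {"verdict": verdict, **by_loc}


if __name__ == "__main__":
    result = triage(parse_mbam(MBAM_LOG) + parse_kaspersky(KASPERSKY_LOG))
    print(result["verdict"])  # housekeeping: one restore-point copy, one Java cache entry
    for loc in ("live", "restore_point", "cache"):
        for d in result[loc]:
            print(f"  [{loc}] {d.scanner}: {d.threat} at {d.path}")
```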

#11 storm92jk (Topic Starter, New Member, 7 posts)
Alright thanks for helping me! It has been a pleasure working with you too. I'd love to make a donation but I do not have any money at the moment, but I want to give you a big thanks! Farewell.

#12 Transience (Retired Staff, Unofficial Music Guru, 2,448 posts)
It's okay, donations are gratefully accepted but not required by any means. Your thanks are more than enough; it's been a pleasure working with you too :).

Cheers,
Dave