Google redirecting trouble

February 24, 2009 at 18:33:06
Specs: Windows XP
Hello,
I'm having the same trouble that others are having with Google. In both IE and Firefox I am redirected to other pages. I've seen that the first step is running Malwarebytes' Anti-Malware; I will post the log after it is done. Thanks!




#1
February 24, 2009 at 18:37:11
Here is the Malware LOG:

Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 2

2/24/2009 8:31:57 PM
mbam-log-2009-02-24 (20-31-57).txt

Scan type: Quick Scan
Objects scanned: 65681
Time elapsed: 10 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#2
February 24, 2009 at 18:37:55
Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#3
February 24, 2009 at 18:40:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:30 PM, on 2/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\providerComcast\bin\tgsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\windows\nfra.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JMari\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.net/registration/di/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0D929918-C804-4756-B0AC-640EF3F061E9} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {35e071a3-dc0d-4ce4-b7fd-8e021a6045d4} - (no file)
O2 - BHO: (no name) - {4264A51F-7482-43BA-A25D-B1050149741F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8F840F6D-85F3-4622-B021-B537AD5820C3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [nfra] c:\windows\nfra.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/c...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/f...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712...
er/install/installer.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: seystz.dll,c:\windows\system32\zodosamo.dll psmmrp.dll
O20 - Winlogon Notify: urqQiJAT - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe

--
End of file - 11493 bytes




#4
February 24, 2009 at 20:22:12
anybody know what to do next?


#5
February 24, 2009 at 20:51:26
I think I ran into this same problem. The malicious file is:

c:\windows\nfra.exe

Some webpages are auto-installing it onto people's machines, just seemed to start happening this evening. It copies an executable into the windows directory, updates the registry to auto-run it, and tries to start sending information out over the internet. It also directs Internet Explorer to redirect to port 7070 through some kind of proxy set-up.

I deleted the executable and am going to try to hand-edit the registry entries as described below.

I found some details here:
http://www.threatexpert.com/report....

Here is what it is doing:
Memory Modifications

There were new processes created in the system:
Process Name Process Filename Main Module Size
nfra.exe %Windir%\nfra.exe 40,960 bytes
[filename of the sample #1] [file and pathname of the sample #1] 40,960 bytes


Registry Modifications

The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyServer = "http=localhost:7070"
ProxyEnable = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyServer = "http=localhost:7070"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
nfra = "%Windir%\nfra.exe"

so that nfra.exe runs every time Windows starts

The following Registry Value was modified:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000001



#6
February 24, 2009 at 21:00:22
Follow up - I edited the registry entries described below to remove the new entries and to flip ProxyEnable back to 0, and now Internet Explorer is working again. So that seems to be the solution.

I imagine this will be big news tomorrow. I caught this virus by visiting a well-established news site (theAtlantic.com) and it installed right onto my machine without my choosing to download any files or do anything stupid. I only realized it was there when my firewall announced that something called NFRA.EXE was trying to access the internet to send out information. God knows what the little b---tard was really up to.

Delete the executable, modify those registry entries, and you should be fine.


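Triage of a HijackThis log for the indicators that #3, #5 and #6 turned on (a ProxyServer pointing at the loopback, an autostart entry and a running process straight out of the Windows directory, AppInit_DLLs and Winlogon Notify entries, orphaned BHOs), as an added example that is not code from the thread or from HijackThis. The sample log is a constructed excerpt modelled on the one posted in #3, and the allowlist of programs that legitimately live in the Windows root is an assumption of this example.

```python
"""Triage a HijackThis v2 log for the indicators this thread turned on."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, int, str]  # (severity, 1-based log line, explanation)

# Constructed excerpt in HijackThis v2 format, modelled on the log in #3 (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\nfra.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [nfra] c:\windows\nfra.exe
O20 - AppInit_DLLs: seystz.dll,c:\windows\system32\zodosamo.dll psmmrp.dll
O20 - Winlogon Notify: urqQiJAT - C:\WINDOWS\
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LOOPBACK = ("localhost", "127.0.0.1", "::1")
# Assumed allowlist: programs that legitimately live directly in the Windows directory.
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

# An .exe placed straight into <drive>:\windows\ with no subfolder, the way nfra.exe was.
WINDIR_EXE = re.compile(r'^[a-z]:\\windows\\([^\\\s"]+\.exe)$', re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - .*?\\Run(?:Once)?: \[[^\]]*\]\s*(?P<target>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - \(no file\)$")


def exe_from_command(command: str) -> str:
    """Pull the program path out of a Run value such as '"C:\\a b\\c.exe" /r' or 'c:\\windows\\x.exe -q'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def windir_root_exe(path: str) -> Optional[str]:
    """Executable name if `path` is an .exe directly under the Windows directory and not allowlisted."""
    m = WINDIR_EXE.match(path.strip())
    if m is None or m.group(1).lower() in WINDIR_ALLOWLIST:
        return None
    return m.group(1)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings; entry types without a rule are left alone."""
    findings: List[Finding] = []
    in_processes = False
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            exe = windir_root_exe(line)
            if exe:
                findings.append(("high", lineno, f"process {exe} is running directly from the Windows directory"))
            continue
        if line.startswith(("R0 ", "R1 ")):
            m = PROXY_RE.search(line)
            if m and any(host in m.group("value").lower() for host in LOOPBACK):
                findings.append(("high", lineno, f"browser proxy forced to a local listener ({m.group('value')}); "
                                 "every HTTP request can be rewritten before it leaves the machine"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = windir_root_exe(exe_from_command(m.group("target")))
            if exe:
                findings.append(("high", lineno, f"autostart entry launches {exe} from the Windows directory"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            dlls = [d for d in re.split(r"[,\s]+", m.group("dlls")) if d]
            findings.append(("high", lineno, f"AppInit_DLLs injects {len(dlls)} DLL(s) into every GUI process: {', '.join(dlls)}"))
            continue
        m = NOTIFY_RE.match(line)
        if m and m.group("path").endswith("\\"):
            findings.append(("medium", lineno, f"Winlogon Notify package {m.group('name')} points at a directory, not a DLL"))
            continue
        m = BHO_RE.match(line)
        if m:
            findings.append(("info", lineno, f"orphaned BHO {m.group('clsid')}: registered but no file on disk"))
    return findings


if __name__ == "__main__":
    for severity, lineno, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] line {lineno:3}: {why}")
```

Run against the full log from #3 it flags the same four lines the thread zeroed in on (the ProxyServer entry, nfra.exe in the process list and in HKCU Run, the AppInit_DLLs and Winlogon Notify entries) while leaving the Symantec, Google and Intel entries alone.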

#7
February 25, 2009 at 05:10:09
Thanks.

Not sure how comfortable I am editing the reg files, but I will try it after work if no other help is posted.

In the meantime, I have the ComboFix logs and the Kaspersky log if they need to be posted.



#8
February 25, 2009 at 14:02:42
Tried all of that and it didn't work, my internet connection got hijacked and I had to go in and reset the proxy.

Still looking for help if anyone is out there. My internet is an important part of my work and this virus is not helping.



#9
February 25, 2009 at 14:20:35
Go to Start > Run > type in notepad, then click OK > click Format > uncheck "Word Wrap" > exit Notepad.

Your Java is out of date and may have been exploited.
Download the latest version of Java from this link: Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

ComboFix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run ComboFix do the following:
1. Go offline, turn off your Norton antivirus, Spybot, Windows Defender and any other realtime antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#10
February 25, 2009 at 14:51:26
Ok, found the JRE download, about to do the combofix...be back ASAP


#11
February 25, 2009 at 15:45:54
Can't post the log for some reason. The page keeps going blank every time I try.


#12
February 25, 2009 at 18:36:06
Try posting it in segments; it may be too large to post in one post. If that doesn't work, try to PM me with it... to do that just click Private Message at the bottom of one of my posts.


#13
February 25, 2009 at 19:56:59
ComboFix 09-02-25.02 - JMari 2009-02-25 17:26:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.731 [GMT -6:00]
Running from: c:\documents and settings\JMari\Desktop\toolb.exe.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2100-04-01 16:22 . 2009-01-25 20:17 194 --a------ c:\windows\X83_DS.ini
2100-02-24 13:15 . 2001-04-02 15:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 15:09 . 2001-02-16 14:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2009-02-25 17:19 . 2009-02-25 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-25 17:19 . 2009-02-25 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-25 15:31 . 2009-02-25 15:31 <DIR> d-------- c:\program files\Uniblue
2009-02-25 15:31 . 2009-02-25 15:31 <DIR> d-------- c:\documents and settings\JMari\Application Data\Uniblue
2009-02-25 15:31 . 2009-02-25 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-25 15:29 . 2009-02-25 15:31 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-02-25 14:24 . 2008-04-04 19:01 91,520 --a------ c:\windows\system32\drivers\SysPlant.sys
2009-02-25 14:23 . 2009-02-25 14:24 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-25 14:23 . 2009-02-25 14:24 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-25 14:23 . 2009-02-25 14:24 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-25 14:23 . 2009-02-25 14:24 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-25 07:02 . 2009-02-25 07:02 1,374 --a------ c:\windows\imsins.BAK
2009-02-24 18:39 . 2009-02-24 18:39 0 --a------ c:\windows\system32\nfr.assembly
2009-02-21 23:51 . 2009-02-21 23:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Zylom
2009-02-07 15:34 . 2009-02-08 01:03 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-02-07 15:34 . 2009-02-07 15:35 <DIR> d-------- c:\documents and settings\JMari\Application Data\MozillaControl
2009-02-07 15:34 . 2009-02-07 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-02-07 15:33 . 2009-02-07 15:33 <DIR> d-------- c:\program files\VideoLAN
2009-02-07 15:32 . 2009-02-08 01:03 <DIR> d-------- c:\program files\Graboid
2009-01-28 14:11 . 2009-02-24 20:57 <DIR> d-------- c:\documents and settings\JMari\Application Data\Hoyle Puzzle and Board Games
2009-01-27 18:33 . 2009-01-27 18:33 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 23:18 --------- d-----w c:\program files\Java
2009-02-25 22:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-25 21:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-25 20:32 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-25 20:30 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-25 20:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-25 20:24 --------- d-----w c:\program files\Symantec
2009-02-25 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-25 01:20 --------- d-----w c:\program files\EA GAMES
2009-02-25 01:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 07:23 --------- d-----w c:\documents and settings\JMari\Application Data\Hoyle
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-28 20:22 --------- d-----w c:\documents and settings\JMari\Application Data\Hoyle FaceCreator
2009-01-28 20:07 --------- d-----w c:\program files\Encore
2009-01-26 03:35 --------- d-----w c:\program files\Common Files\DataViz
2009-01-26 02:34 --------- d-----w c:\program files\IObit
2009-01-26 02:34 --------- d-----w c:\documents and settings\JMari\Application Data\IObit
2009-01-26 02:17 --------- d-----w c:\program files\LexmarkX83
2009-01-26 02:04 --------- d-----w c:\program files\QuickTime
2009-01-26 01:53 --------- d-----w c:\program files\SimPE
2009-01-25 23:03 --------- d-----w c:\program files\SystemRequirementsLab
2009-01-25 23:02 --------- d-----w c:\documents and settings\JMari\Application Data\SystemRequirementsLab
2009-01-24 22:36 44,944 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-01-24 03:28 --------- d-----w c:\program files\Google
2009-01-21 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-21 05:29 --------- d-----w c:\documents and settings\JMari\Application Data\Move Networks
2009-01-21 02:44 149,760 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-01-14 23:09 --------- d-----w c:\program files\Play+Smile
2009-01-13 11:51 --------- d-----w c:\documents and settings\JMari\Application Data\GetRightToGo
2009-01-07 05:03 --------- d-----w c:\program files\Executive Software
2009-01-07 04:43 --------- d-----w c:\program files\LimeWire
2009-01-07 04:43 --------- d-----w c:\documents and settings\JMari\Application Data\DeepBurner
2009-01-07 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-07 04:38 --------- d-----w c:\documents and settings\JMari\Application Data\Software Informer
2009-01-07 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-07 04:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-12-30 23:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 23:16 --------- d-----w c:\program files\Common Files\iS3
2008-12-30 22:42 --------- d-----w c:\program files\Sector 69
2008-12-28 08:51 --------- d-----w c:\program files\DivX
2008-12-28 04:35 278,528 ----a-w c:\windows\system32\livesnth.dll
2008-12-28 04:35 203,776 ----a-w c:\windows\system32\clrviddc.dll
2008-12-28 04:31 --------- d-----w c:\program files\Real
2008-12-28 04:31 --------- d-----w c:\program files\Common Files\xing shared
2008-12-28 04:31 --------- d-----w c:\program files\Common Files\Real
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-05 00:04 560 ----a-w c:\documents and settings\JMari\Application Data\ViewerApp.dat
2001-06-20 22:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2008-09-23 14:54 24,576 --sha-w c:\windows\system32\kofidutu.dll
.



#14
February 25, 2009 at 19:57:54
((((((((((((((((((((((((((((( SnapShot@2009-02-24_22.11.31.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\$hf_mig$\KB967715\SP3GDR\shell32.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2009-02-25 20:25:16 21,446 ----a-r c:\windows\Installer\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\ARPPRODUCTICON.exe
- 2008-12-12 07:20:17 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-25 13:04:44 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-12 07:20:18 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-25 13:04:45 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-12 07:20:18 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-25 13:04:44 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-12 07:20:18 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-02-25 13:04:45 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-12-12 07:20:18 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-25 13:04:45 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-12 07:20:18 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-25 13:04:45 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-12 07:20:18 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-25 13:04:45 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-12 07:20:18 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-25 13:04:45 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-12 07:20:18 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-25 13:04:45 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-12 07:20:18 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-25 13:04:45 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-12 07:20:18 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-25 13:04:45 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-12 07:20:17 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-25 13:04:44 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2003-03-19 03:05:50 89,088 ----a-w c:\windows\system32\atl71.dll
+ 2006-11-01 02:24:10 89,088 ----a-w c:\windows\system32\atl71.dll
- 2006-09-02 21:36:33 466,944 ----a-w c:\windows\system32\capicom.dll
+ 2007-08-12 02:05:27 511,328 ----a-w c:\windows\system32\capicom.dll
- 2006-09-28 01:35:04 34,600 ----a-w c:\windows\system32\cba.dll
+ 2008-04-05 01:03:08 34,288 ----a-w c:\windows\system32\cba.dll
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2007-10-26 03:34:01 8,460,288 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:03:29 8,460,800 -c--a-w c:\windows\system32\dllcache\shell32.dll
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-07-30 23:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys
+ 2008-03-22 01:14:24 279,088 ----a-w c:\windows\system32\drivers\srtsp.sys
+ 2008-03-22 01:14:24 317,616 ----a-w c:\windows\system32\drivers\srtspl.sys
+ 2008-03-22 01:14:24 43,696 ----a-w c:\windows\system32\drivers\srtspx.sys
- 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
- 2006-08-07 21:01:56 12,992 -c--a-w c:\windows\system32\drivers\symdns.sys
+ 2007-10-31 02:55:14 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
- 2006-08-07 21:02:02 110,784 -c--a-w c:\windows\system32\drivers\symfw.sys
+ 2007-10-31 02:55:20 145,968 ----a-w c:\windows\system32\drivers\symfw.sys
- 2006-08-07 21:02:18 31,936 -c--a-w c:\windows\system32\drivers\symids.sys
+ 2007-10-31 02:55:28 39,856 ----a-w c:\windows\system32\drivers\symids.sys
- 2006-08-07 21:02:14 28,352 -c--a-w c:\windows\system32\drivers\symndis.sys
+ 2007-10-31 02:55:24 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
+ 2007-10-31 02:55:44 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
- 2006-08-07 21:02:22 24,768 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2007-10-31 02:55:34 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
- 2006-08-07 21:02:26 195,776 ----a-w c:\windows\system32\drivers\symtdi.sys
+ 2007-10-31 02:55:38 191,536 ----a-w c:\windows\system32\drivers\symtdi.sys
+ 2008-03-12 21:19:50 49,536 ----a-w c:\windows\system32\drivers\Teefer2.sys
+ 2008-04-04 08:45:34 38,632 ----a-w c:\windows\system32\drivers\WGX.SYS
+ 2008-04-05 00:59:46 40,832 ----a-w c:\windows\system32\drivers\WPSDRVnt.sys
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-04-05 00:55:52 48,000 ----a-w c:\windows\system32\FwsVpn.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2007-07-12 06:22:00 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-02-25 23:18:50 144,792 ----a-w c:\windows\system32\java.exe
- 2007-07-12 06:22:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-25 23:18:50 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-07-12 07:22:38 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-25 23:18:50 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ------w c:\windows\system32\jsproxy.dll
- 2006-09-28 01:35:04 83,696 ----a-w c:\windows\system32\loc32vc0.dll
+ 2008-04-05 01:03:10 83,384 ----a-w c:\windows\system32\loc32vc0.dll
- 2003-03-19 03:20:00 1,060,864 ----a-w c:\windows\system32\mfc71.dll
+ 2007-03-22 02:39:00 1,060,864 ----a-w c:\windows\system32\MFC71.DLL
+ 2009-02-12 02:56:18 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2006-09-28 01:35:06 46,896 ----a-w c:\windows\system32\msgsys.dll
+ 2008-04-05 01:03:10 46,584 ----a-w c:\windows\system32\msgsys.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\system32\mstime.dll
- 2003-03-19 02:14:52 499,712 ----a-w c:\windows\system32\msvcp71.dll
+ 2007-03-22 02:33:00 503,808 ----a-w c:\windows\system32\MSVCP71.DLL
- 2003-02-21 10:42:22 348,160 ----a-w c:\windows\system32\msvcr71.dll
+ 2007-03-22 02:33:00 348,160 ----a-w c:\windows\system32\MSVCR71.DLL
- 2006-09-28 01:35:06 83,752 ----a-w c:\windows\system32\nts.dll
+ 2008-04-05 01:03:10 91,632 ----a-w c:\windows\system32\nts.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\occache.dll
- 2006-09-28 01:35:08 83,752 ----a-w c:\windows\system32\pds.dll
+ 2008-04-05 01:03:12 83,440 ----a-w c:\windows\system32\pds.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-10-26 03:34:01 8,460,288 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\system32\shell32.dll
- 2007-07-27 15:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-08-07 21:02:32 534,208 ----a-w c:\windows\system32\SymNeti.dll
+ 2007-10-31 02:55:50 625,032 ----a-w c:\windows\system32\SymNeti.dll
- 2006-08-07 21:02:30 161,472 ----a-w c:\windows\system32\SymRedir.dll
+ 2007-10-31 02:55:48 242,056 ----a-w c:\windows\system32\SymRedir.dll
+ 2008-04-05 00:58:40 107,904 ----a-w c:\windows\system32\SymVPN.dll
+ 2008-04-05 00:58:44 357,760 ----a-w c:\windows\system32\sysfer.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2007-10-29 10:04:03 350,720 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2009-02-25 23:19:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2ac.dat
+ 2009-02-25 23:17:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2c4.dat
+ 2009-02-25 23:17:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a48.dat
.


#15
February 25, 2009 at 19:57:58
It's a browser hijacker virus; you should remove it manually.
http://darfuns.com/remove-google-se...


#16
February 25, 2009 at 19:58:45
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 151,552 2003-08-21 01:24:04 c:\program files\Apoint\bak\Apoint.exe
----a-w 0 2007-10-21 15:01:16 c:\program files\Apoint\Apoint.exe

-c--a-w 335,872 2003-10-30 16:15:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

-c--a-w 155,648 2003-02-13 06:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 0 2007-10-21 15:02:44 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

-c--a-w 52,896 2006-07-20 00:26:04 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 115,560 2008-02-01 07:25:38 c:\program files\Common Files\Symantec Shared\ccApp.exe

-c--a-w 171,464 2007-08-29 15:09:40 c:\program files\DAEMON Tools\bak\daemon.exe

-c--a-w 204,800 2003-09-23 16:23:24 c:\program files\Dell\Media Experience\bak\PCMService.exe

-c--a-w 49,152 2006-12-11 02:52:38 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 0 2007-10-21 15:05:12 c:\program files\HP\HP Software Update\HPWuSchd2.exe

-c--a-w 86,016 2003-05-28 22:32:40 c:\program files\Intel\NCS\PROSet\bak\PRONoMgr.exe
----a-w 135,168 2005-06-27 14:31:14 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

-c--a-w 132,496 2007-07-12 09:00:36 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

-c--a-w 57,344 2003-08-19 10:43:46 c:\program files\Lexmark X1100 Series\bak\lxbkbmgr.exe
----a-w 0 2007-10-21 15:04:30 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

-c--a-w 53,248 2001-06-14 17:42:26 c:\program files\LexmarkX83\bak\AcBtnMgr_X83.exe
----a-w 0 2007-10-21 15:03:15 c:\program files\LexmarkX83\AcBtnMgr_X83.exe

-c--a-w 40,960 2001-10-18 15:25:18 c:\program files\LexmarkX83\bak\ACMonitor_X83.exe
----a-w 0 2007-10-21 15:02:59 c:\program files\LexmarkX83\ACMonitor_X83.exe

-c--a-w 156,160 2006-11-02 16:21:18 c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\bak\ReminderApp.exe

-c--a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\qttask.exe

-c--a-w 125,168 2006-09-28 01:33:44 c:\program files\Symantec AntiVirus\bak\VPTray.exe

-c--a-w 866,584 2006-11-03 23:20:12 c:\program files\Windows Defender\bak\MSASCui.exe

-c--a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\ctfmon.exe

-c--a-w 114,741 2003-08-06 06:04:00 c:\windows\system32\dla\bak\tfswctrl.exe
----a-w 0 2007-10-21 15:02:27 c:\windows\system32\dla\tfswctrl.exe

-c--a-w 36,864 2001-10-25 18:20:09 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-10-21 0]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2007-10-21 0]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-10-21 0]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-21 0]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-10-30 531784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-10-01 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-31 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-10-30 18:52 531784 c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2008-04-24 12:25 202560 c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2007-10-21 09:04 0 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2007-10-21 09:03 0 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2007-10-21 09:02 0 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 09:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
c:\program files\MySpace\IM\MySpaceIM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
c:\program files\Picasa2\PicasaMediaDetector.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\LEXBCES.EXE"=
"c:\\WINDOWS\\system32\\ZCfgSvc.exe"=
"c:\\WINDOWS\\system32\\WDBtnMgr.exe"=
"c:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"=
"c:\\Program Files\\Common Files\\DataViz\\DvzIncMsgr.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\Corel\\Corel PhotoDownloader\\Corel Photo Downloader.exe"=
"c:\\Program Files\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfra
"7070:TCP"= 7070:TCP:nfra

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [2008-05-02 148768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-12 99376]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2006-10-05 15104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be108736-4d2f-11dd-95a0-000423a28c53}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-12 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-25 20:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.net/registration/di/
uInternet Settings,ProxyServer = http=localhost:7070
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
FF - ProfilePath - c:\documents and settings\JMari\Application Data\Mozilla\Firefox\Profiles\xhx0n8ke.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\JMari\Application Data\Mozilla\Firefox\Profiles\xhx0n8ke.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
.



#17
February 25, 2009 at 20:00:33
OK jabuck, I posted it in 3 segments.

Thanks for your help so far :)



#18
February 25, 2009 at 20:21:30
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\nfr.assembly

AWF::
c:\program files\Apoint\bak\Apoint.exe
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\DAEMON Tools\bak\daemon.exe
c:\program files\Dell\Media Experience\bak\PCMService.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Intel\NCS\PROSet\bak\PRONoMgr.exe
c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
c:\program files\Lexmark X1100 Series\bak\lxbkbmgr.exe
c:\program files\LexmarkX83\bak\AcBtnMgr_X83.exe
c:\program files\LexmarkX83\bak\ACMonitor_X83.exe
c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\bak\ReminderApp.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Symantec AntiVirus\bak\VPTray.exe
c:\program files\Windows Defender\bak\MSASCui.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\dla\bak\tfswctrl.exe
c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe

DDS::
uInternet Settings,ProxyServer = http=localhost:7070


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=-
"7070:TCP"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.


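As an added example (not part of the thread, and not ComboFix's own code), here is a check for the pattern the CFScript above removes: a WinINet ProxyServer entry pointing back at the local machine, paired with a globally opened firewall port and a disabled firewall policy. The sample log lines are constructed to mirror the relevant entries in the log above; the regexes, function names and the ProxyReport type are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the entries the CFScript in this thread targets:
# a WinINet proxy on localhost:7070 and TCP 80/7070 opened globally as "nfra".
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfra
"7070:TCP"= 7070:TCP:nfra

------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7070
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
"""

# Line shapes as ComboFix prints them (patterns written for this example).
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
OPEN_PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?P=proto):(?P<name>.*)$'
)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}


@dataclass
class ProxyReport:
    proxies: list = field(default_factory=list)     # (scheme, host, port)
    open_ports: dict = field(default_factory=dict)  # "7070/TCP" -> rule name
    firewall_disabled: bool = False
    findings: list = field(default_factory=list)


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value such as 'http=localhost:7070' or
    'localhost:7070;https=127.0.0.1:8080' into (scheme, host, port) tuples.
    Scheme is '*' when one proxy applies to every protocol; port is None
    when the value names no explicit port."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            host, port = hostport, None
        entries.append((scheme or "*", host.lower(), int(port) if port else None))
    return entries


def analyze_combofix_log(text):
    """Correlate three ComboFix log sections: the ProxyServer line, the
    GloballyOpenPorts list and the EnableFirewall value.  A proxy that points
    at this machine is the redirect mechanism; a matching open port and a
    disabled firewall are reported alongside it."""
    report = ProxyReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            report.proxies.extend(parse_proxy_value(m.group("value")))
        elif m := OPEN_PORT_RE.match(line):
            key = f"{m.group('port')}/{m.group('proto')}"
            report.open_ports[key] = m.group("name").strip()
        elif FIREWALL_OFF_RE.match(line):
            report.firewall_disabled = True

    for scheme, host, port in report.proxies:
        if host not in LOCAL_HOSTS:
            continue  # a proxy on another host (e.g. a corporate proxy) is out of scope
        msg = f"{scheme} traffic is routed through a proxy on this machine ({host}:{port})"
        key = f"{port}/TCP"
        if key in report.open_ports:
            msg += f"; {key} is globally opened in the firewall (rule '{report.open_ports[key]}')"
        report.findings.append(msg)
    if report.findings and report.firewall_disabled:
        report.findings.append("EnableFirewall is 0: the standard-profile firewall is switched off")
    return report


if __name__ == "__main__":
    for finding in analyze_combofix_log(SAMPLE_LOG).findings:
        print("FINDING:", finding)
```

Run against a real ComboFix log, a clean machine yields no findings; a proxy on another host is deliberately ignored so a legitimate corporate proxy does not trigger it.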

#19
February 26, 2009 at 06:00:26
ComboFix 09-02-25.02 - JMari 2009-02-26 7:43:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.733 [GMT -6:00]
Running from: c:\documents and settings\JMari\Desktop\toolb.exe.exe
Command switches used :: c:\documents and settings\JMari\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\nfr.assembly
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nfr.assembly

.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2100-04-01 16:22 . 2009-01-25 20:17 194 --a------ c:\windows\X83_DS.ini
2100-02-24 13:15 . 2001-04-02 15:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 15:09 . 2001-02-16 14:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2009-02-26 07:40 . 2009-02-26 07:41 <DIR> d-------- C:\32788R22FWJFW
2009-02-25 17:52 . 2009-02-25 17:52 <DIR> d-------- C:\VersalSoft
2009-02-25 17:52 . 2009-02-25 17:52 <DIR> d-------- c:\program files\VersalSoft
2009-02-25 17:52 . 2009-02-25 17:52 <DIR> d-------- c:\program files\Universal
2009-02-25 17:19 . 2009-02-25 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-25 17:19 . 2009-02-25 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-25 15:31 . 2009-02-25 15:31 <DIR> d-------- c:\program files\Uniblue
2009-02-25 15:31 . 2009-02-25 15:31 <DIR> d-------- c:\documents and settings\JMari\Application Data\Uniblue
2009-02-25 15:31 . 2009-02-25 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-25 15:29 . 2009-02-25 15:31 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-02-25 14:24 . 2008-04-04 19:01 91,520 --a------ c:\windows\system32\drivers\SysPlant.sys
2009-02-25 14:23 . 2009-02-25 14:24 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-25 14:23 . 2009-02-25 14:24 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-25 14:23 . 2009-02-25 14:24 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-25 14:23 . 2009-02-25 14:24 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-25 07:02 . 2009-02-25 07:02 1,374 --a------ c:\windows\imsins.BAK
2009-02-21 23:51 . 2009-02-21 23:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Zylom
2009-02-07 15:34 . 2009-02-08 01:03 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-02-07 15:34 . 2009-02-07 15:35 <DIR> d-------- c:\documents and settings\JMari\Application Data\MozillaControl
2009-02-07 15:34 . 2009-02-07 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-02-07 15:33 . 2009-02-07 15:33 <DIR> d-------- c:\program files\VideoLAN
2009-02-07 15:32 . 2009-02-08 01:03 <DIR> d-------- c:\program files\Graboid
2009-01-28 14:11 . 2009-02-24 20:57 <DIR> d-------- c:\documents and settings\JMari\Application Data\Hoyle Puzzle and Board Games
2009-01-27 18:33 . 2009-01-27 18:33 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 13:50 --------- d-----w c:\program files\Windows Defender
2009-02-26 13:50 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-26 13:50 --------- d-----w c:\program files\LexmarkX83
2009-02-26 13:50 --------- d-----w c:\program files\Lexmark X1100 Series
2009-02-26 13:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 13:50 --------- d-----w c:\program files\Apoint
2009-02-26 13:43 --------- d-----w c:\program files\QuickTime
2009-02-26 13:43 --------- d-----w c:\program files\DAEMON Tools
2009-02-25 23:18 --------- d-----w c:\program files\Java
2009-02-25 22:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-25 21:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-25 20:30 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-25 20:24 --------- d-----w c:\program files\Symantec
2009-02-25 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-25 01:20 --------- d-----w c:\program files\EA GAMES
2009-02-25 01:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 07:23 --------- d-----w c:\documents and settings\JMari\Application Data\Hoyle
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-28 20:22 --------- d-----w c:\documents and settings\JMari\Application Data\Hoyle FaceCreator
2009-01-28 20:07 --------- d-----w c:\program files\Encore
2009-01-26 03:35 --------- d-----w c:\program files\Common Files\DataViz
2009-01-26 02:34 --------- d-----w c:\program files\IObit
2009-01-26 02:34 --------- d-----w c:\documents and settings\JMari\Application Data\IObit
2009-01-26 01:53 --------- d-----w c:\program files\SimPE
2009-01-25 23:03 --------- d-----w c:\program files\SystemRequirementsLab
2009-01-25 23:02 --------- d-----w c:\documents and settings\JMari\Application Data\SystemRequirementsLab
2009-01-24 22:36 44,944 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-01-24 03:28 --------- d-----w c:\program files\Google
2009-01-21 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-21 05:29 --------- d-----w c:\documents and settings\JMari\Application Data\Move Networks
2009-01-21 02:44 149,760 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-01-14 23:09 --------- d-----w c:\program files\Play+Smile
2009-01-13 11:51 --------- d-----w c:\documents and settings\JMari\Application Data\GetRightToGo
2009-01-07 05:03 --------- d-----w c:\program files\Executive Software
2009-01-07 04:43 --------- d-----w c:\program files\LimeWire
2009-01-07 04:43 --------- d-----w c:\documents and settings\JMari\Application Data\DeepBurner
2009-01-07 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-07 04:38 --------- d-----w c:\documents and settings\JMari\Application Data\Software Informer
2009-01-07 04:35 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-07 04:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-12-30 23:54 --------- d-----w c:\program files\Common Files\Adobe
2008-12-30 23:16 --------- d-----w c:\program files\Common Files\iS3
2008-12-30 22:42 --------- d-----w c:\program files\Sector 69
2008-12-28 08:51 --------- d-----w c:\program files\DivX
2008-12-28 04:35 278,528 ----a-w c:\windows\system32\livesnth.dll
2008-12-28 04:35 203,776 ----a-w c:\windows\system32\clrviddc.dll
2008-12-28 04:31 --------- d-----w c:\program files\Real
2008-12-28 04:31 --------- d-----w c:\program files\Common Files\xing shared
2008-12-28 04:31 --------- d-----w c:\program files\Common Files\Real
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-05 00:04 560 ----a-w c:\documents and settings\JMari\Application Data\ViewerApp.dat
2001-06-20 22:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2008-09-23 14:54 24,576 --sha-w c:\windows\system32\kofidutu.dll
.



#20
February 26, 2009 at 06:01:05
((((((((((((((((((((((((((((( SnapShot_2009-02-25_17.29.23.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-08-06 06:04:00 114,741 -c--a-w c:\windows\system32\dla\tfswctrl.exe
+ 2001-10-25 18:20:09 36,864 -c--a-w c:\windows\system32\spool\drivers\w32x86\3\printray.exe
+ 2009-02-26 13:49:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8ec.dat
+ 2009-02-26 13:50:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f04.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-20 151552]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"InternetDownload_upgrade"="c:\program files\VersalSoft\InternetDownload\InternetDownload.exe" [2009-01-05 361472]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-10-30 531784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-10-01 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-31 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqQiJAT]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-10-30 18:52 531784 c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2008-04-24 12:25 202560 c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a--c--- 2003-08-19 04:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a--c--- 2001-06-14 11:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a--c--- 2001-10-18 09:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 09:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
--a--c--- 2006-11-02 10:21 156160 c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\LEXBCES.EXE"=
"c:\\WINDOWS\\system32\\ZCfgSvc.exe"=
"c:\\WINDOWS\\system32\\WDBtnMgr.exe"=
"c:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"=
"c:\\Program Files\\Common Files\\DataViz\\DvzIncMsgr.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\Corel\\Corel PhotoDownloader\\Corel Photo Downloader.exe"=
"c:\\Program Files\\Encore\\Hoyle Card Games 2009\\Hoyle Card Games.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [2008-05-02 148768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2006-10-05 15104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be108736-4d2f-11dd-95a0-000423a28c53}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-12 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-25 20:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{35e071a3-dc0d-4ce4-b7fd-8e021a6045d4} - (no file)
BHO-{4264A51F-7482-43BA-A25D-B1050149741F} - (no file)
BHO-{8F840F6D-85F3-4622-B021-B537AD5820C3} - (no file)
BHO-{B9B9503E-8289-4CA3-BD61-27FD823B220B} - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.net/registration/di/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download by VersalSoft Internet Download - c:\program files\VersalSoft\InternetDownload\adddownload.htm
IE: E&xport to Microsoft Excel
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
FF - ProfilePath - c:\documents and settings\JMari\Application Data\Mozilla\Firefox\Profiles\xhx0n8ke.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\JMari\Application Data\Mozilla\Firefox\Profiles\xhx0n8ke.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 07:50:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1856)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Symantec AntiVirus\SavUI.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-02-26 7:57:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 13:57:15
ComboFix2.txt 2009-02-25 23:30:52
ComboFix3.txt 2009-02-25 04:14:03

Pre-Run: 20,704,899,072 bytes free
Post-Run: 20,687,351,808 bytes free

316 --- E O F --- 2009-02-25 13:09:09



#21
February 26, 2009 at 14:12:57
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#22
February 26, 2009 at 19:18:08
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 27, 2009 00:04:15
Records in database: 1850059
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 82290
Threat name: 14
Infected objects: 61
Suspicious objects: 0
Duration of the scan: 02:15:30


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0B9C0000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0B9C0001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0B9C0002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0B9C0003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BA80000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BA80001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BA80002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BA80003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BBC0000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BBC0001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BBC0002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BBC0003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0BBC0004.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0001.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0002.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0003.VBN Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0004.VBN Infected: Trojan.Win32.Obfuscated.en 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0005.VBN Infected: Trojan.Win32.Obfuscated.en 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0006.VBN Infected: Worm.Win32.VB.an 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0006.VBN Infected: Email-Worm.VBS.Gedza 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0007.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Cached Installs\{76B2BC31-2D96-4170-9C44-09E13B5555F3}\Quarantine\0F9C0008.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340000\49B5BC6F.VBN Infected: Packed.Win32.Krap.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340001\49B5BC92.VBN Infected: Trojan.Win32.Monder.alkp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340003\49B5BCA2.VBN Infected: Trojan.Win32.Monder.aidh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340004\49B5BCA3.VBN Infected: Trojan.Win32.Monder.aidh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340005\49B5BCA3.VBN Infected: Trojan.Win32.Monder.bedi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340006\49B5BCA3.VBN Infected: Trojan.Win32.Monder.aidh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340007\49B5BCA4.VBN Infected: Trojan.Win32.Monder.bedk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340009\49B5BCA6.VBN Infected: Trojan.Win32.Monder.bedi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000A\49B5BCA7.VBN Infected: Trojan.Win32.Monder.amrr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000B\49B5BCA7.VBN Infected: Trojan.Win32.Monder.aidh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000C\49B5BCA9.VBN Infected: Trojan.Win32.Monder.apfw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000D\49B5BCB1.VBN Infected: Trojan.Win32.Monder.akko 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000E\49B5BCB1.VBN Infected: Trojan.Win32.Monder.amrr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0934000F\49B5BCB1.VBN Infected: Trojan.Win32.Monder.bedk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340010\49B5BCB2.VBN Infected: Trojan.Win32.Monder.alkp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09340011\49B5BCB2.VBN Infected: Trojan.Win32.Monder.apfw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B9C0000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B9C0001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B9C0002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B9C0003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BBC0000.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BBC0001.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BBC0002.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BBC0003.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BBC0004.VBN Infected: Trojan.Win32.Agent.bxj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0001.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0002.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0003.VBN Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0004.VBN Infected: Trojan.Win32.Obfuscated.en 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0005.VBN Infected: Trojan.Win32.Obfuscated.en 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0006.VBN Infected: Worm.Win32.VB.an 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0006.VBN Infected: Email-Worm.VBS.Gedza 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0007.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F9C0008.VBN Infected: not-a-virus:PSWTool.Win32.Messen.ad 1
C:\WINDOWS\system32\kofidutu.dll Infected: Packed.Win32.Krap.f 1

The selected area was scanned.



#23
February 26, 2009 at 20:02:47
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\kofidutu.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Empty the Norton quarantine folders.

Empty your recycle bin.

Your computer appears to be clean other than the above exceptions.


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

How is the computer operating?


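The call made in #23, that the Symantec Quarantine hits are leftovers to be emptied while only the system32 DLL is a live infection, is a triage step worth automating when a report runs to hundreds of lines. The following is an added example, not code from the thread or from any of the tools named in it. It parses report lines of the shape shown above (`<path> Infected: <verdict> <count>`), buckets each hit as quarantined, riskware (the `not-a-virus:` prefix) or live, and renders the `KILLALL::` / `File::` script block in the form given in #23 for whatever is still live. The sample lines are copied from the report posted above; the function names and the rule that a path containing `\Quarantine\` is already disarmed are my own assumptions.

```python
import re
from collections import Counter

# One detection per report line: "<path> Infected: <verdict> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)\s*$")

# Constructed sample: a few lines copied from the Kaspersky report in the
# thread, plus the trailer line that the parser must ignore.
SAMPLE_REPORT = (
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"
    "Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\0BBC0002.VBN "
    "Infected: Trojan.Win32.Agent.bxj 1\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"
    "Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\0F9C0001.VBN "
    "Infected: not-a-virus:PSWTool.Win32.Messen.ad 1\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"
    "Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\0F9C0006.VBN "
    "Infected: Worm.Win32.VB.an 1\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"
    "Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\0F9C0006.VBN "
    "Infected: Email-Worm.VBS.Gedza 1\n"
    "C:\\WINDOWS\\system32\\kofidutu.dll Infected: Packed.Win32.Krap.f 1\n"
    "\n"
    "The selected area was scanned.\n"
)


def parse_report(text):
    """Yield (path, verdict) for every detection line; skip blanks and summary text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("path"), m.group("verdict")


def classify(path, verdict):
    """Bucket a hit. Assumption: a path under another AV product's Quarantine
    directory is a disarmed container, not an active infection, whatever the
    verdict says. Riskware is recognised by Kaspersky's 'not-a-virus:' prefix."""
    if "\\quarantine\\" in path.lower():
        return "quarantined"
    if verdict.lower().startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(text):
    """Group all (path, verdict) hits by bucket."""
    buckets = {"live": [], "quarantined": [], "riskware": []}
    for path, verdict in parse_report(text):
        buckets[classify(path, verdict)].append((path, verdict))
    return buckets


def summarize(text):
    """Return what a responder acts on: live files to remove, how many
    quarantine containers are involved (one container can carry several
    verdicts, so lines and files are counted separately), and a verdict
    tally per bucket."""
    buckets = triage(text)
    return {
        "live_paths": sorted({p for p, _ in buckets["live"]}),
        "quarantined_files": len({p for p, _ in buckets["quarantined"]}),
        "quarantined_lines": len(buckets["quarantined"]),
        "verdicts": {b: Counter(v for _, v in hits) for b, hits in buckets.items()},
    }


def cfscript_for(live_paths):
    """Render the ComboFix script block in the shape shown in #23:
    KILLALL:: followed by a File:: section listing each live path."""
    if not live_paths:
        return ""
    return "KILLALL::\nFile::\n" + "\n".join(live_paths) + "\n"


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("quarantined containers:", summary["quarantined_files"])
    print("live files:", summary["live_paths"])
    print(cfscript_for(summary["live_paths"]), end="")
```

On the sample, the three `.VBN` containers account for four report lines and no live files, leaving only `kofidutu.dll` in the generated `File::` section, which matches the script jabuck posted.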

#24
February 26, 2009 at 20:32:45
Hi jabuck,

I've done all of that and my computer is running great. No longer having any problems. Thank you so much for your help.



#25
February 26, 2009 at 22:37:14
I followed the tip of Matthew and it seemed to work fine. My internet is working fine now. I also updated to IE7.
Am I clear of this C:\window\nfra.exe malware/virus thing?

Or should I be doing something else?



#26
February 27, 2009 at 03:33:50
Glad we could help.
