HijackThis Log W/ Computer Problems

Thread Solved

crunchie (Moderator), post #11, Jan 5th, 2008
Give it a try and see what happens. At worst, I imagine you will have to do a system restore if it's still the same after.

RobertDeCosmo, post #12, Jan 5th, 2008
Mkay, well, I should be able to do that tonight; if not, I'll get back at it tomorrow.

RobertDeCosmo, post #13, Jan 5th, 2008
Well, nothing better to do at 1:47 AM, so here we go. Once I put this up I'll reboot and see if I can get in normally; if not, well, then it's a system restore, and I'm guessing go back a day, fix what broke and not undo a lot of work already done. But I'll wait for your go to be 100% sure if we've got to do one :o


OK here is ComboFix


ComboFix 08-01-04.1 - Ed 2008-01-05 1:38:00.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.221 [GMT -5:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt

FILE
C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\SYSTEM32\1691481241.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 18:13 . 2008-01-04 18:13 <DIR> d--h----- C:\Documents and Settings\All Users\WLANProfiles
2008-01-04 18:12 . 2008-01-04 18:12 17,801 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AegisP.sys
2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-04 17:39 . 2008-01-04 18:09 <DIR> d-------- C:\Intel
2008-01-04 16:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 15:28 . 2008-01-04 15:28 2 --a------ C:\B.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\C.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\A.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\9.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\2.tmp
2008-01-03 17:23 . 2008-01-03 17:23 2 --a------ C:\5.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\8.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\7.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\6.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\3.tmp
2008-01-02 16:03 . 2008-01-02 16:04 <DIR> d-------- C:\ERDNT
2007-12-31 14:53 . 2007-12-31 14:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-31 14:43 . 2007-12-31 14:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-12-31 12:20 . 2007-12-31 14:37 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-31 12:17 . 2007-12-31 15:05 <DIR> d-------- C:\Program Files\Symantec
2007-12-31 11:56 . 2007-12-31 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-31 10:32 . 2007-12-31 10:32 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft
2007-12-31 10:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-31 10:31 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-12-30 22:24 . 2007-12-30 17:55 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-30 18:49 . 2007-12-30 19:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-30 17:54 . 2007-12-30 22:37 <DIR> d-------- C:\Documents and Settings\Ed\.housecall6.6
2007-12-30 17:08 . 2007-12-30 17:08 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-12-30 15:05 . 2007-12-30 15:05 60,968 --a------ C:\Documents and Settings\Ed\GoToAssistDownloadHelper.exe
2007-12-30 14:53 . 2007-12-30 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 <DIR> d-------- C:\Program Files\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 60,968 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-30 13:32 . 2007-12-30 13:32 76,576 --a------ C:\WINDOWS\SYSTEM32\GDIPFONTCACHEV1.DAT
2007-12-30 13:12 . 2006-02-28 07:00 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-12-30 13:12 . 2006-02-28 07:00 113,222 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zoneclim.dll
2007-12-30 13:12 . 2006-02-28 07:00 41,029 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zcorem.dll
2007-12-30 13:12 . 2006-02-28 07:00 36,937 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zclientm.exe
2007-12-30 13:12 . 2006-02-28 07:00 29,760 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\znetm.dll
2007-12-30 13:12 . 2006-02-28 07:00 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-12-30 13:12 . 2006-02-28 07:00 13,894 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zonelibm.dll
2007-12-30 13:12 . 2006-02-28 07:00 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\write.exe
2007-12-30 13:12 . 2006-02-28 07:00 4,677 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zeeverm.dll
2007-12-30 13:10 . 2006-02-28 07:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-12-30 13:09 . 2006-02-28 07:00 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-12-30 13:08 . 2006-02-28 07:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-12-30 13:07 . 2006-02-28 07:00 1,817,687 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bckgres.dll
2007-12-30 13:06 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-30 13:02 . 2006-02-28 07:00 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mnmsrvc.exe
2007-12-30 13:00 . 2006-02-28 07:00 140,800 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sessmgr.exe
2007-12-30 13:00 . 2006-02-28 07:00 126,464 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmiapsrv.exe
2007-12-30 13:00 . 2006-02-28 07:00 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msdtc.exe
2007-12-30 12:54 . 2006-02-28 07:00 168,806 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\startoc.cat
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,209 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn7.cat
2007-12-30 12:54 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET89.tmp
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 11,651 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn9.cat
2007-12-30 12:54 . 2006-02-28 07:00 7,382 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-12-30 11:07 . 2007-12-30 11:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-30 10:37 . 2007-12-30 10:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 07:40 . 2008-01-05 01:32 0 --a------ C:\WINDOWS\MEMORY.DMP
2007-12-30 00:15 . 2007-12-30 00:15 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 23:23 . 2007-12-29 23:59 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com
2007-12-29 23:23 . 2007-12-29 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 19:12 . 2007-12-31 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 18:59 . 2007-12-29 18:59 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2007-12-29 17:04 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-12-29 17:00 . 2007-12-29 17:00 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-29 16:14 . 2007-12-29 16:14 <DIR> d-------- C:\Program Files\Broadcom
2007-12-29 16:12 . 2003-03-17 22:03 966,656 --a------ C:\WINDOWS\SYSTEM32\W70MLRES.DLL
2007-12-29 16:10 . 1999-05-07 13:24 645,616 --a------ C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
2007-12-29 16:10 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-12-29 16:10 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\SYSTEM32\COMCT332.OCX
2007-12-29 16:10 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2007-12-29 16:10 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2007-12-29 16:10 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Program Files\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-29 13:24 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-29 13:24 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-29 13:24 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-29 13:24 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-29 13:24 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-29 13:24 . 2007-12-29 20:24 1,450 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-29 11:04 . 2006-02-28 07:00 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-12-29 10:49 . 2006-02-28 07:00 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2007-12-29 10:49 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET80.tmp
2007-12-29 10:49 . 2006-02-28 07:00 13,753 -ra------ C:\WINDOWS\SET53.tmp
2007-12-29 10:49 . 2006-02-28 07:00 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-12-29 10:48 . 2006-02-28 07:00 1,042,903 -ra------ C:\WINDOWS\SET46.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 23:12 --------- d-----w C:\Program Files\Intel
2007-12-31 18:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-31 17:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-31 17:20 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-12-31 17:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-31 17:20 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-31 03:53 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-31 03:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 00:22 --------- d-----w C:\Program Files\AIM
2007-12-29 21:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 12:20 --------- d-----w C:\Program Files\Apoint
2007-12-29 06:16 --------- d-----w C:\Program Files\AWS
2007-12-29 06:16 --------- d-----w C:\Documents and Settings\Ed\Application Data\Rex-Services
2007-12-27 20:05 --------- d-----w C:\Documents and Settings\Ed\Application Data\Symantec
2007-12-27 16:38 --------- d-----w C:\Program Files\QuickTime
2007-12-25 19:10 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2007-12-10 16:23 --------- d-----w C:\Documents and Settings\Ed\Application Data\MSN6
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-25 03:37 --------- d-----w C:\Program Files\Tribeca Labs
2007-11-12 23:50 --------- d-----w C:\Documents and Settings\Ed\Application Data\Move Networks
2007-11-10 22:39 76,576 ----a-w C:\Documents and Settings\Ed\Application Data\GDIPFONTCACHEV1.DAT
2005-03-10 17:28 0 ----a-w C:\Documents and Settings\Ed\Upgrade.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\SYSTEM\wmscrop.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-04_16.16.36.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-18 05:27:00 345,512 ----a-w C:\WINDOWS\Downloaded Program Files\MSDcode.dll
+ 2008-01-04 23:13:00 40,960 ----a-r C:\WINDOWS\Installer\{74C9DFA1-338F-4bf3-B317-99A9EC8EF9A6}\PROSet.56285FC4_11A9_11D6_8473_00902745D287.exe
- 2003-06-20 11:56:06 184,320 ----a-w C:\WINDOWS\SYSTEM32\1XConfig.exe
+ 2006-08-03 08:14:14 389,186 ----a-w C:\WINDOWS\SYSTEM32\1XConfig.exe
- 2003-06-20 12:09:04 450,560 ----a-w C:\WINDOWS\SYSTEM32\AdHocWiz.exe
+ 2006-08-03 08:23:12 450,560 ----a-w C:\WINDOWS\SYSTEM32\AdHocWiz.exe
- 2003-06-20 12:00:50 204,800 ----a-w C:\WINDOWS\SYSTEM32\C1XStngs.dll
+ 2006-08-03 08:15:16 528,453 ----a-w C:\WINDOWS\SYSTEM32\C1XStngs.dll
+ 2006-08-03 08:14:18 69,632 ----a-w C:\WINDOWS\SYSTEM32\D8021Xps.dll
- 2003-06-20 11:54:04 10,970 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\s24trans.sys
+ 2006-08-03 18:11:32 10,970 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\s24trans.sys
- 2003-06-11 10:06:44 2,477,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\w70n51.sys
+ 2003-06-11 11:06:44 2,477,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\w70n51.sys
- 2003-07-31 14:17:16 417,792 ----a-w C:\WINDOWS\SYSTEM32\IntelAE5.dll
+ 2005-07-05 05:55:26 1,396,841 ----a-w C:\WINDOWS\SYSTEM32\IntelAE5.dll
- 2003-06-20 12:03:28 110,592 ----a-w C:\WINDOWS\SYSTEM32\LgNotify.dll
+ 2006-08-03 08:20:40 188,482 ----a-w C:\WINDOWS\SYSTEM32\LgNotify.dll
- 2002-12-04 15:57:00 651,264 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
+ 2005-01-13 08:00:10 651,264 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
+ 2006-08-03 08:24:08 45,124 ----a-w C:\WINDOWS\SYSTEM32\LsaWrApi.dll
- 2003-06-20 11:55:00 217,088 ----a-w C:\WINDOWS\SYSTEM32\PfMgrApi.dll
+ 2006-08-03 08:15:50 327,748 ----a-w C:\WINDOWS\SYSTEM32\PfMgrApi.dll
+ 2006-08-03 08:24:58 20,480 ----a-w C:\WINDOWS\SYSTEM32\PfMgrTool.exe
- 2003-06-20 12:03:22 389,120 ----a-w C:\WINDOWS\SYSTEM32\PfWizard.exe
+ 2006-08-03 08:20:36 430,080 ----a-w C:\WINDOWS\SYSTEM32\PfWizard.exe
- 2003-06-20 12:09:38 192,512 ----a-w C:\WINDOWS\SYSTEM32\Pn802_11.dll
+ 2006-08-03 08:23:32 217,152 ----a-w C:\WINDOWS\SYSTEM32\Pn802_11.dll
- 2003-06-20 11:59:58 794,624 ----a-w C:\WINDOWS\SYSTEM32\PsGuiMgr.dll
+ 2006-08-03 08:18:54 942,147 ----a-w C:\WINDOWS\SYSTEM32\PsGuiMgr.dll
- 2003-06-20 11:54:30 167,936 ----a-w C:\WINDOWS\SYSTEM32\PsRegApi.dll
+ 2006-08-03 08:13:38 172,032 ----a-w C:\WINDOWS\SYSTEM32\PsRegApi.dll
+ 2006-08-03 08:13:32 122,880 ----a-w C:\WINDOWS\SYSTEM32\RegSrvc.exe
+ 2003-03-18 03:01:22 966,656 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\W20MLRes.dll
+ 2008-01-04 22:40:31 409,667 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\W20NCPA.dll
+ 2008-01-04 22:40:32 674,560 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\w70n51.sys
+ 2003-11-03 12:55:00 32,768 ----a-r C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\w70n5msg.dll
+ 2006-08-03 08:16:08 426,051 ----a-w C:\WINDOWS\SYSTEM32\S24EvMon.exe
- 2003-06-20 11:55:28 69,632 ----a-w C:\WINDOWS\SYSTEM32\S24MUDLL.DLL
+ 2006-08-03 08:16:12 81,920 ----a-w C:\WINDOWS\SYSTEM32\S24MUDLL.DLL
- 2002-12-15 06:43:40 30,938 ----a-w C:\WINDOWS\SYSTEM32\s24NCfg.dll
+ 2004-02-22 19:34:00 30,938 ----a-w C:\WINDOWS\SYSTEM32\s24NCfg.dll
- 2003-06-20 12:10:16 192,512 ----a-w C:\WINDOWS\SYSTEM32\SbrngAPI.dll
+ 2006-08-03 08:24:06 262,144 ----a-w C:\WINDOWS\SYSTEM32\SbrngAPI.dll
- 2003-06-20 11:55:06 49,152 ----a-w C:\WINDOWS\SYSTEM32\SbrngSvc.exe
+ 2006-08-03 08:15:56 49,152 ----a-w C:\WINDOWS\SYSTEM32\SbrngSvc.exe
+ 2006-08-03 08:16:54 139,264 ----a-w C:\WINDOWS\SYSTEM32\ShellNav.dll
- 2002-12-15 06:43:40 53,248 ----a-w C:\WINDOWS\SYSTEM32\SMSUnins.dll
+ 2004-02-22 19:35:00 65,536 ----a-w C:\WINDOWS\SYSTEM32\SMSUnins.dll
- 2002-12-04 15:57:00 147,456 ----a-w C:\WINDOWS\SYSTEM32\ssleay32.dll
+ 2005-01-13 08:00:14 147,456 ----a-w C:\WINDOWS\SYSTEM32\ssleay32.dll
- 2003-01-20 21:01:00 78,096 ----a-w C:\WINDOWS\SYSTEM32\TPIDI32.dll
+ 2004-02-22 19:35:00 78,096 ----a-w C:\WINDOWS\SYSTEM32\TPIDI32.dll
- 2003-01-20 21:01:00 142,256 ----a-w C:\WINDOWS\SYSTEM32\TPIDITST.exe
+ 2004-02-22 19:35:00 142,256 ----a-w C:\WINDOWS\SYSTEM32\TPIDITST.exe
- 2003-01-19 21:49:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\w70n5msg.dll
+ 2003-01-19 22:49:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\w70n5msg.dll
- 2003-06-20 11:56:40 475,136 ----a-w C:\WINDOWS\SYSTEM32\WConfig.dll
+ 2006-08-03 08:16:46 532,567 ----a-w C:\WINDOWS\SYSTEM32\WConfig.dll
- 2003-06-20 11:55:40 110,592 ----a-w C:\WINDOWS\SYSTEM32\WiFiAdap.dll
+ 2006-08-03 08:16:20 110,592 ----a-w C:\WINDOWS\SYSTEM32\WiFiAdap.dll
- 2003-06-20 12:01:48 258,048 ----a-w C:\WINDOWS\SYSTEM32\WLANDLL.dll
+ 2006-08-03 08:19:42 253,952 ----a-w C:\WINDOWS\SYSTEM32\WLANDLL.dll
- 2003-06-20 12:01:12 356,352 ----a-w C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
+ 2006-08-03 08:19:18 639,040 ----a-w C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-12-28 23:07 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-28 21:58 2778112]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2006-08-03 03:19 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-07-07 06:08 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-02-28 07:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-30 14:52 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2006-08-03 03:20 188482 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uae48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^Photobot.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\Photobot.lnk
backup=C:\WINDOWS\pss\Photobot.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sp_rssrv"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)
"WANMiniportService"=2 (0x2)
"RasMan"=3 (0x3)
"ImapiService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2007-12-29 01:55]
S2 init_3b0c-6b44;init_3b0c-6b44;C:\WINDOWS\System32\init_3b0c-6b44.sys []
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2002-11-08 14:13]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 00:06:26 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-29 20:49:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 01:40:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 1:41:06
ComboFix-quarantined-files.txt 2008-01-05 06:40:40
ComboFix2.txt 2008-01-04 21:17:35
.
2008-01-05 00:41:53 --- E O F ---



And now a HijackThis. This one is in safe mode, and I can get a normal one once we get back into normal Windows.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:13 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5633 bytes

RobertDeCosmo, post #14, Jan 5th, 2008
OK, well, I tried to system restore; it only let me take it back a day and that still wouldn't let me boot it up in normal mode, so I thought it may have had something to do with updating the wireless card's drivers, so I rolled them back and now I'm in normal mode, so I'll get you a new HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:57 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6126 bytes

crunchie
#15
Jan 5th, 2008
Are you still having problems? I don't see anything in those logs now.

RobertDeCosmo
#16
Jan 5th, 2008
It seems fine, but AVG and some others still pick some things up.

crunchie
#17
Jan 5th, 2008
Have you updated AVG and run it in safe mode? What and where are these 'things?'

RobertDeCosmo
#18
Jan 5th, 2008
Viruses, malware, worms.... Here is something that EMCO Malware Destroyer is picking up, which, if I remember, we should have deleted already.

Quarantine EDWARD NMC.DOWNLOADER.HARNIG TROJAN

Quarantine EDWARD NMC.DOWNLOADER.LUNII TROJAN

Quarantine EDWARD NMC.HARNIG WORM

RobertDeCosmo
#19
Jan 5th, 2008
Detailed Info

[EXISTS_REGKEYVALUE_HKLM]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[EXISTS_REGKEY_HKCR]=\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}
[EXISTS_FILE]=%winsys%\wintime.exe
[EXISTS_FILE]=%winsys%\secure32.txt
[EXISTS_FILE]=%win%\seksdialer.exe


Don't know if this helps, but I'll say the files are NOT being deleted.

[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[HKCR_KEY]=\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}
[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion[VALUE]=ShellServiceObjectDelayLoadSystem
[FILE_DEL]=%winsys%\secure32.txt
[FILE_DEL]=%win%\system.exe
[FILE_DEL]=%winsys%\system32.dll
[FILE_DEL]=%win%\desktop.exe
[FILE_DEL]=%win%\toolbar.exe
[FILE_DEL]=%win%\mstasks1.exe
[FILE_DEL]=%win%\mstasks2.exe
[FILE_DEL]=%win%\seksdialer.exe
[FILE_DEL]=%winsys%\wintime.exe
[FILE_DEL]=%winsys%\dkdial.exe
[FILE_DEL]=%winsys%\dial32.exe
[FILE_DEL]=%win%\Web\desktop.html

crunchie
#20
Jan 5th, 2008
See if you can track down the files and manually delete them. I see some there that were definitely deleted by combofix.
I know nothing about the EMCO program you have and as such, do not know if it is giving any false positives.
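
One way to do the tracking-down suggested in post #20, as an added example that is not part of the thread or of any tool mentioned in it: it parses the EMCO detail lines quoted in post #19 and reports which flagged files are actually on disk and which detections are registry entries to check by hand. It assumes `%win%` means the Windows directory and `%winsys%` its system32 folder, and that the bracketed tags mean what their names suggest; the function names are hypothetical.

```python
import os
import re

# Lines copied from the EMCO output quoted in post #19 (one duplicate kept on purpose).
SAMPLE = r"""
[EXISTS_REGKEYVALUE_HKLM]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[EXISTS_REGKEY_HKCR]=\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}
[EXISTS_FILE]=%winsys%\wintime.exe
[FILE_DEL]=%winsys%\secure32.txt
[FILE_DEL]=%win%\seksdialer.exe
[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
"""

LINE = re.compile(r"^\[(?P<tag>[A-Z_]+)\]=(?P<body>.*?)(?:\[VALUE\]=(?P<value>.*))?$")

def parse(text):
    """Return de-duplicated (kind, location, value) indicators in first-seen order."""
    seen, out = set(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tag, body, value = m.group("tag", "body", "value")
        if "FILE" in tag:
            item = ("file", body, None)
        else:
            hive = next((h for h in ("HKLM", "HKCR", "HKCU") if h in tag), "?")
            item = ("registry", hive + body, value)
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out

def expand(path, windir=r"C:\WINDOWS"):
    """Assumption: %win% is the Windows directory, %winsys% its system32 folder."""
    for token, real in (("%winsys%", windir + r"\system32"), ("%win%", windir)):
        if path.lower().startswith(token):
            return real + path[len(token):]
    return path

def triage(text, windir=r"C:\WINDOWS", exists=os.path.exists):
    """Sort indicators into files on disk, files not found, and registry items."""
    report = {"present": [], "absent": [], "registry": []}
    for kind, loc, value in parse(text):
        if kind == "registry":
            report["registry"].append((loc, value))
        else:
            full = expand(loc, windir)
            report["present" if exists(full) else "absent"].append(full)
    return report

if __name__ == "__main__":
    for group, items in triage(SAMPLE).items():
        print(group, items)
```

If every flagged file lands under `absent`, the scanner is most likely reacting to leftover registry entries rather than live files.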
©2003 - 2009 DaniWeb® LLC