Internet Problem - Hijack this log

Discussion in 'Windows - Virus and spyware problems' started by twentytwo, Aug 13, 2008.

  1. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey 2oldgeek

    You missed one in the HijackThis log:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    Thanks for finishing this problem. You say Malware-bytes is really good at Vundo? How about superantispyware? Their database on vundo is getting bigger and bigger. Spybot 1.6 is said to be good at vundo as well. I don't suppose any vundo-infected victim will be willing to be a test subject :)

    Best Regards :D
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @cdavfrew

    No, I didn’t miss it… Just failed to get it into my post early this morning, (yesterday morning) before I went to bed. LOL

    Intended to go over the ComboFix Log before coming to work but was running behind and will not get a chance tonight. Maybe in the morning before I retire. : )

    There are some strange ones in here that I want to research when I get the chance..

    You notice that MBAM took out 2 of the 5 – 015 lines.. I was hoping it would get all of them : (

    Comodo BOClean has got quite a lot of the Vundo/virtumundo’s in it’s definitions also..


    @twentytwo,

    Please fix this line in HJT and it just might help your internet. That is if your not using a proxy server for anything??

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    Well, back to the grind stone. Got work to do…
     
  3. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    @2old, i deleted it. Was able to update everything! your the man!

    new hjt just incase you wanted:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:16:33 AM, on 8/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Valve\Steam\Steam.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Angela Williams\Desktop\gtrewert\pvpTool\usethis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6119 bytes
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey twentytwo,

    Well, I’m off work and this is the obvious stuff that I see..
    Let’s take care of it and then if anything else shows up, we’ll get that next trip.. ; )


    Fix entries using HiJackThis

    Launch HiJackThis
    Click the Do a system scan only button
    Put a check next to the entries listed below (if they still remain)


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} –

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)




    IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    Click the Fix checked button and close HiJackThis



    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C



    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [​IMG]


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.





    2OG
     
  5. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    done: newest logs combo fix first

    ComboFix 08-08-16.01 - Angela Williams 2008-08-17 0:15:04.5 - NTFSx86
    Running from: C:\Documents and Settings\Angela Williams\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\Angela Williams\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Angela Williams\Application Data\Microsoft\SystemCertificates\My
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@adtrgt[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@getmusicfree.aavalue[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@grouplotto.aavalue[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@jrtux[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@lwken[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@myspace[1].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@nbjmp[1].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@npvos[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@personals.yahoo[2].txt
    C:\Documents and Settings\Angela Williams\Cookies\angela williams@specificclick[2].txt
    C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
    C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
    C:\Documents and Settings\test\Application Data\Microsoft\SystemCertificates\My
    C:\Documents and Settings\test\Cookies\test@adtrgt[2].txt
    C:\Documents and Settings\test\Cookies\test@arn.aavalue[1].txt
    C:\Documents and Settings\test\Cookies\test@avsystemcare[1].txt
    C:\Documents and Settings\test\Cookies\test@avsystemcare[3].txt
    C:\Documents and Settings\test\Cookies\test@ehg.ripetv[2].txt
    C:\Documents and Settings\test\Cookies\test@lativio[2].txt
    C:\Documents and Settings\test\Cookies\test@myspace[2].txt
    C:\Documents and Settings\test\Cookies\test@pcprivacytool[1].txt

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
    .

    2008-08-15 04:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-14 23:34 . 2008-08-14 23:41 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Bioshock
    2008-08-14 04:45 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-08-14 04:45 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-08-14 04:45 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-08-14 04:45 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Malwarebytes
    2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-14 01:51 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-14 01:51 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-13 22:41 . 2008-08-13 22:41 <DIR> d--hs---- C:\found.000
    2008-08-13 22:01 . 2008-08-13 22:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-13 20:20 . 2008-08-14 20:52 <DIR> d-------- C:\Program Files\ESET
    2008-08-13 19:26 . 2008-08-13 19:32 <DIR> d-------- C:\ComboFix
    2008-08-13 19:15 . 2008-08-13 19:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
    2008-08-13 07:28 . 2008-08-13 07:28 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\SUPERAntiSpyware.com
    2008-08-13 07:28 . 2008-08-13 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-13 07:11 . 2008-08-13 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-08-06 22:25 . 2008-08-06 22:30 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Winamp
    2008-08-05 20:26 . 2008-08-05 20:26 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-07-30 19:48 . 2008-07-30 19:48 8,192 --a------ C:\0ARCADE_RAM.srm
    2008-07-29 00:02 . 1999-05-01 00:00 2,097,664 --a------ C:\Super Punchout (E).smc
    2008-07-29 00:02 . 2008-07-30 20:06 8,192 --a------ C:\Super Punchout (E).srm
    2008-07-24 14:46 . 2008-07-24 14:46 <DIR> d-------- C:\Documents and Settings\Angela Williams\TW
    2008-07-24 14:22 . 2008-07-24 14:22 <DIR> d-------- C:\Documents and Settings\Angela Williams\DefaultClasses
    2008-07-24 14:20 . 2008-07-24 14:20 <DIR> d-------- C:\Documents and Settings\Angela Williams\Classes
    2008-07-24 14:20 . 2008-07-24 14:20 <DIR> d-------- C:\Documents and Settings\Angela Williams\Accounts
    2008-07-24 14:19 . 2008-07-24 14:19 <DIR> d-------- C:\Documents and Settings\Angela Williams\Scripts
    2008-07-24 14:19 . 2008-07-24 14:22 <DIR> d-------- C:\Documents and Settings\Angela Williams\DefaultScripts
    2008-07-24 14:19 . 2008-07-24 14:18 880,640 --a------ C:\Documents and Settings\Angela Williams\uygljsms.exe
    2008-07-24 14:18 . 2008-07-24 14:18 15,872 --a------ C:\Documents and Settings\Angela Williams\awejpi9iao.exe
    2008-07-23 18:09 . 2008-08-13 02:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-23 18:09 . 2008-07-23 18:09 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-07-21 21:12 . 2008-07-21 21:12 <DIR> d-------- C:\Program Files\KLC
    2008-07-21 21:12 . 1999-12-07 07:00 61,491 --a------ C:\WINDOWS\system32\wbemdisp.TLB
    2008-07-21 21:08 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-16 06:31 --------- d-----w C:\Program Files\Diablo II
    2008-08-16 05:46 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Xfire
    2008-08-15 03:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-15 03:44 --------- d-----w C:\Program Files\EA GAMES
    2008-08-14 09:43 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Desktopicon
    2008-08-14 00:28 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\OpenOffice.org2
    2008-08-13 23:20 --------- d-----w C:\Program Files\Xfire
    2008-08-13 11:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-05 00:19 --------- d-----w C:\Program Files\Warcraft III
    2008-08-02 06:31 --------- d-----w C:\Program Files\World of Warcraft
    2008-08-02 04:43 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Hamachi
    2008-07-24 18:18 40,960 ----a-w C:\Documents and Settings\Angela Williams\GliderTell.exe
    2008-07-24 18:18 35,712 ----a-w C:\Documents and Settings\Angela Williams\Shadow.sys
    2008-07-24 18:18 286,720 ----a-w C:\Documents and Settings\Angela Williams\GRefs.dat
    2008-07-14 04:17 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Apple Computer
    2008-07-08 02:52 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\uTorrent
    2008-07-08 01:02 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2008-07-08 01:02 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
    2008-07-01 20:10 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Corel
    2008-07-01 01:22 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-06-24 18:15 --------- d-----w C:\Program Files\Hamachi
    2008-06-24 18:14 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((( snapshot_2008-08-14_ 7.26.05.96 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-07 20:06:43 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP2QFE\es.dll
    + 2008-07-07 20:26:58 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP3GDR\es.dll
    + 2008-07-07 20:23:18 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll
    + 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spmsg.dll
    + 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spuninst.exe
    + 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\spcustom.dll
    + 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\update.exe
    + 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\updspapi.dll
    + 2008-07-14 11:03:00 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP2QFE\tzchange.exe
    + 2008-07-11 12:42:28 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP3GDR\tzchange.exe
    + 2008-07-11 12:51:51 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
    + 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spmsg.dll
    + 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spuninst.exe
    + 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\updspapi.dll
    + 2008-06-24 16:28:00 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP2QFE\mscms.dll
    + 2008-06-24 16:43:16 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP3GDR\mscms.dll
    + 2008-06-24 16:53:10 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP3QFE\mscms.dll
    + 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spmsg.dll
    + 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spuninst.exe
    + 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\updspapi.dll
    + 2008-06-23 16:11:40 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\browseui.dll
    + 2008-06-23 16:11:40 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\cdfview.dll
    + 2008-06-23 16:11:42 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\danim.dll
    + 2008-06-23 16:11:43 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\dxtmsft.dll
    + 2008-06-23 16:11:43 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\dxtrans.dll
    + 2008-06-23 16:11:43 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\extmgr.dll
    + 2008-06-23 09:53:58 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\iedw.exe
    + 2008-06-23 16:11:52 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\iepeers.dll
    + 2008-06-23 16:11:52 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\inseng.dll
    + 2008-06-23 16:11:52 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\jsproxy.dll
    + 2008-06-23 16:11:58 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mshtml.dll
    + 2008-06-23 16:12:00 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mshtmled.dll
    + 2008-06-23 16:12:02 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\msrating.dll
    + 2008-06-23 16:12:02 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mstime.dll
    + 2008-06-23 16:12:02 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\pngfilt.dll
    + 2008-06-23 16:12:05 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\shdocvw.dll
    + 2008-06-23 16:12:05 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\shlwapi.dll
    + 2008-06-23 16:12:06 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\urlmon.dll
    + 2008-06-23 16:12:08 667,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\wininet.dll
    + 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\xpsp3res.dll
    + 2008-06-23 15:09:27 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\mshtml.dll
    + 2008-06-26 08:15:29 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\shdocvw.dll
    + 2008-06-26 08:15:30 619,520 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\urlmon.dll
    + 2008-06-23 15:09:27 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\wininet.dll
    + 2008-06-25 04:24:48 3,067,904 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\mshtml.dll
    + 2008-06-26 08:00:52 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\shdocvw.dll
    + 2008-06-26 08:00:52 619,520 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\urlmon.dll
    + 2008-06-23 14:54:47 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\wininet.dll
    + 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB953838\spmsg.dll
    + 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB953838\spuninst.exe
    + 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\spcustom.dll
    + 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\update.exe
    + 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\updspapi.dll
    - 2008-04-23 17:34:12 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
    + 2008-08-15 03:33:36 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
    - 2008-04-23 17:34:13 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
    + 2008-08-15 03:33:37 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
    - 2008-04-23 17:34:13 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
    + 2008-08-15 03:33:37 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
    - 2008-04-23 17:34:07 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:31 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:08 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:32 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:09 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:33 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:09 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:33 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:10 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:34 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:10 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:34 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:10 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:34 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:11 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:35 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:11 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:35 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:13 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2008-08-15 03:33:37 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2008-04-23 17:34:13 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
    + 2008-08-15 03:33:38 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
    - 2008-04-23 17:34:14 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
    + 2008-08-15 03:33:38 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
    - 2008-04-23 17:34:14 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
    + 2008-08-15 03:33:38 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
    - 2008-04-23 17:34:15 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
    + 2008-08-15 03:33:39 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
    - 2008-04-23 17:34:12 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
    + 2008-08-15 03:33:36 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
    - 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
    + 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
    - 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
    + 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
    - 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
    + 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
    - 2008-04-21 07:03:56 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
    + 2008-06-23 15:38:28 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
    - 2008-04-21 07:03:56 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    + 2008-06-23 15:38:29 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    - 2008-04-21 07:03:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
    + 2008-06-23 15:38:30 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
    - 2008-04-21 07:03:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-06-23 15:38:30 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-04-21 07:03:57 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-06-23 15:38:30 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-07-07 20:32:22 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    - 2008-04-21 07:03:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-06-23 15:38:30 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-04-17 10:52:54 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
    + 2008-06-23 09:49:29 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
    - 2008-04-21 07:03:58 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
    + 2008-06-23 15:38:31 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
    - 2007-08-21 06:15:44 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
    - 2008-04-21 07:03:58 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
    + 2008-06-23 15:38:31 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
    - 2008-04-21 07:03:58 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-06-23 15:38:31 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-06-24 16:23:05 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    - 2008-04-21 07:03:59 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    + 2008-06-23 15:38:33 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    - 2008-04-21 07:03:59 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-06-23 15:38:33 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-04-21 07:03:59 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-06-23 15:38:33 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-04-21 07:03:59 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-06-23 15:38:33 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2008-04-21 07:03:59 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-06-23 15:38:33 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2008-04-21 07:04:00 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    + 2008-06-23 15:38:34 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    - 2008-04-21 07:04:00 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
    + 2008-06-23 15:38:34 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
    - 2008-04-21 07:04:00 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-06-23 15:38:34 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-04-21 07:04:00 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-06-23 15:38:34 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
    - 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\system32\es.dll
    + 2008-07-07 20:32:22 253,952 ----a-w C:\WINDOWS\system32\es.dll
    - 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
    - 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
    + 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
    - 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    - 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
    + 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
    - 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
    - 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    + 2008-06-24 16:23:05 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    - 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
    - 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
    - 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
    + 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
    - 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
    + 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
    - 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
    + 2008-07-14 11:09:18 62,976 ----a-w C:\WINDOWS\system32\tzchange.exe
    - 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-06-23 15:38:34 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    - 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    + 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F507E2-0C11-4D37-ABD7-E1A9CF111D5E}]
    C:\WINDOWS\system32\comrep.dll [BU]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 21:05 344064]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-03-01 01:10 15872]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 06:00 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 06:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 06:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 06:00 455168]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 06:00 158208]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^Xfire.lnk]
    path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\Xfire.lnk
    backup=C:\WINDOWS\pss\Xfire.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2007-10-04 11:20 50528 C:\Program Files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
    --a------ 2007-11-13 17:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2005-10-18 12:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
    --a------ 2008-05-22 09:59 156944 C:\Program Files\Octoshape Streaming Services\Angela Williams\OctoshapeClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-11-30 12:36 1266936 c:\Program Files\Valve\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRACTION In-Game Radio Player]
    --a------ 2007-12-23 16:50 838 C:\Program Files\TRACTION In-Game Radio Player\TRACTION In-Game Radio Player.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=2 (0x2)
    "Smartlaunch Server"=2 (0x2)
    "rpcapd"=3 (0x3)
    "NetSvc"=3 (0x3)
    "iPodService"=3 (0x3)
    "IDriverT"=3 (0x3)
    "DSBrokerService"=3 (0x3)
    "DomainService"=2 (0x2)
    "MCVSRte"=2 (0x2)
    "idsvc"=3 (0x3)
    "aawservice"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Palm\\HOTSYNC.EXE"=
    "C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
    "C:\\Program Files\\Valve\\Steam\\caserver.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "C:\\Program Files\\Xfire\\xfire.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\Octoshape Streaming Services\\Angela Williams\\OctoshapeClient.exe"=
    "C:\\Valve\\Steam\\SteamApps\\teh_pozer\\counter-strike source\\hl2.exe"=
    "C:\\Program Files\\Diablo II\\Game.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:3724
    "6112:TCP"= 6112:TCP:6112

    R3 USBCamera;Digital Still Image Capture;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 11:19]
    R3 xljefnq;xljefnq;C:\Documents and Settings\Angela Williams\Desktop\xljefnq.sys []
    R3 zeqgrq;zeqgrq;C:\Documents and Settings\Angela Williams\Desktop\zeqgrq.sys []
    R4 Smartlaunch Server;Smartlaunch Server;C:\Program Files\SmartLaunch\Server\server.exe []
    R4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
    S0 ruemxsgz;ruemxsgz;C:\WINDOWS\system32\drivers\sxwuhstc.dat []

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-17 00:21:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
    "ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk23.drv"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ruemxsgz]
    "ImagePath"="system32\drivers\sxwuhstc.dat"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-17 0:25:50 - machine was rebooted [Angela Williams]
    ComboFix-quarantined-files.txt 2008-08-17 04:25:44
    ComboFix2.txt 2008-08-14 11:26:36
    ComboFix3.txt 2008-08-13 23:31:36

    Pre-Run: 23,971,278,848 bytes free
    Post-Run: 23,966,621,696 bytes free

    427 --- E O F --- 2008-08-16 07:02:56


    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:53 AM, on 8/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5327 bytes
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hang in there, twentytwo, I’m going over your logs now. I just see one item I overlooked but I’m confused about some random name files that you have. I can’t find any info on them…

    How is your computer acting?? Any problems??
     
  7. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Seems pretty fine to me, what programs are you confused about?
     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi twentytwo,

    Well, first I am confussed about your ESET Nod32 did you un-install it?

    I just assumed that you had since it showed up as (file missing) in your last HJT Log.

    If you’re not running an Antivirus, I can recommend a very good, free one… let me know.

    Also, I had you delete some files and a Line in HJT using ComboFix but most of them still show up.. Strange.

    Use HJT to delete these lines again, and we’ll see what happens.

    O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



    Now use your windows explorer and search for the following files to see if they remain…
    They may be hidden so please use the search hidden files option..

    uygljsms.exe

    awejpi9iao.exe

    xljefnq.sys

    zeqgrq.sys



    Let me know if you find any of them and where they are located..

    2OG
     
  9. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    yeah, i deleted nod32 to run combo fix because i couldn't figure out how to disable it, process would still be on after stopping it.

    Yes, I need a free anti-virus.

    As for the first one, it was a program I randomly renamed because I had two, deleted.
    Found the second one too, Deleted.

    No results on the last 2.
     
  10. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    newest hjt:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:40:43 AM, on 8/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Xfire\xfire.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5314 bytes
     
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Did you use HJT to delete these lines and are they returning??

    O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



    Glad to know what those other files were : )
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    twentytwo, I recommend Avira Antivir as your Antivirus. It is better than most of the Paid AV’s. Most people won’t use it because of the Nag screens after it updates, trying to get you to buy it, but there is a way around that…. ; )


    Download Avira Antivir -> HERE


    In order to disable the Nag screens in Avira Antivir you must use the Safe Mode in an Administrator account.

    1. Boot into Safe Mode (tap F8 repeatedly after you restart the computer)
    2. Log in using the Administrator account
    3. Go to C:\Program Files\(Avira)\AntiVir PersonalEdition Classic\avnotify.exe
    4. Right-click avnotify.exe-> properties-> security tab
    5. Under the Group or user names: you will see all of the users. Start with the first user and click, highlight….
    6. Check the Deny Read and Execute box the Read box will automatically check.
    7. Now perform step 6 for all of the other users-> apply-> yes/ok-> close all open windows
    8. Reboot the computer into Normal Mode (start-> shutdown-> restart)


    2OG
     
    Last edited: Aug 17, 2008
  13. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11

    yes, I tried deleting this things a few times.
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I’ve seen stranger things happen [​IMG]

    Since the file is missing in both of these start up’s, they can do no harm. Just annoying trash and I like a clean kitchen. Lol

    Unless you have any problems, I would say you’re clean. Anything?
    Let me know and I’ll give you some final stuff to do….. Did you get an AV?
     
  15. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    yeah, got avira running a scan right now. It found something but I quarantined it. Seems smooth and good atm.
     
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Congratulations twentyone, your CLEAN [​IMG]


    Things to do:

    Install a firewall – see below.

    Get XP SP3 -> HERE

    Update your IE6 to IE7 (safer) or use Firefox (even safer yet)

    Update your Java – see below.


    Hhere are a few other things you must do once you are completely clean:

    1. Time for some housekeeping

    Please download the OTMoveIt2 by OldTimer

    Save it to your desktop.
    Run the tool by clicking on the icon.
    • Click the Cleanup button.

    • The tools that we used as well as this one will be removed from your system.


    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.


    3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
    Please follow these steps to remove older version Java components and update:

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
    • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications..
    • Click the Download button to the right.
    • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.




    4. Now Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".

    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr
    • Click "OK"
    Select the drive you want to clean usually C:
    Click OK
    When it completes the scan:
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    5. Defragment your Hard Drive

    1.Open My Computer.
    2.Right-click the local disk volume that you want to defragment, and then click Properties.
    3.On the Tools tab, click Defragment Now.
    4.Click Defragment.




    And here are some tips to reduce the potential for spyware infection in the future:


    Use a Firewall.
    It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are are Comodo Free and Online Armor Personal Firewall
    I have recently changed my firewall to Comodo, love it and highly recommend it..

    Make sure you keep your Windows OS current by visiting Windows update
    regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

    I strongly recommend installing the following applications:


    To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections.

    In order to prevent the installation of Trojans and Malware on your machine:
    Download and install: Comodo BOClean

    Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.


    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer


    See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


    And also see TonyKlein's good advice
    So how did I get infected in the first place?




    Enjoy your clean computer. Any questions?

    The oldgeek knows how to get the bugs out…. Oops, missed one..[​IMG]



    2OG
     
  17. twentytwo

    twentytwo Member

    Joined:
    Aug 13, 2008
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    thanks a ton for your help ^^
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    You're very welcome, twentytwo.

    It has been a pleasure. I hope you can keep your nose clean.. [​IMG]


    2OG
     
  19. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    I said nothing.
     
    Last edited: Aug 24, 2008

Share This Page