Internet Problem - Hijack this log

Hey 2oldgeek

You missed one in the HijackThis log:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

Thanks for finishing this problem. You say Malware-bytes is really good at Vundo? How about superantispyware? Their database on vundo is getting bigger and bigger. Spybot 1.6 is said to be good at vundo as well. I don't suppose any vundo-infected victim will be willing to be a test subject

Best Regards

 

@cdavfrew

No, I didn’t miss it… Just failed to get it into my post early this morning, (yesterday morning) before I went to bed. LOL

Intended to go over the ComboFix Log before coming to work but was running behind and will not get a chance tonight. Maybe in the morning before I retire. : )

There are some strange ones in here that I want to research when I get the chance..

You notice that MBAM took out 2 of the 5 – 015 lines.. I was hoping it would get all of them : (

Comodo BOClean has got quite a lot of the Vundo/virtumundo’s in it’s definitions also..


@twentytwo,

Please fix this line in HJT and it just might help your internet. That is if your not using a proxy server for anything??

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

Well, back to the grind stone. Got work to do…

 

@2old, i deleted it. Was able to update everything! your the man!

new hjt just incase you wanted:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:33 AM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Xfire\xfire.exe
C:\Valve\Steam\Steam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Angela Williams\Desktop\gtrewert\pvpTool\usethis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6119 bytes

 

Hey twentytwo,

Well, I’m off work and this is the obvious stuff that I see..
Let’s take care of it and then if anything else shows up, we’ll get that next trip.. ; )


Fix entries using HiJackThis

Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} –

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis



Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop





Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.





2OG

 

done: newest logs combo fix first

ComboFix 08-08-16.01 - Angela Williams 2008-08-17 0:15:04.5 - NTFSx86
Running from: C:\Documents and Settings\Angela Williams\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Angela Williams\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Angela Williams\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\Angela Williams\Cookies\angela williams@adtrgt[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@getmusicfree.aavalue[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@grouplotto.aavalue[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@jrtux[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@lwken[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@myspace[1].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@nbjmp[1].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@npvos[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@personals.yahoo[2].txt
C:\Documents and Settings\Angela Williams\Cookies\angela williams@specificclick[2].txt
C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\test\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\test\Cookies\test@adtrgt[2].txt
C:\Documents and Settings\test\Cookies\test@arn.aavalue[1].txt
C:\Documents and Settings\test\Cookies\test@avsystemcare[1].txt
C:\Documents and Settings\test\Cookies\test@avsystemcare[3].txt
C:\Documents and Settings\test\Cookies\test@ehg.ripetv[2].txt
C:\Documents and Settings\test\Cookies\test@lativio[2].txt
C:\Documents and Settings\test\Cookies\test@myspace[2].txt
C:\Documents and Settings\test\Cookies\test@pcprivacytool[1].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-15 04:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 23:34 . 2008-08-14 23:41 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Bioshock
2008-08-14 04:45 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-14 04:45 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-14 04:45 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-14 04:45 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Malwarebytes
2008-08-14 01:51 . 2008-08-14 01:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 01:51 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 01:51 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 22:41 . 2008-08-13 22:41 <DIR> d--hs---- C:\found.000
2008-08-13 22:01 . 2008-08-13 22:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 20:20 . 2008-08-14 20:52 <DIR> d-------- C:\Program Files\ESET
2008-08-13 19:26 . 2008-08-13 19:32 <DIR> d-------- C:\ComboFix
2008-08-13 19:15 . 2008-08-13 19:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-08-13 07:28 . 2008-08-13 07:28 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\SUPERAntiSpyware.com
2008-08-13 07:28 . 2008-08-13 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-13 07:11 . 2008-08-13 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-06 22:25 . 2008-08-06 22:30 <DIR> d-------- C:\Documents and Settings\Angela Williams\Application Data\Winamp
2008-08-05 20:26 . 2008-08-05 20:26 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-07-30 19:48 . 2008-07-30 19:48 8,192 --a------ C:\0ARCADE_RAM.srm
2008-07-29 00:02 . 1999-05-01 00:00 2,097,664 --a------ C:\Super Punchout (E).smc
2008-07-29 00:02 . 2008-07-30 20:06 8,192 --a------ C:\Super Punchout (E).srm
2008-07-24 14:46 . 2008-07-24 14:46 <DIR> d-------- C:\Documents and Settings\Angela Williams\TW
2008-07-24 14:22 . 2008-07-24 14:22 <DIR> d-------- C:\Documents and Settings\Angela Williams\DefaultClasses
2008-07-24 14:20 . 2008-07-24 14:20 <DIR> d-------- C:\Documents and Settings\Angela Williams\Classes
2008-07-24 14:20 . 2008-07-24 14:20 <DIR> d-------- C:\Documents and Settings\Angela Williams\Accounts
2008-07-24 14:19 . 2008-07-24 14:19 <DIR> d-------- C:\Documents and Settings\Angela Williams\Scripts
2008-07-24 14:19 . 2008-07-24 14:22 <DIR> d-------- C:\Documents and Settings\Angela Williams\DefaultScripts
2008-07-24 14:19 . 2008-07-24 14:18 880,640 --a------ C:\Documents and Settings\Angela Williams\uygljsms.exe
2008-07-24 14:18 . 2008-07-24 14:18 15,872 --a------ C:\Documents and Settings\Angela Williams\awejpi9iao.exe
2008-07-23 18:09 . 2008-08-13 02:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-23 18:09 . 2008-07-23 18:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-21 21:12 . 2008-07-21 21:12 <DIR> d-------- C:\Program Files\KLC
2008-07-21 21:12 . 1999-12-07 07:00 61,491 --a------ C:\WINDOWS\system32\wbemdisp.TLB
2008-07-21 21:08 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 06:31 --------- d-----w C:\Program Files\Diablo II
2008-08-16 05:46 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Xfire
2008-08-15 03:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-15 03:44 --------- d-----w C:\Program Files\EA GAMES
2008-08-14 09:43 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Desktopicon
2008-08-14 00:28 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\OpenOffice.org2
2008-08-13 23:20 --------- d-----w C:\Program Files\Xfire
2008-08-13 11:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 00:19 --------- d-----w C:\Program Files\Warcraft III
2008-08-02 06:31 --------- d-----w C:\Program Files\World of Warcraft
2008-08-02 04:43 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Hamachi
2008-07-24 18:18 40,960 ----a-w C:\Documents and Settings\Angela Williams\GliderTell.exe
2008-07-24 18:18 35,712 ----a-w C:\Documents and Settings\Angela Williams\Shadow.sys
2008-07-24 18:18 286,720 ----a-w C:\Documents and Settings\Angela Williams\GRefs.dat
2008-07-14 04:17 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Apple Computer
2008-07-08 02:52 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\uTorrent
2008-07-08 01:02 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-08 01:02 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-07-01 20:10 --------- d-----w C:\Documents and Settings\Angela Williams\Application Data\Corel
2008-07-01 01:22 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-24 18:15 --------- d-----w C:\Program Files\Hamachi
2008-06-24 18:14 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-14_ 7.26.05.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-07 20:06:43 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP2QFE\es.dll
+ 2008-07-07 20:26:58 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP3GDR\es.dll
+ 2008-07-07 20:23:18 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\updspapi.dll
+ 2008-07-14 11:03:00 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP2QFE\tzchange.exe
+ 2008-07-11 12:42:28 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP3GDR\tzchange.exe
+ 2008-07-11 12:51:51 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\updspapi.dll
+ 2008-06-24 16:28:00 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP2QFE\mscms.dll
+ 2008-06-24 16:43:16 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP3GDR\mscms.dll
+ 2008-06-24 16:53:10 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-06-23 16:11:40 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\browseui.dll
+ 2008-06-23 16:11:40 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\cdfview.dll
+ 2008-06-23 16:11:42 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\danim.dll
+ 2008-06-23 16:11:43 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\dxtmsft.dll
+ 2008-06-23 16:11:43 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\dxtrans.dll
+ 2008-06-23 16:11:43 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\extmgr.dll
+ 2008-06-23 09:53:58 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\iedw.exe
+ 2008-06-23 16:11:52 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\iepeers.dll
+ 2008-06-23 16:11:52 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\inseng.dll
+ 2008-06-23 16:11:52 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\jsproxy.dll
+ 2008-06-23 16:11:58 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mshtml.dll
+ 2008-06-23 16:12:00 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mshtmled.dll
+ 2008-06-23 16:12:02 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\msrating.dll
+ 2008-06-23 16:12:02 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\mstime.dll
+ 2008-06-23 16:12:02 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\pngfilt.dll
+ 2008-06-23 16:12:05 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\shdocvw.dll
+ 2008-06-23 16:12:05 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\shlwapi.dll
+ 2008-06-23 16:12:06 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\urlmon.dll
+ 2008-06-23 16:12:08 667,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\wininet.dll
+ 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP2QFE\xpsp3res.dll
+ 2008-06-23 15:09:27 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\mshtml.dll
+ 2008-06-26 08:15:29 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\shdocvw.dll
+ 2008-06-26 08:15:30 619,520 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\urlmon.dll
+ 2008-06-23 15:09:27 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3GDR\wininet.dll
+ 2008-06-25 04:24:48 3,067,904 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\mshtml.dll
+ 2008-06-26 08:00:52 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\shdocvw.dll
+ 2008-06-26 08:00:52 619,520 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\urlmon.dll
+ 2008-06-23 14:54:47 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB953838\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB953838\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB953838\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB953838\update\updspapi.dll
- 2008-04-23 17:34:12 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-08-15 03:33:36 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-04-23 17:34:13 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-08-15 03:33:37 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-04-23 17:34:13 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-08-15 03:33:37 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-04-23 17:34:07 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:31 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:08 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:32 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:09 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:33 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:09 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:33 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:10 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:34 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:10 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:34 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:10 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:34 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:11 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:35 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:11 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:35 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:13 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-08-15 03:33:37 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-23 17:34:13 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-08-15 03:33:38 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-04-23 17:34:14 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-08-15 03:33:38 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-04-23 17:34:14 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-08-15 03:33:38 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-04-23 17:34:15 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-08-15 03:33:39 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-04-23 17:34:12 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-08-15 03:33:36 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-04-21 07:03:56 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-04-21 07:03:56 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-06-23 15:38:29 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-04-21 07:03:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-06-23 15:38:30 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-04-21 07:03:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-21 07:03:57 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:32:22 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
- 2008-04-21 07:03:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 15:38:30 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-17 10:52:54 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-06-23 09:49:29 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-04-21 07:03:58 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-06-23 15:38:31 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-08-21 06:15:44 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2008-04-21 07:03:58 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-06-23 15:38:31 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-04-21 07:03:58 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-24 16:23:05 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
- 2008-04-21 07:03:59 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-04-21 07:03:59 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-04-21 07:03:59 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-23 15:38:33 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-04-21 07:03:59 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-06-23 15:38:33 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-04-21 07:03:59 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-04-21 07:04:00 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-04-21 07:04:00 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-04-21 07:04:00 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-06-23 15:38:34 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-04-21 07:04:00 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-23 15:38:34 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w C:\WINDOWS\system32\es.dll
- 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
- 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2008-07-14 11:09:18 62,976 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-06-23 15:38:34 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F507E2-0C11-4D37-ABD7-E1A9CF111D5E}]
C:\WINDOWS\system32\comrep.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 21:05 344064]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-03-01 01:10 15872]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 06:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 06:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 06:00 158208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Angela Williams^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Angela Williams\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 11:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
--a------ 2007-11-13 17:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 12:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
--a------ 2008-05-22 09:59 156944 C:\Program Files\Octoshape Streaming Services\Angela Williams\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 12:36 1266936 c:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRACTION In-Game Radio Player]
--a------ 2007-12-23 16:50 838 C:\Program Files\TRACTION In-Game Radio Player\TRACTION In-Game Radio Player.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"Smartlaunch Server"=2 (0x2)
"rpcapd"=3 (0x3)
"NetSvc"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"DomainService"=2 (0x2)
"MCVSRte"=2 (0x2)
"idsvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Palm\\HOTSYNC.EXE"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Valve\\Steam\\caserver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\Angela Williams\\OctoshapeClient.exe"=
"C:\\Valve\\Steam\\SteamApps\\teh_pozer\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:3724
"6112:TCP"= 6112:TCP:6112

R3 USBCamera;Digital Still Image Capture;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 11:19]
R3 xljefnq;xljefnq;C:\Documents and Settings\Angela Williams\Desktop\xljefnq.sys []
R3 zeqgrq;zeqgrq;C:\Documents and Settings\Angela Williams\Desktop\zeqgrq.sys []
R4 Smartlaunch Server;Smartlaunch Server;C:\Program Files\SmartLaunch\Server\server.exe []
R4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S0 ruemxsgz;ruemxsgz;C:\WINDOWS\system32\drivers\sxwuhstc.dat []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 00:21:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk23.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ruemxsgz]
"ImagePath"="system32\drivers\sxwuhstc.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-08-17 0:25:50 - machine was rebooted [Angela Williams]
ComboFix-quarantined-files.txt 2008-08-17 04:25:44
ComboFix2.txt 2008-08-14 11:26:36
ComboFix3.txt 2008-08-13 23:31:36

Pre-Run: 23,971,278,848 bytes free
Post-Run: 23,966,621,696 bytes free

427 --- E O F --- 2008-08-16 07:02:56


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:53 AM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5327 bytes

 

Hang in there, twentytwo, I’m going over your logs now. I just see one item I overlooked but I’m confused about some random name files that you have. I can’t find any info on them…

How is your computer acting?? Any problems??

 

Seems pretty fine to me, what programs are you confused about?

 

Hi twentytwo,

Well, first I am confussed about your ESET Nod32 did you un-install it?

I just assumed that you had since it showed up as (file missing) in your last HJT Log.

If you’re not running an Antivirus, I can recommend a very good, free one… let me know.

Also, I had you delete some files and a Line in HJT using ComboFix but most of them still show up.. Strange.

Use HJT to delete these lines again, and we’ll see what happens.

O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)


Now use your windows explorer and search for the following files to see if they remain…
They may be hidden so please use the search hidden files option..

uygljsms.exe

awejpi9iao.exe

xljefnq.sys

zeqgrq.sys


Let me know if you find any of them and where they are located..

2OG

 

yeah, i deleted nod32 to run combo fix because i couldn't figure out how to disable it, process would still be on after stopping it.

Yes, I need a free anti-virus.

As for the first one, it was a program I randomly renamed because I had two, deleted.
Found the second one too, Deleted.

No results on the last 2.

 

newest hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:43 AM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5314 bytes

 

Did you use HJT to delete these lines and are they returning??

O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)


Glad to know what those other files were : )

 

twentytwo, I recommend Avira Antivir as your Antivirus. It is better than most of the Paid AV’s. Most people won’t use it because of the Nag screens after it updates, trying to get you to buy it, but there is a way around that…. ; )


Download Avira Antivir -> HERE


In order to disable the Nag screens in Avira Antivir you must use the Safe Mode in an Administrator account.

1. Boot into Safe Mode (tap F8 repeatedly after you restart the computer)
2. Log in using the Administrator account
3. Go to C:\Program Files\(Avira)\AntiVir PersonalEdition Classic\avnotify.exe
4. Right-click avnotify.exe-> properties-> security tab
5. Under the Group or user names: you will see all of the users. Start with the first user and click, highlight….
6. Check the Deny Read and Execute box the Read box will automatically check.
7. Now perform step 6 for all of the other users-> apply-> yes/ok-> close all open windows
8. Reboot the computer into Normal Mode (start-> shutdown-> restart)


2OG

 

yes, I tried deleting this things a few times.

 

I’ve seen stranger things happen

Since the file is missing in both of these start up’s, they can do no harm. Just annoying trash and I like a clean kitchen. Lol

Unless you have any problems, I would say you’re clean. Anything?
Let me know and I’ll give you some final stuff to do….. Did you get an AV?

 

yeah, got avira running a scan right now. It found something but I quarantined it. Seems smooth and good atm.

 

Congratulations twentyone, your CLEAN


Things to do:

Install a firewall – see below.

Get XP SP3 -> HERE

Update your IE6 to IE7 (safer) or use Firefox (even safer yet)

Update your Java – see below.


Hhere are a few other things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.

• The tools that we used as well as this one will be removed from your system.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.


3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
• Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications..
• Click the Download button to the right.
• Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.




4. Now Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".

• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


5. Defragment your Hard Drive

1.Open My Computer.
2.Right-click the local disk volume that you want to defragment, and then click Properties.
3.On the Tools tab, click Defragment Now.
4.Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:


Use a Firewall.
It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are are Comodo Free and Online Armor Personal Firewall
I have recently changed my firewall to Comodo, love it and highly recommend it..

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:


To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections.

In order to prevent the installation of Trojans and Malware on your machine:
Download and install: Comodo BOClean

Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.


• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer


See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


And also see TonyKlein's good advice
So how did I get infected in the first place?




Enjoy your clean computer. Any questions?

The oldgeek knows how to get the bugs out…. Oops, missed one..



2OG

 

thanks a ton for your help ^^

 

You're very welcome, twentytwo.

It has been a pleasure. I hope you can keep your nose clean..


2OG

 

I said nothing.