Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Redirected & AvSystemCare Warnings - Phew!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby Hollboy » January 23rd, 2008, 11:49 am

Dear MR

I used google as my search engine without any previous problems. However, I have started encountering a problem whereby google finds the webspage link I am looking for but when I click the link, it redirects me to a bogus web page. By bogus I mean it takes me to a page that I hadn't wanted. For example another search engine page with some reference to what I was searching on – examples are

hxxp://www.search-daily.com/search.php? ... estaurants

hxxp://live312.com/mapping.cfm?pt=2&rpt=1&kt=1

hxxp://clicks.smartbizsearch.com/

hxxp://www.fresh-weather.com/uk/results ... eField.y=2

hxxp://bbebbo.com/Spantik%20Peak.cfm?pt=2&rpt=1&kt=1 etc... etc...[/i]

It takes me about 2 or 3 clicks on the web page address to actually get me to the site I wanted to get to. Starting to wear a tad thin I can tell you!

Also getting pop-ups for strange advertisements and then shortly thereafter a "WARNING" sign came up that said that my computer might be "at risk." It then asked if I wanted to run AVSystemCare software to detect problems. I clicked on Cancel, & closed all tabs in IE7. Realise from research that it tries to scare people into buying its software (One of the specific pop-ups says: "NOTICE: if your computer is infected, you could suffer data loss, erratic PC behavior, PC freezes and crashes. Detect and remove viruses before they activate themselves on your PC to prevent all these problems. Do you want to install AVSystemCare to scan your PC for malware now? (Recommended)" ) & who knows what would happen then!

Obviously, there is some rogue software that has magically installed itself to make IE(7) do this but I cant find it. Not sure if 2 things are linked but they did start appearing at same time ... Have McAfee Security Centre on always & have run Avast antivirus (freeware) scan , tried spyware using Ad-aware (freeware), also SpyBot but no joy. Tried CWShredder (all clean).

Any ideas for a not very computer savvy person? Please!

Thanks

p.s. I think this is the right forum but if not please advise of correct one so I can redirect it.

malware links disabled - random/random
Hollboy
Active Member
 
Posts: 5
Joined: January 23rd, 2008, 11:21 am
Advertisement
Register to Remove

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby random/random » January 24th, 2008, 4:03 pm

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply, along with the malwarebytes antimalware log.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby Hollboy » January 25th, 2008, 8:54 am

Ta for looking at problem. I did 1st part (Malwarebytes' Anti-Malware scan) and nothing was found. Here is the 2nd part, the log you require.

__________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:45, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AdAware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MalwareRemovalForum\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {590B2D4B-AE15-40FC-9CA3-DF19E5C560E1} - C:\WINDOWS\system32\ds32gtw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" /ICON
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11909 bytes

___________________________________________________________________________-


I did get advised to try System Restore but found that it was turned off and couldn't turn it on. Any reason/ideas?

Someone on a forum advised problem might be solved by running a "Smitfraudfix.exe" . Ever heard of this? Any comments.

Apologies for extra questions!
Thanks for your efforts

HollBoy
Hollboy
Active Member
 
Posts: 5
Joined: January 23rd, 2008, 11:21 am

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby random/random » January 25th, 2008, 4:33 pm

We'll deal with the system restore issue once we clear the malware up

As for smitfraudfix, it is a specialised tool used against infections which you do not currently appear to have

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby Hollboy » January 26th, 2008, 3:14 pm

Thanks for help. Can you explain reaons for actions as you go along please!

Here the ComboFix log: what is REGSHAVE.exe ?

_____________________________________________________
ComboFix 08-01-23.1C - User 2008-01-26 18:57:19.1 - NTFSx86
Running from: C:\Program Files\MalwareRemovalForum\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 18:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 10:56 . 2008-01-26 18:52 <DIR> d-------- C:\Program Files\MalwareRemovalForum
2008-01-23 18:21 . 2007-01-18 12:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-23 17:26 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 15:57 . 2008-01-23 20:31 <DIR> d-------- C:\Program Files\AVG Grisoft
2008-01-21 11:49 . 2008-01-21 11:49 15,452,536 --a------ C:\Program Files\IE7-WindowsXP-x86-enu.exe
2008-01-20 19:57 . 2008-01-20 19:57 30,233,142 --a------ C:\WINDOWS\Stupa_late_sun.bmp
2008-01-20 15:43 . 2008-01-20 16:58 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-20 13:54 . 2008-01-21 09:43 <DIR> d-------- C:\Program Files\AVSystemCare_REMOVER
2008-01-19 13:00 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-19 12:55 . 2008-01-19 13:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 18:59 . 2008-01-18 18:59 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 18:56 . 2008-01-19 15:39 <DIR> d-------- C:\Program Files\Google
2008-01-18 18:55 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-18 18:54 . 2008-01-18 18:55 <DIR> d-------- C:\Program Files\Java
2008-01-18 18:39 . 2008-01-18 18:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 19:18 . 2008-01-25 14:13 <DIR> d-------- C:\Program Files\SuperAntiSpyware
2008-01-17 18:17 . 2008-01-17 18:18 <DIR> d-------- C:\Program Files\CWShredder
2008-01-17 15:46 . 2008-01-17 15:47 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-17 14:57 . 2008-01-17 14:57 30,233,142 --a------ C:\WINDOWS\Bodnath_Flags.bmp
2008-01-14 11:39 . 2008-01-17 19:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 17:56 . 2008-01-26 18:01 <DIR> d-------- C:\Program Files\AdAware
2008-01-12 17:13 . 2004-08-04 13:00 83,968 --a------ C:\WINDOWS\system32\ds32gtw.dll
2008-01-05 16:30 . 2008-01-05 16:30 164 --a------ C:\install.dat
2008-01-05 13:47 . 2008-01-05 13:47 <DIR> d-------- C:\Program Files\Avira
2008-01-04 17:40 . 2008-01-05 13:41 <DIR> d-------- C:\Program Files\Avira_AntiVirus
2007-12-31 19:23 . 2007-12-31 19:20 21,233,718 --a------ C:\WINDOWS\kipper.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 18:01 6,938 ----a-w C:\Program Files\AdAwareAdAware event.log
2008-01-25 16:13 2,321 ----a-w C:\Program Files\AdAwareAd-Aware update.log
2008-01-20 15:38 --------- d-----w C:\Program Files\a-squared Anti-Malware
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590B2D4B-AE15-40FC-9CA3-DF19E5C560E1}]
2004-08-04 13:00 83968 --a------ C:\WINDOWS\system32\ds32gtw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0F2E429-B563-49F8-A68F-5F41DC821E17}]
2004-08-04 13:00 83968 --a------ C:\WINDOWS\system32\ds32gtw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-19 12:45 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 19:40 159744]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"McafWelcome"="C:\Program Files\McAfee.com\Agent\mcwelcom.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05 212992]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00 1005096]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31 296488]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 13:49 1121280]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 15:42 36904]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-07-09 10:22 282624]
"hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" [2000-12-05 12:02 86016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-05 14:02 249896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Basic Help.lnk - C:\Program Files\BT Broadband Basic Help\bin\matcli.exe [2007-04-06 16:08:14 200704]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-04-06 16:29:35 114688]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-07-09 10:23:57 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SuperAntiSpyware\SASWINLO.dll

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 03:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:15:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1194178465.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-26 18:00:25 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (HOME-MACHINE-User).job"
- c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
"2008-01-26 18:03:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-14 12:44:14 C:\WINDOWS\Tasks\WebReg 20080114124414.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exeQ/TaskName 20080114124414 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 19:00:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 19:02:01

____________________________________________________________________________


What is the new C:/QooBox directory?

____________________________________________________________________________

The new Hijack this log :

________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11:42, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AdAware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MalwareRemovalForum\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {273E78B2-CDEF-43F2-86BF-14B1F28ED820} - C:\WINDOWS\system32\ds32gtw.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {590B2D4B-AE15-40FC-9CA3-DF19E5C560E1} - C:\WINDOWS\system32\ds32gtw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A0F2E429-B563-49F8-A68F-5F41DC821E17} - C:\WINDOWS\system32\ds32gtw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" /ICON
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12098 bytes

_________________________________________________________________________


Thanks.
Yours trustingly!!
Hollboy
Hollboy
Active Member
 
Posts: 5
Joined: January 23rd, 2008, 11:21 am

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby random/random » January 27th, 2008, 1:18 pm

REGSHAVE.EXE appears to be a Fujifilm camera software utility

C:\qoobox is the quarantine folder that combofix creates

We now need to install the recovery console. To quote from the bleepingcomputer combofix tutorial:

he Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby Hollboy » January 28th, 2008, 7:53 am

Did it all but unable to log onto internet as soon as finished so couldn't send log. Then system crashed so had to reboot. This is log anyway.

--------------------------------------------------------------------------------
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


--------------------------------------------------------------------------------

Getting nervous now!! Shall I retry?!
Thanks
Hollboy
Active Member
 
Posts: 5
Joined: January 23rd, 2008, 11:21 am

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby random/random » January 28th, 2008, 2:44 pm

That looks fine. Please rerun combofix and post the log it produces
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby Hollboy » January 29th, 2008, 10:55 am

Hi. Did ComboFix & system rebooted itself. As asked before could I have some idea of this process? Also:
What is the cmdcons directory?
What is the ComboFix/inkread.vbs script that the firewall warns as suspicious when ComboFix runs?
What is the gmer.net software you are using?

Here is log -
_____________________________________________________

ComboFix 08-01-23.1C - User 2008-01-29 14:33:11.2 - NTFSx86
Running from: C:\Program Files\MalwareRemovalForum\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\izaxzouv.dat
C:\WINDOWS\system32\ds32gtw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NZCURRQU
-------\nzcurrqu


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 12:56 . 2008-01-28 12:56 97,557,954 --a------ C:\WINDOWS\Burma_1200b.bmp
2008-01-28 12:09 . 2008-01-28 12:09 335 --a------ C:\WINDOWS\nsreg.dat
2008-01-28 11:11 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-28 11:11 . 2007-04-04 11:55 211 --a------ C:\Boot.bak
2008-01-27 17:04 . 2008-01-27 17:04 732 --ah----- C:\Temp\hpothb07.dat
2008-01-26 18:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 10:56 . 2008-01-28 18:37 <DIR> d-------- C:\Program Files\MalwareRemovalForum
2008-01-23 18:21 . 2007-01-18 12:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-23 17:26 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 15:57 . 2008-01-23 20:31 <DIR> d-------- C:\Program Files\AVG Grisoft
2008-01-21 11:49 . 2008-01-21 11:49 15,452,536 --a------ C:\Program Files\IE7-WindowsXP-x86-enu.exe
2008-01-20 19:57 . 2008-01-20 19:57 30,233,142 --a------ C:\WINDOWS\Stupa_late_sun.bmp
2008-01-20 15:43 . 2008-01-27 18:46 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-20 13:54 . 2008-01-26 21:24 <DIR> d-------- C:\Program Files\AVSystemCare_REMOVER
2008-01-19 13:00 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-19 12:55 . 2008-01-19 13:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 18:59 . 2008-01-18 18:59 <DIR> d-------- C:\WINDOWS\Sun
2008-01-18 18:56 . 2008-01-19 15:39 <DIR> d-------- C:\Program Files\Google
2008-01-18 18:55 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-18 18:54 . 2008-01-18 18:55 <DIR> d-------- C:\Program Files\Java
2008-01-18 18:39 . 2008-01-18 18:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 19:18 . 2008-01-28 11:59 <DIR> d-------- C:\Program Files\SuperAntiSpyware
2008-01-17 18:17 . 2008-01-17 18:18 <DIR> d-------- C:\Program Files\CWShredder
2008-01-17 15:46 . 2008-01-17 15:47 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-17 14:57 . 2008-01-17 14:57 30,233,142 --a------ C:\WINDOWS\Bodnath_Flags.bmp
2008-01-14 11:39 . 2008-01-17 19:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 17:56 . 2008-01-29 13:41 <DIR> d-------- C:\Program Files\AdAware
2008-01-05 16:30 . 2008-01-05 16:30 164 --a------ C:\install.dat
2008-01-05 13:47 . 2008-01-05 13:47 <DIR> d-------- C:\Program Files\Avira
2008-01-04 17:40 . 2008-01-05 13:41 <DIR> d-------- C:\Program Files\Avira_AntiVirus
2007-12-31 19:23 . 2007-12-31 19:20 21,233,718 --a------ C:\WINDOWS\kipper.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 14:38 8,121 ----a-w C:\Program Files\AdAwareAdAware event.log
2008-01-29 14:38 3,096 ----a-w C:\Program Files\AdAwareAd-Aware update.log
2008-01-28 12:05 --------- d-----w C:\Program Files\McAfee
2008-01-20 15:38 --------- d-----w C:\Program Files\a-squared Anti-Malware
.

((((((((((((((((((((((((((((( snapshot@2008-01-26_19.01.06.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-17 11:25:21 549,888 ----a-w C:\WINDOWS\$hf_mig$\KB921503\SP2QFE\oleaut32.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB921503\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB921503\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB921503\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921503\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB921503\update\updspapi.dll
+ 2007-02-09 11:23:36 574,976 ----a-w C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB930916\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB930916\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\updspapi.dll
+ 2007-04-16 16:07:27 986,112 ----a-w C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB935839\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB935839\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB935839\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935839\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB935839\update\updspapi.dll
+ 2007-04-25 20:32:22 144,896 ----a-w C:\WINDOWS\$hf_mig$\KB935840\SP2QFE\schannel.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\updspapi.dll
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
- 2007-04-04 13:22:37 7,168 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-28 13:14:55 8,192 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2007-04-04 13:22:35 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-28 13:14:56 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
- 2007-04-04 13:22:32 716,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-28 13:15:04 720,896 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2007-04-04 13:22:32 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-28 13:14:57 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2007-04-04 13:22:38 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
+ 2008-01-28 13:15:02 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
- 2007-04-04 13:22:39 299,008 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-28 13:15:00 303,104 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-04-04 13:22:36 1,290,240 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
+ 2008-01-28 13:15:02 1,294,336 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
- 2007-04-04 13:22:36 1,699,840 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-28 13:14:55 1,703,936 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
- 2007-04-04 13:22:36 86,016 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-28 13:15:03 90,112 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2007-04-04 13:22:37 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-28 13:14:59 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2007-04-04 13:22:36 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-28 13:14:58 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2007-04-04 13:22:36 64,000 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2008-01-28 13:14:58 66,560 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
- 2007-04-04 13:22:37 368,640 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-28 13:15:01 372,736 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
- 2007-04-04 13:22:37 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-28 13:15:04 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2007-04-04 13:22:37 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-28 13:15:00 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2007-04-04 13:22:37 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-28 13:14:58 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-04-04 13:22:37 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-28 13:14:59 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2007-04-04 13:22:37 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-28 13:15:03 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2007-04-04 13:22:38 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-28 13:14:55 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2007-04-04 13:22:37 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-28 13:14:57 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2007-04-04 13:22:37 569,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-28 13:14:56 573,440 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-04-04 13:22:37 1,245,184 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-28 13:15:03 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-04-04 13:22:37 2,039,808 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-28 13:14:59 2,052,096 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
- 2007-04-04 13:22:37 1,335,296 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.Xml.dll
+ 2008-01-28 13:15:01 1,339,392 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
- 2007-04-04 13:22:37 1,216,512 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-01-28 13:15:05 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-01-28 13:15:19 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_8000987b\CustomMarshalers.dll
+ 2008-01-28 13:16:19 118,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_a29ff63b\CustomMarshalers.dll
+ 2008-01-28 13:16:05 3,379,200 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_5bbd6a5c\mscorlib.dll
+ 2008-01-28 13:16:49 8,880,128 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_72460a79\mscorlib.dll
+ 2008-01-28 13:16:41 3,395,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_752367ac\System.Design.dll
+ 2008-01-28 13:15:58 1,466,368 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_feb7af50\System.Design.dll
+ 2008-01-28 13:16:20 192,512 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_0d08106c\System.Drawing.Design.dll
+ 2008-01-28 13:15:23 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_74df1b94\System.Drawing.Design.dll
+ 2008-01-28 13:16:02 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_7cdd27cd\System.Drawing.dll
+ 2008-01-28 13:16:46 2,244,608 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_7dd3e386\System.Drawing.dll
+ 2008-01-28 13:15:37 3,014,656 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_72ac5509\System.Windows.Forms.dll
+ 2008-01-28 13:16:29 7,880,704 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_87d34458\System.Windows.Forms.dll
+ 2008-01-28 13:15:50 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_27f56695\System.Xml.dll
+ 2008-01-28 13:16:38 5,505,024 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_aa59dd75\System.Xml.dll
+ 2008-01-28 13:15:18 1,953,792 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_1a859075\System.dll
+ 2008-01-28 13:16:15 4,763,648 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f9bfbcfa\System.dll
- 2008-01-26 18:56:52 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 11:10:28 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 18:56:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 11:10:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 18:56:52 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 11:10:28 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 18:56:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 11:10:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 18:56:53 5,341,184 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-28 11:10:29 5,349,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 18:56:53 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 11:10:29 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2006-12-22 09:49:12 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2006-11-01 17:31:34 315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-26 22:10:26 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2008-01-28 12:05:45 57,344 ----a-r C:\WINDOWS\Installer\{122DFE14-63EF-4CEC-B972-D9F14C8EB7D7}\NewShortcut1_122DFE1463EF4CECB972D9F14C8EB7D7.exe
+ 2008-01-28 13:13:52 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2003-02-20 18:19:32 253,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2004-07-15 01:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2003-02-20 18:19:34 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
+ 2004-07-15 01:49:18 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
- 2003-02-20 18:19:38 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
+ 2004-07-15 01:49:26 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
- 2003-02-20 18:19:36 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2004-07-15 01:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-20 18:09:08 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2004-07-15 00:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 09:20:44 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
+ 2004-07-15 11:23:28 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
- 2003-02-21 09:21:00 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
+ 2004-07-15 11:23:44 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
- 2003-02-20 18:06:20 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2004-07-15 00:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2003-10-08 14:30:14 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
- 2003-02-21 06:24:38 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
+ 2004-07-15 14:31:00 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
- 2003-02-21 06:24:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
+ 2004-07-15 14:31:04 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
- 2003-02-20 18:09:40 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
+ 2004-07-15 00:35:30 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
- 2003-02-21 06:26:36 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
+ 2004-07-15 14:28:58 720,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
- 2003-02-21 06:26:38 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
+ 2004-07-15 14:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
- 2003-02-21 06:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2004-07-15 14:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
- 2003-02-21 06:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2004-07-15 14:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
- 2003-02-20 18:09:12 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-15 00:32:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
- 2003-02-20 18:09:12 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
+ 2004-07-15 00:32:46 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
- 2003-02-20 18:06:32 311,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2004-07-15 00:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2003-02-20 18:09:16 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2004-07-15 00:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2003-02-21 06:26:34 2,088,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2004-07-15 14:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-20 18:09:18 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
+ 2004-07-15 00:33:22 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
- 2003-02-20 18:09:18 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2004-07-15 00:33:24 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
- 2003-02-20 18:07:34 2,494,464 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2004-07-15 00:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2003-02-20 18:08:32 2,482,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2004-07-15 00:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2004-08-10 16:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
- 2003-02-20 18:09:30 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2004-07-15 00:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
- 2003-02-21 06:26:46 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2004-07-15 14:28:48 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
- 2003-02-20 18:09:34 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
+ 2004-07-15 00:35:04 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
- 2003-02-21 06:26:38 1,290,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
+ 2004-07-15 14:32:00 1,294,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
- 2003-02-21 06:25:42 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
+ 2004-07-15 14:31:14 303,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
- 2003-02-21 06:26:42 1,699,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
+ 2004-07-15 14:29:02 1,703,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
- 2003-02-21 06:26:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2004-07-15 14:28:54 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
- 2003-02-21 06:26:46 1,216,512 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2004-07-15 14:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2003-02-21 06:26:50 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2004-07-15 14:28:58 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
- 2003-02-21 06:26:50 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
+ 2004-07-15 14:28:56 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
- 2003-02-20 18:09:36 64,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2004-07-15 00:35:12 66,560 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
- 2003-02-21 06:26:52 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
+ 2004-07-15 14:31:58 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
- 2003-02-21 06:26:54 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
+ 2004-07-15 14:31:12 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
- 2003-02-21 06:26:56 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
+ 2004-07-15 14:28:58 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
- 2003-02-21 06:26:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
+ 2004-07-15 14:31:54 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
- 2003-02-21 06:26:58 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2004-07-15 14:28:52 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2003-02-21 06:27:00 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
+ 2004-07-15 14:28:54 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
- 2003-02-21 06:27:02 1,245,184 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2004-07-15 14:29:00 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2003-02-21 06:27:06 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
+ 2004-07-15 14:28:58 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
- 2003-02-21 06:24:18 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2004-07-15 14:28:52 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
- 2003-02-21 06:27:06 569,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
+ 2004-07-15 14:31:16 573,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
- 2003-02-21 06:27:08 2,039,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2004-07-15 14:32:02 2,052,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
- 2003-02-21 06:27:10 1,335,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-07-15 14:29:00 1,339,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-06-22 13:51:38 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2003-02-21 09:20:38 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
+ 2004-07-15 11:23:20 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
- 2003-02-21 04:04:18 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
+ 2004-07-15 08:15:14 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
- 2003-02-20 19:10:40 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
+ 2004-07-15 02:11:56 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
- 2006-10-12 14:02:52 57,344 ----a-w C:\WINDOWS\msagent\agentdpv.dll
+ 2007-03-09 13:58:57 57,344 ----a-w C:\WINDOWS\msagent\agentdpv.dll
- 2006-10-12 14:02:52 57,344 -c--a-w C:\WINDOWS\system32\dllcache\agentdpv.dll
+ 2007-03-09 13:58:57 57,344 -c--a-w C:\WINDOWS\system32\dllcache\agentdpv.dll
- 2006-07-05 10:55:01 984,064 -c--a-w C:\WINDOWS\system32\dllcache\kernel32.dll
+ 2007-04-16 15:52:53 984,576 -c--a-w C:\WINDOWS\system32\dllcache\kernel32.dll
- 2006-08-17 12:28:27 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 13:00:00 574,592 -c--a-w C:\WINDOWS\system32\dllcache\ntfs.sys
+ 2007-02-09 11:10:35 574,464 -c--a-w C:\WINDOWS\system32\dllcache\ntfs.sys
- 2004-08-04 13:00:00 553,472 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2007-05-17 11:28:05 549,376 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2004-08-04 13:00:00 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2004-08-04 13:00:00 144,896 -c--a-w C:\WINDOWS\system32\dllcache\schannel.dll
+ 2007-04-25 14:21:15 144,896 -c--a-w C:\WINDOWS\system32\dllcache\schannel.dll
- 2006-11-01 17:31:34 315,904 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-26 22:10:26 317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2006-12-22 09:49:12 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-11-04 12:14:16 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
+ 2004-10-08 01:16:04 35,840 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
- 2004-08-04 13:00:00 574,592 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
+ 2007-02-09 11:10:35 574,464 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
- 2004-08-04 13:00:00 27,440 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
+ 2007-11-13 10:25:53 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
- 2006-07-05 10:55:01 984,064 ----a-w C:\WINDOWS\system32\kernel32.dll
+ 2007-04-16 15:52:53 984,576 ----a-w C:\WINDOWS\system32\kernel32.dll
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2003-04-18 15:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 15:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2004-08-04 13:00:00 553,472 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-05-17 11:28:05 549,376 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2007-10-29 10:12:06 71,366 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-28 13:14:49 71,046 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 10:12:06 439,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-28 13:14:49 438,960 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2004-08-04 13:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2004-08-04 13:00:00 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
+ 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
- 2007-01-04 10:50:42 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-05-08 15:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-19 12:45 171448]
"QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [2003-10-14 04:00 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 19:40 159744]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 20:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"McafWelcome"="C:\Program Files\McAfee.com\Agent\mcwelcom.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05 212992]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00 1005096]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31 296488]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 13:49 1121280]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 15:42 36904]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-07-09 10:22 282624]
"hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" [2000-12-05 12:02 86016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-05 14:02 249896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Basic Help.lnk - C:\Program Files\BT Broadband Basic Help\bin\matcli.exe [2007-04-06 16:08:14 200704]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-04-06 16:29:35 114688]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-07-09 10:23:57 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SuperAntiSpyware\SASWINLO.dll

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 03:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 17:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 12:15:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1194178465.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-01-29 14:39:02 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (HOME-MACHINE-User).job"
- c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
"2008-01-29 14:41:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-14 12:44:14 C:\WINDOWS\Tasks\WebReg 20080114124414.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exeQ/TaskName 20080114124414 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 14:39:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 14:43:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 14:43:16
ComboFix2.txt 2008-01-26 19:02:02
.
2008-01-28 13:16:46 --- E O F ---

__________________________________________________________________________


With thanks
Hollboy
Active Member
 
Posts: 5
Joined: January 23rd, 2008, 11:21 am

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby random/random » January 29th, 2008, 5:29 pm

What is the cmdcons directory?


That is the directory that the recovery console was installed to

What is the ComboFix/inkread.vbs script that the firewall warns as suspicious when ComboFix runs?
What is the gmer.net software you are using?


These questions I cannot answer because I don't know the answer for the first one, and also because the developer of combofix has stated that any details on ow combofix works should not be posted in public, as this would give the malware writers information that could help them overcome the tool, and also in inexperienced hands it can be an extremely dangerous tool.

There's one folder left over from an infection you had. Please delete this folder: C:\Program Files\AVSystemCare_REMOVER

Aside from that, your logs are looking good, so let's run an online scanner to check for any lingering malware remnants.

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: Google Redirected & AvSystemCare Warnings - Phew!!

Unread postby 'KotaGuy » February 20th, 2008, 12:29 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware