Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

malware problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

malware problems

Unread postby pepin07 » February 16th, 2010, 2:17 pm

hello
i have a malware problem , every time i open my browser a pop out comes out i end up in a forum and i think that is have something to do with vundo trojan infection i used spysweeper and it said that something called neborabel located in c:windows/symstem32/timikeze.dll",a i downloaded hijakthis and this is my log, please help me to remove this file and all possible files that could harm my computer

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:14:18 PM, on 2/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\Stopzilla!\Toolbar\SZSG.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\Stopzilla!\Toolbar\SZSG.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [neborabel] Rundll32.exe "c:\windows\system32\timikeze.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/Messenger ... 109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O20 - AppInit_DLLs: loyijofi.dll c:\windows\system32\pobapajo.dll c:\windows\system32\timikeze.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O21 - SSODL: lekomarob - {37c13b3c-4935-4600-9dcb-4b34e4d9345f} - c:\windows\system32\pobapajo.dll (file missing)
O21 - SSODL: yufediyal - {55177ea2-6379-4534-a681-8316238d2c73} - c:\windows\system32\timikeze.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: mujuzedij - {37c13b3c-4935-4600-9dcb-4b34e4d9345f} - c:\windows\system32\pobapajo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {55177ea2-6379-4534-a681-8316238d2c73} - c:\windows\system32\timikeze.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca4f8634bd17a0) (gupdate1ca4f8634bd17a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10310 bytes
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm
Advertisement
Register to Remove

Re: malware problems

Unread postby MWR 3 day Mod » February 19th, 2010, 8:47 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: malware problems

Unread postby xixo_12 » February 23rd, 2010, 10:36 am

Hello and Welcome to Malware Removal Forums.
  • My name is xixo_12 and I will guide you to encounter the problem that you have now.
  • We will work together and I need your attention to read all those instruction carefully.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Please post your replies to this thread only and keep interact with me until your computer is clean.

Everything I post to you will be review by MRU Teacher. This process will impact my response time to you. Be patient. ;)
Please! If you need more time to do all the instructions, let me know before 72hours is done. Otherwise, your thread will be closed

Please make sure you have done your reading on this topic : How to get help at this forum

Next,
Uninstall List.
  • Run the HiJack This.
  • Click on Open the Misc Tools section button.
  • Click on Misc Tools tab.
  • Under the System tools, click on Open Uninstall Manager button.
  • Find the Save list… button and save to the Desktop
  • Copy the content and paste the uninstall list here.

Next,
Checklist.
Please post.
  • Content of uninstall list.
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: malware problems

Unread postby pepin07 » February 23rd, 2010, 8:11 pm

thank you im gonna follow all the instructions , i will replied when im done
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

uninstall list

Unread postby pepin07 » February 23rd, 2010, 8:25 pm

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Free Antivirus
BitTorrent
Bonjour
Broadcom 802.11 Wireless LAN Adapter
CCleaner
Compresor WinRAR
Conexant AC-Link Audio
Data Fax SoftModem with SmartCP
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Google Chrome
Google Earth Plug-in
Google Update Helper
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Help and Support
HP PSC & OfficeJet 6.1.A
HP Software Update
HP User Guides 0001
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 16
LimeWire 5.3.6
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
muvee autoProducer 4.0 - SE
Philips PC Camera
Quick Launch Buttons 5.10 B2
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
STOPzilla
Stopzilla Toolbar
Synaptics Pointing Device Driver
TBS WMP Plug-in
Texas Instruments PCIxx21/x515 drivers.
TI Connect 1.6
TI NoteFolio Creator
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Zone Deluxe Games
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

Re: malware problems

Unread postby xixo_12 » February 26th, 2010, 9:16 am

Hi,
Let's proceed.

First,
P2P software.
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
BitTorrent
LimeWire 5.3.6

  • It's not a good idea to have them.
  • You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above.
  • If you do not wish to remove your P2P programs, don't proceed with the next instruction and please tell me to close this topic.

Next,
DDS by sUBs.
Please download from HERE and save to the desktop.
Note : Please disable any anti-malware program that will block scripts from running before running DDS.
Image
  • Double-Click on dds.scr to run it and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • Follow the instruction that appear on How to post the logs
    Note : Please save the logs on your desktop.

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan,click NO.
  • Click on >>> symbol and choose on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..

Next,
Checklist.
Please post.
  • Content of DDS.txt and Attach.txt (Find both in c:\rsit)
  • Content of GMER.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

DDSLogs

Unread postby pepin07 » February 26th, 2010, 1:45 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by Pepin at 11:39:32.14 on Fri 02/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.373 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Pepin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [neborabel] Rundll32.exe "c:\windows\system32\timikeze.dll",a
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/Messenger ... 109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/Messenger ... E_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/Me ... b56907.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/Mi ... b56986.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: TPSvc - TPSvc.dll
AppInit_DLLs: c:\windows\system32\timikeze.dll
SSODL: jiwolasav - {221ff01e-61ae-45c0-87ae-5c15dcdfba08} - c:\windows\system32\timikeze.dll
STS: gahurihor: {221ff01e-61ae-45c0-87ae-5c15dcdfba08} - c:\windows\system32\timikeze.dll
LSA: Notification Packages = scecli loyijofi.dll wopuwula.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pepin\applic~1\mozilla\firefox\profiles\24lm75dh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\pepin\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\pepin\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-1-27 167312]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-17 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-17 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-17 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-17 40384]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-10-5 200192]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 gupdate1ca4f8634bd17a0;Google Update Service (gupdate1ca4f8634bd17a0);c:\program files\google\update\GoogleUpdate.exe [2009-10-17 133104]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-17 40384]

=============== Created Last 30 ================

2010-02-18 05:16:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-17 00:41:04 0 d-----w- c:\program files\MSXML 4.0
2010-02-16 21:20:41 2713 --sh--w- c:\windows\system32\gahejeyu.dll
2010-02-16 18:40:06 0 d-sha-r- C:\cmdcons
2010-02-16 18:37:48 98816 ----a-w- c:\windows\sed.exe
2010-02-16 18:37:48 161792 ----a-w- c:\windows\SWREG.exe
2010-02-16 16:05:04 0 d-----w- c:\program files\TrendMicro
2010-02-16 15:46:52 0 d-----w- c:\program files\MSSOAP
2010-02-16 15:46:16 0 d-----w- c:\program files\Webroot
2010-02-16 15:45:33 164 ----a-w- c:\windows\install.dat
2010-02-15 21:44:16 0 d-----w- c:\program files\STOPzilla!
2010-02-14 21:34:56 10945 --sh--w- c:\windows\system32\jisagoyi.exe
2010-02-04 17:21:26 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-02-04 17:19:02 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-02-04 17:18:28 540672 ----a-r- c:\windows\system32\SZComp5.dll

==================== Find3M ====================

2010-01-27 16:19:32 167312 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 22:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 22:11:32 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 22:09:24 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 22:09:08 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 22:08:48 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 22:06:52 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 22:06:30 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 22:05:54 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 22:02:42 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-03 07:32:29 103193 ----a-w- c:\windows\hpoins08.dat
2003-08-05 17:41:44 53248 ----a-w- c:\windows\inf\ap561.exe
2002-11-26 22:24:58 32768 ----a-w- c:\windows\inf\Remove561.exe
2002-11-22 21:56:52 118784 ----a-w- c:\windows\inf\ShowBmp.exe
2002-10-30 00:07:44 36864 ----a-w- c:\windows\inf\Setup8a.exe
2002-10-01 20:43:32 119798 ----a-w- c:\windows\inf\spca561.sys
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\vorehuye.dll
2009-10-19 21:59:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009100520091012\index.dat
2009-10-19 21:59:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101920091020\index.dat

============= FINISH: 11:40:25.14 ===============
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

2nd dds log

Unread postby pepin07 » February 26th, 2010, 1:53 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/5/2009 3:53:59 AM
System Uptime: 2/26/2010 12:29:56 AM (11 hours ago)

Motherboard: Quanta | | 3097
Processor: Mobile AMD Sempron(tm) Processor 3000+ | U23 | 1794/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 123.186 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP94: 11/29/2009 5:22:42 AM - System Checkpoint
RP95: 11/30/2009 6:22:44 AM - System Checkpoint
RP96: 12/1/2009 8:48:22 AM - System Checkpoint
RP97: 12/2/2009 9:30:07 AM - System Checkpoint
RP98: 12/3/2009 9:57:02 AM - System Checkpoint
RP99: 12/4/2009 10:29:29 AM - System Checkpoint
RP100: 12/5/2009 11:29:29 AM - System Checkpoint
RP101: 12/6/2009 12:29:31 PM - System Checkpoint
RP102: 12/7/2009 2:09:25 PM - System Checkpoint
RP103: 12/8/2009 2:29:32 PM - System Checkpoint
RP104: 12/9/2009 3:34:05 PM - System Checkpoint
RP105: 12/10/2009 3:44:10 PM - System Checkpoint
RP106: 12/11/2009 4:44:11 PM - System Checkpoint
RP107: 12/11/2009 10:32:16 PM - Software Distribution Service 3.0
RP108: 12/11/2009 10:45:16 PM - Software Distribution Service 3.0
RP109: 12/11/2009 10:47:00 PM - Software Distribution Service 3.0
RP110: 12/13/2009 5:01:22 AM - System Checkpoint
RP111: 12/14/2009 5:04:58 AM - System Checkpoint
RP112: 12/15/2009 5:43:32 AM - System Checkpoint
RP113: 12/16/2009 6:13:38 AM - System Checkpoint
RP114: 12/17/2009 6:42:28 AM - System Checkpoint
RP115: 12/18/2009 7:43:17 AM - System Checkpoint
RP116: 12/19/2009 8:42:14 AM - System Checkpoint
RP117: 12/20/2009 8:57:02 AM - System Checkpoint
RP118: 12/21/2009 9:57:03 AM - System Checkpoint
RP119: 12/22/2009 10:57:01 AM - System Checkpoint
RP120: 12/23/2009 11:57:02 AM - System Checkpoint
RP121: 12/24/2009 12:57:04 PM - System Checkpoint
RP122: 12/25/2009 1:11:05 PM - System Checkpoint
RP123: 12/26/2009 1:57:04 PM - System Checkpoint
RP124: 12/27/2009 1:57:18 PM - System Checkpoint
RP125: 12/28/2009 2:11:18 PM - System Checkpoint
RP126: 12/30/2009 1:14:27 AM - System Checkpoint
RP127: 12/31/2009 1:57:21 AM - System Checkpoint
RP128: 1/1/2010 1:58:24 AM - System Checkpoint
RP129: 1/2/2010 2:57:18 AM - System Checkpoint
RP130: 1/3/2010 3:20:36 AM - System Checkpoint
RP131: 1/4/2010 4:18:45 AM - System Checkpoint
RP132: 1/5/2010 4:57:27 AM - System Checkpoint
RP133: 1/6/2010 4:57:40 AM - System Checkpoint
RP134: 1/7/2010 10:52:32 PM - System Checkpoint
RP135: 1/8/2010 10:57:13 PM - System Checkpoint
RP136: 1/9/2010 11:07:25 PM - System Checkpoint
RP137: 1/10/2010 11:57:17 PM - System Checkpoint
RP138: 1/12/2010 2:55:49 AM - System Checkpoint
RP139: 1/12/2010 10:40:24 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP140: 1/13/2010 3:01:50 AM - Software Distribution Service 3.0
RP141: 1/14/2010 5:09:10 AM - System Checkpoint
RP142: 1/15/2010 5:56:40 AM - System Checkpoint
RP143: 1/16/2010 6:56:41 AM - System Checkpoint
RP144: 1/17/2010 7:56:40 AM - System Checkpoint
RP145: 1/18/2010 8:06:44 AM - System Checkpoint
RP146: 1/19/2010 9:06:46 AM - System Checkpoint
RP147: 1/20/2010 10:06:54 AM - System Checkpoint
RP148: 1/21/2010 11:05:18 AM - System Checkpoint
RP149: 1/21/2010 9:13:32 PM - Software Distribution Service 3.0
RP150: 1/22/2010 3:45:23 AM - Installed SUPERAntiSpyware Professional
RP151: 1/23/2010 4:20:53 AM - System Checkpoint
RP152: 1/24/2010 5:20:52 AM - System Checkpoint
RP153: 1/25/2010 5:49:02 AM - System Checkpoint
RP154: 1/26/2010 6:49:03 AM - System Checkpoint
RP155: 1/27/2010 6:49:11 AM - System Checkpoint
RP156: 1/28/2010 7:49:11 AM - System Checkpoint
RP157: 1/29/2010 8:49:13 AM - System Checkpoint
RP158: 1/30/2010 9:49:12 AM - System Checkpoint
RP159: 1/31/2010 10:49:11 AM - System Checkpoint
RP160: 2/1/2010 11:49:11 AM - System Checkpoint
RP161: 2/2/2010 1:07:08 PM - System Checkpoint
RP162: 2/3/2010 4:26:44 PM - System Checkpoint
RP163: 2/4/2010 4:49:23 PM - System Checkpoint
RP164: 2/5/2010 8:34:49 PM - System Checkpoint
RP165: 2/6/2010 8:52:31 PM - System Checkpoint
RP166: 2/7/2010 11:10:56 PM - System Checkpoint
RP167: 2/9/2010 2:44:40 AM - System Checkpoint
RP168: 2/10/2010 3:00:28 AM - Software Distribution Service 3.0
RP169: 2/11/2010 3:55:22 AM - System Checkpoint
RP170: 2/12/2010 11:53:54 PM - System Checkpoint
RP171: 2/14/2010 12:02:18 AM - System Checkpoint
RP172: 2/15/2010 3:52:20 AM - System Checkpoint
RP173: 2/15/2010 3:34:57 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP174: 2/15/2010 3:36:30 PM - Removed SUPERAntiSpyware Professional
RP175: 2/15/2010 3:37:04 PM - Removed STOPzilla Toolbar
RP176: 2/15/2010 3:43:58 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP177: 2/16/2010 10:04:57 AM - Installed HiJackThis
RP178: 2/16/2010 12:38:52 PM - ComboFix created restore point
RP179: 2/16/2010 4:56:51 PM - Removed Ask Toolbar.
RP180: 2/16/2010 6:40:49 PM - Software Distribution Service 3.0
RP181: 2/17/2010 1:23:17 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP182: 2/17/2010 1:28:01 AM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP183: 2/17/2010 11:24:15 PM - avast! Free Antivirus Setup
RP184: 2/20/2010 12:07:36 AM - System Checkpoint
RP185: 2/21/2010 1:37:42 AM - System Checkpoint
RP186: 2/24/2010 1:18:21 AM - System Checkpoint
RP187: 2/24/2010 3:00:18 AM - Software Distribution Service 3.0
RP188: 2/24/2010 9:58:12 PM - Installed Windows Media Player Firefox Plugin
RP189: 2/26/2010 12:01:27 AM - System Checkpoint

==== Installed Programs ======================

AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AiO_Scan_CDA
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
avast! Free Antivirus
Bonjour
Broadcom 802.11 Wireless LAN Adapter
CCleaner
Compresor WinRAR
Conexant AC-Link Audio
Data Fax SoftModem with SmartCP
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Google Chrome
Google Earth Plug-in
Google Update Helper
H.264 Decoder
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Help and Support
HP PSC & OfficeJet 6.1.A
HP Software Update
HP User Guides 0001
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 16
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKV Splitter
Move Media Player
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
muvee autoProducer 4.0 - SE
Philips PC Camera
QFolder
Quick Launch Buttons 5.10 B2
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
STOPzilla
Stopzilla Toolbar
Synaptics Pointing Device Driver
TBS WMP Plug-in
Texas Instruments PCIxx21/x515 drivers.
TI Connect 1.6
TI NoteFolio Creator
TIxx21
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
Zone Deluxe Games

==== Event Viewer Messages From Past Week ========

2/26/2010 12:25:27 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

==== End Of File ===========================
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

gmer checklist

Unread postby pepin07 » February 26th, 2010, 2:52 pm

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-26 12:50:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Pepin\LOCALS~1\Temp\fxlcrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE629C5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE629B16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE62A0CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE629FF4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE6296EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE629BF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE62962C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE629690]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE629D10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE62A198]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE629CD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE629E50]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF73F5100]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE6364FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE636322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE63645C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 80579608 7 Bytes JMP EE636460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A076A 7 Bytes JMP EE636326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CEE 5 Bytes JMP EE6324BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B66 5 Bytes JMP EE633972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP EE636502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

Re: malware problems

Unread postby xixo_12 » February 27th, 2010, 7:44 am

Hi,
Let's proceed.

First,
Discussion.
I saw there is a sign of ComboFix usage on the previous event
For your reference :
RP178: 2/16/2010 12:38:52 PM - ComboFix created restore point

Please tell me, is it a self fixes or do you get help from any of anti-malware forums?

Next,
ERUNT by Lars Hederer
Download ERUNT and save to the desktop.
  • Double click on erunt-setup.exe to install the program.
  • Follow the prompts > uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • Next screen, uncheck Show documentation and check Launch ERUNT.
  • If ERUNT doesnt start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process

Note:
The backups can be restored from here:
C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,
Remove programs.
Please Click on Start > Control Panel > Add/Remove Programs
Remove the listed program(s) by clicking Remove
Messenger Plus! Live
STOPzilla
Stopzilla Toolbar

If some programs listed above are not in present, please do not panic and proceed to the next step.

Next,
Reboot into the usual account.

Next,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe <<Please have a look on the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
HijackThis V2.0.2
Please download from HERE and save to the desktop.
NOTE: Please uninstall any older version or BETA version of HiJackThis after download this version.
  • Double click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install and it will create a HiJackThis icon on the desktop
  • Once installed, it will launch HijackThis. If not, double click the HijackThis desktop icon.
  • Click on the "Do a system scan and save a Log file" button.
  • Notepad will open with a saved log file called hijackthis.log
  • In the Hijackthis log, go to the top menu, click on Format and uncheck Word Wrap if checked.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Paste the contents of hijackthis.log file in your next reply.

Reminder : Do not fix anything yourself.

Next,
Checklist.
Please post.
  • Respond to our discussion
  • Content of ComboFix.txt
  • Content of hijackthis log
  • Please tell me how is your system behave now
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

combofix log

Unread postby pepin07 » February 27th, 2010, 8:30 pm

ComboFix 10-02-27.04 - Pepin 02/27/2010 17:27:16.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.521 [GMT -6:00]
Running from: c:\documents and settings\Pepin\Desktop\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Active Security
c:\windows\system32\gahejeyu.dll
c:\windows\system32\jisagoyi.exe
c:\windows\system32\vorehuye.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 22:59 . 2010-02-27 22:59 -------- d-----w- c:\program files\ERUNT
2010-02-18 05:24 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-18 05:24 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-18 05:24 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-18 05:24 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-18 05:24 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-18 05:24 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-18 05:24 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-18 05:24 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-18 05:24 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-18 05:16 . 2010-02-18 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-17 00:41 . 2010-02-17 00:41 -------- d-----w- c:\program files\MSXML 4.0
2010-02-16 16:05 . 2010-02-16 16:05 388096 ----a-r- c:\documents and settings\Pepin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-16 16:05 . 2010-02-16 16:05 -------- d-----w- c:\program files\TrendMicro
2010-02-16 15:47 . 2010-02-16 15:47 128 ----a-w- c:\documents and settings\Pepin\Local Settings\Application Data\fusioncache.dat
2010-02-16 15:46 . 2010-02-16 15:46 -------- d-----w- c:\program files\MSSOAP
2010-02-16 15:46 . 2010-02-16 15:46 -------- d-----w- c:\program files\Webroot
2010-02-16 15:45 . 2010-02-16 15:45 164 ----a-w- c:\windows\install.dat
2010-02-14 21:34 . 2010-02-14 21:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-10 23:23 . 2010-02-10 23:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 23:05 . 2009-10-17 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-27 23:04 . 2010-02-26 18:04 544 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-26 06:32 . 2009-10-28 09:01 -------- d-----w- c:\documents and settings\Pepin\Application Data\LimeWire
2010-02-18 05:24 . 2009-10-05 17:22 -------- d-----w- c:\program files\Alwil Software
2010-02-16 23:36 . 2009-10-05 09:23 64200 ----a-w- c:\documents and settings\Pepin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 21:36 . 2009-10-21 22:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-15 21:36 . 2010-01-22 09:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-02 09:01 . 2009-10-10 20:17 -------- d-----w- c:\documents and settings\Pepin\Application Data\Move Networks
2010-01-27 07:27 . 2009-10-18 00:00 -------- d-----w- c:\program files\Google
2010-01-25 21:46 . 2009-10-19 07:10 -------- d-----w- c:\documents and settings\Pepin\Application Data\AdobeUM
2010-01-25 01:25 . 2009-10-17 00:03 143976 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\uninstall.exe
2010-01-25 01:25 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-01-25 01:25 . 2010-01-25 01:24 1794456 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-01-22 21:29 . 2010-01-22 21:29 -------- d-----w- c:\documents and settings\Pepin\Application Data\DivX
2010-01-22 18:11 . 2010-01-22 09:46 117760 ----a-w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-22 09:46 . 2010-01-22 09:46 52224 ----a-w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 09:45 . 2010-01-22 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 09:45 . 2010-01-22 09:45 -------- d-----w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com
2010-01-13 21:03 . 2010-01-13 21:03 -------- d-----w- c:\program files\CCleaner
2010-01-08 16:24 . 2010-01-08 16:23 -------- d-----w- c:\program files\iTunes
2010-01-08 16:23 . 2010-01-08 16:23 -------- d-----w- c:\program files\iPod
2010-01-08 16:23 . 2009-10-05 17:33 -------- d-----w- c:\program files\Common Files\Apple
2010-01-08 16:17 . 2009-10-05 17:35 -------- d-----w- c:\program files\QuickTime
2010-01-08 16:06 . 2010-01-08 16:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-10-05 08:46 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 07:32 . 2009-12-03 06:14 103193 ----a-w- c:\windows\hpoins08.dat
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-02-18_08.53.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-27 23:33 . 2010-02-27 23:33 16384 c:\windows\temp\Perflib_Perfdata_170.dat
- 2009-10-05 09:50 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2009-10-05 09:50 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2004-08-04 12:00 . 2010-02-18 08:21 53166 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-02-27 23:38 53166 c:\windows\system32\perfc009.dat
+ 2009-10-05 08:55 . 2010-02-26 02:01 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-05 08:55 . 2010-02-17 07:39 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-05 08:55 . 2010-02-26 02:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-05 08:55 . 2010-02-17 07:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-05 08:55 . 2010-02-26 02:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-10-05 08:55 . 2010-02-17 07:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-05 09:17 . 2009-10-05 09:17 82432 c:\windows\Installer\e768a.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 27136 c:\windows\Installer\a51ff.msi
+ 2009-10-05 09:59 . 2009-10-05 09:59 83456 c:\windows\Installer\a51eb.msi
+ 2009-10-05 09:59 . 2009-10-05 09:59 59904 c:\windows\Installer\a51e6.msi
+ 2009-12-03 07:32 . 2009-12-03 07:32 84992 c:\windows\Installer\68b68.msi
+ 2009-10-06 06:00 . 2009-10-06 06:00 48128 c:\windows\Installer\2a37637.msi
+ 2010-02-26 13:23 . 2010-02-26 13:23 22528 c:\windows\Installer\17aba1e.msi
+ 2010-02-27 23:00 . 2010-02-27 23:00 8192 c:\windows\ERDNT\2-27-2010\Users\00000004\UsrClass.dat
+ 2010-02-27 23:00 . 2010-02-27 23:00 8192 c:\windows\ERDNT\2-27-2010\Users\00000002\UsrClass.dat
+ 2004-08-04 12:00 . 2010-02-27 23:38 380918 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-02-18 08:21 380918 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2004-08-04 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-10-05 10:47 . 2004-08-04 12:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2009-10-05 10:47 . 2004-08-04 12:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-05-26 23:53 . 2009-05-26 23:53 579072 c:\windows\Installer\c7e923e.msp
+ 2010-01-27 07:28 . 2010-01-27 07:28 919040 c:\windows\Installer\aaa3f5f.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 430080 c:\windows\Installer\a520a.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 155648 c:\windows\Installer\a5204.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 140288 c:\windows\Installer\a51fa.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 202752 c:\windows\Installer\a51f5.msi
+ 2009-10-05 10:00 . 2009-10-05 10:00 152576 c:\windows\Installer\a51f0.msi
+ 2009-10-05 09:59 . 2009-10-05 09:59 107008 c:\windows\Installer\a51e1.msi
+ 2009-10-05 09:59 . 2009-10-05 09:59 301056 c:\windows\Installer\a51dc.msi
+ 2007-10-15 04:44 . 2007-10-15 04:44 324608 c:\windows\Installer\a3ad7d5.msp
+ 2007-10-15 04:46 . 2007-10-15 04:46 324608 c:\windows\Installer\a3ad7cf.msp
+ 2009-12-03 07:31 . 2009-12-03 07:31 770048 c:\windows\Installer\68b63.msi
+ 2009-12-03 07:31 . 2009-12-03 07:31 314368 c:\windows\Installer\68b5e.msi
+ 2010-01-08 16:13 . 2010-01-08 16:13 796672 c:\windows\Installer\64b4b279.msi
+ 2009-10-21 07:48 . 2009-10-21 07:48 902656 c:\windows\Installer\5313908.msi
+ 2010-02-25 03:58 . 2010-02-25 03:58 836096 c:\windows\Installer\402713c.msi
+ 2010-02-18 05:24 . 2010-02-18 05:24 219648 c:\windows\Installer\33926.msi
+ 2009-10-06 08:11 . 2009-10-06 08:11 470528 c:\windows\Installer\31993ed.msi
+ 2009-10-18 00:01 . 2009-10-18 00:01 169472 c:\windows\Installer\2cde67.msi
+ 2010-02-17 00:41 . 2010-02-17 00:41 432640 c:\windows\Installer\2ba459.msi
+ 2010-02-17 00:41 . 2010-02-17 00:41 429568 c:\windows\Installer\2ba452.msi
+ 2009-10-06 06:01 . 2009-10-06 06:01 501248 c:\windows\Installer\2a3764d.msi
+ 2009-10-06 06:01 . 2009-10-06 06:01 506880 c:\windows\Installer\2a37648.msi
+ 2009-10-06 06:01 . 2009-10-06 06:01 516608 c:\windows\Installer\2a37642.msi
+ 2009-10-06 06:00 . 2009-10-06 06:00 513024 c:\windows\Installer\2a3763c.msi
+ 2009-10-06 05:59 . 2009-10-06 05:59 501248 c:\windows\Installer\2a37620.msi
+ 2009-10-05 09:40 . 2009-10-05 09:40 589312 c:\windows\Installer\20e6af.msi
+ 2009-10-05 09:35 . 2009-10-05 09:35 227840 c:\windows\Installer\20e6a9.msi
+ 2009-10-05 09:35 . 2009-10-05 09:35 226304 c:\windows\Installer\20e6a3.msi
+ 2009-10-05 09:35 . 2009-10-05 09:35 227328 c:\windows\Installer\20e69d.msi
+ 2009-10-05 08:56 . 2009-10-05 08:56 264704 c:\windows\Installer\1fb95.msi
+ 2009-10-28 08:54 . 2009-10-28 08:54 537600 c:\windows\Installer\1f90088d.msi
+ 2010-02-24 09:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 09:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 09:01 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-02-27 23:37 . 2010-02-27 23:37 303104 c:\windows\ERDNT\AutoBackup\2-27-2010\Users\00000002\UsrClass.dat
+ 2010-02-27 23:37 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\2-27-2010\ERDNT.EXE
+ 2010-02-27 23:00 . 2010-02-27 23:00 303104 c:\windows\ERDNT\2-27-2010\Users\00000006\UsrClass.dat
+ 2010-02-27 23:00 . 2010-02-27 23:00 229376 c:\windows\ERDNT\2-27-2010\Users\00000003\NTUSER.DAT
+ 2010-02-27 23:00 . 2010-02-27 23:00 229376 c:\windows\ERDNT\2-27-2010\Users\00000001\NTUSER.DAT
+ 2010-02-27 23:00 . 2005-10-20 18:02 163328 c:\windows\ERDNT\2-27-2010\ERDNT.EXE
+ 2004-08-04 12:00 . 2004-08-04 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2009-10-05 10:48 . 2004-08-04 12:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2009-10-05 10:47 . 2004-08-04 12:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2010-02-16 16:05 . 2010-02-16 16:05 1093632 c:\windows\Installer\e9912.msi
+ 2009-10-05 09:09 . 2009-10-05 09:09 3443712 c:\windows\Installer\d3107.msi
+ 2009-05-04 12:46 . 2009-05-04 12:46 8299008 c:\windows\Installer\c9a236b.msp
+ 2009-05-04 12:47 . 2009-05-04 12:47 9124864 c:\windows\Installer\c7e93d7.msp
+ 2009-04-24 17:30 . 2009-04-24 17:30 2583552 c:\windows\Installer\c7e93c5.msp
+ 2009-08-05 12:49 . 2009-08-05 12:49 3457024 c:\windows\Installer\c7e93b2.msp
+ 2009-04-24 17:28 . 2009-04-24 17:28 4450816 c:\windows\Installer\c7e939f.msp
+ 2009-07-27 09:31 . 2009-07-27 09:31 3738624 c:\windows\Installer\c7e938c.msp
+ 2009-04-04 22:10 . 2009-04-04 22:10 1282560 c:\windows\Installer\c7e937b.msp
+ 2009-04-04 22:10 . 2009-04-04 22:10 7888384 c:\windows\Installer\c7e9374.msp
+ 2009-04-04 22:10 . 2009-04-04 22:10 9926144 c:\windows\Installer\c7e936b.msp
+ 2009-08-18 18:08 . 2009-08-18 18:08 1373696 c:\windows\Installer\c7e922d.msp
+ 2009-04-24 17:29 . 2009-04-24 17:29 9013760 c:\windows\Installer\c7e921c.msp
+ 2009-10-16 13:09 . 2009-10-16 13:09 2518016 c:\windows\Installer\b9f3dcd.msp
+ 2007-10-15 04:43 . 2007-10-15 04:43 5749760 c:\windows\Installer\a3ad7af.msp
+ 2009-10-21 22:45 . 2009-10-21 22:45 5338624 c:\windows\Installer\866a3ea.msi
+ 2009-08-18 18:58 . 2009-08-18 18:58 8301056 c:\windows\Installer\80a0cc8.msp
+ 2009-08-18 18:57 . 2009-08-18 18:57 9122304 c:\windows\Installer\80a0cb7.msp
+ 2010-01-08 16:25 . 2010-01-08 16:25 4454912 c:\windows\Installer\64b4bca7.msi
+ 2010-01-08 16:17 . 2010-01-08 16:17 9473024 c:\windows\Installer\64b4b50c.msi
+ 2009-02-26 00:08 . 2009-02-26 00:08 8311808 c:\windows\Installer\50d1f4c.msp
+ 2010-01-25 21:46 . 2010-01-25 21:46 2727936 c:\windows\Installer\36ef7f7.msi
+ 2010-02-16 15:46 . 2010-02-16 15:46 1473024 c:\windows\Installer\36c10dc.msi
+ 2007-03-31 03:20 . 2007-03-31 03:20 5800960 c:\windows\Installer\2fe01df.msp
+ 2008-04-11 23:48 . 2008-04-11 23:48 6774272 c:\windows\Installer\2fe0176.msp
+ 2008-05-21 05:45 . 2008-05-21 05:45 5246976 c:\windows\Installer\2fe0163.msp
+ 2007-06-01 20:54 . 2007-06-01 20:54 9626624 c:\windows\Installer\2fe013c.msp
+ 2008-10-20 15:18 . 2008-10-20 15:18 6474240 c:\windows\Installer\2fe012b.msp
+ 2009-10-06 06:05 . 2009-10-06 06:05 9613312 c:\windows\Installer\2a37659.msi
+ 2009-10-06 06:01 . 2009-10-06 06:01 1652736 c:\windows\Installer\2a37652.msi
+ 2009-10-06 06:00 . 2009-10-06 06:00 1640960 c:\windows\Installer\2a3762f.msi
+ 2009-10-06 06:00 . 2009-10-06 06:00 1640960 c:\windows\Installer\2a3762a.msi
+ 2009-10-06 06:00 . 2009-10-06 06:00 1713152 c:\windows\Installer\2a37625.msi
+ 2009-10-06 05:59 . 2009-10-06 05:59 2397184 c:\windows\Installer\2a3761b.msi
+ 2009-11-23 23:02 . 2009-11-23 23:02 2368000 c:\windows\Installer\2246a49b.msi
+ 2009-10-05 09:34 . 2009-10-05 09:34 4866560 c:\windows\Installer\20e696.msi
+ 2009-10-05 09:32 . 2009-10-05 09:32 1096192 c:\windows\Installer\20e67c.msi
+ 2009-10-05 09:32 . 2009-10-05 09:32 1102848 c:\windows\Installer\20e5f9.msi
+ 2009-10-05 09:32 . 2009-10-05 09:32 1094656 c:\windows\Installer\20e575.msi
+ 2009-10-05 09:31 . 2009-10-05 09:31 5864960 c:\windows\Installer\20e569.msp
+ 2009-10-05 09:02 . 2009-10-05 09:02 3975680 c:\windows\Installer\1fba0.msi
+ 2009-10-05 17:36 . 2009-10-05 17:36 1659392 c:\windows\Installer\1aa112c.msi
+ 2009-10-05 17:34 . 2009-10-05 17:34 1549312 c:\windows\Installer\1aa10e9.msi
+ 2009-10-05 17:34 . 2009-10-05 17:34 3310592 c:\windows\Installer\1aa10e4.msi
+ 2009-10-05 09:40 . 2009-10-05 09:40 2220544 c:\windows\Hewlett-Packard\Setup Files\HP Software Update\{77C7D65D-7F07-4F6B-95DE-3D893B08E7FF}\HP Software Update.msi
+ 2010-02-27 23:37 . 2010-02-27 23:37 3788800 c:\windows\ERDNT\AutoBackup\2-27-2010\Users\00000001\NTUSER.DAT
+ 2010-02-27 23:00 . 2010-02-27 23:00 3788800 c:\windows\ERDNT\2-27-2010\Users\00000005\NTUSER.DAT
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-10-05 09:10 . 2009-10-05 09:10 19204096 c:\windows\Installer\e767d.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\d4bad54.msp
+ 2009-04-04 16:36 . 2009-04-04 16:36 21390848 c:\windows\Installer\c7e926e.msp
+ 2009-04-04 22:09 . 2009-04-04 22:09 15190016 c:\windows\Installer\c7e925d.msp
+ 2007-10-15 04:43 . 2007-10-15 04:43 12743168 c:\windows\Installer\a3ad7c0.msp
+ 2007-10-15 04:43 . 2007-10-15 04:43 21981184 c:\windows\Installer\a3ad793.msp
+ 2009-10-06 08:06 . 2009-10-06 08:06 15256576 c:\windows\Installer\31993e8.msp
+ 2008-08-11 16:51 . 2008-08-11 16:51 15916544 c:\windows\Installer\2fe01ce.msp
+ 2008-10-20 15:16 . 2008-10-20 15:16 13211648 c:\windows\Installer\2fe01bd.msp
+ 2008-08-11 16:49 . 2008-08-11 16:49 22457344 c:\windows\Installer\2fe01aa.msp
+ 2008-09-24 17:05 . 2008-09-24 17:05 16381440 c:\windows\Installer\2fe0199.msp
+ 2009-02-26 00:05 . 2009-02-26 00:05 11840000 c:\windows\Installer\2fe0188.msp
+ 2009-02-26 00:07 . 2009-02-26 00:07 11646464 c:\windows\Installer\2fe014d.msp
+ 2009-10-05 09:11 . 2009-10-05 09:11 20034560 c:\windows\Downloaded Installations\{EA6652A6-343E-4645-AF84-0BACF426C950}\iTunes.msi
+ 2009-04-04 22:08 . 2009-04-04 22:08 343058432 c:\windows\Installer\c7e9361.msp
+ 2007-10-15 04:43 . 2007-10-15 04:43 229852160 c:\windows\Installer\a3ad78c.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-04 198160]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]

c:\documents and settings\Pepin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/17/2010 11:24 PM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/17/2010 11:24 PM 19024]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/5/2009 2:58 AM 200192]
S2 gupdate1ca4f8634bd17a0;Google Update Service (gupdate1ca4f8634bd17a0);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2009 6:01 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 00:00]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 00:00]

2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{3AEC60E6-E8B8-47B2-8A33-893DE89E8FD8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pepin\Application Data\Mozilla\Firefox\Profiles\24lm75dh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-neborabel - c:\windows\system32\timikeze.dll
SharedTaskScheduler-{221ff01e-61ae-45c0-87ae-5c15dcdfba08} - c:\windows\system32\timikeze.dll
SSODL-jiwolasav-{221ff01e-61ae-45c0-87ae-5c15dcdfba08} - c:\windows\system32\timikeze.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,6b,d9,cd,04,fc,63,41,b5,e5,cc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,6b,d9,cd,04,fc,63,41,b5,e5,cc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-27 17:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 23:40
ComboFix2.txt 2010-02-18 08:56
ComboFix3.txt 2010-02-17 21:29
ComboFix4.txt 2010-02-17 18:53
ComboFix5.txt 2010-02-27 23:26

Pre-Run: 132,147,974,144 bytes free
Post-Run: 132,064,628,736 bytes free

- - End Of File - - 04D7BEFBAEC5DB72242C97BA77183DE8
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

hijackthis log

Unread postby pepin07 » February 27th, 2010, 8:34 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:41 PM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/Messenger ... 109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca4f8634bd17a0) (gupdate1ca4f8634bd17a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7403 bytes
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

Re: malware problems

Unread postby pepin07 » February 27th, 2010, 8:39 pm

And about the combo fix on my computer was a self fix but i didn't knew what to do so i ask help to you guys, also my computer is working normally with the exception that at start up appear a error window saying that a file could not be find it the file ends with c:windows/system32/timikaze.dll something like that
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm

Re: malware problems

Unread postby xixo_12 » February 28th, 2010, 8:23 pm

Hi,

***Important : Regarding ComboFix
You should aware that, this tool is not a toy and not for everyday use. Please refrain yourself to do self fixes using this tools in the future as I know you have run this tool several times.
It could result to unbootable situation rather than trying to solve your system problem.

Let's proceed.

Next,
CFScript
  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Code: Select all
    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    c:\documents and settings\Pepin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    Folder::
    c:\program files\Webroot
    c:\documents and settings\All Users\Application Data\STOPzilla!
    c:\documents and settings\Pepin\Application Data\LimeWire
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to the desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
Discussion.
error window saying that a file could not be find it the file ends with c:windows/system32/timikaze.dll

How about this problem? Is it still appear?

Next,
Checklist.
Please post.
  • Content of ComboFix.txt
  • Content of MBAM log.
  • Response to our discussion
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

combofix log

Unread postby pepin07 » February 28th, 2010, 9:52 pm

ComboFix 10-02-27.04 - Pepin 02/28/2010 19:42:19.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.743 [GMT -6:00]
Running from: c:\documents and settings\Pepin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Pepin\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Pepin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT"
"c:\windows\system32\drivers\kgpcpy.cfg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\STOPzilla!
c:\documents and settings\All Users\Application Data\STOPzilla!\modules_scanned.db
c:\documents and settings\All Users\Application Data\STOPzilla!\modules_scanned.db.bak
c:\documents and settings\All Users\Application Data\STOPzilla!\scanner.log
c:\documents and settings\All Users\Application Data\STOPzilla!\sgdefs.db
c:\documents and settings\All Users\Application Data\STOPzilla!\sgdwc.db
c:\documents and settings\All Users\Application Data\STOPzilla!\userdata.db
c:\documents and settings\All Users\Application Data\STOPzilla!\zilla5.log
c:\documents and settings\Pepin\Application Data\LimeWire
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Pepin\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Pepin\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Pepin\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Pepin\Application Data\LimeWire\downloads.dat
c:\documents and settings\Pepin\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Pepin\Application Data\LimeWire\gnutella.net
c:\documents and settings\Pepin\Application Data\LimeWire\installation.props
c:\documents and settings\Pepin\Application Data\LimeWire\library.dat
c:\documents and settings\Pepin\Application Data\LimeWire\library5.dat
c:\documents and settings\Pepin\Application Data\LimeWire\limewire.props
c:\documents and settings\Pepin\Application Data\LimeWire\lock
c:\documents and settings\Pepin\Application Data\LimeWire\mojito.props
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\96336453d01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\AE98BDF4d01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\BAADB0B5d01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\BAFF9ABCd01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\CFF25DC1d01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\Cache\F27BAECCd01
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Pepin\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Pepin\Application Data\LimeWire\player.props
c:\documents and settings\Pepin\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Pepin\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Pepin\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Pepin\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Pepin\Application Data\LimeWire\questions.props
c:\documents and settings\Pepin\Application Data\LimeWire\responses.cache
c:\documents and settings\Pepin\Application Data\LimeWire\simpp.xml
c:\documents and settings\Pepin\Application Data\LimeWire\spam.dat
c:\documents and settings\Pepin\Application Data\LimeWire\tables.props
c:\documents and settings\Pepin\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Pepin\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Pepin\Application Data\LimeWire\version.xml
c:\documents and settings\Pepin\Application Data\LimeWire\versions.props
c:\documents and settings\Pepin\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Pepin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\program files\Webroot
c:\windows\system32\drivers\kgpcpy.cfg

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-28 00:31 . 2010-02-28 00:31 -------- d-----w- c:\program files\Trend Micro
2010-02-27 22:59 . 2010-02-27 22:59 -------- d-----w- c:\program files\ERUNT
2010-02-18 05:24 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-18 05:24 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-18 05:24 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-18 05:24 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-18 05:24 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-18 05:24 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-18 05:24 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-18 05:24 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-18 05:24 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-18 05:16 . 2010-02-18 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-17 00:41 . 2010-02-17 00:41 -------- d-----w- c:\program files\MSXML 4.0
2010-02-16 16:05 . 2010-02-16 16:05 -------- d-----w- c:\program files\TrendMicro
2010-02-16 15:47 . 2010-02-16 15:47 128 ----a-w- c:\documents and settings\Pepin\Local Settings\Application Data\fusioncache.dat
2010-02-16 15:46 . 2010-02-16 15:46 -------- d-----w- c:\program files\MSSOAP
2010-02-16 15:45 . 2010-02-16 15:45 164 ----a-w- c:\windows\install.dat
2010-02-14 21:34 . 2010-02-14 21:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-10 23:23 . 2010-02-10 23:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 05:24 . 2009-10-05 17:22 -------- d-----w- c:\program files\Alwil Software
2010-02-15 21:36 . 2009-10-21 22:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-15 21:36 . 2010-01-22 09:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-02 09:01 . 2009-10-10 20:17 -------- d-----w- c:\documents and settings\Pepin\Application Data\Move Networks
2010-01-27 07:27 . 2009-10-18 00:00 -------- d-----w- c:\program files\Google
2010-01-25 21:46 . 2009-10-19 07:10 -------- d-----w- c:\documents and settings\Pepin\Application Data\AdobeUM
2010-01-25 01:25 . 2009-10-17 00:03 143976 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\uninstall.exe
2010-01-25 01:25 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-01-25 01:25 . 2010-01-25 01:24 1794456 ----a-w- c:\documents and settings\Pepin\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-01-22 21:29 . 2010-01-22 21:29 -------- d-----w- c:\documents and settings\Pepin\Application Data\DivX
2010-01-22 18:11 . 2010-01-22 09:46 117760 ----a-w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-22 09:46 . 2010-01-22 09:46 52224 ----a-w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-22 09:45 . 2010-01-22 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 09:45 . 2010-01-22 09:45 -------- d-----w- c:\documents and settings\Pepin\Application Data\SUPERAntiSpyware.com
2010-01-13 21:03 . 2010-01-13 21:03 -------- d-----w- c:\program files\CCleaner
2010-01-08 16:24 . 2010-01-08 16:23 -------- d-----w- c:\program files\iTunes
2010-01-08 16:23 . 2010-01-08 16:23 -------- d-----w- c:\program files\iPod
2010-01-08 16:23 . 2009-10-05 17:33 -------- d-----w- c:\program files\Common Files\Apple
2010-01-08 16:17 . 2009-10-05 17:35 -------- d-----w- c:\program files\QuickTime
2010-01-08 16:06 . 2010-01-08 16:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-10-05 08:46 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 07:32 . 2009-12-03 06:14 103193 ----a-w- c:\windows\hpoins08.dat
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-04 198160]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]

c:\documents and settings\Pepin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/17/2010 11:24 PM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/17/2010 11:24 PM 19024]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/5/2009 2:58 AM 200192]
S2 gupdate1ca4f8634bd17a0;Google Update Service (gupdate1ca4f8634bd17a0);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2009 6:01 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 00:00]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-18 00:00]

2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{3AEC60E6-E8B8-47B2-8A33-893DE89E8FD8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pepin\Application Data\Mozilla\Firefox\Profiles\24lm75dh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Pepin\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?4?5?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-28 19:49:49
ComboFix-quarantined-files.txt 2010-03-01 01:49
ComboFix2.txt 2010-02-27 23:41
ComboFix3.txt 2010-02-18 08:56
ComboFix4.txt 2010-02-17 21:29
ComboFix5.txt 2010-03-01 01:41

Pre-Run: 131,918,159,872 bytes free
Post-Run: 131,863,703,552 bytes free

- - End Of File - - A26AB7463E9A2645DC6C824518507C8D
pepin07
Regular Member
 
Posts: 15
Joined: February 16th, 2010, 12:18 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 298 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware