Infection on friend's pc

codeman0013

Active Member
Here's the backstory. A friend brings me this PC which she says freezes when logged in. When no internet is connected to it, it will run, but as soon as the internet is connected it freezes. Attaching ComboFix and HijackThis logs.

ComboFix 08-12-02.02 - Cody 2008-12-05 16:55:34.3 - NTFSx86
Running from: F:\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2100-04-01 17:22 . 2008-04-08 14:41 194 --a------ c:\windows\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2008-12-04 23:03 . 2008-12-04 23:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 18:42 . 2008-12-04 18:42 <DIR> d-------- c:\documents and settings\Cody\Application Data\Lavasoft
2008-12-04 17:22 . 2008-12-04 17:22 <DIR> d-------- c:\documents and settings\Cody\Application Data\AVGTOOLBAR
2008-12-04 17:16 . 2005-07-12 00:52 <DIR> d-------- c:\documents and settings\Cody\Application Data\Jasc Software Inc
2008-12-04 17:16 . 2005-07-12 01:04 <DIR> d-------- c:\documents and settings\Cody\Application Data\Creative
2008-12-04 17:16 . 2008-12-04 20:35 <DIR> d-------- c:\documents and settings\Cody
2008-12-04 17:00 . 2008-12-04 17:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 17:00 . 2008-12-04 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 21:56 . 2008-12-03 21:56 118 --a------ c:\windows\system32\MRT.INI
2008-12-03 19:29 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-03 19:29 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2008-12-03 19:28 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-03 19:28 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-03 19:28 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-03 19:28 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-12-03 19:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-03 19:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
2008-12-03 19:28 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-03 19:28 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\dllcache\hidusb.sys
2008-11-30 09:03 . 2008-12-03 20:10 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-10 21:58 . 2008-11-10 21:58 415 --a------ C:\swupdate.conf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 03:24 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-04 02:23 --------- d-----w c:\program files\Gmail Notifier GPL
2008-12-04 02:23 --------- d-----w c:\documents and settings\Jerry\Application Data\Yahoo!
2008-12-04 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-30 14:08 --------- d-----w c:\program files\DynGate
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-18 14:42 --------- d-----w c:\program files\Common Files\AOL
2008-10-18 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2001-06-20 22:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2007-12-04 16:14 56 --sh--r c:\windows\system32\8BB0ABB5E4.sys
2007-12-04 16:14 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-03_20.20.00.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-28 19:44:28 258,296 ----a-w c:\windows\system32\dllcache\drmclien.dll
+ 2004-08-10 10:00:00 246,272 ----a-w c:\windows\system32\dllcache\drmclien.dll
- 2005-01-28 19:44:28 96,768 ----a-w c:\windows\system32\dllcache\drmstor.dll
+ 2004-08-10 10:00:00 92,672 ----a-w c:\windows\system32\dllcache\drmstor.dll
- 2004-08-10 09:11:42 39,424 ----a-w c:\windows\system32\dllcache\ehentt.dll
+ 2005-08-05 20:01:56 40,960 ----a-w c:\windows\system32\dllcache\ehentt.dll
- 2004-08-10 09:11:44 43,520 ----a-w c:\windows\system32\dllcache\ehjpnime.dll
+ 2005-08-05 20:01:56 45,056 ----a-w c:\windows\system32\dllcache\ehjpnime.dll
- 2004-08-10 09:11:44 151,552 ----a-w c:\windows\system32\dllcache\ehsqdb20.dll
+ 2005-08-05 20:01:58 151,552 ----a-w c:\windows\system32\dllcache\ehsqdb20.dll
- 2004-08-10 09:11:44 462,848 ----a-w c:\windows\system32\dllcache\ehsqqp20.dll
+ 2005-08-05 20:01:58 462,848 ----a-w c:\windows\system32\dllcache\ehsqqp20.dll
- 2004-08-10 09:11:44 110,592 ----a-w c:\windows\system32\dllcache\ehsqse20.dll
+ 2005-08-05 20:01:58 110,592 ----a-w c:\windows\system32\dllcache\ehsqse20.dll
+ 2004-09-29 23:04:48 61,440 ----a-w c:\windows\system32\dllcache\gacutil.exe
- 2004-08-10 10:00:00 407,552 ----a-w c:\windows\system32\dllcache\mstsc.exe
+ 2006-11-07 08:06:47 600,576 ----a-w c:\windows\system32\dllcache\mstsc.exe
- 2004-08-10 10:00:00 655,360 ----a-w c:\windows\system32\dllcache\mstscax.dll
+ 2006-11-13 06:02:58 1,866,240 ----a-w c:\windows\system32\dllcache\mstscax.dll
- 2006-05-14 08:44:08 181,248 ----a-w c:\windows\system32\dllcache\rasmans.dll
+ 2004-08-10 10:00:00 174,080 ----a-w c:\windows\system32\dllcache\rasmans.dll
- 2005-01-28 19:44:28 258,296 ----a-w c:\windows\system32\drmclien.dll
+ 2004-08-10 10:00:00 246,272 ----a-w c:\windows\system32\drmclien.dll
- 2005-01-28 19:44:28 96,768 ----a-w c:\windows\system32\drmstor.dll
+ 2004-08-10 10:00:00 92,672 ----a-w c:\windows\system32\drmstor.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-03 22:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2006-05-14 08:44:08 181,248 ----a-w c:\windows\system32\rasmans.dll
+ 2004-08-10 10:00:00 174,080 ----a-w c:\windows\system32\rasmans.dll
+ 2004-08-10 10:00:00 36,096 ----a-w c:\windows\system32\ReinstallBackups\0018\DriverFiles\i386\intelppm.sys
+ 2004-08-10 10:00:00 36,096 ----a-w c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\intelppm.sys
+ 2008-04-14 00:12:36 7,680 ----a-w c:\windows\system32\spdwnwxp.exe
- 2006-10-16 22:10:58 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-08-11 01:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2004-08-25 17:52:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 50,736 2006-09-26 00:52:48 c:\program files\Common Files\AOL\1135138273\ee\bak\AOLSoftware.exe
----a-w 41,824 2008-06-24 18:34:50 c:\program files\Common Files\AOL\1135138273\ee\aolsoftware.exe
----a-w 221,184 2004-07-27 21:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 185,784 2006-10-05 01:48:39 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 992,808 2006-03-07 21:05:20 c:\program files\Copy of McAfee.com\personal firewall\bak\MPFTray.exe
----a-w 1,327,104 2004-08-22 21:31:28 c:\program files\Copy of McAfee.com\personal firewall\MpfTray.exe
----a-w 57,344 2003-09-17 15:43:36 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
----a-w 221,184 2003-09-04 01:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe
----a-w 267,048 2008-01-15 09:22:56 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,064 2008-07-30 15:47:56 c:\program files\iTunes\iTunesHelper.exe
----a-w 53,248 2001-06-14 18:42:26 c:\program files\LexmarkX83\bak\AcBtnMgr_X83.exe
----a-w 53,248 2001-06-14 18:42:26 c:\program files\LexmarkX83\AcBtnMgr_X83.exe
----a-w 40,960 2001-10-18 16:25:18 c:\program files\LexmarkX83\bak\ACMonitor_X83.exe
----a-w 40,960 2001-10-18 16:25:18 c:\program files\LexmarkX83\ACMonitor_X83.exe
----a-w 992,808 2006-03-07 21:05:20 c:\program files\McAfee.com\personal firewall\bak\MPFTray.exe
----a-w 1,327,104 2004-08-22 21:31:28 c:\program files\McAfee.com\personal firewall\MpfTray.exe
----a-w 1,694,208 2004-10-13 16:24:37 c:\program files\Messenger\bak\msmsgs.exe
----a-w 1,498,032 2003-04-15 02:05:20 c:\program files\Messenger\msmsgs.exe
----a-w 385,024 2008-01-10 21:27:36 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-05-27 15:50:30 c:\program files\QuickTime\QTTask.exe
----a-w 15,360 2004-08-10 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 10:00:00 c:\windows\system32\ctfmon.exe
----a-w 122,941 2005-05-31 10:33:00 c:\windows\system32\dla\bak\tfswctrl.exe
----a-w 36,864 2002-06-27 09:47:08 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe
----a-w 36,864 2001-10-25 18:20:09 c:\windows\system32\spool\drivers\w32x86\3\printray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 06:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
c:\program files\Common Files\AOL\1135138273\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-06-24 12:34 41824 c:\program files\Common Files\AOL\1135138273\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-06-14 12:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-10-18 10:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2004-08-22 15:31 1327104 c:\program files\McAfee.com\personal firewall\MpfTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2004-06-16 23:33 98304 c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2004-10-25 12:18 1111552 c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2003-04-14 20:05 1498032 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2001-10-25 12:20 36864 c:\windows\system32\spool\drivers\w32x86\3\printray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
c:\program files\Common Files\AOL\1135138273\ee\SSCRun.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
c:\program files\Yahoo!\browser\ybrwicon.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 11:38 64512 c:\windows\system32\P17.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DynGate\\DynGate.exe"=
"c:\\Program Files\\TeamViewer\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135138273\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135138273\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
2008-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-07-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-10 04:00]
2008-11-08 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ANN-Jerry).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php -
TCP: {7FF66A99-8360-41D2-BC62-38A22EF0BA0E} = 192.168.1.1
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 16:57:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\77DBA2B83282EF28]
"ImagePath"="\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\77DBA2B83282EF28]
"ImagePath"="\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28"
.
Completion time: 2008-12-05 16:59:01
ComboFix-quarantined-files.txt 2008-12-05 22:58:58
ComboFix2.txt 2008-12-04 03:31:29
ComboFix3.txt 2008-12-04 02:21:05
Pre-Run: 27,611,238,400 bytes free
Post-Run: 27,606,216,704 bytes free
270 --- E O F --- 2008-12-04 03:56:11

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:48 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FF66A99-8360-41D2-BC62-38A22EF0BA0E}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 6320 bytes
 
Hello, sorry for the delay.

Please download and post a log with HiJackThis.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Please run ATF Cleaner.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please run a scan with Malwarebytes'.

How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


In your next reply I will need:
  • The Malwarebytes' log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
OK, ran all the steps and the computer still freezes when you connect it to the internet. Here are the logs.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2
12/6/2008 4:44:56 PM
mbam-log-2008-12-06 (16-44-56).txt
Scan type: Quick Scan
Objects scanned: 57603
Time elapsed: 6 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:36 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
--
End of file - 5736 bytes
 
Hello, Malwarebytes caught a few nasties, which is always good.
Do you know if your friend is running the McAfee firewall, or any other for that matter?

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

If you did not set these websites as trusted zones, place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)


Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right, a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode, just restart your computer as you normally would.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):


Hotbar
ShopperReports
MyWebSearch



Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)

Also run a Kaspersky online scan.

Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended, and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


In your next reply I will need:
  • The Kaspersky log
  • A fresh HiJackThis log
  • An update on how your computer is running
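As an added illustration (not part of the helper's post, and not HijackThis code), here is a small Python filter that applies the two rules the helper used when choosing entries to fix: O2/O3 objects that resolve to "(no file)" and O15 trusted-zone domains that the user never added. The sample log lines are constructed, and the user_trusted allowlist parameter is an assumption made for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample (not copied wholesale from any one log): two O3 toolbar lines and
# three O15 trusted-zone lines of the kind discussed above, plus entries that should pass.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.example.com (HKCU)
"""

# A HijackThis entry line starts with its section code (R0, O3, O15, ...) followed by " - ".
_ENTRY = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# Body of an O15 line: a host pattern and the hive it was written to.
_TRUSTED = re.compile(r"^Trusted Zone: (?P<pattern>\S+) \((?P<hive>HKLM|HKCU)\)$")


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def trusted_zone_domain(body: str) -> Optional[str]:
    """Bare domain of an O15 body, e.g. 'Trusted Zone: *.imagesrvr.com (HKLM)' -> 'imagesrvr.com'."""
    m = _TRUSTED.match(body)
    if not m:
        return None
    # Strip the wildcard prefix so the allowlist can hold plain domain names.
    return m.group("pattern").lstrip("*.").lower()


def flag_entries(log_text: str, user_trusted: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (entry_line, reason) for entries a helper would tell the user to fix.

    user_trusted: domains the user deliberately added to the Trusted Zone (hypothetical
    allowlist for this example); every other O15 entry is reported.
    """
    allow = {d.lower() for d in user_trusted}
    findings = []
    for section, body in parse_entries(log_text):
        entry_line = f"{section} - {body}"
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # A registered BHO/toolbar whose file is gone: left-over registration from
            # a removed component, harmless to delete and pointless to keep.
            findings.append((entry_line, "orphaned entry: registered object has no file on disk"))
        elif section == "O15":
            domain = trusted_zone_domain(body)
            if domain is None:
                findings.append((entry_line, "unparsed O15 entry: review by hand"))
            elif domain not in allow:
                # Sites in the Trusted Zone get relaxed IE security settings, so any
                # domain the user did not add themselves should be removed.
                findings.append((entry_line, f"trusted zone '{domain}' was not set by the user"))
    return findings


if __name__ == "__main__":
    # Pretend the user only ever trusted example.com; everything else gets reported.
    for line, reason in flag_entries(SAMPLE_LOG, user_trusted=["example.com"]):
        print(f"{reason}\n    {line}")
```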
 
Here's an update... Within Safe Mode everything works great. Internet and all updates work, but when I go back to normal Windows it freezes again when I try to access anything on the internet.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 19:53:45
Records in database: 1440831
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 65196
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:39:16
No malware has been detected. The scan area is clean.
The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:09 AM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\ACBtnMgr_X83.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
--
End of file - 4987 bytes
 
I had the same problem - get in...

I also had the same problem and I tried different software, CCleaner and RegistryFix, and none of them solved my problems, so I bought software called MS-errors. It fixed the problem. Maybe there is more good software, but that one, MS-errors, did a great job.
Good luck
 

OP Please ignore this user.

I'll get back to you as soon as i can.
 
Well, I think I'm going to be undertaking the long task of copying user files and reformatting this PC tonight, as Malwarebytes keeps finding the same zglob.mywebsearch over and over, and when I logged into the normal sessions of Windows nothing has changed: still extremely slow, and it freezes when I plug the internet into it. Unless you have any last-minute suggestions?
 

Post an updated ComboFix and Kaspersky log; run them in that order.
 
Kaspersky will take like 3 hours again, and every time I ran it it came back with 0. I will do this after work again, I guess. Will you be on at all tonight? I will be home after 5:30 CST tonight, probably.
 

Okay cool.

Make sure to run ComboFix first, and to download a new copy. :)
 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 21:57:06
Records in database: 1444669
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 64838
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:31:07
No malware has been detected. The scan area is clean.
The selected area was scanned.
 
ComboFix 08-12-07.04 - Administrator 2008-12-08 17:43:06.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.359 [GMT -6:00]
Running from: c:\documents and settings\Administrator.ANN\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2008-12-08 17:44 . 2008-12-08 17:44 <DIR> d-------- c:\documents and settings\Administrator.ANN\Application Data\TeamViewer
2008-12-08 17:37 . 2005-07-12 00:52 <DIR> d-------- c:\documents and settings\Administrator.ANN\Application Data\Jasc Software Inc
2008-12-08 17:37 . 2005-07-12 01:04 <DIR> d-------- c:\documents and settings\Administrator.ANN\Application Data\Creative
2008-12-08 17:37 . 2008-12-08 17:37 <DIR> d-------- c:\documents and settings\Administrator.ANN
2008-12-08 07:20 . 2007-08-14 08:12 5,760 --------- c:\windows\system32\3A59.tmp
2008-12-08 07:19 . 2008-12-08 07:19 <DIR> d-------- c:\program files\Sophos
2008-12-07 21:17 . 2008-12-07 21:17 <DIR> d-------- c:\documents and settings\Jerry.ANN\Application Data\TeamViewer
2008-12-07 21:12 . 2008-12-07 21:12 <DIR> d-------- c:\documents and settings\Jerry.ANN\Application Data\Malwarebytes
2008-12-07 20:46 . 2007-07-15 07:46 49,943,864 --a------ c:\documents and settings\Jerry.ANN\iTunesSetup.exe
2008-12-07 20:46 . 2008-03-21 06:29 299,288 --a------ c:\documents and settings\Jerry.ANN\GmailInstaller.exe
2008-12-07 20:45 . 2008-12-07 20:46 <DIR> d-------- c:\documents and settings\Jerry.ANN\picture_hold
2008-12-07 20:45 . 2008-12-07 20:45 <DIR> d-------- c:\documents and settings\Jerry.ANN\peavey manual
2008-12-07 20:45 . 2008-12-07 20:45 <DIR> d-------- c:\documents and settings\Jerry.ANN\My Videos
2008-12-07 20:45 . 2008-12-07 20:45 <DIR> d-------- c:\documents and settings\Jerry.ANN\My PSP Files
2008-12-07 20:45 . 2008-12-07 20:45 <DIR> dr------- c:\documents and settings\Jerry.ANN\My Pictures
2008-12-07 20:35 . 2008-12-07 20:45 <DIR> dr------- c:\documents and settings\Jerry.ANN\My Music
2008-12-07 20:35 . 2008-12-07 20:35 <DIR> d-------- c:\documents and settings\Jerry.ANN\My albums
2008-12-07 20:35 . 2008-12-07 20:35 <DIR> d-------- c:\documents and settings\Jerry.ANN\dictionary
2008-12-07 20:35 . 2008-12-07 20:35 <DIR> d-------- c:\documents and settings\Jerry.ANN\Corel User Files
2008-12-07 20:35 . 2008-12-07 20:35 <DIR> d-------- c:\documents and settings\Jerry.ANN\CCWin
2008-12-07 20:33 . 2005-07-12 00:52 <DIR> d-------- c:\documents and settings\Jerry.ANN\Application Data\Jasc Software Inc
2008-12-07 20:33 . 2005-07-12 01:04 <DIR> d-------- c:\documents and settings\Jerry.ANN\Application Data\Creative
2008-12-07 20:33 . 2008-12-07 21:14 <DIR> d-------- c:\documents and settings\Jerry.ANN
2008-12-07 19:01 . 2008-12-08 07:23 <DIR> d-------- c:\program files\TeamViewer3
2008-12-07 18:52 . 2008-12-07 18:52 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-07 15:01 . 2008-12-07 15:01 <DIR> d-------- C:\VundoFix Backups
2008-12-07 13:42 . 2008-12-07 13:42 <DIR> d-------- c:\documents and settings\Annie\Application Data\Malwarebytes
2008-12-06 22:05 . 2008-12-06 22:05 <DIR> d-------- c:\documents and settings\Cody\WINDOWS
2008-12-06 21:55 . 2008-12-06 21:55 <DIR> d-------- C:\Intel
2008-12-06 21:55 . 2008-05-01 16:35 53,248 --a------ c:\windows\system32\CSVer.dll
2008-12-06 21:52 . 2008-12-06 21:52 <DIR> d-------- c:\program files\RadarSync
2008-12-06 20:51 . 2004-08-10 04:13 73,728 --a------ c:\windows\system32\dllcache\ehresja.dll
2008-12-06 20:51 . 2004-08-10 04:13 69,632 --a------ c:\windows\system32\dllcache\ehresko.dll
2008-12-06 20:51 . 2004-08-10 04:13 69,632 --a------ c:\windows\system32\dllcache\ehresfr.dll
2008-12-06 20:51 . 2004-08-10 04:13 69,632 --a------ c:\windows\system32\dllcache\ehresde.dll
2008-12-06 20:51 . 2004-08-10 04:13 61,440 --a------ c:\windows\system32\dllcache\ehreschs.dll
2008-12-06 16:37 . 2008-12-06 16:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 16:37 . 2008-12-06 16:37 <DIR> d-------- c:\documents and settings\Cody\Application Data\Malwarebytes
2008-12-06 16:37 . 2008-12-06 16:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 16:37 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 16:37 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 14:49 . 2008-12-06 14:49 <DIR> d-------- c:\program files\Lavasoft
2008-12-06 14:49 . 2008-12-06 14:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-05 17:16 . 2008-12-05 17:16 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-05 17:16 . 2008-12-05 17:16 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-05 17:16 . 2008-12-05 17:16 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-04 23:03 . 2008-12-04 23:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 18:42 . 2008-12-04 18:42 <DIR> d-------- c:\documents and settings\Cody\Application Data\Lavasoft
2008-12-04 17:16 . 2005-07-12 00:52 <DIR> d-------- c:\documents and settings\Cody\Application Data\Jasc Software Inc
2008-12-04 17:16 . 2005-07-12 01:04 <DIR> d-------- c:\documents and settings\Cody\Application Data\Creative
2008-12-04 17:16 . 2008-12-06 22:05 <DIR> d-------- c:\documents and settings\Cody
2008-12-04 17:00 . 2008-12-08 07:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 17:00 . 2008-12-08 07:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 07:26 . 2008-08-14 03:58 2,136,064 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-03 21:56 . 2008-12-03 21:56 118 --a------ c:\windows\system32\MRT.INI
2008-12-03 19:29 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-03 19:29 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2008-12-03 19:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-03 19:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
2008-11-30 09:03 . 2008-12-03 20:10 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-10 21:58 . 2008-11-10 21:58 415 --a------ C:\swupdate.conf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 22:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 22:06 --------- d-----w c:\program files\ATI Technologies
2008-12-07 22:02 --------- d-----w c:\program files\LexmarkX83
2008-12-07 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-12-07 04:03 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-12-07 03:55 --------- d-----w c:\program files\Intel
2008-12-06 20:54 --------- d-----w c:\program files\Common Files\AOL
2008-12-06 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-05 23:16 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-04 03:24 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-30 14:08 --------- d-----w c:\program files\DynGate
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2001-06-20 22:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2007-12-04 16:14 56 --sh--r c:\windows\system32\8BB0ABB5E4.sys
2007-12-04 16:14 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot_2008-12-05_16.58.26.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-19 21:03:50 8,704 ----a-w c:\windows\assembly\GAC\Accessibility\1.0.3300.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-12-06 20:47:55 8,704 ----a-w c:\windows\assembly\GAC\Accessibility\1.0.3300.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-02-06 02:54:32 117,248 ----a-w c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2008-12-06 20:57:25 117,248 ----a-w c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
- 2004-08-19 21:03:50 12,288 ----a-w c:\windows\assembly\GAC\cscompmgd\7.0.3300.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-12-06 20:47:51 12,288 ----a-w c:\windows\assembly\GAC\cscompmgd\7.0.3300.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2004-08-19 21:03:50 34,816 ----a-w c:\windows\assembly\GAC\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-12-06 20:47:55 34,816 ----a-w c:\windows\assembly\GAC\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-02-06 02:54:30 102,400 ----a-w c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
+ 2008-12-06 20:57:19 102,400 ----a-w c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2008-02-06 03:26:40 1,863,680 ----a-w c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll
+ 2008-12-06 20:57:24 1,863,680 ----a-w c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
- 2008-02-06 02:54:31 192,512 ----a-w c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2008-12-06 20:57:24 192,512 ----a-w c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
- 2008-02-06 03:26:40 868,352 ----a-w c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2008-12-06 20:57:23 868,352 ----a-w c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2008-02-06 02:54:30 126,976 ----a-w c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
+ 2008-12-06 20:57:20 126,976 ----a-w c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2008-02-06 02:54:32 110,592 ----a-w c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
+ 2008-12-06 20:57:28 110,592 ----a-w c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
- 2008-02-06 02:54:30 8,192 ----a-w c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
+ 2008-12-06 20:57:18 8,192 ----a-w c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
- 2008-02-06 02:54:30 73,728 ----a-w c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
+ 2008-12-06 20:57:18 73,728 ----a-w c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
- 2008-02-06 02:54:31 167,936 ----a-w c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2008-12-06 20:57:23 167,936 ----a-w c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
- 2008-02-06 03:26:40 204,800 ----a-w c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiplay.dll
+ 2008-12-06 20:57:20 204,800 ----a-w c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2008-02-06 02:54:31 389,120 ----a-w c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
+ 2008-12-06 20:57:21 389,120 ----a-w c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
- 2008-02-06 02:54:31 18,944 ----a-w c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2008-12-06 20:57:22 18,944 ----a-w c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
- 2008-02-06 02:54:31 278,528 ----a-w c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
+ 2008-12-06 20:57:22 278,528 ----a-w c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2008-02-06 02:54:30 122,880 ----a-w c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2008-12-06 20:57:18 122,880 ----a-w c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
- 2008-02-06 02:54:32 53,248 ----a-w c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
+ 2008-12-06 20:57:25 53,248 ----a-w c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2008-02-06 02:54:30 389,120 ----a-w c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
+ 2008-12-06 20:57:19 389,120 ----a-w c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
- 2004-08-19 21:03:52 7,168 ----a-w c:\windows\assembly\GAC\IEExecRemote\1.0.3300.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-12-06 20:48:06 7,168 ----a-w c:\windows\assembly\GAC\IEExecRemote\1.0.3300.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2004-08-19 21:03:52 32,768 ----a-w c:\windows\assembly\GAC\IEHost\1.0.3300.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-12-06 20:48:07 32,768 ----a-w c:\windows\assembly\GAC\IEHost\1.0.3300.0__b03f5f7f11d50a3a\IEHost.dll
- 2004-08-19 21:03:52 4,096 ----a-w c:\windows\assembly\GAC\IIEHost\1.0.3300.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-12-06 20:48:07 4,096 ----a-w c:\windows\assembly\GAC\IIEHost\1.0.3300.0__b03f5f7f11d50a3a\IIEHost.dll
- 2004-08-19 21:03:52 27,136 ----a-w c:\windows\assembly\GAC\ISymWrapper\1.0.3300.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-12-06 20:48:08 27,136 ----a-w c:\windows\assembly\GAC\ISymWrapper\1.0.3300.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2004-08-19 21:03:50 712,704 ----a-w c:\windows\assembly\GAC\Microsoft.JScript\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-12-06 20:47:53 712,704 ----a-w c:\windows\assembly\GAC\Microsoft.JScript\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2008-02-06 02:54:32 45,056 ----a-w c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2008-12-06 20:57:26 45,056 ----a-w c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
- 2004-08-19 21:03:50 28,672 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-12-06 20:47:51 28,672 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2004-08-19 21:03:50 286,720 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-12-06 20:47:53 286,720 ----a-w c:\windows\assembly\GAC\Microsoft.VisualBasic\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2004-08-19 21:03:50 5,632 ----a-w c:\windows\assembly\GAC\Microsoft.VisualC\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll
+ 2008-12-06 20:47:53 5,632 ----a-w c:\windows\assembly\GAC\Microsoft.VisualC\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll
- 2004-08-19 21:03:50 11,264 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-12-06 20:47:50 11,264 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2004-08-19 21:03:50 18,944 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-12-06 20:47:51 18,944 ----a-w c:\windows\assembly\GAC\Microsoft.Vsa\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2004-08-19 21:03:50 6,656 ----a-w c:\windows\assembly\GAC\Microsoft_VsaVb\7.0.3300.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-12-06 20:47:50 6,656 ----a-w c:\windows\assembly\GAC\Microsoft_VsaVb\7.0.3300.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2004-08-19 21:03:52 1,564,672 ----a-w c:\windows\assembly\GAC\mscorcfg\1.0.3300.0__b03f5f7f11d50a3a\mscorcfg.dll
+ 2008-12-06 20:48:09 1,564,672 ----a-w c:\windows\assembly\GAC\mscorcfg\1.0.3300.0__b03f5f7f11d50a3a\mscorcfg.dll
- 2004-08-19 21:03:50 32,768 ----a-w c:\windows\assembly\GAC\Regcode\1.0.3300.0__b03f5f7f11d50a3a\RegCode.dll
+ 2008-12-06 20:47:54 32,768 ----a-w c:\windows\assembly\GAC\Regcode\1.0.3300.0__b03f5f7f11d50a3a\RegCode.dll
- 2008-02-06 02:54:32 77,824 ----a-w c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
+ 2008-12-06 20:57:27 77,824 ----a-w c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
- 2004-08-19 21:03:50 77,824 ----a-w c:\windows\assembly\GAC\System.Configuration.Install\1.0.3300.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-12-06 20:47:56 77,824 ----a-w c:\windows\assembly\GAC\System.Configuration.Install\1.0.3300.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2004-08-19 21:03:52 1,179,648 ----a-w c:\windows\assembly\GAC\System.Data\1.0.3300.0__b77a5c561934e089\System.Data.dll
+ 2008-12-06 20:48:02 1,179,648 ----a-w c:\windows\assembly\GAC\System.Data\1.0.3300.0__b77a5c561934e089\System.Data.dll
- 2004-08-19 21:03:52 1,695,744 ----a-w c:\windows\assembly\GAC\System.Design\1.0.3300.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-12-06 20:48:03 1,695,744 ----a-w c:\windows\assembly\GAC\System.Design\1.0.3300.0__b03f5f7f11d50a3a\System.Design.dll
- 2004-08-19 21:03:50 86,016 ----a-w c:\windows\assembly\GAC\System.DirectoryServices\1.0.3300.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-12-06 20:47:56 86,016 ----a-w c:\windows\assembly\GAC\System.DirectoryServices\1.0.3300.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2004-08-19 21:03:50 65,536 ----a-w c:\windows\assembly\GAC\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-12-06 20:47:56 65,536 ----a-w c:\windows\assembly\GAC\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2004-08-19 21:03:52 462,848 ----a-w c:\windows\assembly\GAC\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-12-06 20:48:04 462,848 ----a-w c:\windows\assembly\GAC\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2004-08-19 21:03:50 212,992 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.3300.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-12-06 20:47:54 212,992 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.3300.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2004-08-19 21:03:50 48,640 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.3300.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2008-12-06 20:47:54 48,640 ----a-w c:\windows\assembly\GAC\System.EnterpriseServices\1.0.3300.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
- 2004-08-19 21:03:52 352,256 ----a-w c:\windows\assembly\GAC\System.Management\1.0.3300.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-12-06 20:48:10 352,256 ----a-w c:\windows\assembly\GAC\System.Management\1.0.3300.0__b03f5f7f11d50a3a\System.Management.dll
- 2004-08-19 21:03:52 241,664 ----a-w c:\windows\assembly\GAC\System.Messaging\1.0.3300.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-12-06 20:48:05 241,664 ----a-w c:\windows\assembly\GAC\System.Messaging\1.0.3300.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2004-08-19 21:03:52 311,296 ----a-w c:\windows\assembly\GAC\System.Runtime.Remoting\1.0.3300.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-12-06 20:48:12 311,296 ----a-w c:\windows\assembly\GAC\System.Runtime.Remoting\1.0.3300.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2004-08-19 21:03:52 131,072 ----a-w c:\windows\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.3300.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-12-06 20:48:13 131,072 ----a-w c:\windows\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.3300.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2004-08-19 21:03:50 77,824 ----a-w c:\windows\assembly\GAC\System.Security\1.0.3300.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-12-06 20:47:55 77,824 ----a-w c:\windows\assembly\GAC\System.Security\1.0.3300.0__b03f5f7f11d50a3a\System.Security.dll
- 2004-08-19 21:03:52 126,976 ----a-w c:\windows\assembly\GAC\System.ServiceProcess\1.0.3300.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-12-06 20:47:57 126,976 ----a-w c:\windows\assembly\GAC\System.ServiceProcess\1.0.3300.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2004-08-19 21:03:52 61,440 ----a-w c:\windows\assembly\GAC\System.Web.RegularExpressions\1.0.3300.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-12-06 20:47:58 61,440 ----a-w c:\windows\assembly\GAC\System.Web.RegularExpressions\1.0.3300.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2004-08-19 21:03:52 507,904 ----a-w c:\windows\assembly\GAC\System.Web.Services\1.0.3300.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-12-06 20:47:58 507,904 ----a-w c:\windows\assembly\GAC\System.Web.Services\1.0.3300.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-07-11 04:20:36 1,200,128 ----a-w c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-12-06 20:47:57 1,200,128 ----a-w c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
- 2004-08-19 21:03:52 2,002,944 ----a-w c:\windows\assembly\GAC\System.Windows.Forms\1.0.3300.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-12-06 20:47:58 2,002,944 ----a-w c:\windows\assembly\GAC\System.Windows.Forms\1.0.3300.0__b77a5c561934e089\System.Windows.Forms.dll
- 2004-08-19 21:03:52 1,302,528 ----a-w c:\windows\assembly\GAC\System.Xml\1.0.3300.0__b77a5c561934e089\System.Xml.dll
+ 2008-12-06 20:47:59 1,302,528 ----a-w c:\windows\assembly\GAC\System.Xml\1.0.3300.0__b77a5c561934e089\System.Xml.dll
- 2004-08-19 21:03:52 1,179,648 ----a-w c:\windows\assembly\GAC\System\1.0.3300.0__b77a5c561934e089\System.dll
+ 2008-12-06 20:48:05 1,179,648 ----a-w c:\windows\assembly\GAC\System\1.0.3300.0__b77a5c561934e089\System.dll
+ 2008-12-06 20:56:48 258,048 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\BDATunePIA\6.0.3000.0__31bf3856ad364e35_bddc0f30\BDATunePIA.dll
+ 2008-12-06 20:56:37 159,744 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehCIR\6.0.3000.0__31bf3856ad364e35_b9de75a1\ehCIR.dll
+ 2008-12-06 20:56:46 2,326,528 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\EhCM\6.0.3000.0__31bf3856ad364e35_bd8d4945\EhCM.dll
+ 2008-12-06 20:56:48 299,008 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehcommon\6.0.3000.0__31bf3856ad364e35_08c18bec\ehcommon.dll
+ 2008-12-06 20:56:43 1,306,624 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehepg\6.0.3000.0__31bf3856ad364e35_1e8b0b3f\ehepg.dll
+ 2008-12-06 20:56:37 167,936 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehepgdat\6.0.3000.0__31bf3856ad364e35_864f3f40\ehepgdat.dll
+ 2008-12-06 20:56:52 167,936 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehExtCOM\6.0.3000.0__31bf3856ad364e35_123371c7\ehExtCOM.dll
+ 2008-12-06 20:57:06 155,648 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehExtHost\6.0.3000.0__31bf3856ad364e35_49a6b5f1\ehExtHost.exe
+ 2008-12-06 20:56:30 10,752 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiExtCOM\6.0.3000.0__31bf3856ad364e35_a3e7482a\ehiExtCOM.dll
+ 2008-12-06 20:56:30 102,400 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiExtens\6.0.3000.0__31bf3856ad364e35_3f7e3739\ehiExtens.dll
+ 2008-12-06 20:56:40 266,240 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiMsgr\6.0.3000.0__31bf3856ad364e35_e198f768\ehiMsgr.dll
+ 2008-12-06 20:56:38 380,928 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiPlay\6.0.3000.0__31bf3856ad364e35_804ce42d\ehiPlay.dll
+ 2008-12-06 20:56:39 565,248 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiProxy\6.0.3000.0__31bf3856ad364e35_a972b80d\ehiProxy.dll
+ 2008-12-06 20:56:39 40,960 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiUserXp\6.0.3000.0__31bf3856ad364e35_a6ee2dcd\ehiUserXp.dll
+ 2008-12-06 20:56:40 458,752 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiVidCtl\6.0.3000.0__31bf3856ad364e35_12f17c6a\ehiVidCtl.dll
+ 2008-12-06 20:56:29 180,224 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiwmp\6.0.3000.0__31bf3856ad364e35_3de8549f\ehiwmp.dll
+ 2008-12-06 20:56:48 69,632 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehiWUapi\6.0.3000.0__31bf3856ad364e35_9c2e2e2d\ehiWUapi.dll
+ 2008-12-06 20:56:35 684,032 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehRecObj\6.0.3000.0__31bf3856ad364e35_cbd21b18\ehRecObj.dll
+ 2008-12-06 20:57:05 6,336,512 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\ehshell\6.0.3000.0__31bf3856ad364e35_1c41497f\ehshell.exe
+ 2008-12-06 20:56:48 65,536 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35_e1fb16b9\Microsoft.MediaCenter.dll
+ 2008-12-06 20:56:51 20,480 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0_0e7cee70\SonicMCEBurnEngine.dll
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-02-09 17:05:36 88,843 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
+ 2008-12-06 20:38:37 88,843 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
- 2008-02-09 17:05:36 5,012 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-12-06 20:38:37 4,402 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
- 2008-07-22 03:18:28 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-05 23:16:45 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-04-29 16:19:50 12,960 ----a-w c:\windows\system32\drivers\Awrtpd.sys
+ 2008-04-29 16:19:54 15,648 ----a-w c:\windows\system32\drivers\Awrtrd.sys
+ 2008-04-29 16:20:00 15,648 ----a-w c:\windows\system32\drivers\NSDriver.sys
- 2004-08-04 04:07:48 68,224 ----a-w c:\windows\system32\drivers\pci.sys
+ 2004-08-04 05:07:48 68,224 ----a-w c:\windows\system32\drivers\pci.sys
- 2008-10-15 19:41:53 115,768 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-06 21:08:12 115,768 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-05-16 16:58:04 12,632 ----a-w c:\windows\system32\lsdelete.exe
+ 2004-08-04 05:07:48 68,224 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\pci.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2004-08-25 17:52:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 221,184 2004-07-27 21:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 185,784 2006-10-05 01:48:39 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 57,344 2003-09-17 15:43:36 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
----a-w 221,184 2003-09-04 01:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe
----a-w 267,048 2008-01-15 09:22:56 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,064 2008-07-30 15:47:56 c:\program files\iTunes\iTunesHelper.exe
----a-w 53,248 2001-06-14 18:42:26 c:\program files\LexmarkX83\bak\AcBtnMgr_X83.exe
----a-w 53,248 2001-06-14 18:42:26 c:\program files\LexmarkX83\AcBtnMgr_X83.exe
----a-w 40,960 2001-10-18 16:25:18 c:\program files\LexmarkX83\bak\ACMonitor_X83.exe
----a-w 40,960 2001-10-18 16:25:18 c:\program files\LexmarkX83\ACMonitor_X83.exe
----a-w 1,694,208 2004-10-13 16:24:37 c:\program files\Messenger\bak\msmsgs.exe
----a-w 1,498,032 2003-04-15 02:05:20 c:\program files\Messenger\msmsgs.exe
----a-w 385,024 2008-01-10 21:27:36 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-05-27 15:50:30 c:\program files\QuickTime\QTTask.exe
----a-w 15,360 2004-08-10 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 10:00:00 c:\windows\system32\ctfmon.exe
----a-w 122,941 2005-05-31 10:33:00 c:\windows\system32\dla\bak\tfswctrl.exe
----a-w 36,864 2002-06-27 09:47:08 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe
----a-w 36,864 2001-10-25 18:20:09 c:\windows\system32\spool\drivers\w32x86\3\printray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-05 1261336]
"Lexmark X83 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 40960]
"Lexmark X83 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
c:\program files\Common Files\AOL\ACS\AOLDial.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
c:\program files\Common Files\AOL\1135138273\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1135138273\ee\AOLSoftware.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-06-14 12:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-10-18 10:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
c:\program files\mcafee.com\personal firewall\MPfTray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2003-04-14 20:05 1498032 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2001-10-25 12:20 36864 c:\windows\system32\spool\drivers\w32x86\3\printray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
c:\program files\Common Files\AOL\1135138273\ee\SSCRun.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
c:\program files\Yahoo!\browser\ybrwicon.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 11:38 64512 c:\windows\system32\P17.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DynGate\\DynGate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-05 97928]
S2 77DBA2B83282EF28;77DBA2B83282EF28;\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28 []
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-05 76040]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2008-12-04 15104]
S2 TeamViewer;TeamViewer 3;"c:\program files\TeamViewer3\TeamViewer_Service.exe" -service [2008-11-17 185640]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\TEMP\LOCALS~1\Temp\ATICDSDr.sys []
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp []
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2008-02-03 23296]
.
Contents of the 'Scheduled Tasks' folder
2008-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-06 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ANN-Jerry).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 17:45:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77DBA2B83282EF28]
"ImagePath"="\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77DBA2B83282EF28]
"ImagePath"="\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\TeamViewer3\TeamViewer.exe
.
**************************************************************************
.
Completion time: 2008-12-08 17:48:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 23:48:15
ComboFix2.txt 2008-12-05 22:59:02
ComboFix3.txt 2008-12-04 03:31:29
ComboFix4.txt 2008-12-04 02:21:05
Pre-Run: 18,548,297,728 bytes free
Post-Run: 19,047,051,264 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
415 --- E O F --- 2008-12-04 03:56:11
 
Found some suspicious files...

Please go to Virus Total or Jotti and upload

c:\windows\system32\dllcache\ehresja.dll
c:\windows\system32\dllcache\ehresko.dll
c:\windows\system32\dllcache\ehresfr.dll
c:\windows\system32\dllcache\ehresde.dll
c:\windows\system32\dllcache\ehreschs.dll


For Virus Total

  1. Please copy and paste one of the files listed above
    in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste one of the files listed above
    in the text box next to the Browse button.
  2. Click on Submit.

Once those files have finished scanning, please post the results here for a professional to look over them.
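Before uploading anything, a practitioner usually decides which entries in a log like the one above actually deserve the attention. The script below is an added example written for this page; it is not part of the thread and not any poster's words. It parses the `S1`/`S2`/`S3` service lines exactly as ComboFix prints them (`<start> <name>;<display>;<image> [<date> <size>]`, with an empty `[]` when ComboFix could not stat the image file) and scores each one with a few triage heuristics: missing date/size, an image under a Temp directory, a `.tmp` or extensionless image, a long hex-only service name, and (weakly) a display name identical to the service name. The heuristics, weights and threshold are my own assumptions; a high score means "look at this file first", not "this is malware". The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# ComboFix service line: "<start> <name>;<display>;<image> [<date> <size>]".
# An empty "[]" means ComboFix could not read the image file when it scanned.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# A service whose name is 12+ hex digits and nothing else looks machine-generated.
HEX_NAME_RE = re.compile(r'^[0-9A-Fa-f]{12,}$')

# Constructed sample: the service lines as they appear in the ComboFix log above.
SAMPLE_LOG = r'''
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-05 97928]
S2 77DBA2B83282EF28;77DBA2B83282EF28;\??\c:\program files\Common Files\AOL\1135138273\ee\77DBA2B83282EF28\77DBA2B83282EF28 []
S2 TeamViewer;TeamViewer 3;"c:\program files\TeamViewer3\TeamViewer_Service.exe" -service [2008-11-17 185640]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\TEMP\LOCALS~1\Temp\ATICDSDr.sys []
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp []
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2008-02-03 23296]
'''


@dataclass
class Finding:
    name: str
    image: str
    score: int
    reasons: list


def image_path(image: str) -> str:
    """Strip the NT \\??\\ prefix, surrounding quotes and trailing arguments."""
    s = image.strip()
    if s.startswith('\\??\\'):
        s = s[4:]
    if s.startswith('"') and s.count('"') >= 2:
        return s[1:s.index('"', 1)]   # quoted path followed by arguments
    return s


def triage_service(line: str):
    """Score one service line; return None if the line is not a service entry."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, display, image, meta = m['name'], m['display'], m['image'], m['meta']
    path = image_path(image)
    base = path.rsplit('\\', 1)[-1]
    ext = base.rsplit('.', 1)[1].lower() if '.' in base else ''

    reasons, score = [], 0
    # Weights are assumptions chosen for this example, not a published scheme.
    if not meta.strip():
        reasons.append('no date/size: image missing or unreadable at scan time')
        score += 2
    if '\\temp\\' in path.lower():
        reasons.append('image lives under a Temp directory')
        score += 2
    if ext in ('', 'tmp'):
        reasons.append('image is a .tmp or extensionless file')
        score += 2
    if HEX_NAME_RE.match(name):
        reasons.append('service name is a long hex string')
        score += 2
    if display.strip() == name.strip():
        reasons.append('display name identical to service name (weak signal)')
        score += 1
    return Finding(name, path, score, reasons)


def triage_log(text: str, threshold: int = 2):
    """All service findings at or above threshold, highest score first."""
    found = (triage_service(line) for line in text.splitlines())
    return sorted((f for f in found if f and f.score >= threshold),
                  key=lambda f: -f.score)


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'[{f.score}] {f.name}: {f.image}')
        for r in f.reasons:
            print('      -', r)
```

Run against the sample, the script ranks the AOL hex-named service, the driver loaded from a Temp directory and the `.tmp` image first, while the AVG, TeamViewer and McAfee entries fall below the threshold. Those three images are the ones worth hashing and looking up before anything else; the page itself does not establish that any of them is malicious, so treat the ranking as a work list, not a verdict.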
 