
Solved Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by Corporation, 2009/04/02.

  1. 2009/04/10
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hope we have better results this morning.
     
  2. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Thanks again for taking a look at this. I ran Malwarebytes on the other computer with my infected hard drive as the slave. MBAM is what found it last time and restored cmd and regedit. No such luck this time. I began running a deep scan with Avast, but didn't have time to check it this morning. I will report back when I get home tonight.
     


  4. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Oh I also meant to ask. On the clean computer I can access regedit. Is there a way I can manually remove the line you instructed me to with the infected hard drive hooked up as a slave? I opened regedit, but it was opening the registry for my clean computer. Is there another program I can use to access and edit the infected registry?
     
  5. 2009/04/10
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    This is where we were before things went bonkers.

    See if somehow you can get things over to the infected machine.


    NEXT**
    Open HijackThis. Click on Open the Misc Tools Section.

    * On the screen, click on "Delete a file on reboot...".
    * Copy/paste the following path into the dialog box that popped up, and click 'Open':
    C:\WINDOWS\ikpnk.ark

    * HJT will ask you if you want to reboot, now. Click "NO".


    NEXT**
    If you can transfer this program over that should be a plus.


    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"=-
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    NOTE:
    Make sure to reboot the computer.
     
  6. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I did this part. I had not rebooted the machine at that point. It was the next part (regedit4) where it broke down. I will try the OTMove when I get home. Thanks so much!
     
  7. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Good news! I have regained control of cmd and regedit. And I know how I messed it up. I didn't see which file was infected the first time the clean computer caught it. It was the pagefile.sys. That's why my computer was acting so slow. I looked and saw virtual memory wasn't enabled, and when I enabled it, it recreated the pagefile.sys and instantly the virus retook.

    I did the thing with HJT and delete.reg. I'm about to do the move it thing. Thanks!
     
  8. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    OT Log

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\aux not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4d4.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_658.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_195237

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_4d4.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_658.dat not found!
     
  9. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I noticed that it didn't find 2 of those files on reboot, so I reran OT. It looks like those files are renaming themselves. I have not rebooted since I reran it.

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\aux not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_290.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_200004
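An added example, not part of this thread and not code from OTMoveIt3 or its author: a small Python parser that reads an OTMoveIt3 results log like the two posted above and reconciles the "scheduled to be deleted on reboot" lines with the "Files moved on Reboot..." section, so a helper can see at a glance which deferred deletions actually completed, which were already gone by the time the reboot pass ran, and which file names are the same family with a changing hex suffix. Perflib_Perfdata_<hex>.dat files are temporary files the Windows performance-counter library writes under the Windows temp folder with a per-process hex suffix, so seeing new names on each run is expected; grouping by family shows that instead of reading every new name as a fresh find. The sample log is constructed from the lines in the posts above, the regular expressions assume the line formats exactly as OTMoveIt3 printed them here, and splitting the registry path on a doubled backslash to recover the value name is an assumption about the tool's output format.

```python
import re
from collections import Counter

# Constructed sample (not a log from this thread verbatim): an excerpt modelled on
# the OTMoveIt3 output the thread starter posted, trimmed to the interesting lines.
SAMPLE_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\aux not found.
========== COMMANDS ==========
User's Temp folder emptied.
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_658.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_195237

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_4d4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_658.dat not found!
"""

# Line shapes as they appear in the posted logs (assumption: OTMoveIt3 prints them this way).
RULES = [
    ("killed", re.compile(r"^Process (\S+) killed successfully\.$")),
    ("registry_missing", re.compile(r"^Registry value (.+) not found\.$")),
    ("scheduled", re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$")),
    ("reboot_not_found", re.compile(r"^File (.+) not found!$")),
]
# A trailing "_<hex>.dat" component, as in Perflib_Perfdata_4d4.dat (assumption: one hex run).
HEX_SUFFIX = re.compile(r"_[0-9a-fA-F]+\.dat$")


def parse_otmoveit_log(text):
    """Extract the outcome lines from one OTMoveIt3 log into lists keyed by kind."""
    parsed = {kind: [] for kind, _ in RULES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, pattern in RULES:
            m = pattern.match(line)
            if m:
                parsed[kind].append(m.group(1))
                break
    # Assumption: the tool separates key path and value name with a doubled backslash.
    parsed["registry_missing"] = [
        (v.rpartition("\\\\")[0], v.rpartition("\\\\")[2]) for v in parsed["registry_missing"]
    ]
    return parsed


def reconcile(parsed):
    """Map each path scheduled for deletion on reboot to what the reboot pass reported.

    "not found!" at reboot means the file no longer existed when the deferred delete
    ran; a scheduled path with no reboot line has not been through a reboot in this log.
    """
    gone = {p.lower() for p in parsed["reboot_not_found"]}
    return {
        path: ("not found at reboot" if path.lower() in gone else "no reboot result in this log")
        for path in parsed["scheduled"]
    }


def family_key(path):
    """Collapse a variable hex suffix so instances of the same file family group together."""
    return HEX_SUFFIX.sub("_<hex>.dat", path)


def family_counts(paths):
    """Count scheduled paths per family; several members in one run means the name varies."""
    return Counter(family_key(p) for p in paths)


def summarize(text):
    """Human-readable summary lines, used when the script is run directly."""
    parsed = parse_otmoveit_log(text)
    lines = [f"processes killed: {', '.join(parsed['killed']) or 'none'}"]
    for key, name in parsed["registry_missing"]:
        lines.append(f"registry value absent: {name} under {key}")
    for path, status in reconcile(parsed).items():
        lines.append(f"{status}: {path}")
    for fam, n in family_counts(parsed["scheduled"]).items():
        if n > 1:
            lines.append(f"{n} scheduled paths share the pattern {fam}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a saved log with `parse_otmoveit_log(open(path).read())`; the "registry value absent" line is the quickest confirmation that the Drivers32 entry targeted by the script was already gone, and the family count is what distinguishes a recreated file from a renamed one.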
     
  10. 2009/04/10
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I also ran combofix per your earlier recommendation. Still haven't rebooted since last OT log:

    ComboFix 09-04-04.01 - Michael 2009-04-10 20:17:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3007.2408 [GMT -5:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFixl.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
    .

    2009-04-10 20:12 . 2009-04-10 20:13 <DIR> d-------- C:\ComboFix
    2009-04-10 19:52 . 2009-04-10 19:52 <DIR> d-------- C:\_OTMoveIt
    2009-04-09 21:58 . 2009-04-09 21:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-04-09 21:58 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-09 21:58 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-04-09 21:17 . 2009-04-09 21:17 <DIR> d--hs---- c:\documents and settings\Michael\IETldCache
    2009-04-08 23:49 . 2009-04-08 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-04-08 01:40 . 2009-04-08 01:40 <DIR> d-------- c:\windows\ie8updates
    2009-04-08 01:33 . 2009-04-08 01:38 <DIR> d--h-c--- c:\windows\ie8
    2009-04-08 01:29 . 2009-02-27 23:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
    2009-04-08 00:22 . 2009-04-09 12:07 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-04-08 00:12 . 2009-04-10 19:34 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-04-08 00:12 . 2009-04-08 00:12 <DIR> d-------- c:\program files\AVG
    2009-04-08 00:12 . 2009-04-08 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-04-08 00:12 . 2009-04-08 00:12 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-04-08 00:12 . 2009-04-08 00:12 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-04-08 00:12 . 2009-04-08 00:12 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-04-06 22:56 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
    2009-04-04 23:09 . 2009-04-04 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\system32\scripting
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\system32\en
    2009-04-02 19:51 . 2009-04-03 18:24 <DIR> d-------- c:\windows\system32\bits
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\l2schemas
    2009-04-02 19:49 . 2007-08-10 21:46 33,656 --a------ c:\windows\system32\sprecovr.exe
    2009-04-02 18:35 . 2009-04-08 00:08 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-04-02 18:35 . 2009-04-08 00:08 <DIR> d-------- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
    2009-04-02 18:35 . 2009-04-02 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-02 18:09 . 2009-04-08 00:12 <DIR> d-------- c:\documents and settings\Administrator
    2009-04-02 17:33 . 2009-04-08 21:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-04-02 17:33 . 2009-04-02 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-02 01:30 . 2009-04-02 01:30 <DIR> d-------- c:\documents and settings\Michael\DoctorWeb
    2009-04-01 23:53 . 2009-04-02 07:39 <DIR> d-------- c:\documents and settings\Michael\.housecall6.6
    2009-04-01 23:03 . 2009-04-01 23:03 <DIR> d-------- c:\program files\Trend Micro
    2009-03-31 22:35 . 2009-03-31 22:35 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
    2009-03-31 22:34 . 2009-03-31 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-26 00:00 . 2009-03-26 00:00 <DIR> d-------- c:\program files\Bonjour
    2009-03-24 21:43 . 2009-03-24 21:45 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF 4
    2009-03-13 23:07 . 2009-03-13 23:07 <DIR> d-------- c:\documents and settings\Michael\Application Data\eXPert PDF Editor
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\windows\My Documents
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\program files\Visagesoft
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF Jobs
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF
    2009-03-13 23:03 . 2005-06-02 12:40 14,336 --a------ c:\windows\system32\vsmon1.dll
    2009-03-12 23:59 . 2009-03-12 23:59 <DIR> d-------- c:\program files\FileZilla FTP Client
    2009-03-12 23:59 . 2009-03-13 00:05 <DIR> d-------- c:\documents and settings\Michael\Application Data\FileZilla

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-11 00:56 --------- d-----w c:\program files\Steam
    2009-04-10 02:17 --------- d-----w c:\program files\Google
    2009-04-09 04:48 --------- d-----w c:\program files\Java
    2009-04-09 01:13 --------- d-----w c:\program files\Common Files\Adobe
    2009-04-08 05:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-08 05:07 --------- d-----w c:\documents and settings\Michael\Application Data\id Software
    2009-04-08 05:06 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-05 04:00 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-04-03 23:42 96,256 ----a-w c:\windows\system32\drivers\sptd4077.sys
    2009-04-02 12:39 --------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-04-02 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
    2009-03-10 03:55 --------- d-----w c:\program files\7-Zip
    2009-03-09 23:36 --------- d-----w c:\program files\PeerGuardian2
    2009-03-09 23:36 --------- d-----w c:\documents and settings\Michael\Application Data\uTorrent
    2009-03-08 09:34 914,944 ----a-w c:\windows\system32\wininet.dll
    2009-03-08 09:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
    2009-03-08 09:33 420,352 ----a-w c:\windows\system32\vbscript.dll
    2009-03-08 09:33 18,944 ----a-w c:\windows\system32\corpol.dll
    2009-03-08 09:32 72,704 ----a-w c:\windows\system32\admparse.dll
    2009-03-08 09:32 71,680 ----a-w c:\windows\system32\iesetup.dll
    2009-03-08 09:31 48,128 ----a-w c:\windows\system32\mshtmler.dll
    2009-03-08 09:31 45,568 ----a-w c:\windows\system32\mshta.exe
    2009-03-08 09:31 34,816 ----a-w c:\windows\system32\imgutil.dll
    2009-03-08 09:22 156,160 ----a-w c:\windows\system32\msls31.dll
    2009-03-06 06:23 --------- d-----w c:\documents and settings\Michael\Application Data\Move Networks
    2009-02-26 07:08 --------- d-----w c:\documents and settings\Michael\Application Data\Free Audio Editor
    2009-02-19 03:37 188,896 -c--a-w c:\windows\system32\PnkBstrB.exe
    2009-02-19 03:37 138,784 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-02-19 03:31 70,968 ----a-w c:\windows\system32\PnkBstrA.exe
    2009-02-19 03:28 22,328 -c--a-w c:\documents and settings\Michael\Application Data\PnkBstrK.sys
    2009-02-19 03:28 2,246,144 -c--a-w c:\windows\system32\pbsvc.exe
    2009-02-16 06:46 --------- d-----w c:\program files\TVersity Codec Pack
    2009-02-16 06:46 --------- d-----w c:\program files\ffdshow
    2009-02-16 06:44 --------- d-----w c:\program files\TVersity
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\dllcache\win32k.sys
    2007-11-17 04:21 94,080 -c--a-w c:\documents and settings\Michael\Application Data\ezplay.sys
    2007-11-17 04:21 87,608 -c--a-w c:\documents and settings\Michael\Application Data\ezpinst.exe
    2007-07-13 03:32 106 -c--a-w c:\program files\piconfig.lx
    2006-12-27 04:34 47,360 -c--a-w c:\documents and settings\Michael\Application Data\pcouffin.sys
    2007-01-23 20:07 1,847,296 -c--a-w c:\program files\mozilla firefox\plugins\Seadragon.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-07_23.56.31.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-11-07 09:26:44 71,680 -c--a-w c:\windows\ie8\admparse.dll
    + 2008-12-20 23:15:11 124,928 -c--a-w c:\windows\ie8\advpack.dll
    + 2007-01-09 01:01:14 17,408 -c--a-w c:\windows\ie8\corpol.dll
    + 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\ie8\dxtmsft.dll
    + 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\ie8\dxtrans.dll
    + 2006-10-17 17:44:36 60,416 -c--a-w c:\windows\ie8\hmmapi.dll
    + 2008-12-20 23:15:13 63,488 -c--a-w c:\windows\ie8\icardie.dll
    + 2008-12-19 09:10:15 70,656 -c--a-w c:\windows\ie8\ie4uinit.exe
    + 2008-12-20 23:15:14 153,088 -c--a-w c:\windows\ie8\ieakeng.dll
    + 2008-12-20 23:15:14 230,400 -c--a-w c:\windows\ie8\ieaksie.dll
    + 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\ie8\ieakui.dll
    + 2007-04-17 09:28:12 2,455,488 -c--a-w c:\windows\ie8\ieapfltr.dat
    + 2008-12-20 23:15:15 383,488 -c--a-w c:\windows\ie8\ieapfltr.dll
    + 2008-12-20 23:15:16 384,512 -c--a-w c:\windows\ie8\iedkcs32.dll
    + 2006-10-17 18:06:00 78,336 -c--a-w c:\windows\ie8\ieencode.dll
    + 2006-10-17 18:06:00 78,336 -c--a-w c:\windows\ie8\ieencode.dll.000
    + 2008-12-20 23:15:21 6,066,688 -c--a-w c:\windows\ie8\ieframe.dll
    + 2006-11-08 03:03:36 191,488 -c--a-w c:\windows\ie8\iepeers.dll
    + 2006-11-08 03:03:36 287,744 -c--a-w c:\windows\ie8\ieproxy.dll
    + 2008-12-20 23:15:21 44,544 -c--a-w c:\windows\ie8\iernonce.dll
    + 2008-12-20 23:15:22 267,776 -c--a-w c:\windows\ie8\iertutil.dll
    + 2006-11-07 09:26:42 55,296 -c--a-w c:\windows\ie8\iesetup.dll
    + 2006-11-08 03:03:36 180,736 -c--a-w c:\windows\ie8\ieui.dll
    + 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\ie8\iexplore.exe
    + 2006-10-17 17:57:58 36,352 -c--a-w c:\windows\ie8\imgutil.dll
    + 2006-11-07 09:26:24 92,672 -c--a-w c:\windows\ie8\inseng.dll
    + 2006-10-17 18:00:00 491,520 -c--a-w c:\windows\ie8\jscript.dll
    + 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\ie8\jsproxy.dll
    + 2006-10-17 18:05:10 40,960 -c--a-w c:\windows\ie8\licmgr10.dll
    + 2008-12-20 23:15:23 459,264 -c--a-w c:\windows\ie8\msfeeds.dll
    + 2008-12-20 23:15:24 52,224 -c--a-w c:\windows\ie8\msfeedsbs.dll
    + 2006-10-17 17:58:32 12,288 -c--a-w c:\windows\ie8\msfeedssync.exe
    + 2006-10-17 17:56:10 45,568 -c--a-w c:\windows\ie8\mshta.exe
    + 2009-01-17 03:35:14 3,594,752 -c--a-w c:\windows\ie8\mshtml.dll
    + 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\ie8\mshtmled.dll
    + 2006-10-17 17:28:56 48,128 -c--a-w c:\windows\ie8\mshtmler.dll
    + 2006-11-08 03:03:36 156,160 -c--a-w c:\windows\ie8\msls31.dll
    + 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\ie8\msrating.dll
    + 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\ie8\mstime.dll
    + 2008-12-20 23:15:38 102,912 -c--a-w c:\windows\ie8\occache.dll
    + 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\ie8\pngfilt.dll
    + 2006-09-06 22:43:16 213,216 -c--a-w c:\windows\ie8\spuninst.exe
    + 2009-03-08 19:23:50 58,464 -c--a-w c:\windows\ie8\spuninst\iecustom.dll
    + 2009-01-07 23:20:58 231,456 -c--a-w c:\windows\ie8\spuninst\spuninst.exe
    + 2009-01-07 23:21:02 382,496 -c--a-w c:\windows\ie8\spuninst\updspapi.dll
    + 2008-12-20 23:15:39 105,984 -c--a-w c:\windows\ie8\url.dll
    + 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\ie8\urlmon.dll
    + 2006-11-08 03:03:36 413,696 -c--a-w c:\windows\ie8\vbscript.dll
    + 2007-07-12 23:31:54 765,952 -c--a-w c:\windows\ie8\vgx.dll
    + 2008-12-20 23:15:40 233,472 -c--a-w c:\windows\ie8\webcheck.dll
    + 2006-10-17 18:05:58 206,336 -c--a-w c:\windows\ie8\winfxdocobj.exe
    + 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\ie8\wininet.dll
    + 2009-03-08 09:35:04 2,048 -c----w c:\windows\ie8updates\KB968220-IE8\iecompat.dll
    + 2007-11-30 12:39:22 231,288 -c----w c:\windows\ie8updates\KB968220-IE8\spuninst\spuninst.exe
    + 2007-11-30 12:39:22 382,840 -c----w c:\windows\ie8updates\KB968220-IE8\spuninst\updspapi.dll
    - 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
    + 2009-03-08 09:32:48 128,512 ----a-w c:\windows\system32\advpack.dll
    - 2006-11-07 09:26:44 71,680 -c--a-w c:\windows\system32\dllcache\admparse.dll
    + 2009-03-08 09:32:56 72,704 -c--a-w c:\windows\system32\dllcache\admparse.dll
    - 2008-12-20 23:15:11 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
    + 2009-03-08 09:32:48 128,512 -c--a-w c:\windows\system32\dllcache\advpack.dll
    - 2007-01-09 01:01:14 17,408 ----a-w c:\windows\system32\dllcache\corpol.dll
    + 2009-03-08 09:33:40 18,944 -c--a-w c:\windows\system32\dllcache\corpol.dll
    - 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
    + 2009-03-08 09:31:44 348,160 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
    - 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
    + 2009-03-08 09:31:38 216,064 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
    - 2006-10-17 17:44:36 60,416 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
    + 2009-03-08 09:24:28 68,608 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
    - 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
    + 2009-03-08 09:31:52 59,904 -c--a-w c:\windows\system32\dllcache\icardie.dll
    - 2008-12-19 09:10:15 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
    + 2009-03-08 09:32:54 173,056 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
    - 2008-12-20 23:15:14 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
    + 2009-03-08 09:33:02 125,952 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
    - 2008-12-20 23:15:14 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
    + 2009-03-08 09:33:08 229,376 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
    - 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
    + 2009-03-08 09:32:52 163,840 -c--a-w c:\windows\system32\dllcache\ieakui.dll
    - 2007-04-17 09:28:12 2,455,488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
    + 2009-02-07 02:07:58 3,698,584 -c--a-w c:\windows\system32\dllcache\ieapfltr.dat
    - 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
    + 2009-03-08 09:11:12 445,952 -c--a-w c:\windows\system32\dllcache\ieapfltr.dll
    - 2008-12-20 23:15:16 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
    + 2009-03-08 19:09:26 391,536 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
    - 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
    + 2009-03-08 09:39:48 11,063,808 -c--a-w c:\windows\system32\dllcache\ieframe.dll
    - 2006-11-08 03:03:36 191,488 -c--a-w c:\windows\system32\dllcache\iepeers.dll
    + 2009-03-08 09:31:56 183,808 -c--a-w c:\windows\system32\dllcache\iepeers.dll
    - 2008-12-20 23:15:21 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
    + 2009-03-08 09:32:50 55,808 -c--a-w c:\windows\system32\dllcache\iernonce.dll
    - 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
    + 2009-03-08 09:32:22 1,985,024 -c--a-w c:\windows\system32\dllcache\iertutil.dll
    - 2006-11-07 09:26:42 55,296 -c--a-w c:\windows\system32\dllcache\iesetup.dll
    + 2009-03-08 09:32:50 71,680 -c--a-w c:\windows\system32\dllcache\iesetup.dll
    - 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\system32\dllcache\iexplore.exe
    + 2009-03-08 19:09:26 638,816 -c--a-w c:\windows\system32\dllcache\iexplore.exe
    - 2006-10-17 17:57:58 36,352 -c--a-w c:\windows\system32\dllcache\imgutil.dll
    + 2009-03-08 09:31:38 34,816 -c--a-w c:\windows\system32\dllcache\imgutil.dll
    - 2006-11-07 09:26:24 92,672 -c--a-w c:\windows\system32\dllcache\inseng.dll
    + 2009-03-08 09:32:46 94,720 -c--a-w c:\windows\system32\dllcache\inseng.dll
    - 2006-10-17 18:00:00 491,520 ----a-w c:\windows\system32\dllcache\jscript.dll
    + 2009-03-08 09:33:16 726,528 -c--a-w c:\windows\system32\dllcache\jscript.dll
    - 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    + 2009-03-08 09:33:26 25,600 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    - 2006-10-17 18:05:10 40,960 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
    + 2009-03-08 09:34:30 43,008 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
    - 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
    + 2009-03-08 09:32:26 594,432 -c--a-w c:\windows\system32\dllcache\msfeeds.dll
    - 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
    + 2009-03-08 09:31:52 55,296 -c--a-w c:\windows\system32\dllcache\msfeedsbs.dll
    - 2006-10-17 17:56:10 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
    + 2009-03-08 09:31:02 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
    - 2009-01-17 03:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    + 2009-03-08 09:41:16 5,937,152 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    - 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
    + 2009-03-08 09:31:26 66,560 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
    - 2006-10-17 17:28:56 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
    + 2009-03-08 09:31:18 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
    - 2006-11-08 03:03:36 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
    + 2009-03-08 09:22:38 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
    - 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
    + 2009-03-08 09:34:18 193,536 -c--a-w c:\windows\system32\dllcache\msrating.dll
    - 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
    + 2009-03-08 09:32:04 611,840 -c--a-w c:\windows\system32\dllcache\mstime.dll
    - 2008-12-20 23:15:38 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
    + 2009-03-08 09:34:18 109,568 -c--a-w c:\windows\system32\dllcache\occache.dll
    - 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
    + 2009-03-08 09:31:36 46,592 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
    + 2009-01-07 23:20:54 134,144 -c----w c:\windows\system32\dllcache\sqmapi.dll
    - 2008-12-20 23:15:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
    + 2009-03-08 09:34:28 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
    - 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    + 2009-03-08 09:34:56 1,206,784 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    - 2006-11-08 03:03:36 413,696 ----a-w c:\windows\system32\dllcache\vbscript.dll
    + 2009-03-08 09:33:06 420,352 -c--a-w c:\windows\system32\dllcache\vbscript.dll
    - 2007-07-12 23:31:54 765,952 -c--a-w c:\windows\system32\dllcache\vgx.dll
    + 2009-03-08 09:33:48 759,296 -c--a-w c:\windows\system32\dllcache\VGX.dll
    - 2008-12-20 23:15:40 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
    + 2009-03-08 09:34:48 236,544 -c--a-w c:\windows\system32\dllcache\webcheck.dll
    - 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
    + 2009-03-08 09:34:58 914,944 -c--a-w c:\windows\system32\dllcache\wininet.dll
    + 2009-04-08 05:12:20 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    - 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
    + 2009-03-08 09:31:44 348,160 ----a-w c:\windows\system32\dxtmsft.dll
    - 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
    + 2009-03-08 09:31:38 216,064 ----a-w c:\windows\system32\dxtrans.dll
    - 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
    + 2009-03-08 09:31:52 59,904 ----a-w c:\windows\system32\icardie.dll
    - 2006-06-29 14:05:44 26,112 -c----w c:\windows\system32\idndl.dll
    + 2009-01-07 23:20:36 26,112 ----a-w c:\windows\system32\idndl.dll
    - 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
    + 2009-03-08 09:32:54 173,056 ----a-w c:\windows\system32\ie4uinit.exe
    - 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
    + 2009-03-08 09:33:02 125,952 ----a-w c:\windows\system32\ieakeng.dll
    - 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
    + 2009-03-08 09:33:08 229,376 ----a-w c:\windows\system32\ieaksie.dll
    - 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
    + 2009-03-08 09:32:52 163,840 ----a-w c:\windows\system32\ieakui.dll
    - 2007-04-17 09:28:12 2,455,488 -c--a-w c:\windows\system32\ieapfltr.dat
    + 2009-02-07 02:07:58 3,698,584 ----a-w c:\windows\system32\ieapfltr.dat
    - 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
    + 2009-03-08 09:11:12 445,952 ----a-w c:\windows\system32\ieapfltr.dll
    - 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
    + 2009-03-08 19:09:26 391,536 ----a-w c:\windows\system32\iedkcs32.dll
    - 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
    + 2009-03-08 09:39:48 11,063,808 ----a-w c:\windows\system32\ieframe.dll
    - 2006-11-08 03:03:36 191,488 ----a-w c:\windows\system32\iepeers.dll
    + 2009-03-08 09:31:56 183,808 ----a-w c:\windows\system32\iepeers.dll
    - 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
    + 2009-03-08 09:32:50 55,808 ----a-w c:\windows\system32\iernonce.dll
    - 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
    + 2009-03-08 09:32:22 1,985,024 ----a-w c:\windows\system32\iertutil.dll
    - 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
    + 2009-03-08 09:32:52 36,864 ----a-w c:\windows\system32\ieudinit.exe
    - 2006-11-08 03:03:36 180,736 ------w c:\windows\system32\ieui.dll
    + 2009-03-08 09:22:46 164,352 ----a-w c:\windows\system32\ieui.dll
    - 2006-11-07 09:26:24 92,672 -c--a-w c:\windows\system32\inseng.dll
    + 2009-03-08 09:32:46 94,720 ----a-w c:\windows\system32\inseng.dll
    - 2008-06-10 07:21:01 135,168 -c--a-w c:\windows\system32\java.exe
    + 2009-04-09 04:48:57 144,792 ----a-w c:\windows\system32\java.exe
    - 2008-06-10 07:21:04 135,168 -c--a-w c:\windows\system32\javaw.exe
    + 2009-04-09 04:48:57 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2008-06-10 08:32:34 139,264 -c--a-w c:\windows\system32\javaws.exe
    + 2009-04-09 04:48:57 148,888 ----a-w c:\windows\system32\javaws.exe
    - 2006-10-17 18:00:00 491,520 ----a-w c:\windows\system32\jscript.dll
    + 2009-03-08 09:33:16 726,528 ----a-w c:\windows\system32\jscript.dll
    - 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
    + 2009-03-08 09:33:26 25,600 ----a-w c:\windows\system32\jsproxy.dll
    + 2009-01-07 23:20:18 265,720 ----a-w c:\windows\system32\msdbg2.dll
    - 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
    + 2009-03-08 09:32:26 594,432 ----a-w c:\windows\system32\msfeeds.dll
    - 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
    + 2009-03-08 09:31:52 55,296 ----a-w c:\windows\system32\msfeedsbs.dll
    - 2006-10-17 17:58:32 12,288 -c----w c:\windows\system32\msfeedssync.exe
    + 2009-03-08 09:31:54 13,312 ----a-w c:\windows\system32\msfeedssync.exe
    - 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
    + 2009-03-08 09:41:16 5,937,152 ----a-w c:\windows\system32\mshtml.dll
    - 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
    + 2009-03-08 09:31:26 66,560 ----a-w c:\windows\system32\mshtmled.dll
    - 2007-02-13 22:22:54 947,472 -c--a-w c:\windows\system32\msjava.dll
    + 2007-02-13 21:22:54 947,472 ----a-w c:\windows\system32\msjava.dll
    - 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
    + 2009-03-08 09:34:18 193,536 ----a-w c:\windows\system32\msrating.dll
    - 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
    + 2009-03-08 09:32:04 611,840 ----a-w c:\windows\system32\mstime.dll
    - 2006-06-28 23:59:26 24,576 -c----w c:\windows\system32\nlsdl.dll
    + 2009-01-07 23:20:38 24,576 ----a-w c:\windows\system32\nlsdl.dll
    - 2006-06-29 14:05:44 23,552 ------w c:\windows\system32\normaliz.dll
    + 2009-01-07 23:20:36 23,552 ----a-w c:\windows\system32\normaliz.dll
    - 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
    + 2009-03-08 09:34:18 109,568 ----a-w c:\windows\system32\occache.dll
    - 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
    + 2009-03-08 09:31:36 46,592 ----a-w c:\windows\system32\pngfilt.dll
    - 2007-08-11 02:46:18 17,272 ------w c:\windows\system32\spmsg.dll
    + 2009-01-07 23:20:58 16,928 ------w c:\windows\system32\spmsg.dll
    - 2007-08-11 02:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
    + 2009-01-07 23:21:00 26,144 ----a-w c:\windows\system32\spupdsvc.exe
    - 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
    + 2009-03-08 09:34:28 105,984 ----a-w c:\windows\system32\url.dll
    - 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
    + 2009-03-08 09:34:56 1,206,784 ----a-w c:\windows\system32\urlmon.dll
    - 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
    + 2009-03-08 09:34:48 236,544 ----a-w c:\windows\system32\webcheck.dll
    - 2006-10-17 18:05:58 206,336 -c----w c:\windows\system32\WinFXDocObj.exe
    + 2009-03-08 09:34:48 208,384 ----a-w c:\windows\system32\WinFXDocObj.exe
    - 2006-07-14 15:51:51 121,856 ----a-w c:\windows\system32\xmllite.dll
    + 2009-01-07 23:21:04 121,856 ----a-w c:\windows\system32\xmllite.dll
    + 2009-04-11 00:54:34 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1f8.dat
    + 2009-04-11 00:54:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_290.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam "= "c:\program files\steam\steam.exe" [2009-01-08 1410296]
    "NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-04-08 148888]
    "CTHelper "= "CTHELPER.EXE" [2004-03-19 c:\windows\system32\CTHELPER.EXE]
    "nwiz "= "nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 01000000
    "NoSMMyDocs "= 01000000
    "NoSMMyPictures "= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-08 00:12 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i420vfw.dll
    "VIDC.VP40 "= vp4vfw.dll
    "vidc.X264 "= x264vfw.dll
    "VIDC.MSUD "= msulvc05.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=" "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Documents and Settings\\Michael\\My Documents\\utorrent.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
    "c:\\Program Files\\Peer Impact\\peerimpact.exe "=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe "=
    "c:\\Program Files\\Azureus\\Azureus.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\mIRC\\mirc.exe "=
    "c:\\Program Files\\Steam\\steam.exe "=
    "c:\\Program Files\\Steam\\SteamApps\\cooleyo\\team fortress 2\\hl2.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe "=
    "c:\\Program Files\\screen-scraper basic edition\\jre\\bin\\java.exe "=
    "c:\\Program Files\\screen-scraper basic edition\\screen-scraper.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe "=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3074:TCP "= 3074:TCP:GearsofWar
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "56147:TCP "= 56147:TCP:pandoRest Listening Port

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-08 325640]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-08 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
    R2 PStrip;PSTRIP;c:\windows\system32\drivers\PStrip.sys [2004-11-09 21968]
    R3 dsnpfd;DeskSoft Service;c:\windows\system32\drivers\dsnpfd.sys [2007-10-21 16896]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4B.tmp --> c:\windows\system32\4B.tmp [?]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\AutoRunCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-583907252-839522115-1003.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:48]

    2009-03-18 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

    2008-06-01 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: aol.com\free
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\hu99675r.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\hu99675r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppsynth.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\windows\system32\Photosynth\nppsynth.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-10 20:18:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath "= "\??\c:\windows\system32\4B.tmp "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-484763869-583907252-839522115-1003\Software\SecuROM\License information*]
    "datasecu "=hex:76,90,10,69,7d,99,56,06,e4,80,f7,a5,c3,f6,b9,50,f8,8d,81,1b,e9,
    1b,20,f1,ec,cb,e8,14,43,c1,89,34,0d,de,98,0a,2d,6c,b4,52,d7,20,15,47,69,3f,\
    "rkeysecu "=hex:2c,73,a8,9a,05,2d,e9,c8,e6,8e,01,19,6e,c6,29,6a
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(972)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-04-10 20:20:41
    ComboFix-quarantined-files.txt 2009-04-11 01:20:24
    ComboFix2.txt 2009-04-08 04:57:09

    Pre-Run: 54,102,401,024 bytes free
    Post-Run: 54,086,307,840 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    480 --- E O F --- 2009-04-09 08:04:08
     
  11. 2009/04/11
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Sorry for my delay, we had horrible weather yesterday and no electricity.

    Let's do a couple of things to see if the bad file has morphed into something else.


    We'll run this tool again.

    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied using CTRL and V into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in
    your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    RegQuery log
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  12. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I just want to say thanks again for all your help. It's really amazing that a community of volunteers has so much knowledge and are willing to help others. I appreciate it. We also had storms rip through here yesterday (Southeastern US) so I hope you made it through ok.

    Here's the RegQuery log. I'm about to start running Kaspersky, but as you recall, it took a great deal of time so I might not post for a while.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper "= "midimap.dll "
    "msacm.imaadpcm "= "imaadp32.acm "
    "msacm.msadpcm "= "msadp32.acm "
    "msacm.msg711 "= "msg711.acm "
    "msacm.msgsm610 "= "msgsm32.acm "
    "msacm.trspch "= "tssoft32.acm "
    "vidc.cvid "= "iccvid.dll "
    "VIDC.I420 "= "i420vfw.dll "
    "vidc.iv31 "= "ir32_32.dll "
    "vidc.iv32 "= "ir32_32.dll "
    "vidc.iv41 "= "ir41_32.ax "
    "VIDC.IYUV "= "iyuv_32.dll "
    "vidc.mrle "= "msrle32.dll "
    "vidc.msvc "= "msvidc32.dll "
    "VIDC.UYVY "= "msyuv.dll "
    "VIDC.YUY2 "= "msyuv.dll "
    "VIDC.YVU9 "= "tsbyuv.dll "
    "VIDC.YVYU "= "msyuv.dll "
    "wavemapper "= "msacm32.drv "
    "msacm.msg723 "= "msg723.acm "
    "vidc.M263 "= "msh263.drv "
    "vidc.M261 "= "msh261.drv "
    "msacm.msaudio1 "= "msaud32.acm "
    "msacm.sl_anet "= "sl_anet.acm "
    "msacm.iac2 "= "C:\\WINDOWS\\system32\\iac25_32.ax "
    "vidc.iv50 "= "ir50_32.dll "
    "msacm.l3acm "= "C:\\WINDOWS\\system32\\l3codeca.acm "
    "MSVideo8 "= "VfWWDM32.dll "
    "msacm.lhacm "= "lhacm.acm "
    "wave "= "wdmaud.drv "
    "midi "= "wdmaud.drv "
    "mixer "= "wdmaud.drv "
    "VIDC.WMV3 "= "wmv9vcm.dll "
    "VIDC.VP40 "= "vp4vfw.dll "
    "msacm.voxacm160 "= "vct3216.acm "
    "MSVideo "= "vfwwdm32.dll "
    "wave1 "= "wdmaud.drv "
    "midi1 "= "wdmaud.drv "
    "mixer1 "= "wdmaud.drv "
    "vidc.VP70 "= "vp7vfw.dll "
    "vidc.X264 "= "x264vfw.dll "
    "VIDC.FPS1 "= "frapsvid.dll "
    "vidc.VP60 "= "vp6vfw.dll "
    "vidc.VP61 "= "vp6vfw.dll "
    "vidc.VP62 "= "vp6vfw.dll "
    "VIDC.DRAW "= "DVIDEO.DLL "
    "wave2 "= "wdmaud.drv "
    "midi2 "= "wdmaud.drv "
    "mixer2 "= "wdmaud.drv "
    "aux1 "= "wdmaud.drv "
    "wave3 "= "wdmaud.drv "
    "midi3 "= "wdmaud.drv "
    "mixer3 "= "wdmaud.drv "
    "aux2 "= "wdmaud.drv "
    "VIDC.MSUD "= "msulvc05.dll "
    "wave4 "= "wdmaud.drv "
    "midi4 "= "wdmaud.drv "
    "mixer4 "= "wdmaud.drv "
    "aux3 "= "wdmaud.drv "
    "vidc.DIVX "= "DivX.dll "
    "vidc.yv12 "= "DivX.dll "
    "VIDC.FFDS "= "ff_vfw.dll "
    "aux "= "wdmaud.drv "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave "= "rdpsnd.dll "
    "mixer "= "rdpsnd.dll "
    "MaxBandwidth "=dword:000056b9
    "wavemapper "= "msacm32.drv "
    "EnableMP3Codec "=dword:00000001
    "midimapper "= "midimap.dll "
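One way to automate the Drivers32 review Juliet asks for in the RegQuery step, run over an export like the one just posted; this is an added example, not part of the thread or of RegQuery itself. The known-good name prefixes, the expected file extensions and the sample export (entries from the log above plus two constructed suspicious ones, vidc.xyz and helper) are this example's own assumptions.

```python
"""Audit a RegQuery/regedit export of the Drivers32 key for odd codec entries.

Added example, not RegQuery's or the thread's own code. The known-good
name prefixes, the expected file extensions and the sample export below
are this example's assumptions, made for a default C:\\WINDOWS XP install.
"""
import re
from dataclasses import dataclass

# The key Juliet asked to be queried (compared case-insensitively).
DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"

# Value-name prefixes that normally live under Drivers32 on Windows XP (assumption).
KNOWN_PREFIXES = ("vidc.", "msacm.", "wave", "midi", "mixer", "aux",
                  "msvideo", "wavemapper", "midimapper")
# File types a codec or audio driver entry is expected to reference (assumption).
KNOWN_EXTS = (".dll", ".drv", ".acm", ".ax")


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_reg(text):
    """Yield (key, name, value) for every string value in a 'Windows Registry
    Editor Version 5.00' export. dword:/hex: values are skipped because they
    are not file references. Stray spaces that forum pasting adds around '='
    and inside the quotes are tolerated."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
        if m is None or key is None:
            continue
        name, rhs = m.group(1).strip(), m.group(2).strip()
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # .reg files escape backslash and double quote with a backslash.
            value = re.sub(r'\\(.)', r'\1', rhs[1:-1]).strip()
            yield key, name, value


def audit_drivers32(text):
    """Return the entries under the flat Drivers32 key that fail a heuristic.
    Subkeys such as Terminal Server\\RDP are deliberately left alone."""
    findings = []
    for key, name, value in parse_reg(text):
        if key.lower() != DRIVERS32:
            continue
        lname, lvalue = name.lower(), value.lower()
        if not lname.startswith(KNOWN_PREFIXES):
            findings.append(Finding(key, name, value, "unexpected value name"))
        elif not lvalue.endswith(KNOWN_EXTS):
            findings.append(Finding(key, name, value, "unexpected file extension"))
        elif "\\" in value and not lvalue.rsplit("\\", 1)[0].endswith("\\system32"):
            # Bare file names resolve through the normal DLL search path;
            # an absolute path is only expected to point into system32.
            findings.append(Finding(key, name, value, "absolute path outside system32"))
    return findings


# Constructed sample: real entries from the thread's RegQuery log plus two
# made-up suspicious entries (vidc.xyz and helper) to exercise the checks.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"vidc.iv41"="ir41_32.ax"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"VIDC.MSUD"="msulvc05.dll"
"wave "= "wdmaud.drv "
"vidc.xyz"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\example.dll"
"helper"="example.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"""

if __name__ == "__main__":
    for f in audit_drivers32(SAMPLE_REG):
        print(f'{f.reason}: "{f.name}" = {f.value}')
```

Paste the text of a RegQuery export into SAMPLE_REG (or read it from the Notepad file RegQuery opens) and the two constructed entries are the only ones reported; a clean log like the one above produces no findings.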
     
  13. 2009/04/11
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I live in Tennessee so we were dodging and ducking most of the day and even into the evening.

    RegQuery log is clean so I have high hopes the rest will go OK.


    How's the computer today?
     
  14. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I was in Tennessee last week!

    I have not rebooted my computer since we last spoke; I don't want to do something that might mess it up (i.e. when I reactivated the virtual memory and the pagefile was recreated, thus re-enabling the virus). That also brings to mind: for speed purposes, I need to have virtual memory enabled, but I'm afraid it's going to bring the virus back.

    Should I reboot before I run Kaspersky? I have not rebooted since the last time I ran the OldTimer program. There are a couple of "perma" files that it couldn't delete.
     
  15. 2009/04/11
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Like?
    Were they files held in a quarantine folder?


    btw, one day soon you will have to reboot....
    I have no qualms about not rebooting but if we find files that have to be deleted it will require a reboot.
     
  16. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Here are the "perma" files from the last OT log I was referring to:

    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_290.dat scheduled to be deleted on reboot.

    LOL. I'm not worried about rebooting, just wanted to make sure there wasn't a step to be done with the files above before I do it.
     
  17. 2009/04/11
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat scheduled to be deleted on reboot.
    Don't worry about that.
    Normally they should be discarded on a normal shutdown.
     
  18. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Update: Kaspersky has been running for 4.5 hours, and it is 7% done. I've got about 500 GB of data, and a lot of it is zipped files, etc., but I don't think it should be taking so long. Pagefile.sys is still gone, so virtual memory is not active. I have 4 GB of RAM (although I think only 3 GB is recognized since I don't have a 64-bit OS).

    Should I continue to let this run?
     
  19. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Kaspersky:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Saturday, April 11, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Saturday, April 11, 2009 17:24:35
    Records in database: 2035077
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 138906
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 10:34:08


    File name / Threat name / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

    The selected area was scanned.
     
  20. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:32:12 PM, on 4/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 4243 bytes
     
  21. 2009/04/11
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Reg query from earlier:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper "= "midimap.dll "
    "msacm.imaadpcm "= "imaadp32.acm "
    "msacm.msadpcm "= "msadp32.acm "
    "msacm.msg711 "= "msg711.acm "
    "msacm.msgsm610 "= "msgsm32.acm "
    "msacm.trspch "= "tssoft32.acm "
    "vidc.cvid "= "iccvid.dll "
    "VIDC.I420 "= "i420vfw.dll "
    "vidc.iv31 "= "ir32_32.dll "
    "vidc.iv32 "= "ir32_32.dll "
    "vidc.iv41 "= "ir41_32.ax "
    "VIDC.IYUV "= "iyuv_32.dll "
    "vidc.mrle "= "msrle32.dll "
    "vidc.msvc "= "msvidc32.dll "
    "VIDC.UYVY "= "msyuv.dll "
    "VIDC.YUY2 "= "msyuv.dll "
    "VIDC.YVU9 "= "tsbyuv.dll "
    "VIDC.YVYU "= "msyuv.dll "
    "wavemapper "= "msacm32.drv "
    "msacm.msg723 "= "msg723.acm "
    "vidc.M263 "= "msh263.drv "
    "vidc.M261 "= "msh261.drv "
    "msacm.msaudio1 "= "msaud32.acm "
    "msacm.sl_anet "= "sl_anet.acm "
    "msacm.iac2 "= "C:\\WINDOWS\\system32\\iac25_32.ax "
    "vidc.iv50 "= "ir50_32.dll "
    "msacm.l3acm "= "C:\\WINDOWS\\system32\\l3codeca.acm "
    "MSVideo8 "= "VfWWDM32.dll "
    "msacm.lhacm "= "lhacm.acm "
    "wave "= "wdmaud.drv "
    "midi "= "wdmaud.drv "
    "mixer "= "wdmaud.drv "
    "VIDC.WMV3 "= "wmv9vcm.dll "
    "VIDC.VP40 "= "vp4vfw.dll "
    "msacm.voxacm160 "= "vct3216.acm "
    "MSVideo "= "vfwwdm32.dll "
    "wave1 "= "wdmaud.drv "
    "midi1 "= "wdmaud.drv "
    "mixer1 "= "wdmaud.drv "
    "vidc.VP70 "= "vp7vfw.dll "
    "vidc.X264 "= "x264vfw.dll "
    "VIDC.FPS1 "= "frapsvid.dll "
    "vidc.VP60 "= "vp6vfw.dll "
    "vidc.VP61 "= "vp6vfw.dll "
    "vidc.VP62 "= "vp6vfw.dll "
    "VIDC.DRAW "= "DVIDEO.DLL "
    "wave2 "= "wdmaud.drv "
    "midi2 "= "wdmaud.drv "
    "mixer2 "= "wdmaud.drv "
    "aux1 "= "wdmaud.drv "
    "wave3 "= "wdmaud.drv "
    "midi3 "= "wdmaud.drv "
    "mixer3 "= "wdmaud.drv "
    "aux2 "= "wdmaud.drv "
    "VIDC.MSUD "= "msulvc05.dll "
    "wave4 "= "wdmaud.drv "
    "midi4 "= "wdmaud.drv "
    "mixer4 "= "wdmaud.drv "
    "aux3 "= "wdmaud.drv "
    "vidc.DIVX "= "DivX.dll "
    "vidc.yv12 "= "DivX.dll "
    "VIDC.FFDS "= "ff_vfw.dll "
    "aux "= "wdmaud.drv "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave "= "rdpsnd.dll "
    "mixer "= "rdpsnd.dll "
    "MaxBandwidth "=dword:000056b9
    "wavemapper "= "msacm32.drv "
    "EnableMP3Codec "=dword:00000001
    "midimapper "= "midimap.dll "
     