hijacked?

Discussion in 'Malware Help (A Specialist Will Reply)' started by squid_liquor, Jun 14, 2012.

    squid_liquor (Private E-2)

    Hey guys, wonder if you can help me again.

    Last night, whilst half-asleep, one of the children asked if they could install a Minecraft mod. Half asleep, I said it was OK provided I didn't have to do anything.

    This morning I find out that iLivid and associated crap has been installed and browsers are all going to the wrong place, etc., etc. I think a standard sweep has done it, but can someone take a look at my logs to make sure, please?

    Thanks guys

    ========================================================
    ========================================================


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/14/2012 at 09:59 AM

    Application Version : 5.0.1146

    Core Rules Database Version : 8732
    Trace Rules Database Version: 6544

    Scan type : Quick Scan
    Total Scan Time : 00:09:39

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 580
    Memory threats detected : 0
    Registry items scanned : 28550
    Registry threats detected : 0
    File items scanned : 6886
    File threats detected : 0

    ========================================================
    ========================================================


    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.14.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Home :: COMPUTERCAT [administrator]

    14/06/2012 10:08:51
    mbam-log-2012-06-14 (10-08-51).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 206678
    Time elapsed: 4 minute(s), 29 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Home\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ======================================================
    ======================================================


    ComboFix 12-06-13.05 - Home 14/06/2012 10:40:49.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2405 [GMT 1:00]
    Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\winxp\$NtUninstallKB8692$
    c:\winxp\$NtUninstallKB8692$\808388006
    c:\winxp\system32\dds_trash_log.cmd
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_.cdrom
    -------\Service_.i8042prt
    -------\Service_.serial
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 16:17 . 2006-11-21 19:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2012-06-13 18:52 . 2012-06-13 18:52 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Ilivid Player
    2012-06-13 18:50 . 2012-06-13 18:50 -------- d-----w- c:\documents and settings\Home\Application Data\searchqutoolbar
    2012-06-13 18:50 . 2012-06-14 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
    2012-06-13 18:50 . 2012-06-13 18:50 -------- d-----w- c:\program files\Searchqu Toolbar
    2012-06-09 17:41 . 2012-05-08 16:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BAE557AE-A29A-4011-AF84-8BA8D68828E1}\mpengine.dll
    2012-05-25 18:53 . 2012-05-25 18:53 -------- d-----w- c:\program files\Dropbox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 16:40 . 2011-02-10 16:33 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-04-04 14:56 . 2012-03-29 14:02 22344 ----a-w- c:\winxp\system32\drivers\mbam.sys
    2012-03-23 16:55 . 2011-12-06 13:51 414368 ----a-w- c:\winxp\system32\FlashPlayerCPLApp.cpl
    2012-04-25 19:38 . 2012-02-15 08:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-12_11.17.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-06-14 09:52 . 2012-06-14 09:52 16384 c:\winxp\Temp\Perflib_Perfdata_4c4.dat
    - 2008-04-14 11:00 . 2011-10-31 08:02 84706 c:\winxp\system32\perfc009.dat
    + 2008-04-14 11:00 . 2012-03-26 10:02 84706 c:\winxp\system32\perfc009.dat
    + 1774-08-29 13:22 . 1774-08-29 13:22 56832 c:\winxp\system32\iyvu9_32.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 46592 c:\winxp\system32\dxdllreg.exe
    + 2012-05-06 20:20 . 2004-07-09 03:26 18688 c:\winxp\system32\drivers\wstcodec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 14976 c:\winxp\system32\drivers\streamip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10880 c:\winxp\system32\drivers\slip.sys
    - 2008-04-14 11:00 . 2008-04-14 11:00 64512 c:\winxp\system32\drivers\serial.sys
    + 2012-03-29 13:55 . 2008-04-13 21:45 64512 c:\winxp\system32\drivers\serial.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10112 c:\winxp\system32\drivers\ndisip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 83968 c:\winxp\system32\drivers\nabtsfec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 52096 c:\winxp\system32\drivers\msdv.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 15104 c:\winxp\system32\drivers\mpe.sys
    - 2008-04-14 11:00 . 2008-04-14 11:00 52480 c:\winxp\system32\drivers\i8042prt.sys
    + 2012-03-29 13:53 . 2008-04-13 21:48 52480 c:\winxp\system32\drivers\i8042prt.sys
    - 2008-04-14 11:00 . 2008-04-14 11:00 62976 c:\winxp\system32\drivers\cdrom.sys
    + 2012-03-29 13:54 . 2008-04-13 21:10 62976 c:\winxp\system32\drivers\cdrom.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16384 c:\winxp\system32\drivers\ccdecode.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 11392 c:\winxp\system32\drivers\bdasup.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 18688 c:\winxp\system32\dllcache\wstcodec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 14976 c:\winxp\system32\dllcache\streamip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10880 c:\winxp\system32\dllcache\slip.sys
    + 2012-03-29 13:55 . 2008-04-13 21:45 64512 c:\winxp\system32\dllcache\serial.sys
    + 2012-05-06 20:19 . 2002-08-29 02:41 31744 c:\winxp\system32\dllcache\pid.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 10112 c:\winxp\system32\dllcache\ndisip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 83968 c:\winxp\system32\dllcache\nabtsfec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 52096 c:\winxp\system32\dllcache\msdv.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 15104 c:\winxp\system32\dllcache\mpe.sys
    + 2012-03-29 13:53 . 2008-04-13 21:48 52480 c:\winxp\system32\dllcache\i8042prt.sys
    + 2012-03-29 13:54 . 2008-04-13 21:10 62976 c:\winxp\system32\dllcache\cdrom.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16384 c:\winxp\system32\dllcache\ccdecode.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 11392 c:\winxp\system32\dllcache\bdasup.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 47104 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\wstdecod.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 18688 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\wstcodec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 14976 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\streamip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10880 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\slip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10112 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\ndisip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 83968 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\nabtsfec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16896 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\msyuv.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 15104 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\mpe.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16384 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\ccdecode.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 11392 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\bdasup.sys
    + 2012-05-06 20:20 . 2004-07-09 03:27 48512 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\stream.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 13312 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\msdmo.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 34304 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mciqtz32.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 18944 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\encapi.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 46592 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
    + 2012-05-06 20:19 . 2002-12-11 23:14 18432 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dswave.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 79360 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpwsockx.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 80896 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvsetup.exe
    + 2012-05-06 20:19 . 2002-12-11 23:14 19968 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvacm.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 16896 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnsvr.exe
    + 2012-05-06 20:19 . 2003-03-24 08:00 68096 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhupnp.dll
    + 2012-05-06 20:19 . 2003-03-24 08:00 32768 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhpast.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 77824 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpmodemx.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 28160 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dplaysvr.exe
    + 2012-05-06 20:19 . 2002-12-11 23:14 98816 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmstyle.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 76800 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmscript.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 33280 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmloader.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 58368 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmcompos.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 27136 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmband.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 24064 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ddrawex.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 64512 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\amstream.dll
    + 2012-05-06 20:19 . 2012-05-06 20:19 61440 c:\winxp\Installer\{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}\ARPPRODUCTICON.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 17304 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 35736 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 88992 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 94608 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 49064 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 17824 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 63912 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 64928 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 63384 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 18688 c:\winxp\Driver Cache\i386\wstcodec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 14976 c:\winxp\Driver Cache\i386\streamip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:27 48512 c:\winxp\Driver Cache\i386\stream.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 10880 c:\winxp\Driver Cache\i386\slip.sys
    + 2012-05-06 20:19 . 2002-08-29 02:41 31744 c:\winxp\Driver Cache\i386\pid.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 10112 c:\winxp\Driver Cache\i386\ndisip.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 83968 c:\winxp\Driver Cache\i386\nabtsfec.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16896 c:\winxp\Driver Cache\i386\msyuv.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 52096 c:\winxp\Driver Cache\i386\msdv.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 15104 c:\winxp\Driver Cache\i386\mpe.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 16384 c:\winxp\Driver Cache\i386\ccdecode.sys
    + 2012-05-06 20:20 . 2004-07-09 03:26 11392 c:\winxp\Driver Cache\i386\bdasup.sys
    - 2011-02-28 17:12 . 2011-02-28 17:12 12800 c:\winxp\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 12800 c:\winxp\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 53248 c:\winxp\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 53248 c:\winxp\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
    + 2012-01-12 16:59 . 2001-08-17 20:36 5632 c:\winxp\system32\ptpusb.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 5504 c:\winxp\system32\drivers\mstee.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 5504 c:\winxp\system32\dllcache\mstee.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 4096 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\swenum.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 5504 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mstee.sys
    + 2012-05-06 20:20 . 2001-08-23 04:00 4608 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mspqm.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 5248 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mspclock.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 7424 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mskssrv.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 4096 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ksuser.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 3072 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnlobby.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 3072 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnaddr.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 8192 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3d8thk.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 4096 c:\winxp\Driver Cache\i386\swenum.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 5504 c:\winxp\Driver Cache\i386\mstee.sys
    + 2012-05-06 20:20 . 2001-08-23 04:00 4608 c:\winxp\Driver Cache\i386\mspqm.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 5248 c:\winxp\Driver Cache\i386\mspclock.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 7424 c:\winxp\Driver Cache\i386\mskssrv.sys
    + 2012-05-06 20:20 . 2002-12-11 23:14 4096 c:\winxp\Driver Cache\i386\ksuser.dll
    + 2012-01-03 20:18 . 2012-01-03 20:18 4096 c:\winxp\d3dx.dat
    + 2012-01-12 16:59 . 2008-04-14 03:42 159232 c:\winxp\system32\ptpusd.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 354816 c:\winxp\system32\psisdecd.dll
    - 2008-04-14 11:00 . 2011-10-31 08:02 494288 c:\winxp\system32\perfh009.dat
    + 2008-04-14 11:00 . 2012-03-26 10:02 494288 c:\winxp\system32\perfh009.dat
    - 2011-02-10 16:33 . 2010-10-19 20:51 222080 c:\winxp\system32\MpSigStub.exe
    + 2011-02-10 16:33 . 2011-11-15 14:29 222080 c:\winxp\system32\MpSigStub.exe
    + 2012-03-23 16:55 . 2012-03-23 16:55 250528 c:\winxp\system32\Macromed\Flash\FlashUtil11g_Plugin.exe
    - 2011-07-03 18:05 . 2011-05-04 03:52 157472 c:\winxp\system32\javaws.exe
    + 2012-01-03 20:05 . 2011-11-10 05:54 157472 c:\winxp\system32\javaws.exe
    + 2012-01-03 20:05 . 2011-11-10 05:54 149280 c:\winxp\system32\javaw.exe
    + 2012-01-03 20:05 . 2011-11-10 05:54 149280 c:\winxp\system32\java.exe
    + 1774-08-29 13:22 . 1774-08-29 13:22 143872 c:\winxp\system32\iacenc.dll
    + 2011-02-10 13:35 . 2012-05-07 08:36 134072 c:\winxp\system32\FNTCACHE.DAT
    + 2012-05-06 20:20 . 2004-07-09 03:26 354816 c:\winxp\system32\dllcache\psisdecd.dll
    + 2011-02-11 23:05 . 2011-11-10 05:54 472808 c:\winxp\system32\deployJava1.dll
    - 2011-02-11 23:05 . 2011-05-04 03:52 472808 c:\winxp\system32\deployJava1.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 354816 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\psisdecd.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 733184 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qedwipes.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 470528 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qdvd.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 316928 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qdv.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 257024 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qcap.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 173056 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qasf.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 324096 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\mswebdvd.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 130304 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ks.sys
    + 2012-05-06 20:19 . 2004-07-09 03:27 974848 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdiag.exe
    + 2012-05-06 20:19 . 2002-12-11 23:14 602624 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dx7vb.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 381952 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsound.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 491520 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsdmoprp.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 186880 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsdmo.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 112128 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvvox.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 381952 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvoice.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 723968 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnet.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 230400 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dplayx.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 122880 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmusic.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 100864 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmsynth.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 181248 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dmime.dll
    + 2012-05-06 20:19 . 2003-05-30 08:00 132608 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\devenum.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 292864 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ddraw.dll
    + 2012-05-06 20:19 . 2003-05-30 08:00 797184 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3dim700.dll
    + 2012-01-03 20:06 . 2012-01-03 20:06 203776 c:\winxp\Installer\2525f82.msi
    + 2012-05-19 15:49 . 2012-05-19 15:49 341504 c:\winxp\Installer\175cdae.msi
    + 2011-06-06 11:55 . 2011-06-06 11:55 249232 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 394136 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 103848 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 183696 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 104344 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 937920 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 102808 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 755088 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 296344 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 205720 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 354816 c:\winxp\Driver Cache\i386\psisdecd.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 130304 c:\winxp\Driver Cache\i386\ks.sys
    + 2012-05-06 20:20 . 2012-05-06 20:20 223232 c:\winxp\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 223232 c:\winxp\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 178176 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 178176 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 364544 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 364544 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 159232 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 159232 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 145920 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 145920 c:\winxp\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 576000 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 576000 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2012-05-06 20:20 . 2012-05-06 20:20 567296 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 567296 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
    + 2012-05-06 20:21 . 2012-05-06 20:21 473600 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
    - 2011-02-28 17:12 . 2011-02-28 17:12 473600 c:\winxp\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
    + 2012-05-06 20:14 . 2012-05-06 20:14 1230336 c:\winxp\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
    + 2011-02-10 16:57 . 2012-03-23 16:55 8527520 c:\winxp\system32\Macromed\Flash\NPSWF32.dll
    + 2012-05-06 20:20 . 2004-07-09 03:26 1230336 c:\winxp\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\msvidctl.dll
    + 2012-05-06 20:20 . 2003-05-30 08:00 1962496 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\quartz.dll
    + 2012-05-06 20:20 . 2002-12-11 23:14 1798144 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qedit.dll
    + 2012-05-06 20:19 . 2003-05-30 08:00 1189888 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dx8vb.dll
    + 2012-05-06 20:19 . 2002-12-11 23:14 1294336 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsound3d.dll
    + 2012-05-06 20:19 . 2004-07-09 03:27 1201152 c:\winxp\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3d8.dll
    + 2012-05-06 20:19 . 2012-05-06 20:19 1602560 c:\winxp\Installer\2b0dd54.msi
    + 2012-04-14 16:12 . 2012-04-14 16:12 2295808 c:\winxp\Installer\261bf.msi
    + 2011-06-06 11:55 . 2011-06-06 11:55 2215312 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 6543768 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 1240992 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 1480600 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
    + 2012-04-04 13:32 . 2012-04-04 13:32 16613376 c:\winxp\Installer\26252.msp
    + 2011-06-06 11:55 . 2011-06-06 11:55 24731544 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-29 3905920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-10-01 98304]
    "NVRaidService"="c:\winxp\system32\nvraidservice.exe" [2006-09-21 137216]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Home\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Home\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
    "c:\\Documents and Settings\\Home\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Documents and Settings\\Home\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\SilicMobile\\PC Remote Controller\\PC Remote Controller.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
    "c:\\Program Files\\Searchqu Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
    R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [12/02/2011 00:08 153600]
    R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [12/02/2011 00:08 121856]
    S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\winxp\system32\DRIVERS\tdx.sys --> c:\winxp\system32\DRIVERS\tdx.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winxp\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\winxp\System32\svchost.exe -k NetSvcs [14/04/2008 12:00 14336]
    S3 Ambfilt;Ambfilt;c:\winxp\system32\drivers\Ambfilt.sys [11/02/2011 11:47 1691480]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [25/04/2012 20:38 129976]
    S3 optousb;OPTO ELECTRONICS optousb;c:\winxp\system32\drivers\optousb.sys [24/03/2011 19:41 18432]
    S3 optovcm;OPTO ELECTRONICS optovcm;c:\winxp\system32\drivers\optovcm.sys [24/03/2011 19:41 26368]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 WinDefend;Windows Defender;c:\winxp\System32\svchost.exe -k secsvcs [14/04/2008 12:00 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winxp\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-13 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-682003330-1138704460-1003Core.job
    - c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 10:57]
    .
    2012-06-14 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-682003330-1138704460-1003UA.job
    - c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-04 10:57]
    .
    2012-06-14 c:\winxp\Tasks\WGASetup.job
    - c:\winxp\system32\KB905474\wgasetup.exe [2011-02-12 22:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.searchnu.com/406
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} - hxxp://www.shopandscan.com/TNSClickrc.CAB
    FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\5fxaocts.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=394&systemid=406&sr=0&q=
    FF - user.js: extensions.funmoods_i.hmpg - true
    FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg
    FF - user.js: extensions.funmoods_i.dfltSrch - true
    FF - user.js: extensions.funmoods_i.srchPrvdr - Search
    FF - user.js: extensions.funmoods_i.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - true
    FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg
    FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=adknlg&q=
    FF - user.js: extensions.funmoods_i.id - 44fb89f900000000000000044b01869e
    FF - user.js: extensions.funmoods_i.instlDay - 15403
    FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16
    FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1619:16
    FF - user.js: extensions.funmoods_i.prtnrId - funmoods
    FF - user.js: extensions.funmoods_i.prdct - funmoods
    FF - user.js: extensions.funmoods_i.aflt - adknlg
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods_i.tlbrId - base
    FF - user.js: extensions.funmoods_i.instlRef -
    FF - user.js: extensions.funmoods_i.dfltLng -
    FF - user.js: extensions.funmoods_i.excTlbr - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-14 10:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(752)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\winxp\system32\WININET.dll
    c:\winxp\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(808)
    c:\winxp\system32\nvappfilter.dll
    .
    - - - - - - - > 'explorer.exe'(3688)
    c:\winxp\system32\WININET.dll
    c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\winxp\system32\ieframe.dll
    c:\winxp\system32\webcheck.dll
    c:\winxp\system32\wpdshserviceobj.dll
    c:\winxp\system32\portabledevicetypes.dll
    c:\winxp\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\winxp\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\winxp\system32\Ati2evxx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    c:\winxp\RTHDCPL.EXE
    c:\progra~1\SEARCH~1\Datamngr\DATAMN~1.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\winxp\system32\wscntfy.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-14 10:57:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-14 09:57
    ComboFix2.txt 2011-12-12 11:19
    ComboFix3.txt 2011-12-08 12:52
    .
    Pre-Run: 63,525,781,504 bytes free
    Post-Run: 63,524,225,024 bytes free
    .
    - - End Of File - - 858920AC9868699576E7229A5F238715

    ========================================================
    ========================================================


    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2012/06/14 11:27
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Hidden/Locked Files
    -------------------
    Path: c:\documents and settings\home\local settings\temp\etilqs_dcmohbuv51avuzt
    Status: Allocation size mismatch (API: 4096, Raw: 0)

    Path: c:\documents and settings\home\local settings\temp\etilqs_eyszmtvpmkggnuc
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: c:\documents and settings\home\local settings\temp\etilqs_sdfvvgiq4xhmakl
    Status: Allocation size mismatch (API: 8192, Raw: 0)

    Path: c:\documents and settings\home\local settings\temp\etilqs_tqvn8cvfbcagxcr
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    =======================================================
    =======================================================


    MGlogs attached to post.
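The ComboFix "Supplementary Scan" block above is the part of the log where a browser hijack shows itself: the per-user start page and the Firefox homepage point at searchnu.com, keyword.URL at search-results.com, a user.js file carries extensions.funmoods_i.* overrides for homepage, new tab and default search, and the firewall exception list includes the Searchqu Toolbar's Datamngr component. As an added example (it is not part of this thread, of ComboFix or of the MajorGeeks tools), here is a small Python triage script that pulls those entry types out of a ComboFix-style log excerpt and flags hosts outside an allowlist; the sample lines are constructed from the entry types seen above, and the allowlist of expected domains and the list of suspicious path words are assumptions to adjust per case.

```python
"""Triage ComboFix-style log excerpts for browser-hijack footprints.

Added example for this thread; it is not part of ComboFix, MajorGeeks' tools or
the poster's logs. The sample lines are constructed from the kinds of entries
seen in the log above, and the allowlist of expected domains is an assumption.
"""
import re
from urllib.parse import urlparse

# Expected default hosts for a start page / search engine (assumption; adjust per site).
ALLOWED_DOMAINS = {"www.google.com", "google.com", "www.bing.com", "www.mozilla.org"}

# Words in a firewall-exception path that merit a second look (names taken from the log above).
SUSPICIOUS_PATH_WORDS = ("toolbar", "datamngr", "searchqu", "ilivid", "funmoods")

# ComboFix conventions: u = per-user, m = machine-wide start page; Firefox prefs
# are listed as "FF - prefs.js: <key> - <value>"; firewall exceptions as "<path>"=.
START_PAGE_RE = re.compile(r"^([um]Start Page)\s*=\s*(\S+)")
FF_PREF_RE = re.compile(r"^FF - (prefs|user)\.js: (\S+) -\s*(.*)$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def domain_of(url: str):
    """Hostname of a (possibly defanged) URL, or None if it is not a URL."""
    return urlparse(refang(url)).hostname


def triage(log_text: str, allowed_domains=ALLOWED_DOMAINS):
    """Return (kind, key, detail) tuples for lines worth a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = START_PAGE_RE.match(line)
        if m:
            host = domain_of(m.group(2))
            if host and host not in allowed_domains:
                findings.append(("start_page", m.group(1), host))
            continue

        m = FF_PREF_RE.match(line)
        if m:
            src, key, value = m.groups()
            host = domain_of(value) if value.lower().startswith("hxxp") else None
            if src == "user" and key.startswith("extensions."):
                # Firefox itself never writes user.js; extension-named overrides for
                # homepage, new tab and default search there are a classic hijack footprint.
                findings.append(("firefox_user_js", key, host or value))
            elif host and host not in allowed_domains:
                findings.append(("firefox_prefs_js", key, host))
            continue

        m = FW_APP_RE.match(line)
        if m:
            path = m.group("path").replace("\\\\", "\\")  # registry export doubles backslashes
            if any(word in path.lower() for word in SUSPICIOUS_PATH_WORDS):
                findings.append(("firewall_exception", path, ""))
    return findings


# Constructed sample mirroring the entry types in the log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Searchqu Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com/406
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - prefs.js: browser.startup.homepage - hxxp://www.searchnu.com/406
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=394&systemid=406&sr=0&q=
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.excTlbr - false
"""

if __name__ == "__main__":
    for kind, key, detail in triage(SAMPLE_LOG):
        print(f"{kind:20s} {key}  {detail}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; every finding is a line to cross-check against the "Other Running Processes" and firewall sections, and a clean log should yield an empty list once the allowlist reflects the machine's intended defaults.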
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. NOTE: In the future, attach all your logs, do not cut and paste them into your post.

    What issues are you still having, if any?
     
  3. squid_liquor

    squid_liquor Private E-2

    Doesn't appear that we are having any now. Initial problem was browser hijack and several toolbars installing themselves, combined with quick search showing iLivid as something you don't want about. Did all the standard stuff.. if it's fixed it then great.. thanks for letting us know.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and delete:
    C:\Documents and Settings\Home\Local Settings\Application Data\Ilivid Player

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
