Computer Hope

Title: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:09:13 AM
Hello All,

I've got this new Alureon.H rootkit virus which infected atapi earlier and is now infecting TermDD even after I repaired my Windows XP installation. I ran SystemLook.exe and here is the output:

I ran Malwarebytes', but it does not find any virus, while my Microsoft Forefront Security does.

Please help
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:11:20 AM
I ran SystemLook.exe and DDS. Here is the output:

SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 04:49 on 25/05/2010 by iraval (Administrator - Elevation successful)

========== filefind ==========

Searching for "*termdd.sys"
C:\WINDOWS\system32\drivers\termdd.sys   --a--- 40840 bytes   [20:46 27/08/2007]   [12:43 14/04/2008] 1AD549DB9D8F305DBFBC9387017405FE

-=End Of File=-
Title: Re: Alureon.H rootkit virus TermDD
Post by: Allan on May 25, 2010, 06:12:19 AM
http://www.computerhope.com/forum/index.php/topic,46313.0.html
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:29:35 AM
Thanks for quick reply!

At present, SUPERAntiSpyware is scanning my machine. I will keep you posted.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:35:51 AM
DDS (Ver_09-09-29.01) - NTFSx86 
Run by iraval at  4:51:16.93 on Tue 05/25/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1094 [GMT -7:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated)   {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\avs\bin\avagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Session ShortCuts\ssc.exe
C:\Program Files\PicPick\picpick.exe
C:\Documents and Settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\avs\bin\avscc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\BSEMktWatch\BSE Mkt Watch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\BSEMktWatch\Gadgetworker.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\PROGRA~1\Webshots\315~1.761\Webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\iraval\Desktop\SystemLook.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\iraval\Desktop\dds.com
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:37:35 AM
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iraval\applic~1\mozilla\firefox\profiles\ggy72g16.default\
FF - plugin: c:\documents and settings\iraval\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\iraval\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\iraval\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpKsl4e9afcf2;MpKsl4e9afcf2;c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl4e9afcf2.sys [2010-5-25 28752]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-6-29 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-18 93872]
R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-8-28 19328]
R2 avbackup;Backup Agent;c:\program files\avs\bin\avagent.exe [2009-6-23 4576536]
R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2mgmtsvc.exe [2007-7-23 35616]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-9-29 13088]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-7-10 1242432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2008-4-14 5120]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2007-8-28 218368]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-20 38224]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\mpksl6bf6c1a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl6bf6c1a0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2sec.exe [2007-7-23 14112]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\bin\ONRSD80.EXE [2010-1-28 101136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

=============== Created Last 30 ================

2010-05-25 04:25   <DIR>   --d-----   c:\windows\ms
2010-05-25 04:15   28,288   ac------   c:\windows\system32\dllcache\xjis.nls
2010-05-25 04:13   92,416   ac------   c:\windows\system32\dllcache\mga.sys
2010-05-25 04:12   187,938   ac------   c:\windows\system32\dllcache\c_20005.nls
2010-05-25 04:10   488   a---hr--   c:\windows\system32\logonui.exe.manifest
2010-05-25 04:10   749   a---hr--   c:\windows\WindowsShell.Manifest
2010-05-25 04:10   749   a---hr--   c:\windows\system32\wuaucpl.cpl.manifest
2010-05-25 04:10   749   a---hr--   c:\windows\system32\sapi.cpl.manifest
2010-05-25 04:10   749   a---hr--   c:\windows\system32\nwc.cpl.manifest
2010-05-25 04:10   749   a---hr--   c:\windows\system32\ncpa.cpl.manifest
2010-05-25 04:10   16,384   ac------   c:\windows\system32\dllcache\isignup.exe
2010-05-25 01:12   13,312   ac------   c:\windows\system32\dllcache\irclass.dll
2010-05-25 01:12   13,312   a-------   c:\windows\system32\irclass.dll
2010-05-25 01:12   24,661   ac------   c:\windows\system32\dllcache\spxcoins.dll
2010-05-25 01:12   24,661   a-------   c:\windows\system32\spxcoins.dll
2010-05-24 23:05   <DIR>   --d-----   c:\program files\ESET
2010-05-24 22:40   0   a-------   c:\windows\system32\SBRC.dat
2010-05-18 08:02   27,944   a-------   c:\windows\system32\sbbd.exe
2010-05-18 08:02   93,872   a-------   c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 08:02   <DIR>   --d-----   C:\VIPRERESCUE
2010-05-16 00:35   1,837   a-------   C:\expstat.sql
2010-05-05 21:12   <DIR>   --d-----   c:\program files\iPod
2010-05-05 21:11   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-05 21:11   <DIR>   --d-----   c:\program files\iTunes
2010-05-05 20:56   <DIR>   --d-----   c:\program files\Bonjour
2010-05-02 10:52   16,535   a----r--   c:\windows\SET90.tmp
2010-05-02 10:52   1,088,840   a----r--   c:\windows\SET84.tmp
2010-05-02 10:52   1,296,669   a----r--   c:\windows\SET81.tmp
2010-05-02 08:38   16,535   a----r--   c:\windows\SET8F.tmp
2010-05-02 08:38   1,088,840   a----r--   c:\windows\SET83.tmp
2010-05-02 08:38   1,296,669   a----r--   c:\windows\SET80.tmp
2010-05-02 07:41   16,535   a----r--   c:\windows\SETE5.tmp
2010-05-02 07:41   1,088,840   a----r--   c:\windows\SETD9.tmp
2010-05-02 07:41   1,296,669   a----r--   c:\windows\SETD6.tmp
2010-05-02 03:40   2,145,386,496   a-------   c:\windows\MEMORY.DMP
2010-05-02 02:05   <DIR>   --d-----   C:\WINXP
2010-05-01 22:42   <DIR>   --d-----   c:\program files\SiteAdvisor
2010-05-01 17:58   <DIR>   --d-----   c:\windows\system32\wbem\Repository
2010-04-28 14:10   73,728   a-------   c:\windows\system32\javacpl.cpl

==================== Find3M  ====================

2010-05-25 04:09   24,908   a-------   c:\windows\system32\emptyregdb.dat
2010-05-25 01:20   95,194   a-------   c:\windows\system32\nvModes.dat
2010-05-06 10:36   221,568   --------   c:\windows\system32\MpSigStub.exe
2010-04-29 15:39   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 15:39   20,952   a-------   c:\windows\system32\drivers\mbam.sys
2010-04-16 08:33   3,003,680   a-------   c:\windows\system32\usbaaplrc.dll
2010-04-16 08:33   41,472   a-------   c:\windows\system32\drivers\usbaapl.sys
2010-04-08 13:20   107,808   a-------   c:\windows\system32\dns-sd.exe
2010-04-08 13:20   91,424   a-------   c:\windows\system32\dnssd.dll

============= FINISH:  4:53:34.82 ===============
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 06:40:54 AM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/25/2010 4:15:16 AM
System Uptime: 5/25/2010 4:17:32 AM (0 hours ago)

Motherboard: Dell Inc. |  |       
Processor: Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz | Microprocessor | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 12.484 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/25/2010 4:32:12 AM - System Checkpoint
RP2: 5/25/2010 4:43:20 AM - Microsoft Forefront Client Security Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7-Zip 9.07 beta
AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
AIM 7
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Global Network Client Internet Edition
AutoUpdate
Backup for Windows
biolsp patch
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Gigabit Integrated Controller
Broadcom TPM Driver Installer
BSE Mkt Watch 1.0.0.9
CCleaner
ClearType Tuning Control Panel Applet
CmdHere Powertoy For Windows XP
Codesite client tools
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Embassy Trust Suite by Wave Systems
Dell Touchpad
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
Document Manager Lite
Download Updater (AOL LLC)
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
ESC Home Page Plugin
ESET Online Scanner v3
ETS Upgrade
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Google Earth Plug-in
Google Talk (remove only)
Google Talk Plugin
Google Update Helper
Google Updater
GoToMeeting 4.5.0.452
GPL MPEG-1/2 DirectShow Decoder Filter
H.264 Decoder
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICE.TCP 4.3.1 for Windows 95
Image Resizer Powertoy for Windows XP
Intel(R) PROSet/Wireless Software
IntelliSonic Speech Enhancement
iSEEK AnswerWorks English Runtime
iTunes
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Juniper Networks Host Checker
Juniper Networks Network Connect 6.4.0
Juniper Networks Network Connect 6.5.0
Juniper Networks Setup Client
Knowledge Xpert
Knowledge Xpert for Oracle Administration
Knowledge Xpert for PLSQL
Knowledge Xpert Oracle Common
Logitech QuickCam
Magic ISO Maker v5.5 (build 0276)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Forefront Client Security Antimalware Service
Microsoft Forefront Client Security State Assessment Service
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2007 R2
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2005
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Viewer 2007
Microsoft Office Web Components
Microsoft Office Word MUI (English) 2007
Microsoft Operations Manager 2005 Agent
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual SourceSafe 6.0
mIWA
MKV Splitter
mLogView
mMHouse
Mouse Gestures for Internet Explorer (x86)
Mozilla Firefox (3.5.9)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
Notepad++
NTRU TCG Software Stack
NVIDIA Drivers
O2Micro USB Smart Card Reader
OGA Notifier 2.0.0048.0
Oracle Data Provider for .NET Help
OZ776 SCR Driver V1.1.3.9
PDFCreator
Picasa 3
PicPick
PowerDVD
Preboot Manager
Private Information Manager
PuTTY Connection Manager 0.7.1.136beta
PuTTY version 0.60
Quest Installer
Quest PuTTY 0.60_q1.129
Quest Software Toad for Data Analysts 2.1
Quest SQL Optimizer 7.4.1 for Oracle
Quest SQL Optimizer for Oracle Common
Quest SQL Tuning for Oracle
QuickSet
QuickTime
Radmin Server 3.0
RedMon - Redirection Port Monitor
Secure Update
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Wizards
Session ShortCuts 1.0.1
SigmaTel Audio
SMS Advanced Client
Spelling Dictionaries Support For Adobe Reader 8
SSRPM User Client Software
Toad for Oracle
Toolbox
tsp patch
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wmiiper
TurboTax 2009 wrapper
Tweak UI
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981726)
upekmsi
VC80CRTRedist - 8.0.50727.4053
ViewMail for Outlook 4.2(2)
VirtuaWin v4.1
VLC media player 1.0.5
Vuze
Wave Infrastructure Installer
Wave Support Software
WebEx
WebFldrs XP
Webshots Desktop
Windows Driver Package - Dell Inc. PBADRV System  (09/25/2006 6.0.0.0)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
Windows Driver Package - O2Micro (guardian2) SmartCardReader  (02/05/2007 1.1.3.7)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Support Tools
WinSCP 4.2.7
XML Paper Specification Shared Components Pack 1.0
Yahoo! BrowserPlus
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

5/25/2010 4:43:21 AM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {24C76FF8-61D7-4676-8CD4-A4B4CB494E96}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->TermDD    Action: Clean    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
5/25/2010 4:17:02 AM, error: Setup [60055]  - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
5/25/2010 4:11:25 AM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
5/25/2010 1:19:46 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
5/25/2010 1:19:46 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/25/2010 1:19:26 AM, error: SCardSvr [616]  - Reader monitor 'O2Micro CCID SC Reader 0' received uncaught error code:  The device does not recognize the command.
5/25/2010 1:19:26 AM, error: SCardSvr [612]  - Reader insertion monitor error retry threshold reached:  The device does not recognize the command.
5/25/2010 1:10:56 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/25/2010 1:10:56 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
5/24/2010 9:19:22 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.22 for the Network Card with network address 00FF98BC358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
5/24/2010 10:36:40 PM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {A3ECBBA0-C52C-44DC-B153-3D339689E25A}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->atapi    Action: Remove    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
5/23/2010 5:56:56 PM, error: Dhcp [1002]  - The IP address lease 10.0.62.96 for the Network Card with network address 00FF90B2338A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
5/22/2010 7:59:30 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
5/22/2010 7:59:09 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
5/21/2010 8:02:04 PM, error: NETLOGON [5719]  - No Domain Controller is available for domain CRICKET due to the following:  There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
5/21/2010 10:31:36 AM, error: Dhcp [1002]  - The IP address lease 10.0.60.88 for the Network Card with network address 00FF20EA348A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
5/20/2010 9:16:32 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FFA827358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
5/19/2010 9:46:25 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FF30753B8A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
5/18/2010 9:51:57 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.78 for the Network Card with network address 00FF985C478A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
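The FCSAM 1008 entries above record what Forefront found (Virus:Win32/Alureon.H, reported against the TermDD and atapi drivers) and that its Clean and Remove actions failed with error 0x80508026; a responder reading such a DDS dump usually wants those fields pulled out and matched to the file SystemLook reported, so the driver's MD5 can be compared with a known-good copy. The Python below does that for the lines posted in this thread. It is an added example, not part of the forum post, DDS or SystemLook; the field layout (fields separated by runs of two or more spaces) is inferred from these log lines, and SystemLook's two timestamps are assumed to be created then modified.

```python
"""Pull the structured fields out of the Forefront (FCSAM event 1008) lines in a
DDS 'Event Viewer Messages' section and pair each named driver with the
SystemLook 'filefind' result for it.  Added example; not part of the forum
post, DDS or SystemLook.  Field layout inferred from the lines in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the thread's logs.  The long explanatory text in the FCSAM
# entries is abridged with "..."; the structured fields are verbatim.
FCSAM_LINES = [
    r"5/25/2010 4:43:21 AM, error: FCSAM [1008]  - Microsoft Forefront Client "
    r"Security has encountered an error when taking action on spyware ..."
    r"    Scan ID: {24C76FF8-61D7-4676-8CD4-A4B4CB494E96}      Scan Type: AntiMalware"
    r"    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576"
    r"    Severity: Severe    Category: Virus    Path: rootkit:Alureon->TermDD"
    r"    Action: Clean    Error Code: 0x80508026    Error description: ...",
    r"5/24/2010 10:36:40 PM, error: FCSAM [1008]  - Microsoft Forefront Client "
    r"Security has encountered an error when taking action on spyware ..."
    r"    Scan ID: {A3ECBBA0-C52C-44DC-B153-3D339689E25A}      Scan Type: AntiMalware"
    r"    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576"
    r"    Severity: Severe    Category: Virus    Path: rootkit:Alureon->atapi"
    r"    Action: Remove    Error Code: 0x80508026    Error description: ...",
]
SYSTEMLOOK_LINE = (r"C:\WINDOWS\system32\drivers\termdd.sys   --a--- 40840 bytes"
                   r"   [20:46 27/08/2007]   [12:43 14/04/2008] "
                   r"1AD549DB9D8F305DBFBC9387017405FE")

@dataclass
class FcsamEvent:
    timestamp: str
    threat_name: str
    threat_id: int
    severity: str
    path: str                        # e.g. "rootkit:Alureon->TermDD"
    infected_object: Optional[str]   # text after "->", e.g. "TermDD"
    action: str
    error_code: int                  # non-zero: the action failed

    @property
    def is_rootkit(self) -> bool:
        return self.path.lower().startswith("rootkit:")

@dataclass
class FileRecord:
    path: str
    attributes: str
    size: int
    timestamps: List[str]   # SystemLook prints two; assumed created, modified
    md5: str

    @property
    def stem(self) -> str:  # "termdd" for C:\...\termdd.sys
        return self.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

HEADER_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
                       r"(?P<level>\w+): (?P<source>\S+) \[(?P<event_id>\d+)\]$")
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$")

def parse_fcsam_event(line: str) -> Optional[FcsamEvent]:
    """Parse one DDS event line; returns None unless it is an FCSAM 1008 entry."""
    fields = re.split(r"\s{2,}", line.strip())   # fields are 2+ spaces apart
    m = HEADER_RE.match(fields[0])
    if not m or m["source"] != "FCSAM" or m["event_id"] != "1008":
        return None
    kv: Dict[str, str] = {}
    for token in fields[1:]:
        key, sep, value = token.partition(": ")  # "Name: Virus:Win32/..." splits once
        if sep:
            kv[key] = value.strip()
    path = kv.get("Path", "")
    return FcsamEvent(
        timestamp=m["ts"], threat_name=kv["Name"], threat_id=int(kv["ID"]),
        severity=kv["Severity"], path=path,
        infected_object=path.split("->", 1)[1] if "->" in path else None,
        action=kv["Action"], error_code=int(kv["Error Code"], 16))

def parse_filefind(line: str) -> Optional[FileRecord]:
    """Parse one SystemLook filefind result line."""
    m = FILEFIND_RE.match(line.strip())
    if not m:
        return None
    return FileRecord(m["path"], m["attrs"], int(m["size"]), [m["ts1"], m["ts2"]], m["md5"])

def triage(events: List[FcsamEvent], files: List[FileRecord]) -> Dict[str, Optional[FileRecord]]:
    """For each unresolved rootkit detection, pair the driver Forefront named with
    the on-disk file SystemLook reported (None if it was not looked up), so the
    responder knows which file's MD5 to compare against a known-good copy."""
    by_stem = {f.stem: f for f in files}
    return {ev.infected_object: by_stem.get(ev.infected_object.lower())
            for ev in events
            if ev.is_rootkit and ev.infected_object and ev.error_code != 0}
```

Running `triage` on the two FCSAM lines and the SystemLook line pairs TermDD with `C:\WINDOWS\system32\drivers\termdd.sys` (MD5 1AD549DB9D8F305DBFBC9387017405FE) and leaves atapi unpaired, since SystemLook was only run for termdd.sys.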
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 09:19:57 AM
Well, as a last resort, I repaired my Windows XP installation, but the TermDD rootkit virus still remains.

Any help?
Title: Re: Alureon.H rootkit virus TermDD
Post by: Allan on May 25, 2010, 09:43:58 AM
A repair will not eliminate viruses. Either do a full format and reinstall or wait for one of CH's malware specialists to check your logs.
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 25, 2010, 10:17:58 AM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

First of all, you only have 12 GiB of free space on your HD. You should have 15%. Soon your computer will start having operating problems including crashes. You need to free up some more space.

============================
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked
* Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

To retrieve the removal information please do the following:
* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (preferably Notepad).
* Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post.

======================================

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).

Double Click mbam-setup.exe to install the application.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

======================================

Download ComboFix by sUBs from one of the below links. 

Important! You MUST save ComboFix to your desktop

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 12:22:28 PM
Hi SuperDave!

Thanks a lot for your help!

I am sorry for being a bit impatient in this case and not replying to your email quickly.

I did not have access to any other computer than the infected one and I did not want to connect that to the Internet.

It seems like the issue is fixed, but please verify the logs that I am going to upload and advise. Yes, I used ComboFix, but I was already running it before you updated this, so I did not cancel it.

1. I downloaded Anti Trojan Elite (Free) and it did find the virus. However, the free version of the software does not allow you to kill those viruses. So no help!

2. As already mentioned by Allan, I downloaded SUPERAntiSpyware Free edition, which found and cleaned a few cookies. I did not think they were malicious, but I deleted them anyway.

3. My Microsoft Forefront Client Security still complained about the TermDD rootkit virus in the quick scan itself; as you can see from the logs, it was simply unable to remove it. I visited safety.live.com and did a quick scan. OneCare also found an issue and was unable to remove it.

4. I downloaded ComboFix and decided to use it regardless of side effects. I simply ran it and it did find rootkit activity. After the reboot, it did some clean-up (it fixed atapi.sys and a few other files which I think were infected before I repaired the installation).

Excerpt of Combofix.txt

Other Delections
----------------
c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\AutoRun.inf
c:\windows\system32\VB40032.DLL



5. Microsoft Forefront still complained about the TermDD rootkit virus. From a similar forum thread on bleepingcomputer.com on the Alureon.H threat, I created a CFScript.txt

TDL::
C:\WINDOWS\system32\drivers\termdd.sys

and ran ComboFix again with this script.

6. Again ComboFix found rootkit activity and forced a reboot. After the reboot, while it was fixing the issue, it crashed with a memory dump and blue screen.

7. I rebooted my machine and scanned again. Well, not so easy :(.. No luck this time. I just re-ran ComboFix (without CFScript.txt) and I think it ran well except for a few memory 'cannot be read' errors.

9. I checked the ComboFix log, and it seems that it fixed the rootkit! I did a quick scan again with Forefront and it did not complain this time.

Excerpt of Combofix.txt

Other Delections
----------------
Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty ate it :p




10. At the moment, a full scan is being performed to find out about more issues.

What do you suggest if the full scan does not find any issue?

Thanks a lot once again!

Ishan

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 12:27:27 PM
Hi Admin,

Please remove username/domain information from log that I posted earlier as I am unable to do it now.

thanks for your help.
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 25, 2010, 01:31:21 PM
I specifically asked you not to do this. If you want my help, you will have to follow instructions.

Quote
4. Please DO NOT run any other tools or scans while I am helping you.

Quote
5. Microsoft Forefront still complained about TermDD rootkit virus. From a similar forum on bleepingcomputer.com on Alureon.H threat, I created a CFScript.txt
TDL::
C:\WINDOWS\system32\drivers\termdd.sys
There is no TDL:: syntax in ComboFix. Please do not run anything until I ask you to do so!

I still haven't seen any complete logs which I will need.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 25, 2010, 03:09:41 PM
I specifically asked you not to do this. If you want my help, you will have to follow instructions.
There is no TDL:: syntax in ComboFix. Please do not run anything until I ask you to do so!

I am sorry, but by the time you updated this thread I had already executed ComboFix.

I still haven't seen any complete logs which I will need.

What logs shall I upload now?
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 25, 2010, 05:50:29 PM
I will need to see the SAS, MBAM and ComboFix logs, in this order.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 26, 2010, 12:09:44 AM
Attached all reports.

[recovering disk space - old attachment deleted by admin]
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 26, 2010, 12:10:55 AM
2nd and last run of Combofix.

[recovering disk space - old attachment deleted by admin]
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 26, 2010, 08:28:44 AM
Help please?
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 26, 2010, 01:43:43 PM
Download GMER Rootkit Detector (http://majorgeeks.com/GMER_d5198.html) and save it to your desktop.
 
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 26, 2010, 04:29:38 PM
I downloaded GMER and extracted the zip on the desktop. When I tried to run it, Windows hung. I rebooted the machine, tried again with a minimum of apps open and it still hung. This is even before I start scanning.
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 26, 2010, 06:12:30 PM
Ok Please try this one.

Please download RootRepeal from GooglePages.com (http://rootrepeal.googlepages.com/RootRepeal.zip). Please remove any e-mail address in the RootRepeal report (if present).

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 27, 2010, 01:46:12 AM
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/05/26 23:26
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7952000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE26000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB42D8000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBAC98000   Size: 24576   File Visible: No   Signed: -
Status: -

Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xB7ACD000   Size: 139264   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\microsoft operations manager\momservice(b).mc8
Status: Size mismatch (API: 71745, Raw: 68535)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000gg.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000002s.msg
Status: Allocation size mismatch (API: 61440, Raw: 57344)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\000001cs.msg
Status: Allocation size mismatch (API: 32768, Raw: 20480)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_mp_hinvendpoint\0000002b.msg
Status: Allocation size mismatch (API: 65536, Raw: 61440)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_statusreceiver\00000032.msg
Status: Allocation size mismatch (API: 90112, Raw: 73728)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_locationmanager\0000006w.msg
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\000001cc.msg
Status: Allocation size mismatch (API: 73728, Raw: 57344)

Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620

Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: MsMpEng.exe (PID: 1944)   Address: 0xe4636818   Size: -

Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1984)   Address: 0xe233b818   Size: -

Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 1984)   Address: 0xe2e36020   Size: -

Object: Hidden Handle [Index: 6148, Type: UnknownType]
Process: svchost.exe (PID: 1984)   Address: 0xe5037020   Size: -

Object: Hidden Handle [Index: 8196, Type: UnknownType]
Process: svchost.exe (PID: 1984)   Address: 0xe4fe5020   Size: -

==EOF==
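The RootRepeal report above mixes entries a responder should verify by hand (files whose API-reported size differs from the raw on-disk size, drivers with no visible file, an SSDT hook) with entries that are expected on a host running a security product. The following script is an added example, not part of this thread or of the RootRepeal tool: it parses the report format shown above (a trimmed, constructed copy of it is embedded as sample input) and ranks the entries, treating hooks and hidden drivers from a caller-supplied trusted path as informational. The `Finding` class, the `trusted_modules` parameter and the `triage` and `parse_report` names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the RootRepeal report format posted above.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7952000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xB7ACD000   Size: 139264   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\microsoft operations manager\momservice(b).mc8
Status: Size mismatch (API: 71745, Raw: 68535)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_locationmanager\0000006w.msg
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620

==EOF==
"""

# "Key: value" fields; several may share one line, separated by runs of spaces.
_FIELD = re.compile(r"([#A-Za-z][\w ]*?): (.*?)(?=\s{3,}|$)")
_MISMATCH = re.compile(r"(Allocation size mismatch|Size mismatch) \(API: (\d+), Raw: (\d+)\)")
_HOOK = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


@dataclass
class Finding:
    section: str   # report section the entry came from
    subject: str   # file path, driver name or hooked syscall
    note: str      # what was observed
    priority: str  # "review": an analyst must verify it; "info": expected on this host


def parse_report(text):
    """Return {section: [entry, ...]}; a section is a title line over a dashed underline,
    entries within it are separated by blank lines, and an entry is a dict of its fields."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    title_at = {i - 1 for i, ln in enumerate(lines) if ln.startswith("---") and i > 0}
    sections, current, entry = {}, None, {}

    def flush():
        if current is not None and entry:
            sections[current].append(dict(entry))
        entry.clear()

    for i, line in enumerate(lines):
        if i in title_at:
            flush()
            current = line.strip()
            sections[current] = []
        elif not line.strip():
            flush()
        elif current is not None and not line.startswith(("---", "==")):
            entry.update(_FIELD.findall(line))
    flush()
    return sections


def triage(text, trusted_modules=()):
    """Rank entries; trusted_modules are path substrings (e.g. a security product's
    install directory) whose hooks and hidden drivers are already accounted for."""
    def trusted(path):
        return any(t.lower() in path.lower() for t in trusted_modules)

    secs, out = parse_report(text), []
    for r in secs.get("Drivers", []):
        if r.get("File Visible") == "No":
            name, path = r.get("Name", "?"), r.get("Image Path", "")
            # crash-dump stubs (dump_*.sys) are memory-only copies and never have a visible file
            ok = name.lower().startswith("dump_") or trusted(path)
            out.append(Finding("Drivers", name, f"no file visible for {path}", "info" if ok else "review"))
    for r in secs.get("Hidden/Locked Files", []):
        m = _MISMATCH.search(r.get("Status", ""))
        if m:  # API and raw NTFS views disagree: the file is in flux or something in the I/O path filters it
            kind, api, raw = m.group(1), int(m.group(2)), int(m.group(3))
            out.append(Finding("Hidden/Locked Files", r.get("Path", "?"),
                               f"{kind}: API {api} vs raw {raw} (delta {api - raw})", "review"))
    for r in secs.get("SSDT", []):
        m = _HOOK.search(r.get("Status", ""))
        if m:
            module, addr = m.groups()
            out.append(Finding("SSDT", r.get("Function Name", "?"), f"hooked by {module} at {addr}",
                               "info" if trusted(module) else "review"))
    return out
```

Passing the security product's install directory as a trusted module drops its SSDT hook and its hidden driver from the review list, while the two size mismatches on the MOM and CCM queue files stay on it: a queue file that is being written will also show a mismatch, so the check is a prompt to hash the file from offline media and compare, not a verdict.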
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 27, 2010, 01:47:07 AM
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 27, 2010, 09:44:48 AM
Please follow these instructions carefully.

Please download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst_mebroot_fix.exe)

•Double click to run the tool.

•When complete, run mbr -f then reboot.

•After reboot, provide the mbr log.

==============================

Download this << file >> (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this: (http://i266.photobucket.com/albums/ii277/sUBs_/bat_icon.gif)
Double click on fix.bat & allow it to run

Post back to tell me what it says
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 27, 2010, 07:20:52 PM

Please download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst_mebroot_fix.exe)

I cannot download this. There's no such download available.

Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 27, 2010, 07:55:52 PM
Sorry about that. I fixed the link.

Please download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe)
•Double click to run the tool.

•When complete, run mbr -f then reboot.

•After reboot, provide the mbr log.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 27, 2010, 11:24:05 PM
Here is the MBR log that I found in C:\

C:\Ishan\Virus_Fix\HelpAsst_mebroot_fix.exe
Thu 05/27/2010 at 22:11:41.85

HelpAssistant account Inactive

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

 ~~ Checking firewall ports ~~

  backing up DomainProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"6763:TCP"=-
"6764:TCP"=-
"3389:TCP"=-

  backing up StandardProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"6763:TCP"=-
"6764:TCP"=-
"3389:TCP"=-

 ~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1737608194-1000615609-2549537844-1005
 ~ No profile directory exists for S-1-5-21-1737608194-1000615609-2549537844-1005 ~

 ~ All HelpAssistant profiles removed from registry ~

 ~~ Checking mbr ~~

user & kernel MBR OK
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 27, 2010, 11:29:17 PM
TDSSKiller report:

22:28:52:531 5048   TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
22:28:52:531 5048   ================================================================================
22:28:52:531 5048   SystemInfo:

22:28:52:531 5048   OS Version: 5.1.2600 ServicePack: 3.0
22:28:52:531 5048   Product type: Workstation
22:28:52:531 5048   ComputerName: SAN
22:28:52:531 5048   UserName: iraval
22:28:52:531 5048   Windows directory: C:\WINDOWS
22:28:52:531 5048   Processor architecture: Intel x86
22:28:52:531 5048   Number of processors: 2
22:28:52:531 5048   Page size: 0x1000
22:28:52:531 5048   Boot type: Normal boot
22:28:52:531 5048   ================================================================================
22:28:52:796 5048   Initialize success
22:28:52:796 5048   
22:28:52:796 5048   Scanning   Services ...
22:28:53:156 5048   Raw services enum returned 426 services
22:28:53:203 5048   
22:28:53:203 5048   Scanning   Drivers ...
22:28:53:828 5048   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:28:53:859 5048   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:28:53:921 5048   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:28:53:953 5048   AegisP          (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:28:54:031 5048   AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
22:28:54:125 5048   ApfiltrService  (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
22:28:54:156 5048   APPDRV          (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
22:28:54:187 5048   Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:28:54:250 5048   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:28:54:281 5048   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:28:54:343 5048   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:28:54:390 5048   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:28:54:406 5048   Avgfwdx         (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
22:28:54:421 5048   Avgfwfd         (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
22:28:54:484 5048   b57w2k          (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
22:28:54:500 5048   BCMTPM          (09a41ba9dc48f2f52ade4a42fe945d98) C:\WINDOWS\system32\DRIVERS\btpmw32.sys
22:28:54:562 5048   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:28:54:578 5048   BthEnum         (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
22:28:54:609 5048   BthPan          (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
22:28:54:703 5048   BTHPORT         (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
22:28:54:750 5048   BTHUSB          (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
22:28:54:906 5048   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:28:54:968 5048   CCDECODE        (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:28:55:015 5048   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:28:55:046 5048   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:28:55:093 5048   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:28:55:125 5048   CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:28:55:156 5048   Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:28:55:203 5048   CSRBC           (8e1945984e147562f9f08e1d344a69cc) C:\WINDOWS\system32\Drivers\csrbcxp.sys
22:28:55:265 5048   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:28:55:437 5048   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:28:55:734 5048   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:28:55:984 5048   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:28:56:125 5048   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:28:56:312 5048   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:28:56:406 5048   dsNcAdpt        (b2c3f71b86e25c3df78339ddb40a7562) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
22:28:56:515 5048   DXEC01          (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys
22:28:56:734 5048   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:28:56:968 5048   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:28:57:062 5048   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:28:57:140 5048   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:28:57:250 5048   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:28:57:421 5048   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:28:57:515 5048   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:28:57:640 5048   GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
22:28:57:812 5048   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:28:57:906 5048   guardian2       (0e1fd1ea2837d6b7a1d7b6c928014d05) C:\WINDOWS\system32\Drivers\oz776.sys
22:28:57:984 5048   HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:28:58:000 5048   HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:28:58:218 5048   HPZid412        (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
22:28:58:375 5048   HPZipr12        (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
22:28:58:531 5048   HPZius12        (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
22:28:58:687 5048   HSFHWAZL        (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
22:28:59:015 5048   HSF_DPV         (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:28:59:281 5048   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:28:59:343 5048   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:28:59:406 5048   iaStor          (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
22:28:59:468 5048   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:28:59:500 5048   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:28:59:531 5048   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:28:59:578 5048   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:28:59:593 5048   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:28:59:625 5048   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:28:59:640 5048   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:28:59:687 5048   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:28:59:750 5048   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:28:59:765 5048   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:28:59:781 5048   kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:28:59:828 5048   klmd23          (0b06b0a25e08df0d536402bce3bde61e) C:\WINDOWS\system32\drivers\klmd.sys
22:28:59:843 5048   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:28:59:875 5048   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:28:59:968 5048   LVcKap          (8113133ec42dd6c566908008ce913edd) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
22:29:00:171 5048   LVMVDrv         (0dd5b8af4917a2821047450195c511b3) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
22:29:00:296 5048   LVPr2Mon        (406b1d186f75b4b4832d6237859e1b00) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
22:29:00:328 5048   mcdbus          (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
22:29:00:421 5048   mdmxsdk         (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:29:00:484 5048   mirrorv3        (d96ea49ab9a9174331bc023fd0cadc18) C:\WINDOWS\system32\DRIVERS\rminiv3.sys
22:29:00:500 5048   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:29:00:531 5048   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:29:00:546 5048   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:29:00:562 5048   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:29:00:593 5048   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:29:00:609 5048   MpFilter        (fbc56c853814eaa196e22edf596a4ebd) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
22:29:00:703 5048   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:29:00:765 5048   MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:29:00:812 5048   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:29:00:843 5048   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:29:00:890 5048   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:29:00:937 5048   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:29:00:953 5048   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:29:01:015 5048   MSTEE           (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:29:01:031 5048   Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:29:01:078 5048   n558            (88705dc61b9275b82e48904d53031f5b) C:\WINDOWS\system32\Drivers\n558.sys
22:29:01:125 5048   NABTSFEC        (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:29:01:171 5048   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:29:01:234 5048   NdisIP          (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:29:01:250 5048   NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:29:01:281 5048   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:29:01:296 5048   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:29:01:328 5048   NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:29:01:343 5048   NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:29:01:375 5048   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:29:01:468 5048   NETw4x32        (b5ab1108b377b5f3d37409fabda01453) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
22:29:01:531 5048   NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:29:01:562 5048   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:29:01:609 5048   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:29:01:656 5048   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:29:01:859 5048   nv              (8129d762cc3e3c5ab9cf2eabc377fb73) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:29:02:031 5048   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:29:02:078 5048   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:29:02:125 5048   ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:29:02:171 5048   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:29:02:187 5048   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:29:02:234 5048   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:29:02:265 5048   PBADRV          (e3e6e724d6a82ab6a2afbcb21180ffce) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
22:29:02:296 5048   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:29:02:312 5048   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:29:02:343 5048   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:29:02:453 5048   PID_0928        (d2d2fa02b722336960eeae0ae7107891) C:\WINDOWS\system32\DRIVERS\LV561AV.SYS
22:29:02:500 5048   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:29:02:531 5048   prepdrvr        (9b322103efe09f5f4a957af62b0387b1) C:\WINDOWS\system32\CCM\prepdrv.sys
22:29:02:578 5048   PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:29:02:609 5048   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:29:02:656 5048   PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:29:02:734 5048   raddrvv3        (06d87871fe0788d3f838f69a03168b7f) c:\WINDOWS\system32\rserver30\raddrvv3.sys
22:29:02:812 5048   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:29:02:843 5048   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:29:02:875 5048   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:29:02:921 5048   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:29:02:937 5048   Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:29:02:984 5048   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:29:03:015 5048   rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:29:03:078 5048   RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:29:03:109 5048   redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:29:03:156 5048   RFCOMM          (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
22:29:03:203 5048   s24trans        (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys
22:29:03:234 5048   SBRE            (e121185abcc7f6f2875843ed3236d245) C:\WINDOWS\system32\drivers\SBREdrv.sys
22:29:03:328 5048   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:29:03:359 5048   serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:29:03:375 5048   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:29:03:437 5048   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
22:29:03:500 5048   SLIP            (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:29:03:531 5048   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:29:03:562 5048   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:29:03:640 5048   Srv             (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
22:29:03:734 5048   STHDA           (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
22:29:03:781 5048   streamip        (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:29:03:828 5048   swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:29:03:843 5048   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:29:03:890 5048   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:29:03:906 5048   Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:29:03:953 5048   TcUsb           (125f5adc14839b4afd31cc581629d2b3) C:\WINDOWS\system32\Drivers\tcusb.sys
22:29:03:968 5048   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:29:04:000 5048   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:29:04:031 5048   TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:29:04:062 5048   tosporte        (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys
22:29:04:125 5048   tosrfbd         (435ac6cc2abed508ac5a495658cbaf0f) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
22:29:04:203 5048   tosrfbnp        (90c8525bc578aaffe87c2d0ed4379e9e) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
22:29:04:250 5048   Tosrfcom        (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\WINDOWS\system32\Drivers\tosrfcom.sys
22:29:04:296 5048   Tosrfhid        (28099a4e52148319afa685d93a2244d0) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
22:29:04:312 5048   tosrfnds        (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
22:29:04:343 5048   Tosrfusb        (6bc529c5eca0c7654943fd6fab21c5fa) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
22:29:04:390 5048   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:29:04:437 5048   Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:29:04:484 5048   USBAAPL         (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
22:29:04:515 5048   usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:29:04:546 5048   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:29:04:562 5048   usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:29:04:609 5048   usbohci         (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
22:29:04:687 5048   usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:29:04:734 5048   usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:29:04:781 5048   usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:29:04:812 5048   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:29:04:843 5048   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:29:04:890 5048   vmm             (817da66b1b889fad1dbf669e0e2f3228) C:\WINDOWS\system32\Drivers\vmm.sys
22:29:04:906 5048   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:29:04:953 5048   VPCNetS2        (2abe8281db609d8bb1bd1b2f93800d5f) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
22:29:04:984 5048   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:29:05:046 5048   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:29:05:109 5048   winachsf        (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:29:05:171 5048   WmiAcpi         (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
22:29:05:187 5048   WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:29:05:250 5048   WSTCODEC        (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:29:05:343 5048   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:29:05:406 5048   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:29:05:437 5048   
22:29:05:437 5048   Completed
22:29:05:437 5048   
22:29:05:437 5048   Results:
22:29:05:437 5048   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
22:29:05:437 5048   File objects infected / cured / cured on reboot:   0 / 0 / 0
22:29:05:437 5048   
22:29:05:437 5048   KLMD(ARK) unloaded successfully
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 28, 2010, 08:39:04 AM
That looks good. Could you please run another scan with ComboFix and send me the log?
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 28, 2010, 11:07:23 PM
ComboFix 10-05-28.02 - iraval 05/28/2010  21:01:52.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1229 [GMT -7:00]
Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://CASANSMS1:80
.
(((((((((((((((((((((((((   Files Created from 2010-04-28 to 2010-05-29  )))))))))))))))))))))))))))))))
.

2010-05-28 05:11 . 2010-05-28 05:11   --------   d-----w-   C:\HelpAsst_backup
2010-05-27 00:14 . 2010-05-27 00:14   503808   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
2010-05-27 00:14 . 2010-05-27 00:14   499712   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
2010-05-27 00:14 . 2010-05-27 00:14   348160   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
2010-05-27 00:13 . 2010-05-27 00:13   61440   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
2010-05-27 00:13 . 2010-05-27 00:13   12800   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
2010-05-20 13:47 . 2010-05-20 13:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
2010-05-06 03:40 . 2010-05-06 03:40   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help
2010-05-02 09:05 . 2010-05-02 09:22   --------   d-----w-   C:\WINXP
2010-05-02 05:42 . 2010-05-03 19:36   --------   d-----w-   c:\program files\SiteAdvisor
2010-05-02 05:42 . 2010-05-03 18:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-05-02 05:37 . 2010-05-03 19:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-05-02 00:58 . 2010-05-02 00:58   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-05-01 20:35 . 2010-05-01 20:35   --------   d-----w-   c:\documents and settings\admin\Local Settings\Application Data\Mozilla
2010-05-01 19:49 . 2010-05-25 15:52   --------   d-----w-   c:\program files\Windows Live Safety Center
2010-05-01 18:45 . 2010-05-01 18:45   --------   d-----w-   c:\documents and settings\admin\Application Data\Malwarebytes
2010-05-01 16:28 . 2010-05-02 01:28   --------   d-----w-   c:\documents and settings\HelpAssistant\Tracing
2010-05-01 16:28 . 2010-05-01 16:28   --------   d-----w-   c:\documents and settings\HelpAssistant\SametimeTranscripts
2010-05-01 16:26 . 2010-05-01 16:26   --------   d-----w-   c:\documents and settings\HelpAssistant\IBM
2010-05-01 16:22 . 2010-05-01 16:22   --------   d-----w-   c:\documents and settings\HelpAssistant\.ssh
2010-05-01 16:21 . 2007-08-27 22:25   --------   d-----w-   c:\documents and settings\HelpAssistant\UserData
2010-05-01 16:21 . 2010-05-02 01:28   --------   d-s---w-   c:\documents and settings\HelpAssistant

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 03:19 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
2010-05-28 22:54 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
2010-05-25 16:54 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-05-25 14:56 . 2010-05-25 14:56   1663   ----a-w-   c:\windows\inf\COMD6.tmp
2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 17:36 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
2010-05-02 18:33 . 2010-05-02 18:33   1663   ----a-w-   c:\windows\inf\COME3.tmp
2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
2010-05-01 19:36 . 2010-01-22 12:58   --------   d-----w-   c:\documents and settings\admin\Application Data\Wave Systems Corp
2010-05-01 18:42 . 2010-01-22 12:58   71776   ----a-w-   c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-26 03:26 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-04-19 21:59 . 2010-04-19 21:59   255472   ----a-w-   c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
2010-04-16 04:15 . 2010-03-28 07:29   894184   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-04-02 05:08 . 2009-11-17 07:18   --------   d-----w-   c:\program files\WinSCP
2010-03-28 02:06 . 2007-08-27 22:09   71776   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-05-25_16.21.23   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-28 16:18 . 2010-05-28 16:18   16384              c:\windows\Temp\Perflib_Perfdata_930.dat
+ 2010-05-28 16:17 . 2010-05-28 16:17   16384              c:\windows\Temp\Perflib_Perfdata_554.dat
+ 2009-08-07 02:24 . 2009-08-07 02:24   44768              c:\windows\system32\wups2.dll
+ 2007-08-27 20:48 . 2009-08-07 03:24   35552              c:\windows\system32\wups.dll
+ 2007-08-27 20:48 . 2009-08-07 02:24   53472              c:\windows\system32\wuauclt.exe
+ 2008-04-14 12:00 . 2008-05-09 10:53   90112              c:\windows\system32\wshext.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   90112              c:\windows\system32\wshext.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   99840              c:\windows\system32\wmpshell.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   37376              c:\windows\system32\wmdmps.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   33792              c:\windows\system32\wmdmlog.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   54272              c:\windows\system32\wdigest.dll
+ 2008-04-14 12:00 . 2010-04-21 13:28   46080              c:\windows\system32\tzchange.exe
+ 2008-04-14 12:00 . 2009-06-12 12:31   80896              c:\windows\system32\tlntsess.exe
+ 2008-04-14 12:00 . 2009-06-12 12:31   76288              c:\windows\system32\telnet.exe
- 2008-04-14 12:00 . 2008-04-14 12:00   75776              c:\windows\system32\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38   75776              c:\windows\system32\strmfilt.dll
+ 2009-08-18 16:08 . 2010-03-17 15:51   82184              c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll
- 2010-05-03 18:19 . 2009-05-26 11:40   17272              c:\windows\system32\spmsg.dll
+ 2010-05-26 15:03 . 2009-05-26 09:01   17272              c:\windows\system32\spmsg.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   56832              c:\windows\system32\secur32.dll
+ 2008-04-14 12:00 . 2009-02-06 10:39   35328              c:\windows\system32\sc.exe
+ 2008-04-14 12:00 . 2009-10-12 13:38   79872              c:\windows\system32\raschap.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   79872              c:\windows\system32\raschap.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\pngfilt.dll
+ 2004-08-04 12:00 . 2010-05-26 20:54   89126              c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2009-10-08 21:56   20480              c:\windows\system32\oleaccrc.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   91648              c:\windows\system32\mtxoci.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   91648              c:\windows\system32\mtxoci.dll
+ 2008-04-14 12:00 . 2008-06-12 14:23   66560              c:\windows\system32\mtxclu.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   66560              c:\windows\system32\mtxclu.dll
+ 2008-04-14 05:42 . 2009-11-27 17:11   17920              c:\windows\system32\msyuv.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   28672              c:\windows\system32\msvidc32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   11264              c:\windows\system32\msrle32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   11264              c:\windows\system32\msrle32.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   27136              c:\windows\system32\mspmsnsv.dll
+ 2008-04-14 12:00 . 2007-08-14 01:01   48128              c:\windows\system32\mshtmler.dll
+ 2008-04-14 12:00 . 2007-08-14 01:32   45568              c:\windows\system32\mshta.exe
- 2007-08-27 20:47 . 2008-04-14 12:00   58880              c:\windows\system32\msdtclog.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   58880              c:\windows\system32\msdtclog.dll
+ 2008-04-14 12:00 . 2008-06-24 16:43   74240              c:\windows\system32\mscms.dll
+ 2008-04-14 12:00 . 2009-09-04 21:03   58880              c:\windows\system32\msasn1.dll
+ 2008-04-14 12:00 . 2007-08-14 01:44   40960              c:\windows\system32\licmgr10.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   11264              c:\windows\system32\LAPRXY.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   27648              c:\windows\system32\jsproxy.dll
+ 2008-04-14 05:41 . 2009-11-27 16:07   48128              c:\windows\system32\iyuv_32.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   92672              c:\windows\system32\inseng.dll
+ 2008-04-14 12:00 . 2007-08-14 01:36   36352              c:\windows\system32\imgutil.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   55296              c:\windows\system32\iesetup.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\iernonce.dll
+ 2008-04-14 12:00 . 2010-03-10 13:18   70656              c:\windows\system32\ie4uinit.exe
+ 2008-04-14 12:00 . 2009-10-21 05:38   25088              c:\windows\system32\httpapi.dll
+ 2008-04-14 12:00 . 2009-10-15 16:28   81920              c:\windows\system32\fontsub.dll
+ 2008-04-14 12:00 . 2009-06-24 11:18   92928              c:\windows\system32\drivers\ksecdd.sys
+ 2007-08-27 20:48 . 2009-08-07 03:24   35552              c:\windows\system32\dllcache\wups.dll
+ 2007-08-27 20:48 . 2009-08-07 02:24   53472              c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2008-05-09 10:53   90112              c:\windows\system32\dllcache\wshext.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   90112              c:\windows\system32\dllcache\wshext.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   99840              c:\windows\system32\dllcache\wmpshell.dll
+ 2007-08-27 20:48 . 2006-10-19 04:46   64000              c:\windows\system32\dllcache\wmplayer.exe
+ 2007-08-27 20:48 . 2006-10-19 04:47   96256              c:\windows\system32\dllcache\wmpband.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   37376              c:\windows\system32\dllcache\wmdmps.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   33792              c:\windows\system32\dllcache\wmdmlog.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   54272              c:\windows\system32\dllcache\wdigest.dll
+ 2008-04-14 12:00 . 2009-06-12 12:31   80896              c:\windows\system32\dllcache\tlntsess.exe
+ 2007-08-27 20:46 . 2008-04-14 12:43   40840              c:\windows\system32\dllcache\termdd.sys
+ 2008-04-14 12:00 . 2009-06-12 12:31   76288              c:\windows\system32\dllcache\telnet.exe
- 2008-04-14 12:00 . 2008-04-14 12:00   75776              c:\windows\system32\dllcache\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38   75776              c:\windows\system32\dllcache\strmfilt.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   56832              c:\windows\system32\dllcache\secur32.dll
+ 2008-04-14 12:00 . 2009-02-06 10:39   35328              c:\windows\system32\dllcache\sc.exe
+ 2008-04-14 12:00 . 2009-10-12 13:38   79872              c:\windows\system32\dllcache\raschap.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   79872              c:\windows\system32\dllcache\raschap.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\dllcache\pngfilt.dll
+ 2008-04-14 12:00 . 2009-10-08 21:56   20480              c:\windows\system32\dllcache\oleaccrc.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   91648              c:\windows\system32\dllcache\mtxoci.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   91648              c:\windows\system32\dllcache\mtxoci.dll
+ 2008-04-14 12:00 . 2008-06-12 14:23   66560              c:\windows\system32\dllcache\mtxclu.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   66560              c:\windows\system32\dllcache\mtxclu.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   28672              c:\windows\system32\dllcache\msvidc32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   11264              c:\windows\system32\dllcache\msrle32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   11264              c:\windows\system32\dllcache\msrle32.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   27136              c:\windows\system32\dllcache\mspmsnsv.dll
+ 2008-04-14 12:00 . 2007-08-14 01:01   48128              c:\windows\system32\dllcache\mshtmler.dll
+ 2008-04-14 12:00 . 2007-08-14 01:32   45568              c:\windows\system32\dllcache\mshta.exe
+ 2007-08-27 20:47 . 2008-06-12 14:23   58880              c:\windows\system32\dllcache\msdtclog.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   58880              c:\windows\system32\dllcache\msdtclog.dll
+ 2008-04-14 12:00 . 2008-06-24 16:43   74240              c:\windows\system32\dllcache\mscms.dll
+ 2008-04-14 12:00 . 2009-09-04 21:03   58880              c:\windows\system32\dllcache\msasn1.dll
+ 2008-04-14 12:00 . 2007-08-14 01:44   40960              c:\windows\system32\dllcache\licmgr10.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   11264              c:\windows\system32\dllcache\LAPRXY.dll
+ 2008-04-14 12:00 . 2009-06-24 11:18   92928              c:\windows\system32\dllcache\ksecdd.sys
+ 2008-04-14 12:00 . 2010-03-11 12:38   27648              c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   92672              c:\windows\system32\dllcache\inseng.dll
+ 2008-04-14 12:00 . 2007-08-14 01:36   36352              c:\windows\system32\dllcache\imgutil.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   55296              c:\windows\system32\dllcache\iesetup.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\dllcache\iernonce.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   78336              c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-27 20:48 . 2007-08-14 01:44   69120              c:\windows\system32\dllcache\iedw.exe
+ 2008-04-14 12:00 . 2010-03-10 13:18   70656              c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-04-14 12:00 . 2009-10-21 05:38   25088              c:\windows\system32\dllcache\httpapi.dll
+ 2007-08-27 20:48 . 2007-08-14 01:18   60416              c:\windows\system32\dllcache\hmmapi.dll
+ 2008-04-14 12:00 . 2009-10-15 16:28   81920              c:\windows\system32\dllcache\fontsub.dll
+ 2007-08-27 20:48 . 2007-08-14 01:54   33792              c:\windows\system32\dllcache\custsat.dll
+ 2008-04-14 12:00 . 2009-12-14 07:08   33280              c:\windows\system32\dllcache\csrsrv.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   17408              c:\windows\system32\dllcache\corpol.dll
+ 2008-04-14 12:00 . 2009-08-07 02:24   96480              c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2010-01-13 14:01   86016              c:\windows\system32\dllcache\cabview.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   84992              c:\windows\system32\dllcache\avifil32.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   84992              c:\windows\system32\dllcache\avifil32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   58880              c:\windows\system32\dllcache\atl.dll
+ 2008-04-14 12:00 . 2009-07-17 19:01   58880              c:\windows\system32\dllcache\atl.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   71680              c:\windows\system32\dllcache\admparse.dll
+ 2008-04-14 12:00 . 2009-12-14 07:08   33280              c:\windows\system32\csrsrv.dll
+ 2008-04-14 12:00 . 2009-08-07 02:24   96480              c:\windows\system32\cdm.dll
+ 2008-04-14 12:00 . 2010-01-13 14:01   86016              c:\windows\system32\cabview.dll
+ 2008-04-14 12:00 . 2009-11-27 16:07   84992              c:\windows\system32\avifil32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   84992              c:\windows\system32\avifil32.dll
+ 2008-04-14 12:00 . 2009-07-17 19:01   58880              c:\windows\system32\atl.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   58880              c:\windows\system32\atl.dll
+ 2008-04-14 12:00 . 2007-08-14 01:39   71680              c:\windows\system32\admparse.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   37888              c:\windows\ie7\url.dll
- 2009-12-14 18:55 . 2008-04-14 12:00   37888              c:\windows\ie7\url.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   39424              c:\windows\ie7\pngfilt.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   39424              c:\windows\ie7\pngfilt.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   96256              c:\windows\ie7\occache.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   96256              c:\windows\ie7\occache.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   56832              c:\windows\ie7\mshtmler.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   56832              c:\windows\ie7\mshtmler.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   29184              c:\windows\ie7\mshta.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   29184              c:\windows\ie7\mshta.exe
- 2010-01-16 16:38 . 2008-04-14 12:00   22016              c:\windows\ie7\licmgr10.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   22016              c:\windows\ie7\licmgr10.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   15872              c:\windows\ie7\jsproxy.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   15872              c:\windows\ie7\jsproxy.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   96256              c:\windows\ie7\inseng.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   96256              c:\windows\ie7\inseng.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   35840              c:\windows\ie7\imgutil.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   35840              c:\windows\ie7\imgutil.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   93184              c:\windows\ie7\iexplore.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   93184              c:\windows\ie7\iexplore.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   62976              c:\windows\ie7\iesetup.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   62976              c:\windows\ie7\iesetup.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   48640              c:\windows\ie7\iernonce.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   48640              c:\windows\ie7\iernonce.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   18432              c:\windows\ie7\iedw.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   18432              c:\windows\ie7\iedw.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   34304              c:\windows\ie7\ie4uinit.exe
- 2010-01-16 16:38 . 2008-04-14 12:00   34304              c:\windows\ie7\ie4uinit.exe
- 2010-01-16 16:38 . 2008-04-14 12:00   38912              c:\windows\ie7\hmmapi.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   38912              c:\windows\ie7\hmmapi.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   55808              c:\windows\ie7\extmgr.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   55808              c:\windows\ie7\extmgr.dll
+ 2010-05-25 18:03 . 2004-08-04 12:00   28672              c:\windows\ie7\custsat.dll
- 2010-01-16 16:38 . 2004-08-04 12:00   28672              c:\windows\ie7\custsat.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   99840              c:\windows\ie7\advpack.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   99840              c:\windows\ie7\advpack.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   61440              c:\windows\ie7\admparse.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   61440              c:\windows\ie7\admparse.dll
+ 2010-05-25 21:20 . 2009-11-27 17:11   17920              c:\windows\Driver Cache\i386\msyuv.dll
+ 2010-05-25 21:13 . 2009-11-27 16:07   48128              c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\wmvdmoe2.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\wmvdmod.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\wmsdmoe2.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\wmsdmod.dll
+ 2001-08-17 22:36 . 2009-11-27 16:07   8704              c:\windows\system32\tsbyuv.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\MPG4DMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\MP4SDMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\MP43DMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\wmvdmod.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\wmsdmoe2.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\wmsdmod.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\MPG4DMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\MP4SDMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   4096              c:\windows\system32\dllcache\MP43DMOD.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   7168              c:\windows\system32\dllcache\asferror.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   7168              c:\windows\system32\asferror.dll
+ 2010-05-25 21:13 . 2009-11-27 16:07   8704              c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2007-08-27 20:48 . 2009-08-07 02:24   327896              c:\windows\system32\wucltui.dll
+ 2007-08-27 20:48 . 2009-08-07 02:23   575704              c:\windows\system32\wuapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   155648              c:\windows\system32\wscript.exe
+ 2008-04-14 12:00 . 2008-05-08 11:24   155648              c:\windows\system32\wscript.exe
+ 2008-04-14 12:00 . 2009-04-02 06:02   604160              c:\windows\system32\wmspdmod.dll
+ 2008-04-14 12:00 . 2009-07-14 06:43   286208              c:\windows\system32\wmpdxm.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   242688              c:\windows\system32\wmpasf.dll
+ 2008-04-14 12:00 . 2008-06-18 12:03   938496              c:\windows\system32\WMNetmgr.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   157184              c:\windows\system32\wmidx.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   227328              c:\windows\system32\wmerror.dll
+ 2008-04-14 12:00 . 2007-10-28 00:40   222720              c:\windows\system32\wmasf.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   757248              c:\windows\system32\WMADMOD.dll
+ 2008-04-14 12:00 . 2009-06-10 06:14   132096              c:\windows\system32\wkssvc.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   132096              c:\windows\system32\wkssvc.dll
+ 2008-04-14 12:00 . 2009-12-24 06:59   177664              c:\windows\system32\wintrust.dll
+ 2008-04-14 12:00 . 2009-08-25 09:17   354816              c:\windows\system32\winhttp.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   233472              c:\windows\system32\webcheck.dll
+ 2007-08-27 20:46 . 2009-02-06 10:10   227840              c:\windows\system32\wbem\wmiprvse.exe
+ 2007-08-27 20:46 . 2009-02-09 12:10   453120              c:\windows\system32\wbem\wmiprvsd.dll
+ 2007-08-27 20:46 . 2009-02-09 12:10   473600              c:\windows\system32\wbem\fastprox.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   105984              c:\windows\system32\url.dll
+ 2008-04-14 12:00 . 2009-10-15 16:28   119808              c:\windows\system32\t2embed.dll
+ 2008-04-14 12:00 . 2009-08-26 08:00   247326              c:\windows\system32\strmdll.dll
+ 2010-05-26 18:27 . 2010-03-17 15:51   160008              c:\windows\system32\spool\drivers\w32x86\3\lmdiui8.dll
+ 2010-05-26 18:27 . 2010-03-17 15:51   984336              c:\windows\system32\spool\drivers\w32x86\3\lmdigraph8.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   474112              c:\windows\system32\shlwapi.dll
+ 2008-04-14 12:00 . 2009-12-08 09:23   474112              c:\windows\system32\shlwapi.dll
+ 2008-04-14 12:00 . 2009-02-06 11:11   110592              c:\windows\system32\services.exe
+ 2008-04-14 12:00 . 2008-05-09 10:53   172032              c:\windows\system32\scrrun.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   172032              c:\windows\system32\scrrun.dll
+ 2008-04-14 12:00 . 2008-05-09 10:53   180224              c:\windows\system32\scrobj.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   180224              c:\windows\system32\scrobj.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   147456              c:\windows\system32\schannel.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   401408              c:\windows\system32\rpcss.dll
+ 2008-04-14 12:00 . 2009-04-15 14:51   585216              c:\windows\system32\rpcrt4.dll
+ 2008-04-14 12:00 . 2009-10-12 13:38   149504              c:\windows\system32\rastls.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   211456              c:\windows\system32\qasf.dll
+ 2004-08-04 12:00 . 2010-05-26 20:54   505758              c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2008-04-14 12:00   284160              c:\windows\system32\pdh.dll
+ 2008-04-14 12:00 . 2009-03-06 14:22   284160              c:\windows\system32\pdh.dll
+ 2008-04-14 12:00 . 2009-10-08 21:57   220160              c:\windows\system32\oleacc.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   102912              c:\windows\system32\occache.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   270336              c:\windows\system32\oakley.dll
+ 2008-04-14 12:00 . 2009-10-13 10:30   270336              c:\windows\system32\oakley.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   714752              c:\windows\system32\ntdll.dll
+ 2008-04-14 12:00 . 2008-10-15 16:34   337408              c:\windows\system32\netapi32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   337408              c:\windows\system32\netapi32.dll
+ 2008-04-14 12:00 . 2008-06-20 17:46   245248              c:\windows\system32\mswsock.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   245248              c:\windows\system32\mswsock.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   321536              c:\windows\system32\mswmdm.dll
+ 2008-04-14 12:00 . 2009-08-05 09:01   204800              c:\windows\system32\mswebdvd.dll
+ 2008-04-14 12:00 . 2009-09-11 14:18   136192              c:\windows\system32\msv1_0.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   671232              c:\windows\system32\mstime.dll
+ 2008-04-14 12:00 . 2006-12-04 23:21   414720              c:\windows\system32\msscp.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   193024              c:\windows\system32\msrating.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   175616              c:\windows\system32\mspmsp.dll
+ 2007-08-27 20:47 . 2009-12-16 18:43   343040              c:\windows\system32\mspaint.exe
- 2007-08-27 20:47 . 2008-04-14 12:00   343040              c:\windows\system32\mspaint.exe
+ 2008-04-14 12:00 . 2006-10-19 04:47   179712              c:\windows\system32\msnetobj.dll
+ 2008-04-14 12:00 . 2007-08-14 01:54   156160              c:\windows\system32\msls31.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   477696              c:\windows\system32\mshtmled.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   161792              c:\windows\system32\msdtcuiu.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   161792              c:\windows\system32\msdtcuiu.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   956928              c:\windows\system32\msdtctm.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   956928              c:\windows\system32\msdtctm.dll
+ 2007-08-27 20:47 . 2008-06-13 02:53   428032              c:\windows\system32\msdtcprx.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   730112              c:\windows\system32\lsasrv.dll
+ 2008-04-14 12:00 . 2008-06-18 08:09   100864              c:\windows\system32\logagent.exe
+ 2008-04-14 12:00 . 2009-05-07 15:32   345600              c:\windows\system32\localspl.dll
+ 2008-04-14 12:00 . 2009-03-21 14:06   989696              c:\windows\system32\kernel32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   989696              c:\windows\system32\kernel32.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   301568              c:\windows\system32\kerberos.dll
+ 2008-04-14 12:00 . 2009-08-13 15:16   512000              c:\windows\system32\jscript.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   512000              c:\windows\system32\jscript.dll
+ 2010-05-27 00:13 . 2010-05-27 00:13   153376              c:\windows\system32\javaws.exe
+ 2010-05-27 00:13 . 2010-05-27 00:13   145184              c:\windows\system32\javaw.exe
+ 2010-05-27 00:13 . 2010-05-27 00:13   145184              c:\windows\system32\java.exe
+ 2007-08-27 20:48 . 2010-01-29 15:01   691712              c:\windows\system32\inetcomm.dll
- 2007-08-27 20:48 . 2008-04-14 12:00   691712              c:\windows\system32\inetcomm.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   192512              c:\windows\system32\iepeers.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   385024              c:\windows\system32\iedkcs32.dll
+ 2008-04-14 12:00 . 2010-02-23 05:18   161792              c:\windows\system32\ieakui.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   230400              c:\windows\system32\ieaksie.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   153088              c:\windows\system32\ieakeng.dll
+ 2008-04-14 12:00 . 2008-10-23 12:36   286720              c:\windows\system32\gdi32.dll
- 2007-08-27 14:41 . 2010-05-25 11:17   276560              c:\windows\system32\FNTCACHE.DAT
+ 2007-08-27 14:41 . 2010-05-26 16:13   276560              c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 12:00 . 2010-03-11 12:38   133120              c:\windows\system32\extmgr.dll
+ 2008-04-14 12:00 . 2008-07-07 20:26   253952              c:\windows\system32\es.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   214528              c:\windows\system32\dxtrans.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   347136              c:\windows\system32\dxtmsft.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   991744              c:\windows\system32\drmv2clt.dll
+ 2008-04-14 12:00 . 2010-02-11 12:02   226880              c:\windows\system32\drivers\tcpip6.sys
+ 2008-04-14 12:00 . 2008-06-20 11:51   361600              c:\windows\system32\drivers\tcpip.sys
+ 2008-04-14 12:00 . 2009-12-31 16:50   353792              c:\windows\system32\drivers\srv.sys
+ 2008-04-14 12:00 . 2008-05-08 14:02   203136              c:\windows\system32\drivers\rmcast.sys
+ 2008-04-14 12:00 . 2010-02-24 13:11   455680              c:\windows\system32\drivers\mrxsmb.sys
+ 2008-04-14 12:00 . 2009-10-20 16:20   265728              c:\windows\system32\drivers\http.sys
+ 2008-04-14 12:00 . 2008-06-13 11:05   272128              c:\windows\system32\drivers\bthport.sys
+ 2008-04-14 12:00 . 2008-08-14 10:04   138496              c:\windows\system32\drivers\afd.sys
+ 2008-04-14 12:00 . 2008-06-20 17:46   147968              c:\windows\system32\dnsapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   147968              c:\windows\system32\dnsapi.dll
+ 2007-08-27 20:48 . 2009-08-07 02:24   327896              c:\windows\system32\dllcache\wucltui.dll
+ 2007-08-27 20:48 . 2009-08-07 02:23   575704              c:\windows\system32\dllcache\wuapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   155648              c:\windows\system32\dllcache\wscript.exe
+ 2008-04-14 12:00 . 2008-05-08 11:24   155648              c:\windows\system32\dllcache\wscript.exe
+ 2007-08-27 20:47 . 2008-04-21 12:08   215552              c:\windows\system32\dllcache\wordpad.exe
+ 2008-04-14 12:00 . 2009-04-02 06:02   604160              c:\windows\system32\dllcache\wmspdmod.dll
+ 2008-04-14 12:00 . 2009-07-14 06:43   286208              c:\windows\system32\dllcache\wmpdxm.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   242688              c:\windows\system32\dllcache\wmpasf.dll
+ 2008-04-14 12:00 . 2008-06-18 12:03   938496              c:\windows\system32\dllcache\WMNetmgr.dll
+ 2007-08-27 20:46 . 2009-02-06 10:10   227840              c:\windows\system32\dllcache\wmiprvse.exe
+ 2007-08-27 20:46 . 2009-02-09 12:10   453120              c:\windows\system32\dllcache\wmiprvsd.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   157184              c:\windows\system32\dllcache\wmidx.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   227328              c:\windows\system32\dllcache\wmerror.dll
+ 2008-04-14 12:00 . 2007-10-28 00:40   222720              c:\windows\system32\dllcache\wmasf.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   757248              c:\windows\system32\dllcache\WMADMOD.dll
+ 2008-04-14 12:00 . 2009-06-10 06:14   132096              c:\windows\system32\dllcache\wkssvc.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   132096              c:\windows\system32\dllcache\wkssvc.dll
+ 2008-04-14 12:00 . 2009-12-24 06:59   177664              c:\windows\system32\dllcache\wintrust.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   832512              c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 12:00 . 2009-08-25 09:17   354816              c:\windows\system32\dllcache\winhttp.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   233472              c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-27 20:48 . 2008-05-27 17:23   765952              c:\windows\system32\dllcache\vgx.dll
+ 2008-04-14 12:00 . 2010-03-09 11:09   430080              c:\windows\system32\dllcache\vbscript.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   105984              c:\windows\system32\dllcache\url.dll
+ 2008-04-14 12:00 . 2007-06-27 05:10   317440              c:\windows\system32\dllcache\unregmp2.exe
- 2007-08-27 20:48 . 2008-04-14 12:00   153088              c:\windows\system32\dllcache\triedit.dll
+ 2007-08-27 20:48 . 2009-06-21 21:44   153088              c:\windows\system32\dllcache\triedit.dll
+ 2008-04-14 12:00 . 2010-02-11 12:02   226880              c:\windows\system32\dllcache\tcpip6.sys
+ 2008-04-14 12:00 . 2008-06-20 11:51   361600              c:\windows\system32\dllcache\tcpip.sys
+ 2008-04-14 12:00 . 2009-10-15 16:28   119808              c:\windows\system32\dllcache\t2embed.dll
+ 2008-04-14 12:00 . 2009-08-26 08:00   247326              c:\windows\system32\dllcache\strmdll.dll
+ 2008-04-14 12:00 . 2009-12-31 16:50   353792              c:\windows\system32\dllcache\srv.sys
+ 2008-04-14 12:00 . 2009-12-08 09:23   474112              c:\windows\system32\dllcache\shlwapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   474112              c:\windows\system32\dllcache\shlwapi.dll
+ 2008-04-14 12:00 . 2009-02-06 11:11   110592              c:\windows\system32\dllcache\services.exe
+ 2008-04-14 12:00 . 2008-05-09 10:53   172032              c:\windows\system32\dllcache\scrrun.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   172032              c:\windows\system32\dllcache\scrrun.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   180224              c:\windows\system32\dllcache\scrobj.dll
+ 2008-04-14 12:00 . 2008-05-09 10:53   180224              c:\windows\system32\dllcache\scrobj.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   147456              c:\windows\system32\dllcache\schannel.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   401408              c:\windows\system32\dllcache\rpcss.dll
+ 2008-04-14 12:00 . 2009-04-15 14:51   585216              c:\windows\system32\dllcache\rpcrt4.dll
+ 2008-04-14 12:00 . 2008-05-08 14:02   203136              c:\windows\system32\dllcache\rmcast.sys
+ 2008-04-14 12:00 . 2009-10-12 13:38   149504              c:\windows\system32\dllcache\rastls.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   211456              c:\windows\system32\dllcache\qasf.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   284160              c:\windows\system32\dllcache\pdh.dll
+ 2008-04-14 12:00 . 2009-03-06 14:22   284160              c:\windows\system32\dllcache\pdh.dll
+ 2008-04-14 12:00 . 2009-10-08 21:57   220160              c:\windows\system32\dllcache\oleacc.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   102912              c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 12:00 . 2009-10-13 10:30   270336              c:\windows\system32\dllcache\oakley.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   270336              c:\windows\system32\dllcache\oakley.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   714752              c:\windows\system32\dllcache\ntdll.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   337408              c:\windows\system32\dllcache\netapi32.dll
+ 2008-04-14 12:00 . 2008-10-15 16:34   337408              c:\windows\system32\dllcache\netapi32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   245248              c:\windows\system32\dllcache\mswsock.dll
+ 2008-04-14 12:00 . 2008-06-20 17:46   245248              c:\windows\system32\dllcache\mswsock.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   321536              c:\windows\system32\dllcache\mswmdm.dll
+ 2008-04-14 12:00 . 2009-08-05 09:01   204800              c:\windows\system32\dllcache\mswebdvd.dll
+ 2008-04-14 12:00 . 2009-09-11 14:18   136192              c:\windows\system32\dllcache\msv1_0.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   671232              c:\windows\system32\dllcache\mstime.dll
+ 2008-04-14 12:00 . 2006-12-04 23:21   414720              c:\windows\system32\dllcache\msscp.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   193024              c:\windows\system32\dllcache\msrating.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   175616              c:\windows\system32\dllcache\mspmsp.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   343040              c:\windows\system32\dllcache\mspaint.exe
+ 2007-08-27 20:47 . 2009-12-16 18:43   343040              c:\windows\system32\dllcache\mspaint.exe
+ 2008-04-14 12:00 . 2006-10-19 04:47   179712              c:\windows\system32\dllcache\msnetobj.dll
+ 2008-04-14 12:00 . 2007-08-14 01:54   156160              c:\windows\system32\dllcache\msls31.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   477696              c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   161792              c:\windows\system32\dllcache\msdtcuiu.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   161792              c:\windows\system32\dllcache\msdtcuiu.dll
- 2007-08-27 20:47 . 2008-04-14 12:00   956928              c:\windows\system32\dllcache\msdtctm.dll
+ 2007-08-27 20:47 . 2008-06-12 14:23   956928              c:\windows\system32\dllcache\msdtctm.dll
+ 2007-08-27 20:47 . 2008-06-13 02:53   428032              c:\windows\system32\dllcache\msdtcprx.dll
+ 2007-08-27 20:48 . 2008-05-01 14:33   331776              c:\windows\system32\dllcache\msadce.dll
- 2007-08-27 20:48 . 2008-04-14 12:00   331776              c:\windows\system32\dllcache\msadce.dll
+ 2007-08-27 20:48 . 2006-10-19 04:47   243712              c:\windows\system32\dllcache\mpvis.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   730112              c:\windows\system32\dllcache\lsasrv.dll
+ 2008-04-14 12:00 . 2008-06-18 08:09   100864              c:\windows\system32\dllcache\logagent.exe
+ 2008-04-14 12:00 . 2009-05-07 15:32   345600              c:\windows\system32\dllcache\localspl.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   989696              c:\windows\system32\dllcache\kernel32.dll
+ 2008-04-14 12:00 . 2009-03-21 14:06   989696              c:\windows\system32\dllcache\kernel32.dll
+ 2008-04-14 12:00 . 2009-06-25 08:25   301568              c:\windows\system32\dllcache\kerberos.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   512000              c:\windows\system32\dllcache\jscript.dll
+ 2008-04-14 12:00 . 2009-08-13 15:16   512000              c:\windows\system32\dllcache\jscript.dll
- 2007-08-27 20:48 . 2008-04-14 12:00   691712              c:\windows\system32\dllcache\inetcomm.dll
+ 2007-08-27 20:48 . 2010-01-29 15:01   691712              c:\windows\system32\dllcache\inetcomm.dll
+ 2007-08-27 20:48 . 2010-02-23 05:20   634648              c:\windows\system32\dllcache\iexplore.exe
+ 2008-04-14 12:00 . 2010-03-11 12:38   192512              c:\windows\system32\dllcache\iepeers.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   385024              c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2010-02-23 05:18   161792              c:\windows\system32\dllcache\ieakui.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   230400              c:\windows\system32\dllcache\ieaksie.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   153088              c:\windows\system32\dllcache\ieakeng.dll
+ 2008-04-14 12:00 . 2008-10-23 12:36   286720              c:\windows\system32\dllcache\gdi32.dll
+ 2007-08-27 20:46 . 2009-02-09 12:10   473600              c:\windows\system32\dllcache\fastprox.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   133120              c:\windows\system32\dllcache\extmgr.dll
+ 2008-04-14 12:00 . 2008-07-07 20:26   253952              c:\windows\system32\dllcache\es.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   214528              c:\windows\system32\dllcache\dxtrans.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   347136              c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   991744              c:\windows\system32\dllcache\drmv2clt.dll
+ 2008-04-14 12:00 . 2008-06-20 17:46   147968              c:\windows\system32\dllcache\dnsapi.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   147968              c:\windows\system32\dllcache\dnsapi.dll
+ 2008-04-14 12:00 . 2008-05-09 08:45   135168              c:\windows\system32\dllcache\cscript.exe
+ 2008-04-14 12:00 . 2006-10-19 04:47   229376              c:\windows\system32\dllcache\cewmdm.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   542720              c:\windows\system32\dllcache\blackbox.dll
+ 2008-04-14 12:00 . 2008-08-14 10:04   138496              c:\windows\system32\dllcache\afd.sys
+ 2008-04-14 12:00 . 2010-03-11 12:38   124928              c:\windows\system32\dllcache\advpack.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   617472              c:\windows\system32\dllcache\advapi32.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   617472              c:\windows\system32\dllcache\advapi32.dll
+ 2008-04-14 12:00 . 2009-11-21 15:51   471552              c:\windows\system32\dllcache\aclayers.dll
+ 2008-04-14 12:00 . 2010-02-12 04:33   100864              c:\windows\system32\dllcache\6to4svc.dll
+ 2008-04-14 12:00 . 2008-05-09 08:45   135168              c:\windows\system32\cscript.exe
+ 2008-04-14 12:00 . 2006-10-19 04:47   229376              c:\windows\system32\cewmdm.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   542720              c:\windows\system32\blackbox.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   124928              c:\windows\system32\advpack.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   617472              c:\windows\system32\advapi32.dll
+ 2008-04-14 12:00 . 2009-02-09 12:10   617472              c:\windows\system32\advapi32.dll
+ 2008-04-14 12:00 . 2010-02-12 04:33   100864              c:\windows\system32\6to4svc.dll
+ 2010-05-27 00:13 . 2010-05-27 00:13   180224              c:\windows\Installer\b1f912.msi
+ 2010-05-27 00:13 . 2010-05-27 00:13   576000              c:\windows\Installer\b1f90d.msi
+ 2008-04-14 12:00 . 2007-06-27 05:10   317440              c:\windows\inf\unregmp2.exe
+ 2010-05-25 18:03 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.
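Reading a ComboFix snapshot comparison like the one above by hand is slow. The Python script below is an added example written for this page; it is not ComboFix code and not something the poster ran. It parses lines of the shape shown above, pairs the "-" (earlier snapshot) and "+" (current snapshot) entries for the same path, flags any live system32 file whose system32\dllcache (Windows File Protection) copy disagrees in size or last-write time, and lists the kernel drivers under system32\drivers, which is where this thread's infection sat (atapi.sys, then termdd.sys). Assumptions: the first timestamp is the creation time and the second the last-write time (my reading of the ComboFix layout); example.dll is a hypothetical file constructed to show what a flagged mismatch looks like; the other sample lines are copied from the log above.

```python
"""Triage helper for a ComboFix snapshot comparison (added example, not ComboFix code).

Entry lines look like:  <+|-> <created> . <modified> <size> <path>
'-' is the entry from the earlier snapshot, '+' the entry from the current one.
Reading the timestamps as creation / last-write is an assumption about the layout.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S.*?)\s*$"
)

# Lines copied from the snapshot above (plus the two non-entry lines ComboFix prints).
SAMPLE_LINES = [
    r"+ 2008-04-14 12:00 . 2009-02-09 12:10   714752              c:\windows\system32\ntdll.dll",
    r"+ 2008-04-14 12:00 . 2009-02-09 12:10   714752              c:\windows\system32\dllcache\ntdll.dll",
    r"- 2008-04-14 12:00 . 2008-04-14 12:00   989696              c:\windows\system32\kernel32.dll",
    r"+ 2008-04-14 12:00 . 2009-03-21 14:06   989696              c:\windows\system32\kernel32.dll",
    r"+ 2008-04-14 12:00 . 2009-03-21 14:06   989696              c:\windows\system32\dllcache\kernel32.dll",
    r"+ 2008-04-14 12:00 . 2010-02-24 13:11   455680              c:\windows\system32\drivers\mrxsmb.sys",
    r"+ 2008-04-14 12:00 . 2008-06-20 11:51   361600              c:\windows\system32\drivers\tcpip.sys",
    r"+ 2008-04-14 12:00 . 2008-08-14 10:04   138496              c:\windows\system32\drivers\afd.sys",
    r"- 2010-01-16 16:38 . 2008-04-14 12:00   532480              c:\windows\ie7\mstime.dll",
    ".",
    "-- Snapshot reset to current date --",
]
# Constructed for this example (example.dll is hypothetical): a live copy whose
# size and last-write time disagree with its dllcache copy.
CONSTRUCTED_LINES = [
    r"+ 2008-04-14 12:00 . 2010-05-20 03:12   40840              c:\windows\system32\example.dll",
    r"+ 2008-04-14 12:00 . 2008-04-14 12:00   40448              c:\windows\system32\dllcache\example.dll",
]

@dataclass(frozen=True)
class Entry:
    state: str      # '+' current snapshot, '-' earlier snapshot
    created: str
    modified: str
    size: int
    path: str       # lower-cased

def parse(text):
    """Return Entry objects for snapshot lines; headers and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state, created, modified, size, path = m.groups()
            entries.append(Entry(state, created, modified, int(size), path.lower()))
    return entries

def classify(entries):
    """Per path: 'replaced' (old '-' and new '+'), 'new' ('+' only), 'gone' ('-' only)."""
    by_path = defaultdict(dict)
    for e in entries:
        by_path[e.path][e.state] = e
    out = {"replaced": {}, "new": [], "gone": []}
    for path, st in by_path.items():
        if "+" in st and "-" in st:
            out["replaced"][path] = (st["-"].modified, st["+"].modified)
        elif "+" in st:
            out["new"].append(path)
        else:
            out["gone"].append(path)
    return out

def dllcache_mismatches(entries):
    """Live system32 files whose system32\\dllcache copy differs in size or last-write time.
    A disagreement deserves a hash check against a known-good copy; it is not proof by itself."""
    current = {e.path: e for e in entries if e.state == "+"}
    flagged = []
    for path, live in current.items():
        head, _, name = path.rpartition("\\")
        if not head.endswith("\\system32"):
            continue
        cached = current.get(head + "\\dllcache\\" + name)
        if cached and (cached.size != live.size or cached.modified != live.modified):
            flagged.append((path, live.size, live.modified, cached.size, cached.modified))
    return flagged

def kernel_drivers(entries):
    """Current-state .sys files under system32\\drivers, most recently written first."""
    drv = [e for e in entries if e.state == "+"
           and "\\system32\\drivers\\" in e.path and e.path.endswith(".sys")]
    return sorted(drv, key=lambda e: e.modified, reverse=True)

def triage(text):
    entries = parse(text)
    return {"changes": classify(entries),
            "dllcache_mismatch": dllcache_mismatches(entries),
            "drivers": kernel_drivers(entries)}

if __name__ == "__main__":
    report = triage("\n".join(SAMPLE_LINES + CONSTRUCTED_LINES))
    for path, (old, new) in report["changes"]["replaced"].items():
        print(f"replaced  {path}  {old} -> {new}")
    for path, lsize, lmod, csize, cmod in report["dllcache_mismatch"]:
        print(f"MISMATCH  {path}  live {lsize}@{lmod}  dllcache {csize}@{cmod}")
    for e in report["drivers"]:
        print(f"driver    {e.path}  {e.size}  {e.modified}")
```

Run it on a saved ComboFix log by passing the file's text to triage(). In the log above every system32 file matches its dllcache copy, so only the constructed example.dll is flagged; the driver list is the part to hand-check, by hashing each .sys (SystemLook's MD5, as earlier in the thread) against a copy from a clean XP SP3 install or the service pack cabinet.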
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 28, 2010, 11:09:55 PM
+ 2010-05-25 18:03 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.dll
- 2009-12-14 18:55 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.dll
- 2009-12-14 18:55 . 2008-04-14 12:00   276480              c:\windows\ie7\webcheck.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   276480              c:\windows\ie7\webcheck.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   851968              c:\windows\ie7\vgx.dll
- 2009-12-14 18:55 . 2008-04-14 12:00   851968              c:\windows\ie7\vgx.dll
- 2009-12-14 18:55 . 2008-04-14 12:00   619520              c:\windows\ie7\urlmon.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   619520              c:\windows\ie7\urlmon.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   532480              c:\windows\ie7\mstime.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   532480              c:\windows\ie7\mstime.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   146432              c:\windows\ie7\msrating.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   146432              c:\windows\ie7\msrating.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   146432              c:\windows\ie7\msls31.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   146432              c:\windows\ie7\msls31.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   449024              c:\windows\ie7\mshtmled.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   449024              c:\windows\ie7\mshtmled.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   251904              c:\windows\ie7\iepeers.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   251904              c:\windows\ie7\iepeers.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   323584              c:\windows\ie7\iedkcs32.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   323584              c:\windows\ie7\iedkcs32.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   221184              c:\windows\ie7\ieakui.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   221184              c:\windows\ie7\ieakui.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   216576              c:\windows\ie7\ieaksie.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   216576              c:\windows\ie7\ieaksie.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   143360              c:\windows\ie7\ieakeng.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   143360              c:\windows\ie7\ieakeng.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   205312              c:\windows\ie7\dxtrans.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   205312              c:\windows\ie7\dxtrans.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   357888              c:\windows\ie7\dxtmsft.dll
+ 2010-05-25 18:03 . 2008-04-14 12:00   357888              c:\windows\ie7\dxtmsft.dll
+ 2010-05-25 21:23 . 2010-02-24 13:11   455680              c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2010-05-26 17:15 . 2009-10-20 16:20   265728              c:\windows\Driver Cache\i386\http.sys
+ 2010-05-25 21:24 . 2008-06-13 11:05   272128              c:\windows\Driver Cache\i386\bthport.sys
+ 2008-04-14 12:00 . 2009-11-21 15:51   471552              c:\windows\AppPatch\aclayers.dll
- 2010-05-03 16:39 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2010-05-25 21:23 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2010-05-03 16:39 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\InstallTemp\19236357\GdiPlus.dll
+ 2007-08-27 20:48 . 2009-08-07 02:23   1929952              c:\windows\system32\wuaueng.dll
+ 2008-04-14 12:00 . 2009-05-20 11:56   2458112              c:\windows\system32\WMVCore.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   1329152              c:\windows\system32\WMSPDMOE.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   8231936              c:\windows\system32\wmploc.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   1117696              c:\windows\system32\WMADMOE.dll
+ 2008-04-14 12:00 . 2009-08-14 13:21   1850624              c:\windows\system32\win32k.sys
+ 2008-04-14 12:00 . 2010-03-11 12:38   1168384              c:\windows\system32\urlmon.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   8461312              c:\windows\system32\shell32.dll
+ 2008-04-14 12:00 . 2008-06-17 19:02   8461312              c:\windows\system32\shell32.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   1435648              c:\windows\system32\query.dll
+ 2008-04-14 12:00 . 2009-07-17 16:22   1435648              c:\windows\system32\query.dll
+ 2008-04-14 12:00 . 2009-11-27 17:11   1291776              c:\windows\system32\quartz.dll
+ 2008-04-14 12:00 . 2010-02-16 14:08   2146304              c:\windows\system32\ntoskrnl.exe
+ 2008-04-14 00:01 . 2010-02-16 13:25   2024448              c:\windows\system32\ntkrnlpa.exe
+ 2008-04-14 12:00 . 2009-07-31 17:05   1372672              c:\windows\system32\msxml6.dll
+ 2008-04-14 12:00 . 2009-07-31 04:35   1172480              c:\windows\system32\msxml3.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   3599872              c:\windows\system32\mshtml.dll
+ 2007-08-27 20:48 . 2009-08-07 02:23   1929952              c:\windows\system32\dllcache\wuaueng.dll
+ 2008-04-14 12:00 . 2009-05-20 11:56   2458112              c:\windows\system32\dllcache\WMVCore.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   1329152              c:\windows\system32\dllcache\WMSPDMOE.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   8231936              c:\windows\system32\dllcache\wmploc.dll
+ 2008-04-14 12:00 . 2006-10-19 04:47   1117696              c:\windows\system32\dllcache\WMADMOE.dll
+ 2008-04-14 12:00 . 2009-08-14 13:21   1850624              c:\windows\system32\dllcache\win32k.sys
+ 2008-04-14 12:00 . 2010-03-11 12:38   1168384              c:\windows\system32\dllcache\urlmon.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   8461312              c:\windows\system32\dllcache\shell32.dll
+ 2008-04-14 12:00 . 2008-06-17 19:02   8461312              c:\windows\system32\dllcache\shell32.dll
+ 2007-08-27 20:48 . 2006-11-02 01:31   1669120              c:\windows\system32\dllcache\setup_wm.exe
+ 2008-04-14 12:00 . 2009-07-17 16:22   1435648              c:\windows\system32\dllcache\query.dll
- 2008-04-14 12:00 . 2008-04-14 12:00   1435648              c:\windows\system32\dllcache\query.dll
+ 2008-04-14 12:00 . 2009-11-27 17:11   1291776              c:\windows\system32\dllcache\quartz.dll
+ 2009-02-08 02:02 . 2010-02-16 13:25   2066816              c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-04-14 12:00 . 2009-07-31 17:05   1372672              c:\windows\system32\dllcache\msxml6.dll
+ 2008-04-14 12:00 . 2009-07-31 04:35   1172480              c:\windows\system32\dllcache\msxml3.dll
+ 2007-08-27 20:48 . 2010-01-30 03:31   1315328              c:\windows\system32\dllcache\msoe.dll
+ 2008-04-14 12:00 . 2010-03-11 12:38   3599872              c:\windows\system32\dllcache\mshtml.dll
- 2007-08-27 20:48 . 2008-04-14 12:00   3558912              c:\windows\system32\dllcache\moviemk.exe
+ 2007-08-27 20:48 . 2009-10-23 15:28   3558912              c:\windows\system32\dllcache\moviemk.exe
+ 2010-05-26 18:27 . 2010-05-26 18:27   1205760              c:\windows\Installer\7a26fe.msi
+ 2010-05-25 18:03 . 2008-04-14 12:00   3066880              c:\windows\ie7\mshtml.dll
- 2010-01-16 16:38 . 2008-04-14 12:00   3066880              c:\windows\ie7\mshtml.dll
+ 2010-05-25 21:20 . 2010-02-17 16:10   2189952              c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2010-05-25 21:20 . 2010-02-16 13:25   2024448              c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-08 02:02 . 2010-02-16 13:25   2066816              c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-05-25 21:20 . 2010-02-16 14:08   2146304              c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-04-14 12:00 . 2009-07-14 06:43   10841088              c:\windows\system32\wmp.dll
+ 2008-04-14 12:00 . 2009-07-14 06:43   10841088              c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
"Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\iraval\Start Menu\Programs\Startup\
BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
"Script"=servicenow.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
WINRM   REG_MULTI_SZ      WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-05-28 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-05-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-05-29 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = ;*.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: capitalone.com\servicing
Trusted Zone: intuit.com\ttlc
Trusted Zone: ultimatix.net\ipmsapp
Trusted Zone: ultimatix.net\www
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-28 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1576)
c:\windows\system32\SSRPMGINA.dll

- - - - - - - > 'lsass.exe'(1636)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-05-28  21:09:46
ComboFix-quarantined-files.txt  2010-05-29 04:09

Pre-Run: 15,756,505,088 bytes free
Post-Run: 15,779,717,120 bytes free

- - End Of File - - 1766E50B15D541D51CA549C6AFD2E8E6
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 30, 2010, 11:49:36 AM
Download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe) to your desktop.
Double-click to run the tool
Please download MBR.EXE (http://www2.gmer.net/mbr/mbr.exe) by GMER.  Save the file in the C:\windows\system32\ folder.
Click Start --> Run type in mbr.exe -f and click OK.
Reboot. (IMPORTANT!)
Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
Code:
@echo off
cd\
cd windows
cd system32
mbr.exe -t
start mbr.log
Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\windows\system32\mbr.log). Please paste the contents in your next reply.

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 31, 2010, 11:33:33 AM
Download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe) to your desktop.
Double-click to run the tool

=> I ran the tool; however, it seemed to be stuck at 'checking mbr', but I think it was supposed to do just that, so I waited for a few minutes and then continued with the next steps.

Please download MBR.EXE (http://www2.gmer.net/mbr/mbr.exe) by GMER.  Save the file in the C:\windows\system32\ folder.
Click Start --> Run type in mbr.exe -f and click OK.
Reboot. (IMPORTANT!)
Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
Code:
@echo off
cd\
cd windows
cd system32
mbr.exe -t
start mbr.log
Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\windows\system32\mbr.log). Please paste the contents in your next reply.

=> I followed the rest of the steps exactly as you mentioned and am uploading the output in the next reply. So when my machine was being rebooted, HelpAsst_mebroot_fix.exe was still running.

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 31, 2010, 11:33:56 AM
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
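A small triage helper for the two kinds of log in this thread: the ComboFix driver/service list (where the S0 cgtfa entry points at rciwwjn.sys with a file ComboFix could not read, shown as "[?]") and the mbr.exe output just posted, where "user & kernel MBR OK" appears alongside a stashed MBR copy and code in high sectors. This is an added example, not code from ComboFix, GMER or anyone in the thread; the sample lines are copied from the logs posted above, and the MpKsl skip-list is an assumption based on those same Forefront entries also showing "[?]".

```python
"""Triage helpers for two logs posted in this thread: ComboFix's driver/service
list (lines such as "S0 cgtfa;cgtfa;c:\\...\\rciwwjn.sys --> ... [?]") and the
GMER mbr.exe output ("malicious code @ sector 0x0950E4C4 !").
Added example for this page; it is not part of ComboFix or GMER."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix service line:  <R|S><start> <name>;<display>;<image> [<date> <time> <size>]
# When ComboFix cannot read the image file it prints "<image> --> <image> [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class ServiceEntry:
    state: str      # R = running, S = stopped
    start: int      # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
    name: str
    display: str
    image: str
    file_info: str  # "[m/d/yyyy h:mm AM size]" or "[?]" if the file could not be read


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix R?/S? service line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " --> " in rest:              # keep only the resolved path after the arrow
        rest = rest.split(" --> ", 1)[1]
    image, _, info = rest.rpartition(" [")
    return ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                        m.group("display"), image.strip(), "[" + info)


# Assumption: the Forefront definition-update drivers (MpKsl*.sys) in this
# thread's log also show "[?]", so they are skipped by default to cut noise.
DEFAULT_IGNORE_PREFIXES = ("MpKsl",)


def suspicious_services(lines, ignore_prefixes=DEFAULT_IGNORE_PREFIXES) -> List[Tuple[str, str]]:
    """Flag boot/system-start (S0/S1/R0/R1) drivers whose image ComboFix could not read.

    A driver Windows loads before any user-mode scanner starts, whose file the
    scanner cannot see, is the footprint of a hidden rootkit driver; that is
    exactly the S0 cgtfa / rciwwjn.sys entry in this thread.
    """
    flagged = []
    for line in lines:
        e = parse_service_line(line)
        if e is None or e.name.startswith(ignore_prefixes):
            continue
        if e.start <= 1 and e.file_info == "[?]":
            flagged.append((e.name, f"start type {e.start} driver, image unreadable: {e.image}"))
    return flagged


# mbr.exe compares sector 0 as read from user mode and from kernel mode and
# prints "user & kernel MBR OK" when they agree; it reports separately where it
# found a stashed MBR copy and code. These three alert patterns are from the thread.
MBR_ALERT_RE = re.compile(
    r"(copy of MBR has been found in sector|malicious code @ sector|PE file found in sector at)"
    r"\s+(0x[0-9A-Fa-f]+)"
)


def analyze_mbr_log(text: str) -> dict:
    """Return the MBR consistency result, every sector alert, and a verdict."""
    findings = [(m.group(1), int(m.group(2), 16)) for m in MBR_ALERT_RE.finditer(text)]
    mbr_ok = "user & kernel MBR OK" in text
    # "MBR OK" alone is not a clean bill of health: the posted log reads the MBR
    # consistently while a copy of it and code sit in high sectors.
    verdict = "clean" if mbr_ok and not findings else "suspicious"
    return {"user_kernel_mbr_ok": mbr_ok, "findings": findings, "verdict": verdict}


# Sample input: lines copied from the ComboFix and mbr.exe logs posted in this thread.
SAMPLE_COMBOFIX = r"""
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
""".strip().splitlines()

SAMPLE_MBR = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
"""

if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_COMBOFIX):
        print(f"FLAG {name}: {why}")
    print(analyze_mbr_log(SAMPLE_MBR))
```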
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on May 31, 2010, 05:22:31 PM
Ok. Let's try this again.

Please download and save HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe)

Double click to run the tool.
When complete, run mbr -f then reboot.

After reboot, provide the log.
 
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on May 31, 2010, 07:42:12 PM
Here is what I found at c:\ as HelpAsst.txt:


C:\Documents and Settings\iraval\My Documents\Downloads\HelpAsst_mebroot_fix.exe
Mon 05/31/2010 at 18:36:39.92

HelpAssistant account Inactive

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

 ~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

 ~~ Checking profile list ~~

No HelpAssistant profile in registry

 ~~ Checking mbr ~~

user & kernel MBR OK
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on June 01, 2010, 10:05:32 AM
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs to be scanned, they must be done separately and a link posted for each one.)

* Copy the file path in the below Code box:

Code:
c:\windows\system32\dllcache\isignup.exe
c:\windows\system32\emptyregdb.dat
c:\windows\system32\drivers\rciwwjn.sys

* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

===============================

P2P - I see you have P2P software installed on your machine. (Vuze, Azureus) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

===================================

Re-running ComboFix to remove infections:

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 01, 2010, 11:35:48 AM
Hi,

C:\WINDOWS is the Windows installation directory. WINXP is the one from when I tried to do a fresh install on the same drive when I got this virus back then.

Do you still mean for the CFScript to look into C:\WINXP, or shall I change it to C:\WINDOWS?
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on June 01, 2010, 12:27:21 PM
Ok. Just erase this "DirLook::
C:\WINXP" from the script and run it.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 01, 2010, 10:57:37 PM
1. http://virusscan.jotti.org/en/scanresult/d2d746eddfe458aae51e89ba5dbcbf156f574143/00071ebd72d1a0023c0818fa1d70ee808e64785a
2. http://virusscan.jotti.org/en/scanresult/7ce79c0b5ae9de9678fc5f3830e3bd983fe7352e
3. c:\windows\system32\drivers\rciwwjn.sys - it says the file is empty, 0 bytes.


I'm going to run ComboFix and will let you know the results.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 01, 2010, 11:33:38 PM
ComboFix 10-06-01.01 - iraval 06/01/2010  22:05:54.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -7:00]
Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

FILE ::
"c:\windows\inf\COMD6.tmp"
"c:\windows\inf\COME3.tmp"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\inf\COMD6.tmp
c:\windows\inf\COME3.tmp

----- BITS: Possible infected sites -----

hxxp://CASANSMS1:80
hxxp://dendapvmexcas1.cricketcommunications.com
.
(((((((((((((((((((((((((   Files Created from 2010-05-02 to 2010-06-02  )))))))))))))))))))))))))))))))
.

2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
2010-05-28 05:11 . 2010-05-28 05:11   --------   d-----w-   C:\HelpAsst_backup
2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
2010-05-20 13:47 . 2010-05-20 13:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 05:24 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
2010-06-01 16:10 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
2010-05-29 21:32 . 2010-05-29 21:32   117427   ----a-w-   c:\documents and settings\iraval\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
2010-05-27 00:14 . 2010-05-27 00:14   503808   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
2010-05-27 00:14 . 2010-05-27 00:14   499712   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
2010-05-27 00:14 . 2010-05-27 00:14   348160   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
2010-05-27 00:13 . 2010-05-27 00:13   61440   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
2010-05-27 00:13 . 2010-05-27 00:13   12800   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
2010-05-21 21:14 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
2010-05-06 03:40 . 2010-05-06 03:40   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
2010-05-01 19:36 . 2010-01-22 12:58   --------   d-----w-   c:\documents and settings\admin\Application Data\Wave Systems Corp
2010-05-01 18:45 . 2010-05-01 18:45   --------   d-----w-   c:\documents and settings\admin\Application Data\Malwarebytes
2010-05-01 18:42 . 2010-01-22 12:58   71776   ----a-w-   c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-26 03:26 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-04-19 21:59 . 2010-04-19 21:59   255472   ----a-w-   c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
2010-04-16 04:15 . 2010-03-28 07:29   894184   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-03-28 02:06 . 2007-08-27 22:09   71776   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
"Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\iraval\Start Menu\Programs\Startup\
BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
"Script"=servicenow.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
WINRM   REG_MULTI_SZ      WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-06-02 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-06-02 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = ;*.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-01 22:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1584)
c:\windows\system32\SSRPMGINA.dll

- - - - - - - > 'lsass.exe'(1640)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(8472)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\BSEMktWatch\Gadgetworker.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\windows\system32\NOTEPAD.EXE
c:\program files\VirtuaWin\modules\WinList.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\Webshots\315~1.761\Webshots.scr
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-01  22:30:23 - machine was rebooted
ComboFix-quarantined-files.txt  2010-06-02 05:30
ComboFix2.txt  2010-05-29 04:09

Pre-Run: 23,002,599,424 bytes free
Post-Run: 23,039,139,840 bytes free

- - End Of File - - C42645F1074F29D1AA6E845ECA0E92C5
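The one line in the services section above that a responder wants surfaced automatically is `S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> ... [?]`: a boot-start (start type 0) driver whose image ComboFix could not find on disk, registered under a name that matches neither a vendor nor its own file. The same log also shows `AntiVirusOverride` and `FirewallOverride` set to 1 under the Security Center key. The script below is an added example for this thread, not ComboFix's code and not something the poster ran; it parses the service lines and the Security Center values excerpted from the log above. Its reading of the ComboFix line format (`<R|S><start type> <name>;<display>;<image> [date size]`, with `--> <path> [?]` appended when the file is absent) is an assumption, and its "random-looking name" test is a rough heuristic that is only applied once an entry already has a missing boot- or system-start image. On this input the `cgtfa` entry lands in `high`, while Forefront's `MpKsl*` definition-update driver, which has the same missing-file shape but a recognisable name and path, lands in `review`.

```python
"""Triage helper for the services and Security Center sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. The parsing rules are an
assumed reading of ComboFix output: a service line is
'<R|S><start type> <name>;<display name>;<image path> [date size]', and when the
image cannot be found on disk ComboFix appends '--> <path> [?]'.
"""
import re
from dataclasses import dataclass, field

SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$"
)
MISSING_RE = re.compile(r"-->\s+(?P<path>.+?)\s+\[\?\]\s*$")
OVERRIDE_RE = re.compile(
    r'^"(?P<key>(?:AntiVirus|Firewall)Override)"=dword:(?P<val>[0-9A-Fa-f]{8})$'
)
VOWELS = set("aeiou")


@dataclass
class Service:
    start: str     # e.g. 'S0': S/R = stopped/running, digit = start type (0 boot, 1 system)
    name: str
    image: str     # image path as ComboFix printed it
    missing: bool  # True when ComboFix appended '--> <path> [?]'


@dataclass
class Triage:
    high: list = field(default_factory=list)       # missing boot/system driver, random-looking name
    review: list = field(default_factory=list)     # missing boot/system driver, ordinary-looking name
    overrides: list = field(default_factory=list)  # Security Center overrides with a non-zero value


def parse_services(lines):
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        missing = MISSING_RE.search(image)
        # With no '-->' marker the path is everything before the ' [date size]' suffix.
        path = missing.group("path") if missing else image.split(" [", 1)[0].strip()
        services.append(Service(m.group("start"), m.group("name").strip(), path, bool(missing)))
    return services


def looks_random(token):
    """Heuristic: 5-8 all-lowercase letters with at most one vowel in five
    ('cgtfa', 'rciwwjn'). It also hits some vendor shorthand, so it is only
    used to rank entries whose image is already missing."""
    if not (5 <= len(token) <= 8) or not token.isalpha() or not token.islower():
        return False
    return sum(c in VOWELS for c in token) / len(token) <= 0.2


def file_stem(path):
    """Last path component without its extension: '...\\rciwwjn.sys' -> 'rciwwjn'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage(lines):
    result = Triage()
    for svc in parse_services(lines):
        if not (svc.start[1] in "01" and svc.missing):
            continue  # stopped S2/S3 leftovers from uninstalled tools are not an indicator by themselves
        if looks_random(svc.name) or looks_random(file_stem(svc.image)):
            result.high.append(svc.name)
        else:
            result.review.append(svc.name)
    for line in lines:
        m = OVERRIDE_RE.match(line.strip())
        if m and int(m.group("val"), 16) != 0:
            result.overrides.append(m.group("key"))
    return result


# Lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("high:", r.high)
    print("review:", r.review)
    print("security center overrides set:", r.overrides)
```

Run it against a saved ComboFix.txt by replacing `SAMPLE_LOG` with `open(path, encoding="utf-8", errors="replace").read().splitlines()`. The `review` bucket is deliberately noisy: Forefront's per-update `MpKsl*` drivers are registered at start type 1 and routinely show as missing once the definition folder rotates, so the path is what tells them apart, not the shape of the line.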
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on June 02, 2010, 10:32:38 AM
Just one more script to run, please. It's been so long; how's your computer running?

Re-running ComboFix to remove infections:


Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 02, 2010, 11:43:51 AM
I have not had any problems after the second ComboFix run, I think. But I am not too sure. It is not slow, and it does not redirect anymore. I did run several full scans; no issues were encountered.

I'll run ComboFix with the new script and revert.

Thanks!
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 03, 2010, 06:16:32 AM
ComboFix 10-06-02.02 - iraval 06/02/2010  21:58:19.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1192 [GMT -7:00]
Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

FILE ::
"C:\fixme.bat  (delete)"
"C:\HelpAsst_backup"
"c:\windows\inf\COM12F.tmp"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\HelpAsst_backup
c:\helpasst_backup\DomainGOPList.reg
c:\helpasst_backup\S-1-5-21-1737608194-1000615609-2549537844-1005.reg
c:\helpasst_backup\StandardGOPList.reg
c:\helpasst_backup\termsrv32.dll
c:\windows\inf\COM12F.tmp

----- BITS: Possible infected sites -----

hxxp://CASANSMS1:80
.
(((((((((((((((((((((((((   Files Created from 2010-05-03 to 2010-06-03  )))))))))))))))))))))))))))))))
.

2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 12:11 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
2010-06-03 12:09 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
2010-06-03 03:13 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-06-01 17:37 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
"Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\iraval\Start Menu\Programs\Startup\
BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
"Script"=servicenow.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
"Script"=Inventory4.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
"Script"=list_lenovo_profiles_and_delete.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
WINRM   REG_MULTI_SZ      WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

2010-06-03 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-06-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

2010-06-03 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = ;*.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 05:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)
c:\windows\system32\SSRPMGINA.dll

- - - - - - - > 'lsass.exe'(1276)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(9540)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\stsystra.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\windows\system32\NOTEPAD.EXE
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\BSEMktWatch\Gadgetworker.exe
c:\program files\VirtuaWin\modules\WinList.exe
c:\progra~1\Webshots\315~1.761\Webshots.scr
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-03  05:18:39 - machine was rebooted
ComboFix-quarantined-files.txt  2010-06-03 12:18
ComboFix2.txt  2010-06-02 05:30
ComboFix3.txt  2010-05-29 04:09

Pre-Run: 22,852,235,264 bytes free
Post-Run: 22,858,293,248 bytes free

- - End Of File - - 63CE8C5ED79CF5504A7E3067565FE9AF
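The service section of a ComboFix log (the `R1 ... / S0 ... / S3 ...` lines above) encodes the run state (R = running, S = stopped), the start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), the service name, display name and image path, and prints `--> <path> [?]` when the image file could not be found on disk. The script below is an added example, not part of the original thread and not a ComboFix feature: it parses those lines, flags entries whose image is missing, applies a labelled heuristic for boot/system-start drivers with short random-looking names (a pattern, not proof of infection), and checks the `Security Center` override values that suppress the antivirus and firewall warnings. The sample log text is a constructed excerpt of a few lines copied from the log above; the `ServiceEntry` type, function names and the random-name regex are assumptions made for this example.

```python
"""Triage helpers for the service/driver section of a ComboFix log.

Added example; not ComboFix's own code and not from the original thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
"""


@dataclass
class ServiceEntry:
    state: str      # 'R' running or 'S' stopped
    start: int      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image: str
    resolved: bool  # False when ComboFix printed "--> <path> [?]"


# "<R|S><start> name;display;image [date size]"  or  "... --> image [?]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
TRAILING_INFO_RE = re.compile(r"\s*\[[^\]]*\]\s*$")
# Heuristic (assumption): 4-10 lowercase letters with no digits or separators.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,10}$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.M)


def parse_services(log_text):
    """Return a ServiceEntry for every service line found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        unresolved = rest.rstrip().endswith("[?]")
        if unresolved:
            image = rest.split(" --> ")[0]          # path as stored in the registry
        else:
            image = TRAILING_INFO_RE.sub("", rest)  # drop "[date size]"
        entries.append(ServiceEntry(state, int(start), name, display,
                                    image.strip(), not unresolved))
    return entries


def suspicious(entries):
    """List (name, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if not e.resolved:
            reasons.append("image file not found on disk")
        if e.start <= 1 and e.name == e.display and RANDOM_NAME_RE.match(e.name):
            reasons.append("boot/system-start driver with a random-looking name")
        if reasons:
            findings.append((e.name, reasons))
    return findings


def security_center_overrides(log_text):
    """Names of Security Center override values set to 1 (warnings suppressed)."""
    return sorted(set(OVERRIDE_RE.findall(log_text)))


if __name__ == "__main__":
    svc = parse_services(SAMPLE_LOG)
    for name, reasons in suspicious(svc):
        print(f"{name}: {'; '.join(reasons)}")
    for value in security_center_overrides(SAMPLE_LOG):
        print(f"Security Center {value} is set: the matching warning is suppressed")
```

Run against the excerpt, it reports `cgtfa` (boot-start, random-looking name, file missing) and `ATE_PROCMON` (file missing) for review, and both Security Center overrides. A missing image on its own is often just an uninstalled product that left its service registration behind, as the Anti Trojan Elite entry probably is; the combination of boot start, a random name and a missing file is what makes an entry worth checking with a rootkit scanner rather than deleting blind.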
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on June 03, 2010, 07:55:39 AM
Ok. That looks good. Let's try this and post the log, if any.

I'd like us to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 04, 2010, 06:08:33 AM
ESET Scan result:
------------------------

C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache57910.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache7136.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined


Log file content:
--------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=30832513b651c148a9e0d6094cf3eca9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-04 10:29:58
# local_time=2010-06-04 03:29:58 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=239584
# found=2
# cleaned=2
# scan_time=24685
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache57910.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache7136.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on June 04, 2010, 07:11:51 PM
That looks good. If there are no other issues, it's time for some clean-up.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

==============================

Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.

1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.

===============================

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

============================

Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

===============================

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on June 04, 2010, 10:28:27 PM
Thanks. I have not had any more issues recently. I will perform those steps and revert.
Title: Re: Alureon.H rootkit virus TermDD
Post by: ishan on July 05, 2010, 08:43:29 AM
SuperDave:

I installed Comodo Plus firewall and since then I have not encountered any issues. However, the firewall keeps popping up for any action that is performed against important files.

I think the firewall learns on its own and will be fine later.

Thanks so much for your help.

Any other advice for me?

Thanks!
Title: Re: Alureon.H rootkit virus TermDD
Post by: SuperDave on July 05, 2010, 01:13:00 PM
I had that same problem when I installed Comodo, but now I hardly notice it. One thing I do when I'm installing a new program is to disable it and enable my Windows Firewall, because Comodo can turn a simple install into a 1/2 hr. ordeal.