
Topic: Alureon.H rootkit virus TermDD


    ishan (Topic Starter)
    Alureon.H rootkit virus TermDD
    « on: May 25, 2010, 06:09:13 AM »
    Hello All,

    I've got this new Alureon.H rootkit virus, which infected atapi earlier and is now infecting TermDD even after I repaired my Windows XP installation. I ran SystemLook.exe and here is the output:

    I ran Malwarebytes', but it does not find any virus; my Microsoft Forefront Security does.

    Please help

      ishan (Topic Starter)
      Re: Alureon.H rootkit virus TermDD
      « Reply #1 on: May 25, 2010, 06:11:20 AM »
      I ran SystemLook.exe and DDS. Here is the output:

      SystemLook:

      SystemLook v1.0 by jpshortstuff (11.01.10)
      Log created at 04:49 on 25/05/2010 by iraval (Administrator - Elevation successful)

      ========== filefind ==========

      Searching for "*termdd.sys"
      C:\WINDOWS\system32\drivers\termdd.sys   --a--- 40840 bytes   [20:46 27/08/2007]   [12:43 14/04/2008] 1AD549DB9D8F305DBFBC9387017405FE

      -=End Of File=-

      Allan (Moderator)

        ishan (Topic Starter)
        Re: Alureon.H rootkit virus TermDD
        « Reply #3 on: May 25, 2010, 06:29:35 AM »
        Thanks for quick reply!

        At present, SUPERAntiSpyware is scanning my machine. I will keep posted.

          ishan (Topic Starter)
          Re: Alureon.H rootkit virus TermDD
          « Reply #4 on: May 25, 2010, 06:35:51 AM »
          DDS (Ver_09-09-29.01) - NTFSx86 
          Run by iraval at  4:51:16.93 on Tue 05/25/2010
          Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1094 [GMT -7:00]

          AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated)   {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

          ============== Running Processes ===============

          svchost.exe
          C:\WINDOWS\System32\svchost.exe -k netsvcs
          C:\WINDOWS\system32\svchost -k DcomLaunch
          c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          svchost.exe
          svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          C:\Program Files\avs\bin\avagent.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          svchost.exe
          C:\Program Files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe
          C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
          C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
          C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
          C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          c:\WINDOWS\system32\rserver30\RServer3.exe
          C:\WINDOWS\system32\StacSV.exe
          C:\WINDOWS\system32\svchost.exe -k imgsvc
          C:\WINDOWS\system32\dllhost.exe
          C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\system32\CCM\CcmExec.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\rundll32.exe
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
          C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
          C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
          C:\Program Files\Apoint\Apoint.exe
          C:\WINDOWS\system32\KADxMain.exe
          C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
          C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
          C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
          C:\Program Files\Apoint\ApMsgFwd.exe
          C:\WINDOWS\system32\rundll32.exe
          C:\Program Files\Apoint\HidFind.exe
          C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
          C:\Program Files\Logitech\QuickCam\Quickcam.exe
          C:\Program Files\Apoint\Apntex.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
          C:\WINDOWS\stsystra.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Session ShortCuts\ssc.exe
          C:\Program Files\PicPick\picpick.exe
          C:\Documents and Settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
          C:\Program Files\avs\bin\avscc.exe
          C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          C:\Program Files\BSEMktWatch\BSE Mkt Watch.exe
          C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Program Files\VirtuaWin\VirtuaWin.exe
          C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
          C:\Program Files\BSEMktWatch\Gadgetworker.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
          C:\Program Files\VirtuaWin\modules\WinList.exe
          C:\PROGRA~1\Webshots\315~1.761\Webshots.scr
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
          C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Documents and Settings\iraval\Desktop\SystemLook.exe
          C:\WINDOWS\system32\SearchProtocolHost.exe
          C:\Documents and Settings\iraval\Desktop\dds.com

            ishan (Topic Starter)
            Re: Alureon.H rootkit virus TermDD
            « Reply #5 on: May 25, 2010, 06:37:35 AM »
            ================= FIREFOX ===================

            FF - ProfilePath - c:\docume~1\iraval\applic~1\mozilla\firefox\profiles\ggy72g16.default\
            FF - plugin: c:\documents and settings\iraval\application data\mozilla\plugins\npgoogletalk.dll
            FF - plugin: c:\documents and settings\iraval\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
            FF - plugin: c:\documents and settings\iraval\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
            FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
            FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
            FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
            FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
            FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

            ---- FIREFOX POLICIES ----
            FF - user.js: network.protocol-handler.warn-external.dnupdate - false
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

            ============= SERVICES / DRIVERS ===============

            R1 MpKsl4e9afcf2;MpKsl4e9afcf2;c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl4e9afcf2.sys [2010-5-25 28752]
            R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-6-29 40640]
            R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-18 93872]
            R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-8-28 19328]
            R2 avbackup;Backup Agent;c:\program files\avs\bin\avagent.exe [2009-6-23 4576536]
            R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2mgmtsvc.exe [2007-7-23 35616]
            R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
            R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
            R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-9-29 13088]
            R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
            R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-7-10 1242432]
            R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2008-4-14 5120]
            R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2007-8-28 218368]
            R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-20 38224]
            R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
            S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
            S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\mpksl6bf6c1a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl6bf6c1a0.sys [?]
            S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
            S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
            S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
            S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2sec.exe [2007-7-23 14112]
            S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
            S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\bin\ONRSD80.EXE [2010-1-28 101136]
            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

            =============== Created Last 30 ================

            2010-05-25 04:25   <DIR>   --d-----   c:\windows\ms
            2010-05-25 04:15   28,288   ac------   c:\windows\system32\dllcache\xjis.nls
            2010-05-25 04:13   92,416   ac------   c:\windows\system32\dllcache\mga.sys
            2010-05-25 04:12   187,938   ac------   c:\windows\system32\dllcache\c_20005.nls
            2010-05-25 04:10   488   a---hr--   c:\windows\system32\logonui.exe.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\WindowsShell.Manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\wuaucpl.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\sapi.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\nwc.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\ncpa.cpl.manifest
            2010-05-25 04:10   16,384   ac------   c:\windows\system32\dllcache\isignup.exe
            2010-05-25 01:12   13,312   ac------   c:\windows\system32\dllcache\irclass.dll
            2010-05-25 01:12   13,312   a-------   c:\windows\system32\irclass.dll
            2010-05-25 01:12   24,661   ac------   c:\windows\system32\dllcache\spxcoins.dll
            2010-05-25 01:12   24,661   a-------   c:\windows\system32\spxcoins.dll
            2010-05-24 23:05   <DIR>   --d-----   c:\program files\ESET
            2010-05-24 22:40   0   a-------   c:\windows\system32\SBRC.dat
            2010-05-18 08:02   27,944   a-------   c:\windows\system32\sbbd.exe
            2010-05-18 08:02   93,872   a-------   c:\windows\system32\drivers\SBREDrv.sys
            2010-05-18 08:02   <DIR>   --d-----   C:\VIPRERESCUE
            2010-05-16 00:35   1,837   a-------   C:\expstat.sql
            2010-05-05 21:12   <DIR>   --d-----   c:\program files\iPod
            2010-05-05 21:11   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
            2010-05-05 21:11   <DIR>   --d-----   c:\program files\iTunes
            2010-05-05 20:56   <DIR>   --d-----   c:\program files\Bonjour
            2010-05-02 10:52   16,535   a----r--   c:\windows\SET90.tmp
            2010-05-02 10:52   1,088,840   a----r--   c:\windows\SET84.tmp
            2010-05-02 10:52   1,296,669   a----r--   c:\windows\SET81.tmp
            2010-05-02 08:38   16,535   a----r--   c:\windows\SET8F.tmp
            2010-05-02 08:38   1,088,840   a----r--   c:\windows\SET83.tmp
            2010-05-02 08:38   1,296,669   a----r--   c:\windows\SET80.tmp
            2010-05-02 07:41   16,535   a----r--   c:\windows\SETE5.tmp
            2010-05-02 07:41   1,088,840   a----r--   c:\windows\SETD9.tmp
            2010-05-02 07:41   1,296,669   a----r--   c:\windows\SETD6.tmp
            2010-05-02 03:40   2,145,386,496   a-------   c:\windows\MEMORY.DMP
            2010-05-02 02:05   <DIR>   --d-----   C:\WINXP
            2010-05-01 22:42   <DIR>   --d-----   c:\program files\SiteAdvisor
            2010-05-01 17:58   <DIR>   --d-----   c:\windows\system32\wbem\Repository
            2010-04-28 14:10   73,728   a-------   c:\windows\system32\javacpl.cpl

            ==================== Find3M  ====================

            2010-05-25 04:09   24,908   a-------   c:\windows\system32\emptyregdb.dat
            2010-05-25 01:20   95,194   a-------   c:\windows\system32\nvModes.dat
            2010-05-06 10:36   221,568   --------   c:\windows\system32\MpSigStub.exe
            2010-04-29 15:39   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-04-29 15:39   20,952   a-------   c:\windows\system32\drivers\mbam.sys
            2010-04-16 08:33   3,003,680   a-------   c:\windows\system32\usbaaplrc.dll
            2010-04-16 08:33   41,472   a-------   c:\windows\system32\drivers\usbaapl.sys
            2010-04-08 13:20   107,808   a-------   c:\windows\system32\dns-sd.exe
            2010-04-08 13:20   91,424   a-------   c:\windows\system32\dnssd.dll

            ============= FINISH:  4:53:34.82 ===============

              ishan (Topic Starter)
              Re: Alureon.H rootkit virus TermDD
              « Reply #6 on: May 25, 2010, 06:40:54 AM »

              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
              IF REQUESTED, ZIP IT UP & ATTACH IT

              DDS (Ver_09-09-29.01)

              Microsoft Windows XP Professional
              Boot Device: \Device\HarddiskVolume1
              Install Date: 5/25/2010 4:15:16 AM
              System Uptime: 5/25/2010 4:17:32 AM (0 hours ago)

              Motherboard: Dell Inc. |  |       
              Processor: Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz | Microprocessor | 1995/200mhz

              ==== Disk Partitions =========================

              C: is FIXED (NTFS) - 75 GiB total, 12.484 GiB free.
              D: is CDROM ()

              ==== Disabled Device Manager Items =============

              ==== System Restore Points ===================

              RP1: 5/25/2010 4:32:12 AM - System Checkpoint
              RP2: 5/25/2010 4:43:20 AM - Microsoft Forefront Client Security Checkpoint

              ==== Installed Programs ======================

              32 Bit HP CIO Components Installer
              7-Zip 9.07 beta
              AAC Decoder
              Adobe Flash Player 10 ActiveX
              Adobe Flash Player 10 Plugin
              Adobe Reader 9.1
              AIM 7
              AIO_Scan
              Apple Application Support
              Apple Mobile Device Support
              Apple Software Update
              AT&T Global Network Client Internet Edition
              AutoUpdate
              Backup for Windows
              biolsp patch
              Bluetooth Stack for Windows by Toshiba
              Bonjour
              Broadcom Gigabit Integrated Controller
              Broadcom TPM Driver Installer
              BSE Mkt Watch 1.0.0.9
              CCleaner
              ClearType Tuning Control Panel Applet
              CmdHere Powertoy For Windows XP
              Codesite client tools
              Compatibility Pack for the 2007 Office system
              Conexant HDA D330 MDC V.92 Modem
              Dell Embassy Trust Suite by Wave Systems
              Dell Touchpad
              DivX Codec
              DivX Converter
              DivX Player
              DivX Plus DirectShow Filters
              DivX Plus Web Player
              DivX Version Checker
              Document Manager Lite
              Download Updater (AOL LLC)
              EMBASSY Security Center
              EMBASSY Security Setup
              EMBASSY Trust Suite by Wave Systems
              ESC Home Page Plugin
              ESET Online Scanner v3
              ETS Upgrade
              Garmin USB Drivers
              Garmin WebUpdater
              Google Chrome
              Google Earth Plug-in
              Google Talk (remove only)
              Google Talk Plugin
              Google Update Helper
              Google Updater
              GoToMeeting 4.5.0.452
              GPL MPEG-1/2 DirectShow Decoder Filter
              H.264 Decoder
              Hotfix for Microsoft .NET Framework 3.0 (KB932471)
              Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
              Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
              ICE.TCP 4.3.1 for Windows 95
              Image Resizer Powertoy for Windows XP
              Intel(R) PROSet/Wireless Software
              IntelliSonic Speech Enhancement
              iSEEK AnswerWorks English Runtime
              iTunes
              Java(TM) 6 Update 6
              Java(TM) 6 Update 7
              Juniper Networks Host Checker
              Juniper Networks Network Connect 6.4.0
              Juniper Networks Network Connect 6.5.0
              Juniper Networks Setup Client
              Knowledge Xpert
              Knowledge Xpert for Oracle Administration
              Knowledge Xpert for PLSQL
              Knowledge Xpert Oracle Common
              Logitech QuickCam
              Magic ISO Maker v5.5 (build 0276)
              MagicDisc 2.7.106
              Malwarebytes' Anti-Malware
              mCore
              mDriver
              mDrWiFi
              mHlpDell
              Microsoft .NET Framework 1.1
              Microsoft .NET Framework 1.1 Security Update (KB953297)
              Microsoft .NET Framework 2.0 Service Pack 2
              Microsoft .NET Framework 3.0 Service Pack 2
              Microsoft .NET Framework 3.5 SP1
              Microsoft Forefront Client Security Antimalware Service
              Microsoft Forefront Client Security State Assessment Service
              Microsoft Office 2007 Service Pack 2 (SP2)
              Microsoft Office Access MUI (English) 2007
              Microsoft Office Access Setup Metadata MUI (English) 2007
              Microsoft Office Communicator 2007 R2
              Microsoft Office Enterprise 2007
              Microsoft Office Excel MUI (English) 2007
              Microsoft Office Groove MUI (English) 2007
              Microsoft Office Groove Setup Metadata MUI (English) 2007
              Microsoft Office InfoPath MUI (English) 2007
              Microsoft Office Live Meeting 2005
              Microsoft Office Live Meeting 2007
              Microsoft Office OneNote MUI (English) 2007
              Microsoft Office Outlook MUI (English) 2007
              Microsoft Office PowerPoint MUI (English) 2007
              Microsoft Office Proof (English) 2007
              Microsoft Office Proof (French) 2007
              Microsoft Office Proof (Spanish) 2007
              Microsoft Office Proofing (English) 2007
              Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
              Microsoft Office Publisher MUI (English) 2007
              Microsoft Office Shared MUI (English) 2007
              Microsoft Office Shared Setup Metadata MUI (English) 2007
              Microsoft Office Visio Viewer 2007
              Microsoft Office Web Components
              Microsoft Office Word MUI (English) 2007
              Microsoft Operations Manager 2005 Agent
              Microsoft Silverlight
              Microsoft Software Update for Web Folders  (English) 12
              Microsoft Virtual PC 2007 SP1
              Microsoft Visual C++ 2005 Redistributable
              Microsoft Visual SourceSafe 6.0
              mIWA
              MKV Splitter
              mLogView
              mMHouse
              Mouse Gestures for Internet Explorer (x86)
              Mozilla Firefox (3.5.9)
              mPfMgr
              mPfWiz
              mProSafe
              mSCfg
              mSSO
              MSXML 4.0 SP2 (KB936181)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              MSXML 6.0 Parser (KB933579)
              mWlsSafe
              mWMI
              mZConfig
              Notepad++
              NTRU TCG Software Stack
              NVIDIA Drivers
              O2Micro USB Smart Card Reader
              OGA Notifier 2.0.0048.0
              Oracle Data Provider for .NET Help
              OZ776 SCR Driver V1.1.3.9
              PDFCreator
              Picasa 3
              PicPick
              PowerDVD
              Preboot Manager
              Private Information Manager
              PuTTY Connection Manager 0.7.1.136beta
              PuTTY version 0.60
              Quest Installer
              Quest PuTTY 0.60_q1.129
              Quest Software Toad for Data Analysts 2.1
              Quest SQL Optimizer 7.4.1 for Oracle
              Quest SQL Optimizer for Oracle Common
              Quest SQL Tuning for Oracle
              QuickSet
              QuickTime
              Radmin Server 3.0
              RedMon - Redirection Port Monitor
              Secure Update
              Security Update for 2007 Microsoft Office System (KB969559)
              Security Update for 2007 Microsoft Office System (KB976321)
              Security Update for 2007 Microsoft Office System (KB978380)
              Security Update for CAPICOM (KB931906)
              Security Update for Microsoft Office Excel 2007 (KB978382)
              Security Update for Microsoft Office Outlook 2007 (KB972363)
              Security Update for Microsoft Office PowerPoint 2007 (KB957789)
              Security Update for Microsoft Office Publisher 2007 (KB980470)
              Security Update for Microsoft Office system 2007 (972581)
              Security Update for Microsoft Office system 2007 (KB969613)
              Security Update for Microsoft Office system 2007 (KB974234)
              Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
              Security Wizards
              Session ShortCuts 1.0.1
              SigmaTel Audio
              SMS Advanced Client
              Spelling Dictionaries Support For Adobe Reader 8
              SSRPM User Client Software
              Toad for Oracle
              Toolbox
              tsp patch
              TurboTax 2009
              TurboTax 2009 wcaiper
              TurboTax 2009 WinPerFedFormset
              TurboTax 2009 WinPerReleaseEngine
              TurboTax 2009 WinPerTaxSupport
              TurboTax 2009 wmiiper
              TurboTax 2009 wrapper
              Tweak UI
              Update for 2007 Microsoft Office System (KB967642)
              Update for 2007 Microsoft Office System (KB981715)
              Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
              Update for Microsoft Office 2007 Help for Common Features (KB963673)
              Update for Microsoft Office Access 2007 Help (KB963663)
              Update for Microsoft Office Excel 2007 Help (KB963678)
              Update for Microsoft Office InfoPath 2007 (KB976416)
              Update for Microsoft Office Infopath 2007 Help (KB963662)
              Update for Microsoft Office OneNote 2007 (KB980729)
              Update for Microsoft Office OneNote 2007 Help (KB963670)
              Update for Microsoft Office Outlook 2007 Help (KB963677)
              Update for Microsoft Office Powerpoint 2007 Help (KB963669)
              Update for Microsoft Office Publisher 2007 Help (KB963667)
              Update for Microsoft Office Script Editor Help (KB963671)
              Update for Microsoft Office Word 2007 (KB974561)
              Update for Microsoft Office Word 2007 Help (KB963665)
              Update for Outlook 2007 Junk Email Filter (kb981726)
              upekmsi
              VC80CRTRedist - 8.0.50727.4053
              ViewMail for Outlook 4.2(2)
              VirtuaWin v4.1
              VLC media player 1.0.5
              Vuze
              Wave Infrastructure Installer
              Wave Support Software
              WebEx
              WebFldrs XP
              Webshots Desktop
              Windows Driver Package - Dell Inc. PBADRV System  (09/25/2006 6.0.0.0)
              Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
              Windows Driver Package - O2Micro (guardian2) SmartCardReader  (02/05/2007 1.1.3.7)
              Windows Genuine Advantage Notifications (KB905474)
              Windows Genuine Advantage Validation Tool (KB892130)
              Windows Management Framework Core
              Windows Media Format 11 runtime
              Windows Media Player 11
              Windows Presentation Foundation
              Windows Support Tools
              WinSCP 4.2.7
              XML Paper Specification Shared Components Pack 1.0
              Yahoo! BrowserPlus
              Yahoo! Messenger

              ==== Event Viewer Messages From Past Week ========

              5/25/2010 4:43:21 AM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {24C76FF8-61D7-4676-8CD4-A4B4CB494E96}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->TermDD    Action: Clean    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
              5/25/2010 4:17:02 AM, error: Setup [60055]  - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
              5/25/2010 4:11:25 AM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
              5/25/2010 1:19:46 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
              5/25/2010 1:19:46 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
              5/25/2010 1:19:26 AM, error: SCardSvr [616]  - Reader monitor 'O2Micro CCID SC Reader 0' received uncaught error code:  The device does not recognize the command.
              5/25/2010 1:19:26 AM, error: SCardSvr [612]  - Reader insertion monitor error retry threshold reached:  The device does not recognize the command.
              5/25/2010 1:10:56 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
              5/25/2010 1:10:56 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
              5/24/2010 9:19:22 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.22 for the Network Card with network address 00FF98BC358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/24/2010 10:36:40 PM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {A3ECBBA0-C52C-44DC-B153-3D339689E25A}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->atapi    Action: Remove    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
              5/23/2010 5:56:56 PM, error: Dhcp [1002]  - The IP address lease 10.0.62.96 for the Network Card with network address 00FF90B2338A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/22/2010 7:59:30 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
              5/22/2010 7:59:09 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
              5/21/2010 8:02:04 PM, error: NETLOGON [5719]  - No Domain Controller is available for domain CRICKET due to the following:  There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
              5/21/2010 10:31:36 AM, error: Dhcp [1002]  - The IP address lease 10.0.60.88 for the Network Card with network address 00FF20EA348A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/20/2010 9:16:32 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FFA827358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/19/2010 9:46:25 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FF30753B8A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/18/2010 9:51:57 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.78 for the Network Card with network address 00FF985C478A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).

              ==== End Of File ===========================

              ishan

                Re: Alureon.H rootkit virus TermDD
                « Reply #7 on: May 25, 2010, 09:19:57 AM »
                Well, as a last resort, I repaired my Windows XP installation, but the TermDD rootkit virus still remains.

                Any help?

                Allan

                Re: Alureon.H rootkit virus TermDD
                « Reply #8 on: May 25, 2010, 09:43:58 AM »
                A repair will not eliminate viruses. Either do a full format and reinstall or wait for one of CH's malware specialists to check your logs.

                SuperDave

                Re: Alureon.H rootkit virus TermDD
                « Reply #9 on: May 25, 2010, 10:17:58 AM »
                Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

                1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                2. The fixes are specific to your problem and should only be used for this issue on this machine.
                3. If you don't know or understand something, please don't hesitate to ask.
                4. Please DO NOT run any other tools or scans while I am helping you.
                5. It is important that you reply to this thread. Do not start a new topic.
                6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                7. Absence of symptoms does not mean that everything is clear.

                First of all, you only have 12 GiB of free space on your HD. You should have 15%. Soon your computer will start having operating problems including crashes. You need to free up some more space.

                ============================
                SUPERAntiSpyware

                If you already have SUPERAntiSpyware be sure to check for updates before scanning!


                Download SuperAntispyware Free Edition (SAS)
                * Double-click the icon on your desktop to run the installer.
                * When asked to Update the program definitions, click Yes
                * If you encounter any problems while downloading the updates, manually download and unzip them from here
                * Next click the Preferences button.

                •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
                * Click the Scanning Control tab.
                * Under Scanner Options make sure only the following are checked:

                •Close browsers before scanning
                •Scan for tracking cookies
                •Terminate memory threats before quarantining
                Please leave the others unchecked

                •Click the Close button to leave the control center screen.

                * On the main screen click Scan your computer
                * On the left check the box for the drive you are scanning.
                * On the right choose Perform Complete Scan
                * Click Next to start the scan. Please be patient while it scans your computer.
                * After the scan is complete a summary box will appear. Click OK
                * Make sure everything in the white box has a check next to it, then click Next
                * It will quarantine what it found and if it asks if you want to reboot, click Yes

                •To retrieve the removal information please do the following:
                •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
                •Click Preferences. Click the Statistics/Logs tab.

                •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

                •It will open in your default text editor (preferably Notepad).
                •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

                * Save the log somewhere you can easily find it. (normally the desktop)
                * Click close and close again to exit the program.
                *Copy and Paste the log in your post.

                ======================================

                Please download Malwarebytes Anti-Malware from here.

                Double Click mbam-setup.exe to install the application.
                • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
                • If an update is found, it will download and install the latest version.
                • Once the program has loaded, select "Perform Full Scan", then click Scan.
                • The scan may take some time to finish, so please be patient.
                • When the scan is complete, click OK, then Show Results to view the results.
                • Make sure that everything is checked, and click Remove Selected.
                • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                • Please save the log to a location you will remember.
                • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                • Copy and paste the entire report in your next reply.
                Extra Note:

                If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

                ======================================

                Download ComboFix by sUBs from one of the below links. 

                Important! You MUST save ComboFix to your desktop

                link # 1
                Link # 2

                Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                Double click on ComboFix.exe & follow the prompts.

                Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

                Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

                When the scan completes it will open a text window.
                 
                Post the contents of that log in your next reply.

                Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

                ishan

                  Re: Alureon.H rootkit virus TermDD
                  « Reply #10 on: May 25, 2010, 12:22:28 PM »
                  Hi SuperDave!

                  Thanks a lot for your help!

                  I am sorry for being a bit impatient in this case and not replying to your email quickly.

                  I did not have access to any other computer than the infected one and I did not want to connect that to the Internet.

                  It seems like the issue is fixed, but please verify the logs that I am going to upload and advise. Yes, I used ComboFix, but I was already running it before you updated this, so I did not cancel it.

                  1. I downloaded Anti Trojan Elite (Free) and it did find the virus. However, the free version of the software does not allow you to kill those viruses. So no help!

                  2. As already mentioned by Allan, I downloaded SUPERAntiSpyware Free Edition, which found and cleaned a few cookies. I did not think they were malicious, but I deleted them anyway.

                  3. My Microsoft Forefront Client Security still complained about the TermDD rootkit virus in the quick scan itself; as you can see from the logs, it was simply unable to remove it. I visited safety.live.com and did a quick scan. OneCare also found an issue and was unable to remove it.

                  4. I downloaded ComboFix and decided to use it whatever the side effects. I simply ran it and it did find rootkit activity. After reboot, it did some cleanup (it fixed atapi.sys and a few other files which I think were infected before I repaired the installation).

                  Excerpt of Combofix.txt

                  Other Delections
                  ----------------
                  c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr0.dat
                  c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr1.dat
                  c:\windows\system32\AutoRun.inf
                  c:\windows\system32\VB40032.DLL



                  5. Microsoft Forefront still complained about the TermDD rootkit virus. From a similar forum thread on bleepingcomputer.com about the Alureon.H threat, I created a CFScript.txt:

                  TDL::
                  C:\WINDOWS\system32\drivers\termdd.sys

                  and ran ComboFix again with this script.

                  6. Again ComboFix found rootkit activity and forced a reboot. After the reboot, while it was fixing the issue, it crashed with a memory dump and blue screen.

                  7. I rebooted my machine and scanned again. Well, not so easy :( ... No luck this time. I simply re-ran ComboFix (without CFScript.txt) and I think it ran well except for a few memory 'cannot be read' errors.

                  9. I checked the ComboFix log, and it seems that it fixed the rootkit! I did a quick scan again with Forefront; it did not complain this time.

                  Excerpt of Combofix.txt

                  Other Delections
                  ----------------
                  Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
                  Restored copy from - Kitty had a snack :p
                  Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
                  Restored copy from - Kitty ate it :p




                  10. At the moment, a full scan is being performed to find any more issues.


                  What do you suggest if full scan does not find any issue?

                  Thanks a lot once again!

                  Ishan


                  ishan

                    Re: Alureon.H rootkit virus TermDD
                    « Reply #11 on: May 25, 2010, 12:27:27 PM »
                    Hi Admin,

                    Please remove username/domain information from log that I posted earlier as I am unable to do it now.

                    thanks for your help.

                    SuperDave

                    Re: Alureon.H rootkit virus TermDD
                    « Reply #12 on: May 25, 2010, 01:31:21 PM »
                    I specifically asked you not to do this. If you want my help, you will have to follow instructions.

                    Quote
                    4. Please DO NOT run any other tools or scans while I am helping you.

                    Quote
                    5. Microsoft Forefront still complained about TermDD rootkit virus. From a similar forum on bleepingcomputer.com on Alureon.H threat, I created a CFScript.txt
                    TDL::
                    C:\WINDOWS\system32\drivers\termdd.sys
                    There is no TDL:: syntax in ComboFix. Please do not run anything until I ask you to do so!

                    I still haven't seen any complete logs which I will need.

                    ishan

                      Re: Alureon.H rootkit virus TermDD
                      « Reply #13 on: May 25, 2010, 03:09:41 PM »
                      I specifically asked you not to do this. If you want my help, you will have to follow instructions.
                      There is no TDL:: syntax in ComboFix. Please do not run anything until I ask you to do so!

                      I am sorry, but by the time you updated this thread I already executed Combofix.

                      I still haven't seen any complete logs which I will need.

                      what logs shall I upload now?

                      SuperDave

                      Re: Alureon.H rootkit virus TermDD
                      « Reply #14 on: May 25, 2010, 05:50:29 PM »
                      I will need to see the SAS, MBAM and ComboFix logs, in this order.

                      ishan

                        Re: Alureon.H rootkit virus TermDD
                        « Reply #15 on: May 26, 2010, 12:09:44 AM »
                        Attached all reports.

                        [recovering disk space - old attachment deleted by admin]

                        ishan

                          Re: Alureon.H rootkit virus TermDD
                          « Reply #16 on: May 26, 2010, 12:10:55 AM »
                          2nd and last run of Combofix.

                          [recovering disk space - old attachment deleted by admin]

                          ishan

                            Re: Alureon.H rootkit virus TermDD
                            « Reply #17 on: May 26, 2010, 08:28:44 AM »
                            Help please?

                            SuperDave

                            Re: Alureon.H rootkit virus TermDD
                            « Reply #18 on: May 26, 2010, 01:43:43 PM »
                            Download GMER Rootkit Detector and save it to your desktop.
                             
                            * Extract it to your desktop and double-click GMER.exe
                            * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
                            * Click the Rootkit tab and then Scan.
                            * Don't check the Show All box while scanning in progress!
                            * When scanning is finished click Copy.
                            * This copies the log to clipboard
                            * Post the log in your reply.

                            ishan

                              Re: Alureon.H rootkit virus TermDD
                              « Reply #19 on: May 26, 2010, 04:29:38 PM »
                              I downloaded GMER and extracted the zip on the desktop. When I tried to run it, Windows hung. I rebooted the machine, tried again with a minimum of apps open, and still it hung. This is even before I start scanning.

                              SuperDave

                              Re: Alureon.H rootkit virus TermDD
                              « Reply #20 on: May 26, 2010, 06:12:30 PM »
                              OK, please try this one.

                              Please download RootRepeal from GooglePages.com.
                              • Extract the program file to your Desktop.
                              • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


                              • Select ALL of the checkboxes and then click OK and it will start scanning your system.

                              • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                              • When done, click on Save Report
                              • Save it to the Desktop.
                              • Please copy/paste the contents of the report in your next reply.
                              Please remove any e-mail address in the RootRepeal report (if present).


                              ishan

                                Re: Alureon.H rootkit virus TermDD
                                « Reply #21 on: May 27, 2010, 01:46:12 AM »
                                ROOTREPEAL (c) AD, 2007-2009
                                ==================================================
                                Scan Start Time:      2010/05/26 23:26
                                Program Version:      Version 1.3.5.0
                                Windows Version:      Windows XP SP3
                                ==================================================

                                Drivers
                                -------------------
                                Name: dump_atapi.sys
                                Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                                Address: 0xB7952000   Size: 98304   File Visible: No   Signed: -
                                Status: -

                                Name: dump_WMILIB.SYS
                                Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                                Address: 0xBAE26000   Size: 8192   File Visible: No   Signed: -
                                Status: -

                                Name: rootrepeal.sys
                                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                                Address: 0xB42D8000   Size: 49152   File Visible: No   Signed: -
                                Status: -

                                Name: SASDIFSV.SYS
                                Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
                                Address: 0xBAC98000   Size: 24576   File Visible: No   Signed: -
                                Status: -

                                Name: SASKUTIL.SYS
                                Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
                                Address: 0xB7ACD000   Size: 139264   File Visible: No   Signed: -
                                Status: -

                                Hidden/Locked Files
                                -------------------
                                Path: C:\hiberfil.sys
                                Status: Locked to the Windows API!

                                Path: c:\windows\temp\microsoft operations manager\momservice(b).mc8
                                Status: Size mismatch (API: 71745, Raw: 68535)

                                Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000gg.msg
                                Status: Allocation size mismatch (API: 12288, Raw: 8192)

                                Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000002s.msg
                                Status: Allocation size mismatch (API: 61440, Raw: 57344)

                                Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\000001cs.msg
                                Status: Allocation size mismatch (API: 32768, Raw: 20480)

                                Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_mp_hinvendpoint\0000002b.msg
                                Status: Allocation size mismatch (API: 65536, Raw: 61440)

                                Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_statusreceiver\00000032.msg
                                Status: Allocation size mismatch (API: 90112, Raw: 73728)

                                Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_locationmanager\0000006w.msg
                                Status: Allocation size mismatch (API: 4096, Raw: 0)

                                Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\000001cc.msg
                                Status: Allocation size mismatch (API: 73728, Raw: 57344)

                                Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.cdf-ms
                                Status: Locked to the Windows API!

                                Path: C:\Documents and Settings\iraval\Local Settings\Apps\2.0\BGNRHMAN.BEO\L9J62ZNZ.Q83\manifests\clickonce_bootstrap.exe.manifest
                                Status: Locked to the Windows API!

                                SSDT
                                -------------------
                                #: 257   Function Name: NtTerminateProcess
                                Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620

                                Stealth Objects
                                -------------------
                                Object: Hidden Handle [Index: 4, Type: UnknownType]
                                Process: MsMpEng.exe (PID: 1944)   Address: 0xe4636818   Size: -

                                Object: Hidden Handle [Index: 4, Type: UnknownType]
                                Process: svchost.exe (PID: 1984)   Address: 0xe233b818   Size: -

                                Object: Hidden Handle [Index: 2052, Type: UnknownType]
                                Process: svchost.exe (PID: 1984)   Address: 0xe2e36020   Size: -

                                Object: Hidden Handle [Index: 6148, Type: UnknownType]
                                Process: svchost.exe (PID: 1984)   Address: 0xe5037020   Size: -

                                Object: Hidden Handle [Index: 8196, Type: UnknownType]
                                Process: svchost.exe (PID: 1984)   Address: 0xe4fe5020   Size: -

                                ==EOF==
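Reading a RootRepeal report by hand is easy to get wrong: "File Visible: No" drivers include Windows' own crash-dump driver copies, "Locked to the Windows API!" covers hiberfil.sys, and SSDT hooks are routinely placed by security products. The following is an added example in Python, not RootRepeal's code and not anything posted in this thread. It parses a constructed report in the layout seen above and sorts the findings into the buckets an analyst checks first. The section and field names follow the report format as pasted above; the sample paths and addresses, and the short list of drivers treated as benign when invisible, are assumptions.

```python
# Added triage helper for a RootRepeal-style report; not RootRepeal's code and
# not anything posted in the thread.
import re

# Constructed sample in the layout RootRepeal 1.3.x prints (an assumption based
# on the thread's paste); paths and addresses are illustrative only.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7952000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xB7ACD000   Size: 139264   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\example\queue.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)

SSDT
-------------------
#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xb7ad7620

==EOF==
"""

_RULE = re.compile(r"-{5,}")
_MISMATCH = re.compile(r"(Allocation size|Size) mismatch \(API: (\d+), Raw: (\d+)\)")
_HOOK = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# Drivers that normally have no backing file: Windows' crash-dump driver copies
# and the scanner's own kernel driver (assumed list, extend per environment).
EXPECTED_INVISIBLE = ("dump_", "rootrepeal.sys")


def _fields(line):
    # Several fields share one line, separated by runs of spaces.
    pairs = {}
    for chunk in re.split(r"\s{3,}", line.strip()):
        if ": " in chunk:
            key, value = chunk.split(": ", 1)
            pairs[key] = value.strip()
    return pairs


def parse_report(text):
    """{section: [record, ...]}: a heading is a line followed by a dashed rule;
    records are blank-line-separated blocks of 'Key: value' fields."""
    sections, current, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and _RULE.fullmatch(nxt):            # section heading
            if record:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections[current] = []
        elif current is None or _RULE.fullmatch(line.strip()):
            continue                                          # preamble or rule
        elif line.strip() in ("", "==EOF=="):                 # record boundary
            if record:
                sections[current].append(record)
            record = {}
        else:
            record.update(_fields(line))
    if record:
        sections[current].append(record)
    return sections


def triage(sections):
    """Drivers with no file on disk, split into known-benign and 'review' (AV
    self-protection drivers land in review on purpose, to be confirmed against
    installed products); API/raw size mismatches (plain 'Locked to the Windows
    API!' entries such as hiberfil.sys are normal and skipped); SSDT hooks, where
    the hooking module's path separates a security product's hook from a rootkit's."""
    out = {"expected_hidden": [], "review_hidden": [], "size_mismatch": [], "ssdt_hooks": []}
    for d in sections.get("Drivers", []):
        if d.get("File Visible") == "No":
            known = d["Name"].lower().startswith(EXPECTED_INVISIBLE)
            out["expected_hidden" if known else "review_hidden"].append(d["Name"])
    for f in sections.get("Hidden/Locked Files", []):
        m = _MISMATCH.search(f.get("Status", ""))
        if m:
            out["size_mismatch"].append((f["Path"], m.group(1), int(m.group(2)), int(m.group(3))))
    for h in sections.get("SSDT", []):
        m = _HOOK.search(h.get("Status", ""))
        if m:
            out["ssdt_hooks"].append((int(h["#"]), h["Function Name"], m.group(1), m.group(2)))
    return out
```

Run `triage(parse_report(open("report.txt").read()))` on a saved report; anything in `review_hidden`, any `size_mismatch` outside a known application's own cache, and any SSDT hook whose module path is not an installed security product is what to hand to a specialist first. On the report above, the two SAS drivers are hooks and invisible files with an obvious owner, while the many `ccm\...\*.msg` allocation mismatches belong to a management agent's message queue and are not evidence of the rootkit on their own.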

                                ishan

                                  Re: Alureon.H rootkit virus TermDD
                                  « Reply #22 on: May 27, 2010, 01:47:07 AM »
                                  [duplicate of the RootRepeal report posted in Reply #21]

                                  SuperDave

                                  Re: Alureon.H rootkit virus TermDD
                                  « Reply #23 on: May 27, 2010, 09:44:48 AM »
                                  Please follow these instructions carefully.

                                  Please download and save HelpAsst_mebroot_fix.exe

                                  •Double click to run the tool.

                                  •When complete, run mbr -f then reboot.

                                  •After reboot, provide the mbr log.

                                  ==============================

                                  Download this << file >> & extract TDSSKiller.exe onto your Desktop

                                  Then create this batch file to be placed next to TDSSKiller

                                  =====

                                  Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
                                  @ECHO OFF
                                  START /WAIT TDSSKILLER.exe -l Logit.txt -v
                                  START Logit.txt
                                  del %0
Save this as fix.bat. Choose "Save type as - All Files".
                                  It should look like this:
                                  Double click on fix.bat & allow it to run

                                  Post back to tell me what it says

                                  ishan

                                    Topic Starter


                                    Rookie
                                    Re: Alureon.H rootkit virus TermDD
                                    « Reply #24 on: May 27, 2010, 07:20:52 PM »

                                    Please download and save HelpAsst_mebroot_fix.exe

                                    I can not download this. There's no such download available.


                                    SuperDave

                                    Re: Alureon.H rootkit virus TermDD
                                    « Reply #25 on: May 27, 2010, 07:55:52 PM »
                                    Sorry about that. I fixed the link.

                                    Please download and save HelpAsst_mebroot_fix.exe
                                    •Double click to run the tool.

                                    •When complete, run mbr -f then reboot.

                                    •After reboot, provide the mbr log.

                                    ishan

                                      Topic Starter


                                      Rookie
                                      Re: Alureon.H rootkit virus TermDD
                                      « Reply #26 on: May 27, 2010, 11:24:05 PM »
                                      Here is MBR log that I found in C:\

                                      C:\Ishan\Virus_Fix\HelpAsst_mebroot_fix.exe
                                      Thu 05/27/2010 at 22:11:41.85

                                      HelpAssistant account Inactive

                                       ~~ Checking for termsrv32.dll ~~

                                      termsrv32.dll present! ~ attempting to remove
                                      termsrv32.dll successfully removed

                                       ~~ Checking firewall ports ~~

                                        backing up DomainProfile\GloballyOpenPorts\List registry key
                                        closing rogue ports

                                      HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
                                      "65533:TCP"=-
                                      "52344:TCP"=-
                                      "6763:TCP"=-
                                      "6764:TCP"=-
                                      "3389:TCP"=-

                                        backing up StandardProfile\GloballyOpenPorts\List registry key
                                        closing rogue ports

                                      HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
                                      "65533:TCP"=-
                                      "52344:TCP"=-
                                      "6763:TCP"=-
                                      "6764:TCP"=-
                                      "3389:TCP"=-

                                       ~~ Checking profile list ~~

                                      HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1737608194-1000615609-2549537844-1005
                                       ~ No profile directory exists for S-1-5-21-1737608194-1000615609-2549537844-1005 ~

                                       ~ All HelpAssistant profiles removed from registry ~

                                       ~~ Checking mbr ~~

                                      user & kernel MBR OK
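A read-only check that reports the same indicators the HelpAsst_mebroot_fix log above cleaned up (the GloballyOpenPorts registry entries, the HelpAssistant account and profile, termsrv32.dll) without changing anything; this is an added example, not the tool's code or anything posted in the thread. The allowlist of expected ports is an assumption to edit for your own machine; run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the thread or from HelpAsst_mebroot_fix).
# Reports indicators only; it makes no changes to the registry or file system.

# Port entries the fix log above removed; treat these as known-bad.
$KnownRogue = @('65533:TCP', '52344:TCP', '6763:TCP', '6764:TCP', '3389:TCP')

# Ports an administrator expects to be open (assumption; edit for your environment).
$Allowed = @('137:UDP', '138:UDP', '139:TCP', '445:TCP')

$FwBase   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$Findings = @()

# 1. Firewall exceptions: same two keys the fix log backed up and cleaned.
foreach ($Profile in 'DomainProfile', 'StandardProfile') {
    $Key = Join-Path $FwBase "$Profile\GloballyOpenPorts\List"
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Value names look like "<port>:<proto>"; skip the PS* metadata properties.
    $Names = $Props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' } |
        Select-Object -ExpandProperty Name
    foreach ($Name in $Names) {
        $Data = $Props.$Name
        if ($KnownRogue -contains $Name) {
            $Findings += "[$Profile] $Name matches an entry the Alureon/mebroot fix removed (data: $Data)"
        } elseif ($Allowed -notcontains $Name) {
            $Findings += "[$Profile] $Name is not on the allowlist; verify it (data: $Data)"
        }
    }
}

# 2. HelpAssistant (Remote Assistance) account: the fix log expects it to be inactive.
$HelpAsst = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='HelpAssistant'"
if ($HelpAsst -and -not $HelpAsst.Disabled) {
    $Findings += 'HelpAssistant account is enabled'
}

# 3. HelpAssistant profile in ProfileList: the fix log removed one such SID entry.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($Sub in (Get-ChildItem -Path $ProfileList)) {
    $ImagePath = (Get-ItemProperty -Path $Sub.PSPath).ProfileImagePath
    if ($ImagePath -match 'HelpAssistant') {
        $Findings += "ProfileList entry $($Sub.PSChildName) -> $ImagePath"
    }
}

# 4. termsrv32.dll: the fix log treats its presence in system32 as an indicator.
$TermSrv32 = Join-Path $env:SystemRoot 'system32\termsrv32.dll'
if (Test-Path $TermSrv32) {
    $Findings += "termsrv32.dll present at $TermSrv32"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators found'
} else {
    $Findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

If any line is reported, save the output with the rest of the logs before running a removal tool, so the before and after states can be compared.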

                                      ishan

                                        Topic Starter


                                        Rookie
                                        Re: Alureon.H rootkit virus TermDD
                                        « Reply #27 on: May 27, 2010, 11:29:17 PM »
                                        TDSS killer report:

                                        22:28:52:531 5048   TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
                                        22:28:52:531 5048   ================================================================================
                                        22:28:52:531 5048   SystemInfo:

                                        22:28:52:531 5048   OS Version: 5.1.2600 ServicePack: 3.0
                                        22:28:52:531 5048   Product type: Workstation
                                        22:28:52:531 5048   ComputerName: SAN
                                        22:28:52:531 5048   UserName: iraval
                                        22:28:52:531 5048   Windows directory: C:\WINDOWS
                                        22:28:52:531 5048   Processor architecture: Intel x86
                                        22:28:52:531 5048   Number of processors: 2
                                        22:28:52:531 5048   Page size: 0x1000
                                        22:28:52:531 5048   Boot type: Normal boot
                                        22:28:52:531 5048   ================================================================================
                                        22:28:52:796 5048   Initialize success
                                        22:28:52:796 5048   
                                        22:28:52:796 5048   Scanning   Services ...
                                        22:28:53:156 5048   Raw services enum returned 426 services
                                        22:28:53:203 5048   
                                        22:28:53:203 5048   Scanning   Drivers ...
                                        22:29:04:890 5048   vmm             (817da66b1b889fad1dbf669e0e2f3228) C:\WINDOWS\system32\Drivers\vmm.sys
                                        22:29:04:906 5048   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
                                        22:29:04:953 5048   VPCNetS2        (2abe8281db609d8bb1bd1b2f93800d5f) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
                                        22:29:04:984 5048   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
                                        22:29:05:046 5048   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
                                        22:29:05:109 5048   winachsf        (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
                                        22:29:05:171 5048   WmiAcpi         (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
                                        22:29:05:187 5048   WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
                                        22:29:05:250 5048   WSTCODEC        (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
                                        22:29:05:343 5048   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
                                        22:29:05:406 5048   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
                                        22:29:05:437 5048   
                                        22:29:05:437 5048   Completed
                                        22:29:05:437 5048   
                                        22:29:05:437 5048   Results:
                                        22:29:05:437 5048   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
                                        22:29:05:437 5048   File objects infected / cured / cured on reboot:   0 / 0 / 0
                                        22:29:05:437 5048   
                                        22:29:05:437 5048   KLMD(ARK) unloaded successfully

                                        SuperDave

                                        • Malware Removal Specialist


                                        • Genius
                                        • Thanked: 1020
                                        • Experience: Expert
                                        • OS: Windows 10
                                        Re: Alureon.H rootkit virus TermDD
                                        « Reply #28 on: May 28, 2010, 08:39:04 AM »
                                        That looks good. Could you please run another scan with ComboFix and send me the log?
                                        Windows 8 and Windows 10 dual boot with two SSDs

                                        ishan

                                          Topic Starter


                                          Rookie
                                          Re: Alureon.H rootkit virus TermDD
                                          « Reply #29 on: May 28, 2010, 11:07:23 PM »
                                          ComboFix 10-05-28.02 - iraval 05/28/2010  21:01:52.3.2 - x86
                                          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1229 [GMT -7:00]
                                          Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
                                          AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
                                          .

                                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                          .

                                          c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                                          c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

                                          ----- BITS: Possible infected sites -----

                                          hxxp://CASANSMS1:80
                                          .
                                          (((((((((((((((((((((((((   Files Created from 2010-04-28 to 2010-05-29  )))))))))))))))))))))))))))))))
                                          .

                                          2010-05-28 05:11 . 2010-05-28 05:11   --------   d-----w-   C:\HelpAsst_backup
                                          2010-05-27 00:14 . 2010-05-27 00:14   503808   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
                                          2010-05-27 00:14 . 2010-05-27 00:14   499712   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
                                          2010-05-27 00:14 . 2010-05-27 00:14   348160   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
                                          2010-05-27 00:13 . 2010-05-27 00:13   61440   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
                                          2010-05-27 00:13 . 2010-05-27 00:13   12800   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
                                          2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
                                          2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                                          2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
                                          2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                                          2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                                          2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                                          2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                                          2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                                          2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                                          2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                                          2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
                                          2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
                                          2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                                          2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                                          2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                                          2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
                                          2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
                                          2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
                                          2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
                                          2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                                          2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
                                          2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
                                          2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
                                          2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
                                          2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                                          2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                                          2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                                          2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                                          2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                                          2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
                                          2010-05-20 13:47 . 2010-05-20 13:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
                                          2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
                                          2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                                          2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
                                          2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
                                          2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                                          2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
                                          2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
                                          2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
                                          2010-05-06 03:40 . 2010-05-06 03:40   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
                                          2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help
                                          2010-05-02 09:05 . 2010-05-02 09:22   --------   d-----w-   C:\WINXP
                                          2010-05-02 05:42 . 2010-05-03 19:36   --------   d-----w-   c:\program files\SiteAdvisor
                                          2010-05-02 05:42 . 2010-05-03 18:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
                                          2010-05-02 05:37 . 2010-05-03 19:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                                          2010-05-02 00:58 . 2010-05-02 00:58   --------   d-----w-   c:\windows\system32\wbem\Repository
                                          2010-05-01 20:35 . 2010-05-01 20:35   --------   d-----w-   c:\documents and settings\admin\Local Settings\Application Data\Mozilla
                                          2010-05-01 19:49 . 2010-05-25 15:52   --------   d-----w-   c:\program files\Windows Live Safety Center
                                          2010-05-01 18:45 . 2010-05-01 18:45   --------   d-----w-   c:\documents and settings\admin\Application Data\Malwarebytes
                                          2010-05-01 16:28 . 2010-05-02 01:28   --------   d-----w-   c:\documents and settings\HelpAssistant\Tracing
                                          2010-05-01 16:28 . 2010-05-01 16:28   --------   d-----w-   c:\documents and settings\HelpAssistant\SametimeTranscripts
                                          2010-05-01 16:26 . 2010-05-01 16:26   --------   d-----w-   c:\documents and settings\HelpAssistant\IBM
                                          2010-05-01 16:22 . 2010-05-01 16:22   --------   d-----w-   c:\documents and settings\HelpAssistant\.ssh
                                          2010-05-01 16:21 . 2007-08-27 22:25   --------   d-----w-   c:\documents and settings\HelpAssistant\UserData
                                          2010-05-01 16:21 . 2010-05-02 01:28   --------   d-s---w-   c:\documents and settings\HelpAssistant

                                          .
                                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                          .
                                          2010-05-29 03:19 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
                                          2010-05-28 22:54 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
                                          2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
                                          2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
                                          2010-05-25 16:54 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
                                          2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
                                          2010-05-25 14:56 . 2010-05-25 14:56   1663   ----a-w-   c:\windows\inf\COMD6.tmp
                                          2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
                                          2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
                                          2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
                                          2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
                                          2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
                                          2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
                                          2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                                          2010-05-06 17:36 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
                                          2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
                                          2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                          2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
                                          2010-05-02 18:33 . 2010-05-02 18:33   1663   ----a-w-   c:\windows\inf\COME3.tmp
                                          2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                                          2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
                                          2010-05-01 19:36 . 2010-01-22 12:58   --------   d-----w-   c:\documents and settings\admin\Application Data\Wave Systems Corp
                                          2010-05-01 18:42 . 2010-01-22 12:58   71776   ----a-w-   c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                                          2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                          2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                          2010-04-26 03:26 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                                          2010-04-19 21:59 . 2010-04-19 21:59   255472   ----a-w-   c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                                          2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                                          2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                                          2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                                          2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
                                          2010-04-16 04:15 . 2010-03-28 07:29   894184   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                                          2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
                                          2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
                                          2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
                                          2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                                          2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                                          2010-04-02 05:08 . 2009-11-17 07:18   --------   d-----w-   c:\program files\WinSCP
                                          2010-03-28 02:06 . 2007-08-27 22:09   71776   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                                          2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
                                          2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                                          2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                                          2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                                          2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
                                          .

                                          (((((((((((((((((((((((((((((   SnapShot@2010-05-25_16.21.23   )))))))))))))))))))))))))))))))))))))))))
                                          .
                                          + 2010-05-28 16:18 . 2010-05-28 16:18   16384              c:\windows\Temp\Perflib_Perfdata_930.dat
                                          + 2010-05-28 16:17 . 2010-05-28 16:17   16384              c:\windows\Temp\Perflib_Perfdata_554.dat
                                          + 2009-08-07 02:24 . 2009-08-07 02:24   44768              c:\windows\system32\wups2.dll
                                          + 2007-08-27 20:48 . 2009-08-07 03:24   35552              c:\windows\system32\wups.dll
                                          + 2007-08-27 20:48 . 2009-08-07 02:24   53472              c:\windows\system32\wuauclt.exe
                                          + 2008-04-14 12:00 . 2008-05-09 10:53   90112              c:\windows\system32\wshext.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   90112              c:\windows\system32\wshext.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   99840              c:\windows\system32\wmpshell.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   37376              c:\windows\system32\wmdmps.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   33792              c:\windows\system32\wmdmlog.dll
                                          + 2008-04-14 12:00 . 2009-06-25 08:25   54272              c:\windows\system32\wdigest.dll
                                          + 2008-04-14 12:00 . 2010-04-21 13:28   46080              c:\windows\system32\tzchange.exe
                                          + 2008-04-14 12:00 . 2009-06-12 12:31   80896              c:\windows\system32\tlntsess.exe
                                          + 2008-04-14 12:00 . 2009-06-12 12:31   76288              c:\windows\system32\telnet.exe
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   75776              c:\windows\system32\strmfilt.dll
                                          + 2008-04-14 12:00 . 2009-10-21 05:38   75776              c:\windows\system32\strmfilt.dll
                                          + 2009-08-18 16:08 . 2010-03-17 15:51   82184              c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll
                                          - 2010-05-03 18:19 . 2009-05-26 11:40   17272              c:\windows\system32\spmsg.dll
                                          + 2010-05-26 15:03 . 2009-05-26 09:01   17272              c:\windows\system32\spmsg.dll
                                          + 2008-04-14 12:00 . 2009-06-25 08:25   56832              c:\windows\system32\secur32.dll
                                          + 2008-04-14 12:00 . 2009-02-06 10:39   35328              c:\windows\system32\sc.exe
                                          + 2008-04-14 12:00 . 2009-10-12 13:38   79872              c:\windows\system32\raschap.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   79872              c:\windows\system32\raschap.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\pngfilt.dll
                                          + 2004-08-04 12:00 . 2010-05-26 20:54   89126              c:\windows\system32\perfc009.dat
                                          + 2008-04-14 12:00 . 2009-10-08 21:56   20480              c:\windows\system32\oleaccrc.dll
                                          + 2007-08-27 20:47 . 2008-06-12 14:23   91648              c:\windows\system32\mtxoci.dll
                                          - 2007-08-27 20:47 . 2008-04-14 12:00   91648              c:\windows\system32\mtxoci.dll
                                          + 2008-04-14 12:00 . 2008-06-12 14:23   66560              c:\windows\system32\mtxclu.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   66560              c:\windows\system32\mtxclu.dll
                                          + 2008-04-14 05:42 . 2009-11-27 17:11   17920              c:\windows\system32\msyuv.dll
                                          + 2008-04-14 12:00 . 2009-11-27 16:07   28672              c:\windows\system32\msvidc32.dll
                                          + 2008-04-14 12:00 . 2009-11-27 16:07   11264              c:\windows\system32\msrle32.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   11264              c:\windows\system32\msrle32.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   27136              c:\windows\system32\mspmsnsv.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:01   48128              c:\windows\system32\mshtmler.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:32   45568              c:\windows\system32\mshta.exe
                                          - 2007-08-27 20:47 . 2008-04-14 12:00   58880              c:\windows\system32\msdtclog.dll
                                          + 2007-08-27 20:47 . 2008-06-12 14:23   58880              c:\windows\system32\msdtclog.dll
                                          + 2008-04-14 12:00 . 2008-06-24 16:43   74240              c:\windows\system32\mscms.dll
                                          + 2008-04-14 12:00 . 2009-09-04 21:03   58880              c:\windows\system32\msasn1.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:44   40960              c:\windows\system32\licmgr10.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   11264              c:\windows\system32\LAPRXY.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   27648              c:\windows\system32\jsproxy.dll
                                          + 2008-04-14 05:41 . 2009-11-27 16:07   48128              c:\windows\system32\iyuv_32.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:39   92672              c:\windows\system32\inseng.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:36   36352              c:\windows\system32\imgutil.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:39   55296              c:\windows\system32\iesetup.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   44544              c:\windows\system32\iernonce.dll
                                          + 2008-04-14 12:00 . 2010-03-10 13:18   70656              c:\windows\system32\ie4uinit.exe
                                          + 2008-04-14 12:00 . 2009-10-21 05:38   25088              c:\windows\system32\httpapi.dll
                                          + 2008-04-14 12:00 . 2009-10-15 16:28   81920              c:\windows\system32\fontsub.dll
                                          + 2008-04-14 12:00 . 2009-06-24 11:18   92928              c:\windows\system32\drivers\ksecdd.sys
                                          + 2008-04-14 12:00 . 2009-06-25 08:25   147456              c:\windows\system32\dllcache\schannel.dll
                                          + 2008-04-14 12:00 . 2009-02-09 12:10   401408              c:\windows\system32\dllcache\rpcss.dll
                                          + 2008-04-14 12:00 . 2009-04-15 14:51   585216              c:\windows\system32\dllcache\rpcrt4.dll
                                          + 2008-04-14 12:00 . 2008-05-08 14:02   203136              c:\windows\system32\dllcache\rmcast.sys
                                          + 2008-04-14 12:00 . 2009-10-12 13:38   149504              c:\windows\system32\dllcache\rastls.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   211456              c:\windows\system32\dllcache\qasf.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   284160              c:\windows\system32\dllcache\pdh.dll
                                          + 2008-04-14 12:00 . 2009-03-06 14:22   284160              c:\windows\system32\dllcache\pdh.dll
                                          + 2008-04-14 12:00 . 2009-10-08 21:57   220160              c:\windows\system32\dllcache\oleacc.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   102912              c:\windows\system32\dllcache\occache.dll
                                          + 2008-04-14 12:00 . 2009-10-13 10:30   270336              c:\windows\system32\dllcache\oakley.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   270336              c:\windows\system32\dllcache\oakley.dll
                                          + 2008-04-14 12:00 . 2009-02-09 12:10   714752              c:\windows\system32\dllcache\ntdll.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   337408              c:\windows\system32\dllcache\netapi32.dll
                                          + 2008-04-14 12:00 . 2008-10-15 16:34   337408              c:\windows\system32\dllcache\netapi32.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   245248              c:\windows\system32\dllcache\mswsock.dll
                                          + 2008-04-14 12:00 . 2008-06-20 17:46   245248              c:\windows\system32\dllcache\mswsock.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   321536              c:\windows\system32\dllcache\mswmdm.dll
                                          + 2008-04-14 12:00 . 2009-08-05 09:01   204800              c:\windows\system32\dllcache\mswebdvd.dll
                                          + 2008-04-14 12:00 . 2009-09-11 14:18   136192              c:\windows\system32\dllcache\msv1_0.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   671232              c:\windows\system32\dllcache\mstime.dll
                                          + 2008-04-14 12:00 . 2006-12-04 23:21   414720              c:\windows\system32\dllcache\msscp.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   193024              c:\windows\system32\dllcache\msrating.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   175616              c:\windows\system32\dllcache\mspmsp.dll
                                          - 2007-08-27 20:47 . 2008-04-14 12:00   343040              c:\windows\system32\dllcache\mspaint.exe
                                          + 2007-08-27 20:47 . 2009-12-16 18:43   343040              c:\windows\system32\dllcache\mspaint.exe
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   179712              c:\windows\system32\dllcache\msnetobj.dll
                                          + 2008-04-14 12:00 . 2007-08-14 01:54   156160              c:\windows\system32\dllcache\msls31.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   477696              c:\windows\system32\dllcache\mshtmled.dll
                                          + 2007-08-27 20:47 . 2008-06-12 14:23   161792              c:\windows\system32\dllcache\msdtcuiu.dll
                                          - 2007-08-27 20:47 . 2008-04-14 12:00   161792              c:\windows\system32\dllcache\msdtcuiu.dll
                                          - 2007-08-27 20:47 . 2008-04-14 12:00   956928              c:\windows\system32\dllcache\msdtctm.dll
                                          + 2007-08-27 20:47 . 2008-06-12 14:23   956928              c:\windows\system32\dllcache\msdtctm.dll
                                          + 2007-08-27 20:47 . 2008-06-13 02:53   428032              c:\windows\system32\dllcache\msdtcprx.dll
                                          + 2007-08-27 20:48 . 2008-05-01 14:33   331776              c:\windows\system32\dllcache\msadce.dll
                                          - 2007-08-27 20:48 . 2008-04-14 12:00   331776              c:\windows\system32\dllcache\msadce.dll
                                          + 2007-08-27 20:48 . 2006-10-19 04:47   243712              c:\windows\system32\dllcache\mpvis.dll
                                          + 2008-04-14 12:00 . 2009-06-25 08:25   730112              c:\windows\system32\dllcache\lsasrv.dll
                                          + 2008-04-14 12:00 . 2008-06-18 08:09   100864              c:\windows\system32\dllcache\logagent.exe
                                          + 2008-04-14 12:00 . 2009-05-07 15:32   345600              c:\windows\system32\dllcache\localspl.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   989696              c:\windows\system32\dllcache\kernel32.dll
                                          + 2008-04-14 12:00 . 2009-03-21 14:06   989696              c:\windows\system32\dllcache\kernel32.dll
                                          + 2008-04-14 12:00 . 2009-06-25 08:25   301568              c:\windows\system32\dllcache\kerberos.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   512000              c:\windows\system32\dllcache\jscript.dll
                                          + 2008-04-14 12:00 . 2009-08-13 15:16   512000              c:\windows\system32\dllcache\jscript.dll
                                          - 2007-08-27 20:48 . 2008-04-14 12:00   691712              c:\windows\system32\dllcache\inetcomm.dll
                                          + 2007-08-27 20:48 . 2010-01-29 15:01   691712              c:\windows\system32\dllcache\inetcomm.dll
                                          + 2007-08-27 20:48 . 2010-02-23 05:20   634648              c:\windows\system32\dllcache\iexplore.exe
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   192512              c:\windows\system32\dllcache\iepeers.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   385024              c:\windows\system32\dllcache\iedkcs32.dll
                                          + 2008-04-14 12:00 . 2010-02-23 05:18   161792              c:\windows\system32\dllcache\ieakui.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   230400              c:\windows\system32\dllcache\ieaksie.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   153088              c:\windows\system32\dllcache\ieakeng.dll
                                          + 2008-04-14 12:00 . 2008-10-23 12:36   286720              c:\windows\system32\dllcache\gdi32.dll
                                          + 2007-08-27 20:46 . 2009-02-09 12:10   473600              c:\windows\system32\dllcache\fastprox.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   133120              c:\windows\system32\dllcache\extmgr.dll
                                          + 2008-04-14 12:00 . 2008-07-07 20:26   253952              c:\windows\system32\dllcache\es.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   214528              c:\windows\system32\dllcache\dxtrans.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   347136              c:\windows\system32\dllcache\dxtmsft.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   991744              c:\windows\system32\dllcache\drmv2clt.dll
                                          + 2008-04-14 12:00 . 2008-06-20 17:46   147968              c:\windows\system32\dllcache\dnsapi.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   147968              c:\windows\system32\dllcache\dnsapi.dll
                                          + 2008-04-14 12:00 . 2008-05-09 08:45   135168              c:\windows\system32\dllcache\cscript.exe
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   229376              c:\windows\system32\dllcache\cewmdm.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   542720              c:\windows\system32\dllcache\blackbox.dll
                                          + 2008-04-14 12:00 . 2008-08-14 10:04   138496              c:\windows\system32\dllcache\afd.sys
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   124928              c:\windows\system32\dllcache\advpack.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   617472              c:\windows\system32\dllcache\advapi32.dll
                                          + 2008-04-14 12:00 . 2009-02-09 12:10   617472              c:\windows\system32\dllcache\advapi32.dll
                                          + 2008-04-14 12:00 . 2009-11-21 15:51   471552              c:\windows\system32\dllcache\aclayers.dll
                                          + 2008-04-14 12:00 . 2010-02-12 04:33   100864              c:\windows\system32\dllcache\6to4svc.dll
                                          + 2008-04-14 12:00 . 2008-05-09 08:45   135168              c:\windows\system32\cscript.exe
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   229376              c:\windows\system32\cewmdm.dll
                                          + 2008-04-14 12:00 . 2006-10-19 04:47   542720              c:\windows\system32\blackbox.dll
                                          + 2008-04-14 12:00 . 2010-03-11 12:38   124928              c:\windows\system32\advpack.dll
                                          - 2008-04-14 12:00 . 2008-04-14 12:00   617472              c:\windows\system32\advapi32.dll
                                          + 2008-04-14 12:00 . 2009-02-09 12:10   617472              c:\windows\system32\advapi32.dll
                                          + 2008-04-14 12:00 . 2010-02-12 04:33   100864              c:\windows\system32\6to4svc.dll
                                          + 2010-05-27 00:13 . 2010-05-27 00:13   180224              c:\windows\Installer\b1f912.msi
                                          + 2010-05-27 00:13 . 2010-05-27 00:13   576000              c:\windows\Installer\b1f90d.msi
                                          + 2008-04-14 12:00 . 2007-06-27 05:10   317440              c:\windows\inf\unregmp2.exe
                                          + 2010-05-25 18:03 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.

                                          ishan

                                            Re: Alureon.H rootkit virus TermDD
                                            « Reply #30 on: May 28, 2010, 11:09:55 PM »
                                            .
                                            -- Snapshot reset to current date --
                                            .
                                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                            .
                                            .
                                            *Note* empty entries & legit default entries are not shown
                                            REGEDIT4

                                            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
                                            2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

                                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                            "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
                                            "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
                                            "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]

                                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
                                            "nwiz"="nwiz.exe" [2007-04-29 1626112]
                                            "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
                                            "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
                                            "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
                                            "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
                                            "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
                                            "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
                                            "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
                                            "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
                                            "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
                                            "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
                                            "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                                            "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
                                            "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
                                            "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
                                            "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
                                            "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
                                            "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
                                            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
                                            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
                                            "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
                                            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                                            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                            "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
                                            "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

                                            c:\documents and settings\iraval\Start Menu\Programs\Startup\
                                            BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
                                            MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
                                            OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                                            To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
                                            VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
                                            Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

                                            c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                            Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

                                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                                            "ForceStartMenuLogOff"= 1 (0x1)
                                            "NoWelcomeScreen"= 1 (0x1)

                                            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                                            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                                            BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

                                            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                                            Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
                                            "Script"=Inventory4.vbs

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
                                            "Script"=ComputerDescript.vbs

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
                                            "Script"=servicenow.bat

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
                                            "Script"=list_lenovo_profiles_and_delete.vbs

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
                                            "Script"=Inventory4.vbs

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
                                            "Script"=ComputerDescript.vbs

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
                                            "Script"=list_lenovo_profiles_and_delete.vbs

                                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
                                            @="Service"

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
                                            2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
                                            2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
                                            2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                                            2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
                                            2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                                            2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                                            [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                            "AntiVirusOverride"=dword:00000001
                                            "FirewallOverride"=dword:00000001

                                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                            "%windir%\\system32\\sessmgr.exe"=
                                            "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                                            "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                                            "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                                            "c:\\Cygwin\\bin\\XWin.exe"=
                                            "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                                            "c:\\Program Files\\AIM\\aim.exe"=
                                            "c:\\Program Files\\Vuze\\Azureus.exe"=
                                            "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
                                            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                                            "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                                            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                                            "c:\\Program Files\\iTunes\\iTunes.exe"=
                                            "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                                            R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
                                            R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
                                            R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
                                            R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
                                            R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
                                            R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
                                            S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
                                            S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
                                            S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
                                            S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
                                            S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
                                            S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
                                            S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
                                            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
                                            S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                            S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                            S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
                                            S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
                                            S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
                                            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                                            WINRM   REG_MULTI_SZ      WINRM
                                            .
                                            Contents of the 'Scheduled Tasks' folder

                                            2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
                                            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

                                            2010-05-28 c:\windows\Tasks\Google Software Updater.job
                                            - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

                                            2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                            - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                            2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                            - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                            2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
                                            - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                            2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
                                            - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                            2010-05-28 c:\windows\Tasks\MP Scheduled Quick Scan.job
                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                            2010-05-28 c:\windows\Tasks\MP Scheduled Scan.job
                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                            2010-05-29 c:\windows\Tasks\MP Scheduled Signature Update.job
                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
                                            .
                                            .
                                            ------- Supplementary Scan -------
                                            .
                                            uStart Page = about:blank
                                            uInternet Settings,ProxyOverride = ;*.local;<local>
                                            uInternet Settings,ProxyServer = http=127.0.0.1:5555
                                            IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                                            Trusted Zone: capitalone.com\servicing
                                            Trusted Zone: intuit.com\ttlc
                                            Trusted Zone: ultimatix.net\ipmsapp
                                            Trusted Zone: ultimatix.net\www
                                            DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
                                            DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
                                            DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
                                            FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
                                            FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                                            FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                            FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                                            FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                                            FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
                                            FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                                            FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                                            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                                            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
                                            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                                            ---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                                            .
                                            - - - - ORPHANS REMOVED - - - -

                                            HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe



                                            **************************************************************************

                                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                            Rootkit scan 2010-05-28 21:07
                                            Windows 5.1.2600 Service Pack 3 NTFS

                                            scanning hidden processes ... 

                                            scanning hidden autostart entries ...

                                            scanning hidden files ... 

                                            scan completed successfully
                                            hidden files: 0

                                            **************************************************************************
                                            .
                                            --------------------- DLLs Loaded Under Running Processes ---------------------

                                            - - - - - - - > 'winlogon.exe'(1576)
                                            c:\windows\system32\SSRPMGINA.dll

                                            - - - - - - - > 'lsass.exe'(1636)
                                            c:\windows\system32\wvauth.dll
                                            c:\windows\system32\biolsp.dll
                                            .
                                            Completion time: 2010-05-28  21:09:46
                                            ComboFix-quarantined-files.txt  2010-05-29 04:09

                                            Pre-Run: 15,756,505,088 bytes free
                                            Post-Run: 15,779,717,120 bytes free

                                            - - End Of File - - 1766E50B15D541D51CA549C6AFD2E8E6
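
The entries a responder picks out of the ComboFix log above by eye are the `S0 cgtfa` boot-start driver whose file `rciwwjn.sys` the scanner could not find, the `Wave UCSPlus` service running under the generic `dllhost.exe`, the two Security Center override values, and the HTTP proxy pointing at `127.0.0.1:5555`. The script below is that triage written down. It is an added example, not code from the thread or from DDS/ComboFix: the sample lines are copied from the log posted above, and the scoring rules (missing image for a boot/system-start driver, generated-looking service names, a generic host binary as a service image, Security Center overrides, a loopback proxy) and the `looks_random` threshold are this editor's own heuristics, not any scanner's definitions.

```python
"""Triage of DDS/ComboFix log lines for Alureon-style persistence indicators.

Added example: heuristics are the editor's own, not a scanner's definitions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# DDS service line: <R|S><start type> name;display name;image path [date size]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled.
# "path --> path [?]" means the scanner could not find the image file on disk.
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
PROXY_RE = re.compile(r"^[a-z]?Internet Settings,ProxyServer = (?:http=)?([\w.\-]+):(\d+)")
HOST_BINARIES = {"dllhost.exe", "rundll32.exe", "svchost.exe"}


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = confirm before acting
    subject: str
    reason: str


def looks_random(name: str) -> bool:
    """Assumed heuristic for dropper-generated names: 5-8 lowercase letters, at most one vowel."""
    return bool(re.fullmatch(r"[a-z]{5,8}", name)) and sum(c in "aeiou" for c in name) <= 1


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            _, start, name, display, image = m.groups()
            missing = image.endswith("[?]")
            path = image.split(" [")[0].split(" -->")[0]      # drop "[date size]" and "--> path [?]"
            exe = path.lower().split("\\")[-1].split(" ")[0]
            early = start in ("0", "1")                        # loads before most security software
            if early and missing:
                findings.append(Finding("high", name,
                    "boot/system-start driver whose image file is gone"
                    + ("; generated-looking name" if looks_random(name) else "")))
            elif early and looks_random(name) and display == name:
                findings.append(Finding("review", name, "early-start driver with generated-looking name"))
            if exe in HOST_BINARIES and "-k " not in path.lower():
                findings.append(Finding("review", name,
                    f"service image is the generic host {exe}; check what it loads"))
        elif (m := OVERRIDE_RE.match(line)):
            findings.append(Finding("review", m.group(1),
                "Security Center told to stop reporting this component; managed AV sets it, malware too"))
        elif (m := PROXY_RE.match(line)) and m.group(1) in ("127.0.0.1", "localhost"):
            findings.append(Finding("review", f"ProxyServer {m.group(1)}:{m.group(2)}",
                "all HTTP routed through a loopback listener; identify the owning process before removing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

Only `cgtfa` scores high: a boot-start driver whose file the scanner cannot find is exactly what a dropper leaves behind, and the visible entry names no vendor. The loopback proxy and the Security Center overrides are scored "review" because local filtering tools and managed AV suites such as Forefront set both legitimately; on the live machine, `netstat -ano` shows which process owns port 5555 before the proxy value is removed.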

                                            SuperDave

                                            • Malware Removal Specialist


                                            • Genius
                                            • Thanked: 1020
                                            • Certifications: List
                                            • Experience: Expert
                                            • OS: Windows 10
                                            Re: Alureon.H rootkit virus TermDD
                                            « Reply #31 on: May 30, 2010, 11:49:36 AM »
                                            Download and save HelpAsst_mebroot_fix.exe to your desktop.
                                            Double-click to run the tool
                                            Please download MBR.EXE by GMER.  Save the file in the C:\windows\system32\ folder.
                                            Click Start --> Run type in mbr.exe -f and click OK.
                                            Reboot. (IMPORTANT!)
Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
Code:
@echo off
cd\
cd windows
cd system32
mbr.exe -t
start mbr.log
Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\windows\system32\mbr.log). Please paste the contents in your next reply.

                                            Windows 8 and Windows 10 dual boot with two SSD's

                                            ishan

                                              Topic Starter


                                              Rookie
                                              Re: Alureon.H rootkit virus TermDD
                                              « Reply #32 on: May 31, 2010, 11:33:33 AM »
                                              Download and save HelpAsst_mebroot_fix.exe to your desktop.
                                              Double-click to run the tool

=> I ran the tool; however, it seemed to be stuck at 'checking mbr', but I think it was supposed to do just that, so I waited for a few minutes and then continued with the next steps.

                                              Please download MBR.EXE by GMER.  Save the file in the C:\windows\system32\ folder.
                                              Click Start --> Run type in mbr.exe -f and click OK.
                                              Reboot. (IMPORTANT!)
Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
Code:
@echo off
cd\
cd windows
cd system32
mbr.exe -t
start mbr.log
Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\windows\system32\mbr.log). Please paste the contents in your next reply.

=> Followed the rest of the steps exactly as you mentioned and am uploading the output in the next reply. So when my machine was being rebooted, HelpAsst_mebroot_fix.exe was still running.


                                              ishan

                                                Topic Starter


                                                Rookie
                                                Re: Alureon.H rootkit virus TermDD
                                                « Reply #33 on: May 31, 2010, 11:33:56 AM »
                                                Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                                                device: opened successfully
                                                user: MBR read successfully
                                                called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
                                                kernel: MBR read successfully
                                                user & kernel MBR OK
                                                copy of MBR has been found in sector 0x0950E4C1
                                                malicious code @ sector 0x0950E4C4 !
                                                PE file found in sector at 0x0950E4DA !

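Reading the mbr.exe output above: `user & kernel MBR OK` means the boot sector read through the normal driver stack matches the one read directly, so no hook is hiding the MBR at that moment (the `mbr.exe -f` run before the reboot had already rewritten it). The three lines after it are the real finding: a copy of the original MBR, a block of malicious code three sectors later and a PE image are still stored at sector 0x0950E4C1 and beyond, about 74 GiB into the disk and outside any file system, which is where this family parks its loader. The script below is an added example, not code from the thread or from GMER, that turns that output into a verdict. The sample text is the Reply #33 log, the `user & kernel MBR OK` form also matches the mbr section of the HelpAsst log posted later, the `user != kernel MBR` / `Warning: possible MBR rootkit infection` lines are the mismatch messages the tool prints when the two reads differ (assumed from the tool's other logs, they do not appear in this thread), and 512-byte sectors are an assumption.

```python
"""Verdict from GMER mbr.exe output (added example; message set and sector size are assumptions)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_BYTES = 512  # assumption: 512-byte sectors

# Constructed sample: the mbr.exe -t output posted in Reply #33 above.
SAMPLE_REPLY_33 = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
"""

# Constructed sample: the mbr section of the HelpAsst log posted in Reply #35.
SAMPLE_REPLY_35 = """ ~~ Checking mbr ~~

user & kernel MBR OK
"""

_HEX = r"0x([0-9A-Fa-f]+)"
RULES = [
    ("mbr_ok",    re.compile(r"^user & kernel MBR OK")),
    ("mismatch",  re.compile(r"^user != kernel MBR")),                       # assumed mismatch message
    ("mismatch",  re.compile(r"^Warning: possible MBR rootkit infection")),  # assumed mismatch message
    ("backup",    re.compile(r"^copy of MBR has been found in sector " + _HEX)),
    ("malicious", re.compile(r"^malicious code @ sector " + _HEX)),
    ("pe",        re.compile(r"^PE file found in sector at " + _HEX)),
]


@dataclass
class MbrFindings:
    mbr_ok: bool = False
    mismatch: bool = False
    backup_sector: Optional[int] = None
    malicious_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)

    def verdict(self) -> str:
        if self.mismatch:
            return "active-mbr-hooked"          # a resident hook is filtering reads of sector 0
        if self.backup_sector is not None or self.malicious_sectors or self.pe_sectors:
            return "payload-in-hidden-sectors"  # MBR itself clean, loader/payload still on disk
        if self.mbr_ok:
            return "mbr-clean"
        return "inconclusive"                   # tool never reached the comparison


def parse_mbr_log(text: str) -> MbrFindings:
    f = MbrFindings()
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            if kind == "mbr_ok":
                f.mbr_ok = True
            elif kind == "mismatch":
                f.mismatch = True
            elif kind == "backup":
                f.backup_sector = int(m.group(1), 16)
            elif kind == "malicious":
                f.malicious_sectors.append(int(m.group(1), 16))
            elif kind == "pe":
                f.pe_sectors.append(int(m.group(1), 16))
            break
    return f


def byte_offset(sector: int) -> int:
    return sector * SECTOR_BYTES


def layout(f: MbrFindings) -> List[str]:
    """Describe where the flagged sectors sit relative to the stashed MBR copy."""
    out: List[str] = []
    if f.backup_sector is None:
        return out
    base = f.backup_sector
    out.append(f"MBR backup at sector {base:#x} (~{byte_offset(base) / 2**30:.1f} GiB into the disk)")
    for s in f.malicious_sectors:
        out.append(f"loader code {s - base} sector(s) after the backup")
    for s in f.pe_sectors:
        out.append(f"PE image {s - base} sector(s) after the backup")
    return out


if __name__ == "__main__":
    for label, sample in (("Reply #33", SAMPLE_REPLY_33), ("Reply #35", SAMPLE_REPLY_35)):
        f = parse_mbr_log(sample)
        print(label, "->", f.verdict())
        for line in layout(f):
            print("   ", line)
```

The point of the verdict ladder is that `mbr-clean` is only reached when nothing else was reported: a log that says the MBR is OK and then lists a stashed copy and a PE image is not a clean machine, it is a machine whose loader has been unhooked from sector 0 but still exists on disk. The HelpAsst log later in the thread prints only the OK line, which this parser reports as `mbr-clean` for the MBR itself; it says nothing about those sectors, because that tool only checks the MBR.
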
                                                SuperDave
                                                Re: Alureon.H rootkit virus TermDD
                                                « Reply #34 on: May 31, 2010, 05:22:31 PM »
                                                Ok. Let's try this again.

                                                Please download and save HelpAsst_mebroot_fix.exe

                                                Double click to run the tool.
                                                When complete, run mbr -f then reboot.

                                                After reboot, provide the log.
                                                 

                                                ishan

                                                  Topic Starter


                                                  Rookie
                                                  Re: Alureon.H rootkit virus TermDD
                                                  « Reply #35 on: May 31, 2010, 07:42:12 PM »
Here is what I found at c:\ as HelpAsst.txt


                                                  C:\Documents and Settings\iraval\My Documents\Downloads\HelpAsst_mebroot_fix.exe
                                                  Mon 05/31/2010 at 18:36:39.92

                                                  HelpAssistant account Inactive

                                                   ~~ Checking for termsrv32.dll ~~

                                                  termsrv32.dll not found

                                                   ~~ Checking firewall ports ~~

                                                  HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

                                                  HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

                                                   ~~ Checking profile list ~~

                                                  No HelpAssistant profile in registry

                                                   ~~ Checking mbr ~~

                                                  user & kernel MBR OK

                                                  SuperDave
                                                  Re: Alureon.H rootkit virus TermDD
                                                  « Reply #36 on: June 01, 2010, 10:05:32 AM »
                                                  Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and links posted for each one)

                                                  * Copy the file path in the below Code box:

                                                  Code: [Select]
                                                  c:\windows\system32\dllcache\isignup.exe
                                                  c:\windows\system32\emptyregdb.dat
                                                  c:\windows\system32\drivers\rciwwjn.sys

                                                  * At the upload site, click once inside the window next to Browse.
                                                  * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                                                  * Next click Submit file
                                                  * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                                                  * This will perform a scan across multiple different virus scanning engines.
                                                  * Important: Wait for all of the scanning engines to complete.
                                                  * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

                                                  ===============================

                                                  P2P - I see you have P2P software installed on your machine. (Vuze, Azureus) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                                                  Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                                                  I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

                                                  ===================================

                                                  Re-running ComboFix to remove infections:

                                                  • Close any open browsers.
                                                  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                                                  • Open notepad and copy/paste the text in the quotebox below into it:
                                                    Quote
                                                    KillAll::

                                                    Folder::

                                                    c:\documents and settings\HelpAssistant

                                                    DDS::
                                                    Trusted Zone: capitalone.com\servicing
                                                    Trusted Zone: intuit.com\ttlc
                                                    Trusted Zone: ultimatix.net\ipmsapp
                                                    Trusted Zone: ultimatix.net\www
                                                    uInternet Settings,ProxyServer = http=127.0.0.1:5555

                                                    DirLook::
                                                    C:\WINXP

                                                    File::
                                                    c:\windows\inf\COMD6.tmp
                                                    c:\windows\inf\COMD6.tmp
                                                    c:\windows\inf\COME3.tmp

                                                  • Save this as CFScript.txt, in the same location as ComboFix.exe



                                                  • Referring to the picture above, drag CFScript into ComboFix.exe
                                                  • When finished, it shall produce a log for you at C:\ComboFix.txt
                                                  • Please post the contents of the log in your next reply.
                                                  Windows 8 and Windows 10 dual boot with two SSD's

                                                  ishan

                                                    Topic Starter


                                                    Rookie
                                                    Re: Alureon.H rootkit virus TermDD
                                                    « Reply #37 on: June 01, 2010, 11:35:48 AM »
                                                    Hi,

                                                    C:\WINDOWS is the Windows installation directory. WINXP is the one from when I tried to do a fresh install on the same drive when I got this virus back then.

                                                    Do you still want CFScript to look into C:\WINXP, or shall I change it to C:\WINDOWS?

                                                    SuperDave

                                                    • Malware Removal Specialist


                                                    • Genius
                                                    • Thanked: 1020
                                                    • Certifications: List
                                                    • Experience: Expert
                                                    • OS: Windows 10
                                                    Re: Alureon.H rootkit virus TermDD
                                                    « Reply #38 on: June 01, 2010, 12:27:21 PM »
                                                    Ok. Just erase this "DirLook::
                                                    C:\WINXP" from the script and run it.
                                                    Windows 8 and Windows 10 dual boot with two SSD's

                                                    ishan

                                                      Topic Starter


                                                      Rookie
                                                      Re: Alureon.H rootkit virus TermDD
                                                      « Reply #39 on: June 01, 2010, 10:57:37 PM »
                                                      1. http://virusscan.jotti.org/en/scanresult/d2d746eddfe458aae51e89ba5dbcbf156f574143/00071ebd72d1a0023c0818fa1d70ee808e64785a
                                                      2. http://virusscan.jotti.org/en/scanresult/7ce79c0b5ae9de9678fc5f3830e3bd983fe7352e
                                                      3. c:\windows\system32\drivers\rciwwjn.sys  - it says the file is empty, 0 bytes.


                                                      I'm going to run ComboFix and will let you know the results.
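As an added example, not part of SuperDave's instructions or of ComboFix's own tooling: a small Python parser for the dated entries ComboFix writes under its "Files Created" and "Find3M Report" headings in C:\ComboFix.txt, with two checks taken from this thread (a zero-byte driver stub like rciwwjn.sys, and COM*.tmp files under windows\inf). The sample log lines are constructed in the log's format; the rciwwjn.sys timestamps are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One dated entry as ComboFix prints it under "Files Created ..." and "Find3M Report":
#   <created> . <modified>   <size or dashes>   <attribute flags>   <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories: ComboFix prints dashes instead of a size
    attrs: str            # e.g. "d-----w-" (directory) or "----a-w-" (archive, writable)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"


def parse_entries(log_text: str) -> List[Entry]:
    """Return every dated file/directory entry found in a ComboFix log, in order."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue   # headings, lone dots, registry lines and blanks are skipped
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspicious_reasons(entry: Entry) -> List[str]:
    """Heuristics drawn from this thread: a 0-byte driver stub in system32\\drivers and
    COM*.tmp droppings under windows\\inf that ComboFix had to delete.
    Note: ComboFix logs only sizes, so a same-size in-place patch of a legitimate
    driver (what happened to termdd.sys here) needs a hash comparison, not this check."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    p = entry.path.lower()
    if p.startswith("c:\\windows\\system32\\drivers\\") and p.endswith(".sys") and entry.size == 0:
        reasons.append("zero-byte driver")
    if p.startswith("c:\\windows\\inf\\") and p.endswith(".tmp"):
        reasons.append("tmp file in windows\\inf")
    return reasons


def flag_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Constructed sample in the ComboFix log format (not a real log excerpt).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
2010-05-30 03:10 . 2010-05-30 03:10   0   ----a-w-   c:\windows\system32\drivers\rciwwjn.sys
2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for path, reasons in flag_entries(parse_entries(SAMPLE_LOG)).items():
        print(path, "->", ", ".join(reasons))
```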

                                                      ishan

                                                        Topic Starter


                                                        Rookie
                                                        Re: Alureon.H rootkit virus TermDD
                                                        « Reply #40 on: June 01, 2010, 11:33:38 PM »
                                                        ComboFix 10-06-01.01 - iraval 06/01/2010  22:05:54.4.2 - x86
                                                        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -7:00]
                                                        Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
                                                        Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
                                                        AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

                                                        FILE ::
                                                        "c:\windows\inf\COMD6.tmp"
                                                        "c:\windows\inf\COME3.tmp"
                                                        .

                                                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                                        .

                                                        c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                                                        c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
                                                        c:\windows\inf\COMD6.tmp
                                                        c:\windows\inf\COME3.tmp

                                                        ----- BITS: Possible infected sites -----

                                                        hxxp://CASANSMS1:80
                                                        hxxp://dendapvmexcas1.cricketcommunications.com
                                                        .
                                                        (((((((((((((((((((((((((   Files Created from 2010-05-02 to 2010-06-02  )))))))))))))))))))))))))))))))
                                                        .

                                                        2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
                                                        2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
                                                        2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
                                                        2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
                                                        2010-05-28 05:11 . 2010-05-28 05:11   --------   d-----w-   C:\HelpAsst_backup
                                                        2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
                                                        2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                                                        2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
                                                        2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                                                        2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                                                        2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                                                        2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                                                        2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                                                        2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                                                        2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                                                        2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
                                                        2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
                                                        2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                                                        2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                                                        2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                                                        2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
                                                        2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
                                                        2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
                                                        2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
                                                        2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                                                        2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
                                                        2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
                                                        2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
                                                        2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
                                                        2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                                                        2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                                                        2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                                                        2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                                                        2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                                                        2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
                                                        2010-05-20 13:47 . 2010-05-20 13:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
                                                        2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
                                                        2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                                                        2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
                                                        2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
                                                        2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                                                        2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
                                                        2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
                                                        2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
                                                        2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

                                                        .
                                                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                        .
                                                        2010-06-02 05:24 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
                                                        2010-06-01 16:10 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
                                                        2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
                                                        2010-05-29 21:32 . 2010-05-29 21:32   117427   ----a-w-   c:\documents and settings\iraval\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
                                                        2010-05-27 00:14 . 2010-05-27 00:14   503808   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
                                                        2010-05-27 00:14 . 2010-05-27 00:14   499712   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
                                                        2010-05-27 00:14 . 2010-05-27 00:14   348160   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
                                                        2010-05-27 00:13 . 2010-05-27 00:13   61440   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
                                                        2010-05-27 00:13 . 2010-05-27 00:13   12800   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
                                                        2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
                                                        2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
                                                        2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
                                                        2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
                                                        2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
                                                        2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
                                                        2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
                                                        2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
                                                        2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
                                                        2010-05-21 21:14 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
                                                        2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
                                                        2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                                                        2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
                                                        2010-05-06 03:40 . 2010-05-06 03:40   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
                                                        2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                        2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                                                        2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
                                                        2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
                                                        2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
                                                        2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                                                        2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
                                                        2010-05-01 19:36 . 2010-01-22 12:58   --------   d-----w-   c:\documents and settings\admin\Application Data\Wave Systems Corp
                                                        2010-05-01 18:45 . 2010-05-01 18:45   --------   d-----w-   c:\documents and settings\admin\Application Data\Malwarebytes
                                                        2010-05-01 18:42 . 2010-01-22 12:58   71776   ----a-w-   c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                                                        2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                                        2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                        2010-04-26 03:26 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                                                        2010-04-19 21:59 . 2010-04-19 21:59   255472   ----a-w-   c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                                                        2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                                                        2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                                                        2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                                                        2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
                                                        2010-04-16 04:15 . 2010-03-28 07:29   894184   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                                                        2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
                                                        2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
                                                        2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
                                                        2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                                                        2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                                                        2010-03-28 02:06 . 2007-08-27 22:09   71776   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                                                        2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
                                                        2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                                                        2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                                                        2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                                                        2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
                                                        .

                                                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                        .
                                                        .
                                                        *Note* empty entries & legit default entries are not shown
                                                        REGEDIT4

                                                        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
                                                        2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

                                                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                        "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
                                                        "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
                                                        "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
                                                        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
                                                        "nwiz"="nwiz.exe" [2007-04-29 1626112]
                                                        "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
                                                        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
                                                        "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
                                                        "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
                                                        "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
                                                        "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
                                                        "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
                                                        "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
                                                        "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
                                                        "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
                                                        "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                                                        "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
                                                        "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
                                                        "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
                                                        "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
                                                        "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
                                                        "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
                                                        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
                                                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
                                                        "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
                                                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                                                        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                                        "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
                                                        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

                                                        c:\documents and settings\iraval\Start Menu\Programs\Startup\
                                                        BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
                                                        MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
                                                        OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                                                        To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
                                                        VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
                                                        Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

                                                        c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                                        Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

                                                        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                                                        "ForceStartMenuLogOff"= 1 (0x1)
                                                        "NoWelcomeScreen"= 1 (0x1)

                                                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                                        "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                                                        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                                                        BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

                                                        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                                                        Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
                                                        "Script"=Inventory4.vbs

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
                                                        "Script"=ComputerDescript.vbs

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
                                                        "Script"=servicenow.bat

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
                                                        "Script"=list_lenovo_profiles_and_delete.vbs

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
                                                        "Script"=Inventory4.vbs

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
                                                        "Script"=ComputerDescript.vbs

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
                                                        "Script"=list_lenovo_profiles_and_delete.vbs

                                                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
                                                        @="Service"

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
                                                        2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
                                                        2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
                                                        2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                                                        2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
                                                        2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                                                        2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                                        "AntiVirusOverride"=dword:00000001
                                                        "FirewallOverride"=dword:00000001

                                                        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                                        "%windir%\\system32\\sessmgr.exe"=
                                                        "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                                                        "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                                                        "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                                                        "c:\\Cygwin\\bin\\XWin.exe"=
                                                        "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                                                        "c:\\Program Files\\AIM\\aim.exe"=
                                                        "c:\\Program Files\\Vuze\\Azureus.exe"=
                                                        "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
                                                        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                                                        "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                                                        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                                                        "c:\\Program Files\\iTunes\\iTunes.exe"=
                                                        "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                                                        R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
                                                        R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
                                                        R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
                                                        R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
                                                        R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
                                                        R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
                                                        R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
                                                        R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
                                                        S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
                                                        S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
                                                        S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
                                                        S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
                                                        S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
                                                        S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
                                                        S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                                        S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                                        S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
                                                        S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
                                                        S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
                                                        S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                                        HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                                                        WINRM   REG_MULTI_SZ      WINRM
                                                        .
                                                        Contents of the 'Scheduled Tasks' folder

                                                        2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
                                                        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

                                                        2010-06-02 c:\windows\Tasks\Google Software Updater.job
                                                        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

                                                        2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                                        - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                                        2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                                        - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                                        2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
                                                        - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                                        2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
                                                        - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                                        2010-06-02 c:\windows\Tasks\MP Scheduled Quick Scan.job
                                                        - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                                        2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
                                                        - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                                        2010-06-02 c:\windows\Tasks\MP Scheduled Signature Update.job
                                                        - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
                                                        .
                                                        .
                                                        ------- Supplementary Scan -------
                                                        .
                                                        uStart Page = about:blank
                                                        uInternet Settings,ProxyOverride = ;*.local;<local>
                                                        IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                                                        DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
                                                        DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
                                                        DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
                                                        FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
                                                        FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                                                        FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                                        FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                                                        FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                                                        FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
                                                        FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                                                        FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                                        FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                                                        FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                                                        FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
                                                        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                                                        ---- FIREFOX POLICIES ----
                                                        FF - user.js: network.protocol-handler.warn-external.dnupdate - false
                                                        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                                                        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                                                        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                                                        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                                                        .

                                                        **************************************************************************

                                                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                        Rootkit scan 2010-06-01 22:22
                                                        Windows 5.1.2600 Service Pack 3 NTFS

                                                        scanning hidden processes ... 

                                                        scanning hidden autostart entries ...

                                                        scanning hidden files ... 

                                                        scan completed successfully
                                                        hidden files: 0

                                                        **************************************************************************
                                                        .
                                                        --------------------- DLLs Loaded Under Running Processes ---------------------

                                                        - - - - - - - > 'winlogon.exe'(1584)
                                                        c:\windows\system32\SSRPMGINA.dll

                                                        - - - - - - - > 'lsass.exe'(1640)
                                                        c:\windows\system32\wvauth.dll
                                                        c:\windows\system32\biolsp.dll

                                                        - - - - - - - > 'explorer.exe'(8472)
                                                        c:\windows\system32\WININET.dll
                                                        c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
                                                        c:\windows\system32\ieframe.dll
                                                        c:\windows\system32\WPDShServiceObj.dll
                                                        c:\program files\Microsoft Virtual PC\VPCShExH.DLL
                                                        c:\program files\WinSCP\DragExt.dll
                                                        c:\windows\system32\PortableDeviceTypes.dll
                                                        c:\windows\system32\PortableDeviceApi.dll
                                                        .
                                                        ------------------------ Other Running Processes ------------------------
                                                        .
                                                        c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                                                        c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                                                        c:\windows\System32\SCardSvr.exe
                                                        c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                                                        c:\program files\Bonjour\mDNSResponder.exe
                                                        c:\program files\Juniper Networks\Common Files\dsNcService.exe
                                                        c:\program files\Intel\Wireless\Bin\EvtEng.exe
                                                        c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
                                                        c:\program files\Java\jre6\bin\jqs.exe
                                                        c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                                                        c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                                                        c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
                                                        c:\windows\system32\nvsvc32.exe
                                                        c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                                                        c:\windows\system32\StacSV.exe
                                                        c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
                                                        c:\program files\Intel\Wireless\Bin\WLKeeper.exe
                                                        c:\windows\system32\SearchIndexer.exe
                                                        c:\windows\system32\CCM\CcmExec.exe
                                                        c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
                                                        c:\windows\system32\msdtc.exe
                                                        c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                                                        c:\windows\system32\rundll32.exe
                                                        c:\windows\system32\RUNDLL32.EXE
                                                        c:\program files\Apoint\ApMsgFwd.exe
                                                        c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
                                                        c:\program files\Apoint\HidFind.exe
                                                        c:\program files\Apoint\Apntex.exe
                                                        c:\windows\system32\rundll32.exe
                                                        c:\windows\stsystra.exe
                                                        c:\program files\Windows Desktop Search\WindowsSearch.exe
                                                        c:\program files\BSEMktWatch\Gadgetworker.exe
                                                        c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
                                                        c:\windows\system32\NOTEPAD.EXE
                                                        c:\program files\VirtuaWin\modules\WinList.exe
                                                        c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
                                                        c:\progra~1\Webshots\315~1.761\Webshots.scr
                                                        c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
                                                        c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
                                                        c:\program files\iPod\bin\iPodService.exe
                                                        c:\windows\system32\SearchProtocolHost.exe
                                                        c:\windows\system32\SearchFilterHost.exe
                                                        .
                                                        **************************************************************************
                                                        .
                                                        Completion time: 2010-06-01  22:30:23 - machine was rebooted
                                                        ComboFix-quarantined-files.txt  2010-06-02 05:30
                                                        ComboFix2.txt  2010-05-29 04:09

                                                        Pre-Run: 23,002,599,424 bytes free
                                                        Post-Run: 23,039,139,840 bytes free

                                                        - - End Of File - - C42645F1074F29D1AA6E845ECA0E92C5
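A triage pass over the service block of the ComboFix log above, as an added example that is not part of the thread and not ComboFix's own code. It parses the `R*/S*` lines, flags entries whose binary ComboFix could not find on disk (printed as `--> path [?]`), and ranks a boot-start driver with no file on disk first; the sample lines are constructed from the log, with the long Forefront path shortened, and treating Forefront's transient `MpKsl*` definition-update drivers as expected is an assumption.

```python
"""Triage ComboFix 'R*/S*' service lines for binaries missing on disk."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, taken from the service block of the log above
# (the Forefront definition-update path is shortened for readability).
SAMPLE_LOG = """\
R1 SBRE;SBRE;c:\\windows\\system32\\drivers\\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\\program files\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\MsMpEng.exe [1/19/2010 4:49 PM 16880]
S0 cgtfa;cgtfa;c:\\windows\\system32\\drivers\\rciwwjn.sys --> c:\\windows\\system32\\drivers\\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\\??\\c:\\defupdates\\MpKsl5fd50652.sys --> c:\\defupdates\\MpKsl5fd50652.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\\windows\\system32\\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
"""

# Assumption: Forefront loads its definition-update kernel drivers from a
# temporary location, so their '[?]' entries are treated as expected here.
KNOWN_TRANSIENT_PREFIXES = ("MpKsl",)

# "<start type> <name>;<display name>;<image path> [date size]"  or
# "<start type> <name>;<display name>;<image path> --> <image path> [?]"
_LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)


@dataclass
class ServiceEntry:
    start: str      # R0..R3 = running, S0..S3 = stopped; 0 = boot start
    name: str
    display: str
    path: str       # image path (may carry arguments, e.g. svchost -k)
    present: bool   # False when ComboFix printed '[?]' (file not found)


@dataclass
class Finding:
    start: str
    name: str
    path: str
    reason: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    present = not rest.endswith("[?]")
    if "-->" in rest:
        path = rest.split("-->", 1)[0].strip()
    else:
        path = rest.rsplit(" [", 1)[0].strip()
    return ServiceEntry(m.group("start"), m.group("name"),
                        m.group("display"), path, present)


def _file_stem(path: str) -> str:
    """Last path component without extension; handles backslash paths."""
    base = re.split(r"[\\/]", path)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Return entries whose binary is missing, boot-start drivers first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is None or e.present or e.name.startswith(KNOWN_TRANSIENT_PREFIXES):
            continue
        if e.start in ("S0", "R0"):
            reason = "boot-start driver with no file on disk"
        else:
            reason = "service binary not found on disk"
        # A driver whose file name bears no relation to its service name
        # is worth a second look on its own.
        if _file_stem(e.path) != e.name.lower():
            reason += " (file name does not match service name)"
        findings.append(Finding(e.start, e.name, e.path, reason))
    # Start type string sorts S0 before S1 etc.; boot-start entries first.
    findings.sort(key=lambda f: (f.start[1], f.start[0]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.start} {f.name}: {f.path}  <- {f.reason}")
```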

                                                        SuperDave

                                                        • Malware Removal Specialist


                                                        • Genius
                                                        • Thanked: 1020
                                                        • Experience: Expert
                                                        • OS: Windows 10
                                                        Re: Alureon.H rootkit virus TermDD
                                                        « Reply #41 on: June 02, 2010, 10:32:38 AM »
                                                        Just one more script to run, please. It's been so long, how's your computer running?

                                                        Re-running ComboFix to remove infections:

                                                        • Close any open browsers.
                                                        • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                                                        • Open notepad and copy/paste the text in the quotebox below into it:
                                                          Quote
                                                          KillAll::

                                                          File::

                                                          C:\fixme.bat  (delete)
                                                          C:\HelpAsst_backup
                                                          c:\windows\inf\COM12F.tmp

                                                          Folder::

                                                          C:\HelpAsst_backup

                                                        • Save this as CFScript.txt, in the same location as ComboFix.exe
                                                        • Referring to the picture above, drag CFScript into ComboFix.exe
                                                        • When finished, it shall produce a log for you at C:\ComboFix.txt
                                                        • Please post the contents of the log in your next reply.

                                                        Windows 8 and Windows 10 dual boot with two SSD's

                                                        ishan

                                                          Topic Starter


                                                          Rookie
                                                          Re: Alureon.H rootkit virus TermDD
                                                          « Reply #42 on: June 02, 2010, 11:43:51 AM »
                                                          I have not had any problems after the second ComboFix run, I think. But I am not too sure. It is not slow and it does not redirect anymore. I did run several full scans; no issues were encountered.

                                                          I'll run ComboFix with the new script and revert.

                                                          Thanks!

                                                          ishan

                                                            Topic Starter


                                                            Rookie
                                                            Re: Alureon.H rootkit virus TermDD
                                                            « Reply #43 on: June 03, 2010, 06:16:32 AM »
                                                            ComboFix 10-06-02.02 - iraval 06/02/2010  21:58:19.5.2 - x86
                                                            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1192 [GMT -7:00]
                                                            Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
                                                            Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
                                                            AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

                                                            FILE ::
                                                            "C:\fixme.bat  (delete)"
                                                            "C:\HelpAsst_backup"
                                                            "c:\windows\inf\COM12F.tmp"
                                                            .

                                                            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                                            .

                                                            c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                                                            c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
                                                            C:\HelpAsst_backup
                                                            c:\helpasst_backup\DomainGOPList.reg
                                                            c:\helpasst_backup\S-1-5-21-1737608194-1000615609-2549537844-1005.reg
                                                            c:\helpasst_backup\StandardGOPList.reg
                                                            c:\helpasst_backup\termsrv32.dll
                                                            c:\windows\inf\COM12F.tmp

                                                            ----- BITS: Possible infected sites -----

                                                            hxxp://CASANSMS1:80
                                                            .
                                                            (((((((((((((((((((((((((   Files Created from 2010-05-03 to 2010-06-03  )))))))))))))))))))))))))))))))
                                                            .

                                                            2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
                                                            2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
                                                            2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
                                                            2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
                                                            2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
                                                            2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                                                            2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
                                                            2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                                                            2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                                                            2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                                                            2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                                                            2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                                                            2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                                                            2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                                                            2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
                                                            2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
                                                            2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                                                            2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                                                            2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                                                            2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
                                                            2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
                                                            2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
                                                            2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
                                                            2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                                                            2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
                                                            2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
                                                            2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
                                                            2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
                                                            2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                                                            2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                                                            2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                                                            2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                                                            2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                                                            2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
                                                            2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
                                                            2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                                                            2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
                                                            2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
                                                            2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                                                            2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
                                                            2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
                                                            2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
                                                            2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

                                                            .
                                                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                            .
                                                            2010-06-03 12:11 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
                                                            2010-06-03 12:09 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
                                                            2010-06-03 03:13 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                                                            2010-06-01 17:37 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
                                                            2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
                                                            2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
                                                            2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
                                                            2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
                                                            2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
                                                            2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
                                                            2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
                                                            2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
                                                            2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
                                                            2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
                                                            2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                                                            2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
                                                            2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                            2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                                                            2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
                                                            2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
                                                            2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
                                                            2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                                                            2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
                                                            2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                                            2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                            2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                                                            2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                                                            2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                                                            2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
                                                            2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
                                                            2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
                                                            2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
                                                            2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                                                            2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                                                            2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
                                                            2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                                                            2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                                                            2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                                                            2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
                                                            .

                                                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                            .
                                                            .
                                                            *Note* empty entries & legit default entries are not shown
                                                            REGEDIT4

                                                            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
                                                            2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

                                                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                            "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
                                                            "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
                                                            "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
                                                            "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

                                                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
                                                            "nwiz"="nwiz.exe" [2007-04-29 1626112]
                                                            "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
                                                            "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
                                                            "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
                                                            "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
                                                            "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
                                                            "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
                                                            "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
                                                            "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
                                                            "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
                                                            "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
                                                            "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                                                            "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
                                                            "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
                                                            "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
                                                            "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
                                                            "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
                                                            "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
                                                            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
                                                            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
                                                            "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
                                                            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                                                            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                                            "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
                                                            "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

                                                            c:\documents and settings\iraval\Start Menu\Programs\Startup\
                                                            BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
                                                            MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
                                                            OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                                                            To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
                                                            VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
                                                            Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

                                                            c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                                            Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

                                                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                                                            "ForceStartMenuLogOff"= 1 (0x1)
                                                            "NoWelcomeScreen"= 1 (0x1)

                                                            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                                            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                                                            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                                                            BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

                                                            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                                                            Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
                                                            "Script"=Inventory4.vbs

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
                                                            "Script"=ComputerDescript.vbs

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
                                                            "Script"=servicenow.bat

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
                                                            "Script"=list_lenovo_profiles_and_delete.vbs

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
                                                            "Script"=Inventory4.vbs

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
                                                            "Script"=ComputerDescript.vbs

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
                                                            "Script"=list_lenovo_profiles_and_delete.vbs

                                                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
                                                            @="Service"

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
                                                            2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
                                                            2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
                                                            2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                                                            2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
                                                            2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                                                            2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                                            "AntiVirusOverride"=dword:00000001
                                                            "FirewallOverride"=dword:00000001

                                                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                                            "%windir%\\system32\\sessmgr.exe"=
                                                            "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                                                            "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                                                            "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                                                            "c:\\Cygwin\\bin\\XWin.exe"=
                                                            "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                                                            "c:\\Program Files\\AIM\\aim.exe"=
                                                            "c:\\Program Files\\Vuze\\Azureus.exe"=
                                                            "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
                                                            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                                                            "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                                                            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                                                            "c:\\Program Files\\iTunes\\iTunes.exe"=
                                                            "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                                                            R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
                                                            R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
                                                            R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
                                                            R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
                                                            R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
                                                            R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
                                                            R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
                                                            R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
                                                            S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
                                                            S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
                                                            S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
                                                            S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
                                                            S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
                                                            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
                                                            S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                                            S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                                                            S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
                                                            S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
                                                            S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
                                                            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

                                                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                                            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                                                            WINRM   REG_MULTI_SZ      WINRM
                                                            .
                                                            Contents of the 'Scheduled Tasks' folder

                                                            2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
                                                            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

                                                            2010-06-03 c:\windows\Tasks\Google Software Updater.job
                                                            - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

                                                            2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                                            - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                                            2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                                            - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                                                            2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
                                                            - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                                            2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
                                                            - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                                                            2010-06-03 c:\windows\Tasks\MP Scheduled Quick Scan.job
                                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                                            2010-06-03 c:\windows\Tasks\MP Scheduled Scan.job
                                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                                                            2010-06-03 c:\windows\Tasks\MP Scheduled Signature Update.job
                                                            - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
                                                            .
                                                            .
                                                            ------- Supplementary Scan -------
                                                            .
                                                            uStart Page = about:blank
                                                            uInternet Settings,ProxyOverride = ;*.local;<local>
                                                            IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                                                            DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
                                                            DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
                                                            DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
                                                            FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
                                                            FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                                                            FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                                            FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                                                            FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                                                            FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
                                                            FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                                                            FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                                                            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                                                            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                                                            FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
                                                            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                                                            ---- FIREFOX POLICIES ----
                                                            FF - user.js: network.protocol-handler.warn-external.dnupdate - false
                                                            c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                                                            c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                                                            c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                                                            c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                                                            .

                                                            **************************************************************************

                                                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                            Rootkit scan 2010-06-03 05:08
                                                            Windows 5.1.2600 Service Pack 3 NTFS

                                                            scanning hidden processes ... 

                                                            scanning hidden autostart entries ...

                                                            scanning hidden files ... 

                                                            scan completed successfully
                                                            hidden files: 0

                                                            **************************************************************************
                                                            .
                                                            --------------------- DLLs Loaded Under Running Processes ---------------------

                                                            - - - - - - - > 'winlogon.exe'(1220)
                                                            c:\windows\system32\SSRPMGINA.dll

                                                            - - - - - - - > 'lsass.exe'(1276)
                                                            c:\windows\system32\wvauth.dll
                                                            c:\windows\system32\biolsp.dll

                                                            - - - - - - - > 'explorer.exe'(9540)
                                                            c:\windows\system32\WININET.dll
                                                            c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
                                                            c:\windows\system32\ieframe.dll
                                                            c:\windows\system32\WPDShServiceObj.dll
                                                            c:\program files\Microsoft Virtual PC\VPCShExH.DLL
                                                            c:\program files\WinSCP\DragExt.dll
                                                            c:\windows\system32\PortableDeviceTypes.dll
                                                            c:\windows\system32\PortableDeviceApi.dll
                                                            .
                                                            ------------------------ Other Running Processes ------------------------
                                                            .
                                                            c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                                                            c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                                                            c:\windows\System32\SCardSvr.exe
                                                            c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                                                            c:\program files\Bonjour\mDNSResponder.exe
                                                            c:\program files\Juniper Networks\Common Files\dsNcService.exe
                                                            c:\program files\Intel\Wireless\Bin\EvtEng.exe
                                                            c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
                                                            c:\program files\Java\jre6\bin\jqs.exe
                                                            c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                                                            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                                                            c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
                                                            c:\windows\system32\nvsvc32.exe
                                                            c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                                                            c:\windows\system32\StacSV.exe
                                                            c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
                                                            c:\program files\Intel\Wireless\Bin\WLKeeper.exe
                                                            c:\windows\system32\SearchIndexer.exe
                                                            c:\windows\system32\CCM\CcmExec.exe
                                                            c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
                                                            c:\windows\system32\msdtc.exe
                                                            c:\windows\system32\rundll32.exe
                                                            c:\windows\system32\RUNDLL32.EXE
                                                            c:\program files\Apoint\ApMsgFwd.exe
                                                            c:\windows\system32\rundll32.exe
                                                            c:\program files\Apoint\Apntex.exe
                                                            c:\program files\Apoint\HidFind.exe
                                                            c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
                                                            c:\windows\stsystra.exe
                                                            c:\program files\Windows Desktop Search\WindowsSearch.exe
                                                            c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
                                                            c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
                                                            c:\windows\system32\NOTEPAD.EXE
                                                            c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
                                                            c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
                                                            c:\program files\BSEMktWatch\Gadgetworker.exe
                                                            c:\program files\VirtuaWin\modules\WinList.exe
                                                            c:\progra~1\Webshots\315~1.761\Webshots.scr
                                                            c:\program files\iPod\bin\iPodService.exe
                                                            c:\windows\system32\SearchProtocolHost.exe
                                                            c:\windows\system32\SearchFilterHost.exe
                                                            .
                                                            **************************************************************************
                                                            .
                                                            Completion time: 2010-06-03  05:18:39 - machine was rebooted
                                                            ComboFix-quarantined-files.txt  2010-06-03 12:18
                                                            ComboFix2.txt  2010-06-02 05:30
                                                            ComboFix3.txt  2010-05-29 04:09

                                                            Pre-Run: 22,852,235,264 bytes free
                                                            Post-Run: 22,858,293,248 bytes free

                                                            - - End Of File - - 63CE8C5ED79CF5504A7E3067565FE9AF
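As an added illustration (not part of ishan's log or of ComboFix itself), here is a small Python script that pulls the "DLLs Loaded Under Running Processes" section out of a ComboFix log laid out like the one above and lists the entries an analyst would look at first: DLLs loaded from outside the Windows and Program Files trees, and non-system32 DLLs sitting inside winlogon.exe or lsass.exe. The sample text, the trusted-directory list and the "sensitive process" set are assumptions made for the example; a flagged line is a prompt to look closer, not a verdict.

```python
"""Parse the 'DLLs Loaded Under Running Processes' section of a ComboFix log
and flag entries worth a closer look.  Added example; the sample below is
constructed to mirror the log layout in the thread, not copied from it."""
import re

# Constructed sample in ComboFix's layout.  The Temp\helper.dll line is
# invented for the example so that the check has something to flag.
SAMPLE_LOG = """\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)
c:\\windows\\system32\\SSRPMGINA.dll

- - - - - - - > 'lsass.exe'(1276)
c:\\windows\\system32\\wvauth.dll
c:\\windows\\system32\\biolsp.dll

- - - - - - - > 'explorer.exe'(9540)
c:\\windows\\system32\\WININET.dll
c:\\program files\\WinSCP\\DragExt.dll
c:\\documents and settings\\user\\Local Settings\\Temp\\helper.dll
.
------------------------ Other Running Processes ------------------------
"""

HEADER = "DLLs Loaded Under Running Processes"
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")

# Assumed list of processes where an unexpected DLL deserves scrutiny: they
# handle credentials or run before any user logs on.
SENSITIVE = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Assumed directories from which DLLs are normally loaded on a Windows XP box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_dll_section(text):
    """Return {(process, pid): [dll paths]} for the DLL section only."""
    loaded = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("----"):  # the next section's header ends ours
            break
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group("name").lower(), int(m.group("pid")))
            loaded[current] = []
        elif current is not None and line.lower().endswith(".dll"):
            loaded[current].append(line)
    return loaded


def flag_dlls(loaded):
    """Return (process, dll, reason) tuples for entries to review by hand."""
    findings = []
    for (proc, _pid), dlls in loaded.items():
        for dll in dlls:
            low = dll.lower()
            if not low.startswith(TRUSTED_PREFIXES):
                findings.append((proc, dll, "loaded from outside Windows/Program Files"))
            elif proc in SENSITIVE and not low.startswith("c:\\windows\\system32\\"):
                findings.append((proc, dll, "non-system32 DLL in a sensitive process"))
    return findings


if __name__ == "__main__":
    for proc, dll, reason in flag_dlls(parse_dll_section(SAMPLE_LOG)):
        print(f"{proc}: {dll}  <- {reason}")
```

Run against the sample, only the constructed Temp\helper.dll entry under explorer.exe is reported; the GINA and LSA-side DLLs in winlogon.exe and lsass.exe sit in system32 and pass the directory check, which is exactly why they still need a human to confirm what they belong to.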

                                                            SuperDave

                                                            • Malware Removal Specialist


                                                            • Genius
                                                            • Thanked: 1020
                                                            • Certifications: List
                                                            • Experience: Expert
                                                            • OS: Windows 10
                                                            Re: Alureon.H rootkit virus TermDD
                                                            « Reply #44 on: June 03, 2010, 07:55:39 AM »
                                                            Ok. That looks good. Let's try this and post the log, if any.

                                                            I'd like us to scan your machine with ESET OnlineScan

                                                            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                                                            ESET OnlineScan
                                                            • Click the button.
                                                            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                                              • Click on to download the ESET Smart Installer. Save it to your desktop.
                                                              • Double click on the icon on your desktop.
                                                            • Check
                                                            • Click the button.
                                                            • Accept any security warnings from your browser.
                                                            • Check
                                                            • Push the Start button.
                                                            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                                                            • When the scan completes, push
                                                            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                                                            • Push the button.
                                                            • Push
                                                            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                                                            Windows 8 and Windows 10 dual boot with two SSD's

                                                            ishan

                                                              Topic Starter


                                                              Rookie
                                                              Re: Alureon.H rootkit virus TermDD
                                                              « Reply #45 on: June 04, 2010, 06:08:33 AM »
                                                              ESET Scan result:
                                                              ------------------------

                                                              C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache57910.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined
                                                              C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache7136.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined


                                                              Log file content:
                                                              --------------------
                                                              ESETSmartInstaller@High as CAB hook log:
                                                              OnlineScanner.ocx - registred OK
                                                              # version=7
                                                              # iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
                                                              # OnlineScanner.ocx=1.0.0.6211
                                                              # api_version=3.0.2
                                                              # EOSSerial=30832513b651c148a9e0d6094cf3eca9
                                                              # end=finished
                                                              # remove_checked=true
                                                              # archives_checked=true
                                                              # unwanted_checked=true
                                                              # unsafe_checked=true
                                                              # antistealth_checked=true
                                                              # utc_time=2010-06-04 10:29:58
                                                              # local_time=2010-06-04 03:29:58 (-0800, Pacific Daylight Time)
                                                              # country="United States"
                                                              # lang=1033
                                                              # osver=5.1.2600 NT Service Pack 3
                                                              # compatibility_mode=1024 16777215 100 0 0 0 0 0
                                                              # compatibility_mode=2560 16777215 100 0 0 0 0 0
                                                              # compatibility_mode=8192 67108863 100 0 0 0 0 0
                                                              # scanned=239584
                                                              # found=2
                                                              # cleaned=2
                                                              # scan_time=24685
                                                              C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache57910.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
                                                              C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache7136.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
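Added example, not from ESET or from the posts above: a Python parser for the ESET Online Scanner log.txt format shown in this reply. It separates the "# key=value" header from the detection lines, splits each detection into path, threat name, action and hash, and cross-checks the found/cleaned counters against the detection lines so that a finding the scanner could not clean does not slip past in a long log. The sample log is constructed in the same layout (the two paths are the ones above, the header is shortened); splitting fields on a tab or a run of spaces is an assumption about the log format, since the forum rendering flattens tabs.

```python
"""Parse an ESET Online Scanner log.txt into a metadata dict plus detection
records, then cross-check the counters.  Added example; the sample is
constructed in the layout of the log posted in the thread."""
import re

# Constructed sample: same layout as the posted log, header trimmed.
SAMPLE_ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# end=finished
# remove_checked=true
# archives_checked=true
# utc_time=2010-06-04 10:29:58
# osver=5.1.2600 NT Service Pack 3
# scanned=239584
# found=2
# cleaned=2
# scan_time=24685
C:\\Documents and Settings\\HelpAssistant\\Local Settings\\Temp\\jar_cache57910.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\\Documents and Settings\\HelpAssistant\\Local Settings\\Temp\\jar_cache7136.tmp   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
"""

META_RE = re.compile(r"^# (?P<key>[\w.]+)=(?P<value>.*)$")
# "threat description (action taken)" -> split the trailing parenthesised action off
ACTION_RE = re.compile(r"^(?P<threat>.*?)\s*\((?P<action>[^()]*)\)\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_eset_log(text):
    """Return (meta, detections): meta is {key: value} from the '# ' header,
    detections is a list of dicts with path/threat/action/hash."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group("key")] = m.group("value")
            continue
        if line.startswith("# ") or not DRIVE_PATH_RE.match(line):
            continue  # installer banner lines and anything that is not a path
        # Assumption: fields are tab-separated in the real file, multiple
        # spaces once pasted into a forum; accept either.
        fields = re.split(r"\t| {2,}", line)
        path = fields[0]
        threat = fields[1] if len(fields) > 1 else ""
        action = ""
        am = ACTION_RE.match(threat)
        if am:
            threat, action = am.group("threat"), am.group("action")
        detections.append({
            "path": path,
            "threat": threat,
            "action": action,
            "hash": fields[2] if len(fields) > 2 else None,
        })
    return meta, detections


def summarize(meta, detections):
    """Cross-check the header counters against the detection lines and report
    whether every finding was actually removed or cleaned."""
    found = int(meta.get("found", 0))
    cleaned = int(meta.get("cleaned", 0))
    unhandled = [d for d in detections
                 if "deleted" not in d["action"] and "cleaned" not in d["action"]]
    return {
        "scanned": int(meta.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "finished": meta.get("end") == "finished",
        "counts_match": found == len(detections),
        "all_handled": cleaned == found and not unhandled,
        "unhandled": [d["path"] for d in unhandled],
    }


if __name__ == "__main__":
    meta, dets = parse_eset_log(SAMPLE_ESET_LOG)
    print(summarize(meta, dets))
    for d in dets:
        print(d["threat"], "|", d["action"], "|", d["path"])
```

Both detections here sit in a Java jar cache under a user profile and were quarantined, so the summary reports all findings handled; the same check would surface a log where found exceeds cleaned, which is the case that needs follow-up.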

                                                              SuperDave

                                                              Re: Alureon.H rootkit virus TermDD
                                                              « Reply #46 on: June 04, 2010, 07:11:51 PM »
                                                              That looks good. If there are no other issues, it's time for some clean-up.

                                                              * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                                                              * Now type Combofix /uninstall in the Run box
                                                              * Make sure there's a space between Combofix and /Uninstall
                                                              * Then hit Enter.

                                                              * The above procedure will:
                                                              * Delete the following:
                                                              * ComboFix and its associated files and folders.
                                                              * Reset the clock settings.
                                                              * Hide file extensions, if required.
                                                              * Hide System/Hidden files, if required.
                                                              * Set a new, clean Restore Point.

                                                              ==============================

                                                              Download OTC by OldTimer and save it to your desktop.

                                                              1. Double-click OTC to run it.
                                                              2. Click the CleanUp! button.
                                                              3. Select Yes when the "Begin cleanup Process?" prompt appears.
                                                              4. If you are prompted to Reboot during the cleanup, select Yes
                                                              5. OTC should delete itself once it finishes, if not delete it yourself.

                                                              ===============================

                                                              Clean out your temporary internet files and temp files.

                                                              Download TFC by OldTimer to your desktop.

                                                              Double-click TFC.exe to run it.

                                                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                                              * Click the Start button to begin the cleaning process.
                                                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                                              * Please let TFC run uninterrupted until it is finished.

                                                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                                                              ============================

                                                              Looking over your log it seems you don't have any evidence of a third party firewall.

                                                              Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                                                              Remember, only install ONE firewall.

                                                              1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options if you choose this one)
                                                              2) Online Armor
                                                              3) Agnitum Outpost
                                                              4) PC Tools Firewall Plus

                                                              If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

                                                              ===============================

                                                              Use the Secunia Software Inspector to check for out of date software.

                                                              • Click Start Now

                                                              • Check the box next to Enable thorough system inspection.

                                                              • Click Start

                                                              • Allow the scan to finish and scroll down to see if any updates are needed.
                                                              • Update anything listed.
                                                              .
                                                              ----------

                                                              Go to Microsoft Windows Update and get all critical updates.

                                                              ----------

                                                              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                                              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                                                              * If you don't know what ActiveX controls are, see here

                                                              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                                              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                                              Safe Surfing!

                                                              ishan

                                                                Re: Alureon.H rootkit virus TermDD
                                                                « Reply #47 on: June 04, 2010, 10:28:27 PM »
                                                                Thanks. I have not had any more issues recently. I will perform those steps and revert.

                                                                ishan

                                                                  Re: Alureon.H rootkit virus TermDD
                                                                  « Reply #48 on: July 05, 2010, 08:43:29 AM »
                                                                  SuperDave:

                                                                  I installed Comodo Plus firewall and since then I have not encountered any issues. However, the firewall keeps popping up for any action that is being performed against important files.

                                                                  I think the firewall does learn on its own and will be fine later.

                                                                  Thanks so much for your help.

                                                                  Any other advice for me?

                                                                  Thanks!

                                                                  SuperDave

                                                                  Re: Alureon.H rootkit virus TermDD
                                                                  « Reply #49 on: July 05, 2010, 01:13:00 PM »
                                                                  I had that same problem when I installed Comodo, but now I hardly notice it. One thing I do when I'm installing a new program is to disable it and enable my Windows Firewall, because Comodo can make a simple install into a 1/2 hr. ordeal.