
Infected With Virtumonde


  • This topic is locked
11 replies to this topic

#1 justinmc

justinmc

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 10 March 2008 - 08:28 PM

I have been trying for a week now to rid my computer of virtumonde. I ran through the preparation guide before posting this and ran into problems during a Housecall Anti Virus scan. It recognized that my computer is infected with it but could not remove the following files:
ngandsqb.dll
vturq.dll
bdmxrhn.dll_old
Spybot S&D finds and temporarily removes it, but it always restores itself (I have even tried in safe mode). Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:55 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Trend Micro\HijackThis\fredflinstone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D42DE98-D74A-40BE-B20A-2282076B4671} - C:\WINDOWS\system32\vturq.dll
O2 - BHO: (no name) - {1293C943-8E2B-4B3C-B6A5-2AC190D61F12} - blank (file missing)
O2 - BHO: (no name) - {1e424f3b-e81e-422a-b143-b713f78c63ee} - (no file)
O2 - BHO: (no name) - {2845B756-09CC-4770-9586-1E0AFA56BE9A} - (no file)
O2 - BHO: (no name) - {43279D2A-A0F2-4C87-BEF6-2E4D0F4AE81F} - blank (file missing)
O2 - BHO: (no name) - {4892ADA3-A328-40F3-851B-E6B6831E6FE5} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {4F547549-B70E-4E06-91AB-CB8320D3B6FA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {7D151EF5-370C-48D2-6AAD-A1E4F74D04F1} - blank (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {852652ED-3907-4499-9123-40679065B698} - blank (file missing)
O2 - BHO: (no name) - {A90DACE1-4279-4ACF-92D3-910EBDCB0CC9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: {df214a3e-dee8-ea1b-28f4-63a0e1c6caec} - {ceac6c1e-0a36-4f82-b1ae-8eede3a412fd} - C:\WINDOWS\system32\gktgjqmp.dll
O2 - BHO: (no name) - {E5374B39-6B69-4720-A0BA-A97DB28D9967} - (no file)
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMd3ca0a65] Rundll32.exe "C:\WINDOWS\system32\cknwxqiu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) -
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://stash.nugs.net/dev/dlControl.CAB
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O20 - Winlogon Notify: xxywttt - xxywttt.dll (file missing)
O20 - Winlogon Notify: yayxxut - yayxxut.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10108 bytes
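The log above shows the classic Vundo/Virtumonde persistence shape: nameless O2 BHOs and a rundll32 O4 Run key pointing at random-named DLLs in system32, plus O20 Winlogon Notify hooks whose DLLs are already gone. The script below is an added triage example, not a BleepingComputer or HijackThis tool; the "random-looking name" heuristics are my own assumptions and give a reviewer a shortlist, not a verdict.

```python
"""Flag Vundo-style entries in a HijackThis log (added example for this thread).
Assumptions: the name-shape heuristics below are mine, not HijackThis's own
judgement, and they will produce false positives on short legitimate names."""
import re

# HijackThis line formats as they appear in the posted log.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
VOWELS = set("aeiou")


def file_stem(path: str) -> str:
    """Lower-case file name without extension: 'C:\\..\\vturq.dll (file missing)' -> 'vturq'."""
    name = path.strip('"').replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_random(stem: str) -> bool:
    """Heuristic for the generated names seen in the log (vturq, gktgjqmp, cknwxqiu):
    5-8 lowercase letters with few vowels or a long consonant run."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def triage_line(line: str):
    """Return a reason string when the line matches a Vundo-style pattern, else None."""
    m = O2_RE.match(line)
    if m:
        # Legitimate BHOs carry a product name; Vundo registers "(no name)" or a bare GUID.
        nameless = m["name"] == "(no name)" or GUID_RE.match(m["name"]) is not None
        path = m["path"]
        if not nameless:
            return None
        if "(no file)" in path or "(file missing)" in path:
            return "orphaned BHO: CLSID registered but its DLL is gone"
        if SYSTEM32_RE.search(path) and looks_random(file_stem(path)):
            return "nameless BHO loading a random-named DLL from system32"
        return None
    m = O4_RE.match(line)
    if m:
        # Vundo re-arms itself through rundll32 <random>.dll,<export> in a Run key.
        r = RUNDLL_RE.search(m["cmd"])
        if r and SYSTEM32_RE.search(r["dll"]) and looks_random(file_stem(r["dll"])):
            return "Run key launching a random-named system32 DLL via rundll32"
        return None
    m = O20_RE.match(line)
    if m:
        # Winlogon Notify DLLs load into winlogon.exe; leftovers here are worth clearing.
        if m["missing"] or looks_random(file_stem(m["dll"])):
            return "Winlogon Notify hook with a random-named or missing DLL"
        return None
    return None


def triage_log(text: str):
    """Run triage_line over every line and return (line, reason) pairs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D42DE98-D74A-40BE-B20A-2282076B4671} - C:\WINDOWS\system32\vturq.dll
O2 - BHO: (no name) - {1e424f3b-e81e-422a-b143-b713f78c63ee} - (no file)
O2 - BHO: {df214a3e-dee8-ea1b-28f4-63a0e1c6caec} - {ceac6c1e-0a36-4f82-b1ae-8eede3a412fd} - C:\WINDOWS\system32\gktgjqmp.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMd3ca0a65] Rundll32.exe "C:\WINDOWS\system32\cknwxqiu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: xxywttt - xxywttt.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Everything it flags still needs a human to confirm against the full log; the point is to surface the five suspect lines out of a 170-line dump quickly.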


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:11:59 PM

Posted 12 March 2008 - 05:39 AM

Hi, Welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:11:59 PM

Posted 12 March 2008 - 12:16 PM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards

#4 justinmc

justinmc
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 12 March 2008 - 07:35 PM

Hello,
I ran combofix with my anti-virus disabled and I also reran the HiJackthis program. Here is what I got.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:37 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\fredflinstone.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D42DE98-D74A-40BE-B20A-2282076B4671} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {1293C943-8E2B-4B3C-B6A5-2AC190D61F12} - blank (file missing)
O2 - BHO: (no name) - {43279D2A-A0F2-4C87-BEF6-2E4D0F4AE81F} - blank (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {7D151EF5-370C-48D2-6AAD-A1E4F74D04F1} - blank (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {852652ED-3907-4499-9123-40679065B698} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) -
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://stash.nugs.net/dev/dlControl.CAB
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O20 - Winlogon Notify: xxywttt - xxywttt.dll (file missing)
O20 - Winlogon Notify: yayxxut - yayxxut.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7613 bytes




ComboFix 08-03-10.1 - Owner 2008-03-12 18:10:32.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\sanR24
C:\Temp\tpBe12
C:\Temp\tpBe12\etFr.log
C:\WINDOWS\BMd3ca0a65.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aknlosej.dll
C:\WINDOWS\system32\auwcihhw.ini
C:\WINDOWS\system32\axsjomnj.dll
C:\WINDOWS\system32\brsjhfpd.dll
C:\WINDOWS\system32\cknwxqiu.dll
C:\WINDOWS\system32\clfpcdrj.ini
C:\WINDOWS\system32\dhmdsiww.dll
C:\WINDOWS\system32\dpfhjsrb.ini
C:\WINDOWS\system32\ex1
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\gipuwgli.dll
C:\WINDOWS\system32\gktgjqmp.dll
C:\WINDOWS\system32\gnvkckjt.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\ilgwupig.ini
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\iocoglly.dll
C:\WINDOWS\system32\jesolnka.ini
C:\WINDOWS\system32\jnmojsxa.ini
C:\WINDOWS\system32\jrdcpflc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ngandsqb.dll
C:\WINDOWS\system32\oc9
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plwfxurt.dll
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\shel9
C:\WINDOWS\system32\tjkckvng.ini
C:\WINDOWS\system32\whhicwua.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 03:02 . 2008-03-12 03:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-09 21:29 . 2008-03-10 17:27 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-09 17:57 . 2008-03-10 18:02 4,364,878 ---hs---- C:\WINDOWS\system32\govyanqy.ini
2008-03-09 17:53 . 2008-03-09 17:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 17:51 . 2008-03-09 17:51 89,664 --a------ C:\WINDOWS\system32\bdmuxrhn.dll_old
2008-03-08 17:56 . 2008-03-09 17:12 1,304,115 ---hs---- C:\WINDOWS\system32\isdlvfmh.ini
2008-03-05 12:26 . 2008-03-06 20:40 3,347,418 ---hs---- C:\WINDOWS\system32\acdggvyn.ini
2008-03-04 18:25 . 2008-03-04 18:25 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-04 18:25 . 2008-03-04 18:25 <DIR> d-------- C:\Program Files\ComcastToolbar
2008-03-04 18:25 . 2008-03-10 19:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2008-03-04 16:39 . 2008-03-12 18:03 5,414 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-04 16:32 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-04 16:29 . 2008-02-06 10:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-04 16:29 . 2007-03-02 15:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-04 16:29 . 2007-06-25 15:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-04 16:29 . 2007-06-25 11:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-04 16:29 . 2007-06-25 11:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-04 16:29 . 2007-06-25 11:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-04 16:28 . 2008-03-04 16:28 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-04 16:21 . 2008-03-04 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-04 16:05 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\McAfee
2008-03-04 16:05 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-03 19:09 . 2008-03-03 19:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-02 18:21 . 2008-03-02 18:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-02 18:21 . 2008-03-02 18:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-02 15:52 . 2008-03-02 15:52 164 --a------ C:\install.dat
2008-03-02 12:26 . 2008-03-02 23:42 4,378,086 ---hs---- C:\WINDOWS\system32\rucceqma.ini
2008-03-02 10:39 . 2008-03-06 20:36 22 --a------ C:\Module.ini
2008-03-01 09:01 . 2008-03-01 09:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-01 09:01 . 2008-03-01 09:01 2,541 --a------ C:\WINDOWS\unins000.dat
2008-03-01 08:42 . 2008-03-06 22:58 32 --a------ C:\WINDOWS\system32\thxcfg.ini
2008-02-29 12:19 . 2008-03-01 12:20 5,398,893 ---hs---- C:\WINDOWS\system32\rfmfnwbc.ini
2008-02-28 18:06 . 2008-02-28 18:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Logitech
2008-02-28 16:02 . 2008-02-28 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-28 16:02 . 2008-02-28 16:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 15:49 . 2006-01-20 19:02 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2008-02-28 15:48 . 2004-12-07 11:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-28 15:48 . 2006-01-31 11:10 143,360 --a------ C:\WINDOWS\system32\kemutb.dll
2008-02-28 15:48 . 2006-01-31 11:10 90,112 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-02-28 15:48 . 2006-01-31 11:10 86,016 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-02-28 15:48 . 2006-01-31 11:13 65,536 --a------ C:\WINDOWS\system32\KemXML.dll
2008-02-28 15:47 . 2008-02-28 15:47 <DIR> d-------- C:\Program Files\Logitech
2008-02-28 15:47 . 2008-02-28 15:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-02-28 15:47 . 2006-01-20 19:03 69,376 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2008-02-28 15:47 . 2006-01-20 19:02 55,552 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2008-02-28 15:47 . 2006-01-20 18:46 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-02-16 19:18 . 2005-04-14 22:43 0 --------- C:\WINDOWS\hpimdl01.dat
2008-02-13 18:39 . 2008-02-16 19:12 72,508 --------- C:\WINDOWS\hpiins01.dat.temp
2008-02-13 18:39 . 2005-04-14 22:43 0 --------- C:\WINDOWS\hpimdl01.dat.temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 00:23 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-03-13 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-03-09 23:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 05:00 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-03-04 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-03 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-03 00:14 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:23 --------- d-----w C:\Program Files\vso
2008-03-02 16:22 --------- d-----w C:\Program Files\PlayFirst
2008-03-02 16:13 --------- d-----w C:\Program Files\Yahoo!
2008-03-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-03-01 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 15:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-10-04 03:19 124 -c--a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2005-06-26 22:52 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

2005-05-25 13:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 11:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-10-03 21:18 359808 14143695e27b2718dee96ea2e50428b3 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-02-17 04:08 359808 eb98d5e55321cefd803e8173dbb000db C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-15 03:12 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-09 04:10 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2007-12-18_21.28.48.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-12-04 18:29:10 551,936 ----a-w C:\WINDOWS\$hf_mig$\KB943055\SP2QFE\oleaut32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-12-07 02:01:07 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\advpack.dll
+ 2007-12-19 22:57:52 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\dxtmsft.dll
+ 2007-12-07 02:01:07 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\dxtrans.dll
+ 2007-12-07 02:01:07 133,120 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\extmgr.dll
+ 2007-12-07 02:01:07 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\icardie.dll
+ 2007-12-06 08:34:28 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ie4uinit.exe
+ 2007-12-07 02:01:08 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieakeng.dll
+ 2007-12-07 02:01:08 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieaksie.dll
+ 2007-12-06 05:00:02 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieapfltr.dat
+ 2007-12-07 02:01:08 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieapfltr.dll
+ 2007-12-07 02:01:08 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iedkcs32.dll
+ 2007-12-07 02:01:10 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieframe.dll
+ 2007-12-07 02:01:10 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iernonce.dll
+ 2007-12-07 02:01:11 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iertutil.dll
+ 2007-12-06 08:34:29 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\ieudinit.exe
+ 2007-12-06 08:34:45 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
+ 2007-12-07 02:01:11 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\jsproxy.dll
+ 2007-12-07 02:01:11 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\msfeeds.dll
+ 2007-12-07 02:01:11 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\msfeedsbs.dll
+ 2007-12-07 02:01:12 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\mshtml.dll
+ 2007-12-07 02:01:12 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\mshtmled.dll
+ 2007-12-07 02:01:13 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\msrating.dll
+ 2007-12-07 02:01:13 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\mstime.dll
+ 2007-12-07 02:01:13 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\occache.dll
+ 2008-01-11 05:57:26 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\pngfilt.dll
+ 2007-12-07 02:01:13 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\url.dll
+ 2007-12-07 02:01:13 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\urlmon.dll
+ 2007-12-07 02:01:13 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\webcheck.dll
+ 2007-12-07 02:01:13 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\update\updspapi.dll
+ 2007-12-18 09:38:59 179,712 ----a-w C:\WINDOWS\$hf_mig$\KB946026\SP2QFE\mrxdav.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\updspapi.dll
+ 2007-08-15 09:12:40 359,808 -c----w C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
+ 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\updspapi.dll
+ 2008-03-03 02:39:08 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-03-03 02:39:40 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-03-03 02:39:44 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-03-03 02:39:49 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-03-03 02:39:27 2,878,976 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-03-03 02:38:54 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-03-03 02:38:54 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-03-03 02:40:11 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-03-03 02:39:17 5,025,792 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-03-03 02:39:05 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-03-03 02:38:52 503,808 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-03-03 02:38:57 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-03-03 02:39:35 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-03-03 02:39:36 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-03-03 02:39:38 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-03-03 02:39:00 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-03-03 02:39:01 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-03-03 02:39:03 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-03-03 02:39:04 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-03-03 02:38:59 745,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-03-03 02:40:18 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-03-03 02:40:17 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-03-03 02:38:39 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-03-03 02:40:16 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-03-03 02:40:20 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-03-03 02:38:50 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-03-03 02:38:48 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-03-03 02:38:49 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-03-03 02:39:58 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-03-03 02:39:08 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-03-03 02:40:01 389,120 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-03-03 02:39:51 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-03-03 02:38:56 884,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-03-03 02:39:32 5,050,368 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-03-03 02:39:11 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-03-03 02:39:10 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-03-03 02:39:12 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-03-03 02:40:07 700,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-03-03 02:39:54 368,640 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-03-03 02:40:09 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-03-03 02:39:55 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-03-03 02:39:56 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-03-03 02:39:06 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-03-03 02:39:15 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-03-03 02:40:13 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-03-03 02:39:19 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-03-03 02:39:20 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-03-03 02:39:24 5,316,608 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-03-03 02:39:26 2,035,712 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-03-03 02:40:05 3,018,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-03-03 04:10:53 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\793653d83737e84585aebd939732e379\Accessibility.ni.dll
+ 2008-03-03 04:11:27 860,160 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\c108883444f197409769c90cc26c6ff3\AspNetMMCExt.ni.dll
+ 2008-03-03 04:11:50 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\b27425877da3d6489b14387bd6afc766\CustomMarshalers.ni.dll
+ 2008-03-03 04:11:44 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\54cb6d48257cf745bf9fd0d8ebf01897\dfsvc.ni.exe
+ 2008-03-03 04:12:06 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8776784254e99a41983c51a759cf0c51\Microsoft.Build.Engine.ni.dll
+ 2008-03-03 04:12:10 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\35143a538e4e0149bd95b37a79405378\Microsoft.Build.Framework.ni.dll
+ 2008-03-03 04:12:36 1,691,648 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\dc4306eb81785c4184397bea9a8979e2\Microsoft.Build.Tasks.ni.dll
+ 2008-03-03 04:12:50 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\cfd4e2dcce992241b0732fe51d5dc08a\Microsoft.Build.Utilities.ni.dll
+ 2008-03-03 04:13:10 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a51b3f06fd4b1e41987265842ddb21c9\Microsoft.VisualBasic.ni.dll
+ 2008-03-03 02:42:52 11,411,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\2dafc4aff890084b99d5b1f4773dcba9\mscorlib.ni.dll
+ 2008-03-03 04:13:16 962,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\75f545223e13844395ab1374e93bf081\System.Configuration.ni.dll
+ 2008-03-03 02:46:55 6,688,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\4f549fe6c323364a8ef0872c4090cafa\System.Data.ni.dll
+ 2008-03-03 04:13:23 1,712,128 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\ae09154593f16d46b630300fe6673ecf\System.Deployment.ni.dll
+ 2008-03-03 02:48:00 10,723,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\69f90cc67fc6514bbb99f1ff96a97e15\System.Design.ni.dll
+ 2008-03-03 04:13:34 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\28ce1aac2f36d04598972c35413efc4d\System.DirectoryServices.Protocols.ni.dll
+ 2008-03-03 04:13:29 1,220,608 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7ba32ed90d831043acfa0858b3831fd5\System.DirectoryServices.ni.dll
+ 2008-03-03 02:44:42 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ed19a5df884fd34580fa38c08aed0924\System.Drawing.Design.ni.dll
+ 2008-03-03 02:45:05 1,626,112 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\8eefae81d907d54cb513e2edb750da81\System.Drawing.ni.dll
+ 2008-03-03 04:13:41 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\f3f2522d0b512e45b7e2fcf9ebc14a8e\System.EnterpriseServices.ni.dll
+ 2008-03-03 04:13:40 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\f3f2522d0b512e45b7e2fcf9ebc14a8e\System.EnterpriseServices.Wrapper.dll
+ 2008-03-03 04:13:47 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\a704019bafa11a4fa342797a83222fbb\System.Security.ni.dll
+ 2008-03-03 04:13:51 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\bedf6cbdc1344e40961d6f30ccddd343\System.Transactions.ni.dll
+ 2008-03-03 04:15:17 2,310,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\40982be077ac6c4f93ebf26d0066eb80\System.Web.Mobile.ni.dll
+ 2008-03-03 04:15:20 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\73fffcc84e0167498b3a35293cf4a2eb\System.Web.RegularExpressions.ni.dll
+ 2008-03-03 04:15:30 1,945,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b0456be31825dc4f9ec9bd54b8a0e5e7\System.Web.Services.ni.dll
+ 2008-03-03 04:14:40 11,808,768 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\18cb12adfe25834bb330df18cf565a1e\System.Web.ni.dll
+ 2008-03-03 02:45:54 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e46e744aace6804ca936d16fa8c33af3\System.Windows.Forms.ni.dll
+ 2008-03-03 02:46:26 5,640,192 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\e00e0a29e5c37747ae355e4277a108a0\System.Xml.ni.dll
+ 2008-03-03 02:44:17 8,093,696 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\0efba9d92d4c60468c2d896c4a39f4e1\System.ni.dll
+ 2008-01-22 04:34:22 465,472 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2007-03-13 17:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-05-23 23:22:32 72,853 ----a-w C:\WINDOWS\hpiins01.dat
+ 2008-02-17 01:26:32 72,850 ----a-w C:\WINDOWS\hpiins01.dat
+ 2007-10-10 23:55:51 124,928 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\advpack.dll
+ 2007-08-14 01:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\dxtmsft.dll
+ 2007-10-10 23:55:51 214,528 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\dxtrans.dll
+ 2007-10-10 23:55:51 132,608 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\extmgr.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\icardie.dll
+ 2007-10-10 10:59:40 70,656 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ie4uinit.exe
+ 2007-10-10 23:55:51 153,088 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieakeng.dll
+ 2007-10-10 23:55:51 230,400 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieaksie.dll
+ 2007-10-10 05:46:55 161,792 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieakui.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieapfltr.dll
+ 2007-10-10 23:55:52 384,512 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\iedkcs32.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieframe.dll
+ 2007-10-10 23:55:55 44,544 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\iernonce.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\iertutil.dll
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\ieudinit.exe
+ 2007-10-10 10:59:52 625,152 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\iexplore.exe
+ 2007-10-10 23:55:56 27,648 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\jsproxy.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\msfeeds.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\msfeedsbs.dll
+ 2007-10-30 23:42:28 3,590,656 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\mshtml.dll
+ 2007-10-10 23:55:58 478,208 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\mshtmled.dll
+ 2007-10-10 23:55:58 193,024 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\msrating.dll
+ 2007-10-10 23:55:59 671,232 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\mstime.dll
+ 2007-10-10 23:55:59 102,400 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\occache.dll
+ 2007-08-14 01:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\updspapi.dll
+ 2007-10-10 23:55:59 105,984 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\url.dll
+ 2007-10-10 23:56:00 1,159,680 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\urlmon.dll
+ 2007-10-10 23:56:00 232,960 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\webcheck.dll
+ 2007-10-10 23:56:00 824,832 -c----w C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
- 2006-05-23 01:08:18 24,190 ----a-r C:\WINDOWS\Installer\{D518592A-0F1E-40ca-BECB-3D3F026C6B0D}\Unload_sm.exe
+ 2008-02-17 01:21:45 24,190 ----a-r C:\WINDOWS\Installer\{D518592A-0F1E-40ca-BECB-3D3F026C6B0D}\Unload_sm.exe
- 2007-12-18 00:32:19 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-03-09 23:54:06 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
- 2007-12-18 00:32:19 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-03-09 23:54:06 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
- 2007-12-18 00:32:19 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-03-09 23:54:06 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
- 2007-12-18 00:32:19 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-03-09 23:54:06 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2005-09-23 14:28:52 72,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_iehost.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2005-09-23 14:29:04 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.data.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_VsaVb7rt.dll
+ 2005-09-23 14:29:04 5,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbs_wminet_utils.dll
- 2003-02-21 03:09:32 5,120 -c--a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2005-09-23 14:28:52 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp10.dll
+ 2005-09-23 14:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2005-09-23 14:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2005-09-23 14:28:56 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll
- 2003-02-21 02:43:50 131,072 -c--a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2005-09-23 14:28:52 86,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2004-07-15 08:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_aspnet_isapi.dll
+ 2004-07-15 07:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_CORPerfMonExt.dll
+ 2004-07-15 07:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_fusion.dll
+ 2004-07-15 07:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_mscorjit.dll
+ 2004-07-15 21:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_mscorlib.dll
+ 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_mscorsn.dll
+ 2004-07-15 07:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_mscorsvr.dll
+ 2004-07-15 07:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_mscorwks.dll
+ 2003-02-21 11:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_msvcr71.dll
+ 2004-07-15 07:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW428\_PerfCounter.dll
+ 2005-09-23 14:28:36 18,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2005-09-23 14:28:42 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2005-09-23 14:28:44 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2005-09-23 14:29:04 183,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
+ 2005-09-23 14:28:28 208,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2005-09-23 14:28:56 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 14:28:58 138,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2005-09-23 14:28:36 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2005-09-23 14:28:58 55,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2005-09-23 14:28:32 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2005-09-23 14:28:32 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2005-09-23 14:28:32 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2005-09-23 14:28:32 23,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2005-09-23 14:28:32 70,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2005-09-23 14:28:32 13,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2005-09-23 14:28:32 26,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2005-09-23 14:28:32 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
+ 2005-09-23 14:28:32 29,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2005-09-23 14:28:32 29,888 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2005-09-23 14:28:32 503,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2005-09-23 14:28:56 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2005-09-23 14:28:56 88,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2005-09-23 14:28:42 76,984 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2005-09-23 14:28:42 1,144,832 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2005-09-23 14:28:42 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2005-09-23 14:28:58 17,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2005-09-23 14:28:56 68,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2005-09-23 14:28:44 31,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2005-09-23 14:28:38 52,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2005-09-23 14:28:38 4,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2005-09-23 14:29:12 547,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
+ 2005-09-23 14:28:56 788,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2005-09-23 14:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2005-09-23 14:28:56 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
+ 2005-09-23 14:28:56 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2005-09-23 14:28:56 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2005-09-23 14:28:56 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2005-09-23 14:28:56 224,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2005-09-23 14:28:56 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2005-09-23 14:28:56 55,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2005-09-23 14:28:56 72,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2005-09-23 14:28:48 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2005-09-23 14:01:16 609,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
+ 2005-09-23 13:29:48 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1025.dll
+ 2005-09-23 13:32:24 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1028.dll
+ 2005-09-23 13:34:10 82,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1029.dll
+ 2005-09-23 13:34:12 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1030.dll
+ 2005-09-23 13:34:44 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1031.dll
+ 2005-09-23 13:36:24 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1032.dll
+ 2005-09-23 10:46:14 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1033.dll
+ 2005-09-23 13:38:26 81,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1035.dll
+ 2005-09-23 13:38:52 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1036.dll
+ 2005-09-23 13:40:30 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1037.dll
+ 2005-09-23 13:40:32 83,968 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1038.dll
+ 2005-09-23 13:40:56 84,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1040.dll
+ 2005-09-23 13:42:58 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1041.dll
+ 2005-09-23 13:44:58 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1042.dll
+ 2005-09-23 13:46:38 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1043.dll
+ 2005-09-23 13:46:38 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1044.dll
+ 2005-09-23 13:46:40 83,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1045.dll
+ 2005-09-23 13:47:04 82,432 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1046.dll
+ 2005-09-23 13:47:30 82,432 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1049.dll
+ 2005-09-23 13:47:32 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1053.dll
+ 2005-09-23 13:47:32 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1055.dll
+ 2005-09-23 13:30:18 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2052.dll
+ 2005-09-23 13:47:06 84,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2070.dll
+ 2005-09-23 13:29:50 80,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3076.dll
+ 2005-09-23 13:36:48 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3082.dll
+ 2005-09-23 14:57:06 245,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\unicows.dll
+ 2005-09-23 14:28:48 413,696 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
+ 2005-09-23 14:28:48 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2005-09-23 14:28:48 647,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2005-09-23 14:28:48 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2005-09-23 14:28:48 745,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
+ 2005-09-23 14:29:10 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2005-09-23 14:29:10 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
+ 2005-09-23 14:29:08 667,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2005-09-23 14:28:30 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 14:29:10 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2005-09-23 14:28:30 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2005-09-23 14:28:30 12,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 14:28:30 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2005-09-23 14:28:32 87,552 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2005-09-23 14:28:48 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2005-09-23 14:28:56 800,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2005-09-23 14:28:56 73,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2005-09-23 14:28:56 288,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2005-09-23 14:28:56 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2005-09-23 14:28:56 326,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2005-09-23 14:28:56 81,408 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2005-09-23 14:28:56 4,308,992 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2005-09-23 14:28:56 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2005-09-23 14:29:00 330,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2005-09-23 14:28:56 67,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2005-09-23 14:28:50 9,216 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2005-09-23 14:28:56 226,816 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2005-09-23 14:28:56 66,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2005-09-23 14:28:56 10,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2005-09-23 14:28:50 5,615,616 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2005-09-23 14:29:00 22,528 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2005-09-23 14:28:56 96,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2005-09-23 14:28:56 14,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2005-09-23 14:28:56 78,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2005-09-23 14:28:50 136,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2005-09-23 14:28:56 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2005-09-23 14:28:56 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 14:29:02 59,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2005-09-23 14:28:58 7,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2005-09-23 14:28:56 107,520 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2005-09-23 14:29:00 85,504 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2005-09-23 14:28:56 377,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2005-09-23 14:28:56 110,592 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2005-09-23 14:28:58 389,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2005-09-23 14:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2005-09-23 14:28:56 2,878,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2005-09-23 14:28:56 482,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2005-09-23 14:28:56 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2005-09-23 14:28:38 884,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2005-09-23 14:28:56 5,050,368 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2005-09-23 14:28:56 397,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2005-09-23 14:28:56 188,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2005-09-23 14:28:56 3,018,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2005-09-23 14:28:56 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2005-09-23 14:28:56 700,416 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2005-09-23 14:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2005-09-23 14:28:56 47,616 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2005-09-23 14:28:56 114,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2005-09-23 14:28:56 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
+ 2005-09-23 14:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2005-09-23 14:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
+ 2005-09-23 14:28:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2005-09-23 14:28:56 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2005-09-23 14:28:56 114,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2005-09-23 14:28:56 260,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2005-09-23 14:28:56 5,025,792 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2005-09-23 14:28:56 835,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2005-09-23 14:28:56 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2005-09-23 14:28:56 823,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2005-09-23 14:28:56 5,316,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2005-09-23 14:28:56 2,035,712 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2005-09-23 14:28:56 71,680 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2005-09-23 14:29:06 1,140,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2005-09-23 14:28:30 1,306,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2005-09-23 14:28:32 298,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2005-09-23 14:28:56 28,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2004-11-16 01:20:20 77,824 ----a-r C:\WINDOWS\SOUNDMAN.EXE
+ 2004-08-10 19:00:00 73,376 -c--a-w C:\WINDOWS\system\MCIAVI.DRV
+ 2004-08-10 19:00:00 25,264 -c--a-w C:\WINDOWS\system\MCISEQ.DRV
+ 2004-08-10 19:00:00 28,160 -c--a-w C:\WINDOWS\system\MCIWAVE.DRV
+ 2004-08-10 19:00:00 3,360 -c--a-w C:\WINDOWS\system\SYSTEM.DRV
+ 2004-08-10 19:00:00 4,048 -c--a-w C:\WINDOWS\system\TIMER.DRV
+ 2004-08-10 19:00:00 13,600 -c--a-w C:\WINDOWS\system\WFWNET.DRV
+ 2004-08-10 19:00:00 146,432 -c--a-w C:\WINDOWS\system\WINSPOOL.DRV
- 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2006-08-02 19:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2003-03-18 20:05:50 89,088 ----a-w C:\WINDOWS\system32\atl71.dll
+ 2005-01-19 19:50:50 89,088 ----a-w C:\WINDOWS\system32\atl71.dll
+ 2004-08-10 19:00:00 10,544 -c--a-w C:\WINDOWS\system32\comm.drv
- 2007-10-12 17:56:18 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-02-28 18:56:23 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-12 17:56:18 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-02-28 18:56:23 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-12 17:56:18 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-28 18:56:23 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-10 19:00:00 35,328 ----a-w C:\WINDOWS\system32\corpol.dll
+ 2007-08-14 01:42:54 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
+ 2005-09-23 14:28:38 83,456 ----a-w C:\WINDOWS\system32\dfshim.dll
- 2007-10-10 23:55:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-12-07 02:21:45 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-14 01:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2004-08-04 06:14:38 52,736 -c--a-w C:\WINDOWS\system32\dllcache\i8042prt.sys
- 2007-10-10 23:55:51 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-12-07 02:21:45 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-10-10 10:59:40 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-10-10 23:55:52 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-12-07 02:21:45 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-12-07 02:21:46 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-10-10 23:55:55 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-12-07 02:21:46 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-10-10 10:59:40 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-12-06 11:00:58 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-10-10 10:59:52 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-08-17 12:28:27 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2004-08-10 19:00:00 73,376 -c--a-w C:\WINDOWS\system32\dllcache\mciavi.drv
+ 2004-08-10 19:00:00 25,264 -c--a-w C:\WINDOWS\system32\dllcache\mciseq.drv
+ 2004-08-10 19:00:00 28,160 -c--a-w C:\WINDOWS\system32\dllcache\mciwave.drv
+ 2004-08-04 05:58:34 23,040 -c--a-w C:\WINDOWS\system32\dllcache\mouclass.sys
+ 2007-12-18 09:51:35 179,584 -c--a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
- 2007-10-10 23:55:56 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-12-07 02:21:47 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-10-10 23:55:56 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-12-07 02:21:47 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-10-10 23:55:59 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-12-07 02:21:48 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-05-17 11:28:05 549,376 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2007-08-14 01:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2004-08-10 19:00:00 3,360 -c--a-w C:\WINDOWS\system32\dllcache\system.drv
+ 2004-08-10 19:00:00 4,048 -c--a-w C:\WINDOWS\system32\dllcache\timer.drv
- 2007-10-10 23:55:59 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 04:58:46 15,104 -c--a-w C:\WINDOWS\system32\dllcache\usbscan.sys
+ 2004-08-04 05:58:46 15,104 -c--a-w C:\WINDOWS\system32\dllcache\usbscan.sys
+ 2004-08-04 07:56:58 23,552 -c--a-w C:\WINDOWS\system32\dllcache\wdmaud.drv
- 2007-10-10 23:56:00 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-12-07 02:21:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2004-08-10 19:00:00 13,600 -c--a-w C:\WINDOWS\system32\dllcache\wfwnet.drv
- 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2004-08-10 19:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\winspool.drv
+ 2004-11-18 02:05:38 2,297,664 ----a-r C:\WINDOWS\system32\drivers\ALCXWDM.SYS
- 2007-07-11 20:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
- 2007-08-07 19:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2004-06-17 22:55:38 685,056 ----a-w C:\WINDOWS\system32\drivers\HSF_CNXT.sys
+ 2004-06-17 22:55:04 1,041,536 ----a-w C:\WINDOWS\system32\drivers\HSF_DP.sys
+ 2004-06-17 22:56:22 220,032 ----a-w C:\WINDOWS\system32\drivers\HSFHWBS2.sys
- 2004-08-10 19:00:00 52,736 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
+ 2004-08-04 06:14:38 52,736 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
+ 2004-03-17 19:04:14 13,059 ----a-w C:\WINDOWS\system32\drivers\mdmxsdk.sys
- 2004-08-04 12:58:34 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
+ 2004-08-04 05:58:34 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
- 2004-08-10 19:00:00 181,248 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
+ 2007-12-18 09:51:35 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
- 2007-08-07 19:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2004-08-04 04:58:46 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
+ 2004-08-04 05:58:46 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
- 2007-08-14 01:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2000-08-31 14:00:00 73,728 ----a-w C:\WINDOWS\system32\fdsv.exe
+ 2000-08-31 14:00:00 80,412 ----a-w C:\WINDOWS\system32\grep.exe
- 2006-03-04 04:03:10 69,632 ----a-w C:\WINDOWS\system32\HPZipm12.exe
+ 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\HPZipm12.exe
+ 2004-08-04 22:34:48 39,018 ----a-w C:\WINDOWS\system32\HSFCI011.dll
- 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-08-14 01:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2004-08-10 19:00:00 221,600 -c--a-w C:\WINDOWS\system32\lanman.drv
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-03-02 16:15:40 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2008-02-14 13:43:44 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-10 19:00:00 73,376 -c--a-w C:\WINDOWS\system32\mciavi.drv
+ 2004-08-10 19:00:00 25,264 -c--a-w C:\WINDOWS\system32\mciseq.drv
+ 2004-08-10 19:00:00 28,160 -c--a-w C:\WINDOWS\system32\mciwave.drv
+ 2004-03-17 19:00:32 86,016 ----a-w C:\WINDOWS\system32\mdmxsdk.dll
- 2004-06-30 17:49:14 1,060,864 ----a-w C:\WINDOWS\system32\mfc71.dll
+ 2005-01-19 19:50:50 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
- 2003-03-18 22:12:12 1,047,552 -c--a-w C:\WINDOWS\system32\mfc71u.dll
+ 2005-01-19 19:50:50 1,047,552 ----a-w C:\WINDOWS\system32\MFC71u.dll
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2004-08-10 19:00:00 20,480 ----a-w C:\WINDOWS\system32\msacm32.drv
+ 2005-09-23 14:28:52 150,016 ----a-w C:\WINDOWS\system32\mscorier.dll
- 2003-02-21 03:09:14 106,496 ----a-w C:\WINDOWS\system32\mscories.dll
+ 2005-09-23 14:28:52 74,240 ----a-w C:\WINDOWS\system32\mscories.dll
- 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2004-08-10 19:00:00 188,416 ----a-w C:\WINDOWS\system32\msh261.drv
+ 2004-08-04 07:56:58 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
- 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2003-03-18 21:14:52 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
+ 2005-01-19 19:50:50 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
- 2003-02-21 05:42:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
+ 2005-01-19 19:50:50 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
+ 2005-09-23 14:29:00 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
- 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-05-17 11:28:05 549,376 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2007-12-19 04:14:43 45,612 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 22:09:53 58,858 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-19 04:14:43 364,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 22:09:53 393,066 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-08-14 01:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2004-08-04 08:56:58 294,912 -c--a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\msh263.drv
+ 2004-08-04 08:56:58 23,552 -c--a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\wdmaud.drv
+ 2004-11-23 18:15:10 229,376 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\HPptp05.dll
+ 2004-08-04 04:58:46 15,104 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\usbscan.sys
+ 2004-08-10 19:00:00 52,736 ----a-w C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i8042prt.sys
+ 2004-08-04 12:58:34 23,040 ----a-w C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\mouclass.sys
+ 2004-09-07 21:23:16 156,672 ----a-r C:\WINDOWS\system32\RTLCPAPI.dll
+ 2004-11-17 23:11:28 9,319,936 ----a-r C:\WINDOWS\system32\RTLCPL.EXE
+ 2000-08-31 14:00:00 98,816 ----a-w C:\WINDOWS\system32\sed.exe
- 2006-03-03 01:49:14 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
+ 2007-08-09 07:27:52 73,728 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
- 2007-12-14 04:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-12-04 08:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 14:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 12:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 14:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2004-08-10 19:00:00 3,360 -c--a-w C:\WINDOWS\system32\system.drv
+ 2004-08-10 19:00:00 4,048 -c--a-w C:\WINDOWS\system32\timer.drv
- 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2006-11-27 09:34:46 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2000-08-31 14:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2004-08-04 07:56:58 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
- 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2004-08-10 19:00:00 13,600 -c--a-w C:\WINDOWS\system32\wfwnet.drv
- 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2004-08-10 19:00:00 146,432 ----a-w C:\WINDOWS\system32\winspool.drv
+ 2000-08-31 14:00:00 68,096 ----a-w C:\WINDOWS\system32\zip.exe
+ 2008-03-03 02:38:54 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-03-03 02:38:54 114,176 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D42DE98-D74A-40BE-B20A-2282076B4671}]
C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1293C943-8E2B-4B3C-B6A5-2AC190D61F12}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43279D2A-A0F2-4C87-BEF6-2E4D0F4AE81F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D151EF5-370C-48D2-6AAD-A1E4F74D04F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{852652ED-3907-4499-9123-40679065B698}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-07 19:00 180269]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ShowWnd"="ShowWnd.exe" [2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"MAFWTaskbarApp"="C:\WINDOWS\system32\MAFWTray.exe" [2004-11-02 17:15 151552]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 13:44 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04 59392]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49 282624]
"CHotkey"="zHotkey.exe" [2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-28 15:48:29 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywttt]
xxywttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxut]
yayxxut.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=C:\WINDOWS\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 09:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 15:32 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
--a------ 2005-05-19 13:55 101888 C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-04-27 18:23 788992 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 10:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-01-20 18:46 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-10 18:10 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter]
--a------ 2005-11-11 12:32 483328 C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"KodakCCS"=3 (0x3)
"gusvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"aawservice"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"Emproxy"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-07-10 21:06]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd []
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 22:28:50 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-04 22:28:49 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 18:23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\HKNTDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-03-12 18:25:55 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-13 00:25:51
ComboFix2.txt 2007-12-19 04:31:54
.
2008-03-12 23:51:47 --- E O F ---

#5 justinmc

justinmc
  • Topic Starter

  • Members
  • 6 posts

Posted 16 March 2008 - 04:27 PM

Hello,
I ran Spybot S&D because the computer seemed like it was back to normal and it found no threats. Prior to posting the Combofix log a balloon popup in the bottom right corner of the screen said virtumonde had been removed but I didn't think anything of it since it always restores itself. I think earlier that day Windows downloaded an update that may have removed the threat. Please let me know if you see any traces of it left.
Thank you.

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 17 March 2008 - 01:08 PM

Hello,

# Step 1 #

Please uninstall any of the following program(s) using Add/Remove Programs if they are present.
To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

WebBuying
- Read about that software here.


# Step 2 #

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



# Step 3 #

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
http://www.bleepingcomputer.com/forums/t/135656/infected-with-virtumonde/
Collect::[4]
C:\WINDOWS\system32\govyanqy.ini
C:\WINDOWS\system32\bdmuxrhn.dll_old
C:\WINDOWS\system32\isdlvfmh.ini
C:\WINDOWS\system32\acdggvyn.ini
C:\WINDOWS\system32\rucceqma.ini
C:\WINDOWS\system32\rfmfnwbc.ini
C:\WINDOWS\system32\vturq.dll
File::
C:\WINDOWS\system32\thxcfg.ini
Suspect::
C:\install.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D42DE98-D74A-40BE-B20A-2282076B4671}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1293C943-8E2B-4B3C-B6A5-2AC190D61F12}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43279D2A-A0F2-4C87-BEF6-2E4D0F4AE81F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D151EF5-370C-48D2-6AAD-A1E4F74D04F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{852652ED-3907-4499-9123-40679065B698}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywttt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxut]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • (animation not reproduced here)
  • Upon reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
# Step 4 #

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\install.dat
  • Click on the submit button
  • Please post the results in your next reply.
# Step 5 #

In your next reply, please post:
- The results from ComboFix (step 3)
- The results from Jotti's (step 4)
- A new HijackThis log.

Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
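The script in the post above goes after the usual Vundo/Virtumonde footprint: Winlogon\Notify packages with random names, a per-drive AutoRun handler under MountPoints2, and the msconfig\startupreg keys whose names contain unprintable characters. The log earlier in the thread also shows Security Center notifications and the XP firewall turned off. What follows is an added example, not code from the thread, from ComboFix or from BleepingComputer, that pulls those indicators out of a ComboFix-style registry dump so they can be spotted before a script is written. SAMPLE_LOG is constructed after the thread's log; the Winlogon\Notify allowlist is an assumption about a stock XP SP2 install; and the Security Center and firewall values are reported as "verify" rather than as malicious, because a third-party suite such as the McAfee install in this log can set them itself.

```python
"""Triage a ComboFix-style registry dump for Vundo/Virtumonde persistence.

Added example; not ComboFix's or BleepingComputer's code. SAMPLE_LOG is
constructed after the log posted in this thread (key names shortened).
"""
import re
from typing import Dict, List, Tuple

# Notification packages on a stock Windows XP SP2 install (assumption used as
# an allowlist; Vundo registered random seven-letter names next to these).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

Finding = Tuple[str, str, str]  # (category, key, detail)


def parse_registry_dump(text: str) -> Dict[str, List[str]]:
    """Map each [KEY] header to the raw lines that follow it."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(text: str) -> List[Finding]:
    """Return (category, key, detail) for every indicator found in the dump."""
    findings: List[Finding] = []
    for key, lines in parse_registry_dump(text).items():
        low = key.lower()
        # 1. Key names carrying control or non-ASCII characters, like the
        #    msconfig\startupreg entries in the thread's log.
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in key):
            findings.append(("garbage-key-name", key, "non-printable characters in key name"))
        # 2. Winlogon notification packages load a DLL into winlogon.exe at
        #    logon; flag any package not on the stock-XP allowlist.
        if "\\winlogon\\notify\\" in low:
            package = low.rsplit("\\", 1)[1]
            if package not in KNOWN_NOTIFY:
                findings.append(("winlogon-notify", key, f"unknown notify package '{package}'"))
        # 3. Per-drive AutoRun handlers cached under MountPoints2.
        if "\\explorer\\mountpoints2\\" in low:
            for ln in lines:
                if ln.lower().startswith("\\shell\\autorun\\command"):
                    findings.append(("drive-autorun", key, ln.split(" - ", 1)[-1]))
        # 4. Security Center notifications/monitoring and the XP firewall.
        #    A third-party suite sets these itself, so report them as
        #    "verify", not as proof of malware.
        for ln in lines:
            m = VALUE_RE.match(ln)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2).strip()
            if "security center" in low and name in (
                "antivirusdisablenotify", "firewalldisablenotify", "disablemonitoring"
            ) and value.endswith("1"):
                findings.append(("security-center", key, f"{m.group(1)}={value}"))
            if "firewallpolicy" in low and name == "enablefirewall" and value.startswith("0"):
                findings.append(("firewall-off", key, f"{m.group(1)}={value}"))
    return findings


# Constructed sample in the layout of the thread's ComboFix output.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
@="crypt32.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywttt]
@="C:\WINDOWS\system32\xxywttt.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

if __name__ == "__main__":
    for category, key, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}\n    {key}")
```

Run on the sample it reports one finding per category: the xxywttt notify package, the ISTsvc key with the unprintable name, the D: AutoRun command, the disabled notification and the disabled firewall. The allowlist approach is deliberate: Vundo's notify names were random, so matching "known bad" names would miss the next variant, whereas anything outside the stock set gets a human look.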

#7 justinmc

justinmc
  • Topic Starter

  • Members
  • 6 posts

Posted 18 March 2008 - 07:32 PM

Hi,
I did not find Webbuying on my add/remove programs list. I followed everything else you told me to and this is what I got.
Thanks

File: install.dat
Status:
OK
MD5: 1311e234cd958864f793ce212b95e0be
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 19 Mar 2008 00:22:19 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Statistics
Last file scanned at least one scanner reported something about: keyfinder.exe (MD5: 042f13cb1818a8b9fe026a250c4eef93, size: 272357 bytes), detected by:

Scanner Malware name
A-Squared Riskware.PSWTool.Win32.RAS.a
AntiVir SPR/PSW.RAS.A.4
ArcaVir Riskware.Pswtool.Ras.A
Avast X
AVG Antivirus X
BitDefender Application.Findkeyxp.G
ClamAV PUA.PWTool.PWDump-2
CPsecure PSWTool.W32.RAS.A
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus not-a-virus:PSWTool.Win32.RAS.a (6, 2, 605)
Fortinet X
Ikarus X
Kaspersky Anti-Virus not-a-virus:PSWTool.Win32.RAS.a
NOD32 a variant of Win32/PSWTool.RAS.A application
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


ComboFix 08-03-10.1 - Owner 2008-03-18 16:51:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.110 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\thxcfg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acdggvyn.ini
C:\WINDOWS\system32\bdmuxrhn.dll_old
C:\WINDOWS\system32\govyanqy.ini
C:\WINDOWS\system32\isdlvfmh.ini
C:\WINDOWS\system32\rfmfnwbc.ini
C:\WINDOWS\system32\rucceqma.ini
C:\WINDOWS\system32\thxcfg.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-12 03:02 . 2008-03-12 03:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-09 21:29 . 2008-03-10 17:27 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-09 17:53 . 2008-03-09 17:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-04 18:25 . 2008-03-04 18:25 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-04 18:25 . 2008-03-04 18:25 <DIR> d-------- C:\Program Files\ComcastToolbar
2008-03-04 18:25 . 2008-03-16 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2008-03-04 16:39 . 2008-03-12 18:03 5,414 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-04 16:32 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-04 16:29 . 2008-02-06 10:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-04 16:29 . 2007-03-02 15:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-04 16:29 . 2007-06-25 15:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-04 16:29 . 2007-06-25 11:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-04 16:29 . 2007-06-25 11:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-04 16:29 . 2007-06-25 11:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-04 16:28 . 2008-03-04 16:28 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-04 16:21 . 2008-03-04 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-04 16:05 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\McAfee
2008-03-04 16:05 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-03 19:09 . 2008-03-03 19:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-02 18:21 . 2008-03-02 18:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-02 18:21 . 2008-03-02 18:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-02 15:52 . 2008-03-02 15:52 164 --a------ C:\install.dat
2008-03-02 10:39 . 2008-03-06 20:36 22 --a------ C:\Module.ini
2008-03-01 09:01 . 2008-03-01 09:00 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-01 09:01 . 2008-03-01 09:01 2,541 --a------ C:\WINDOWS\unins000.dat
2008-02-28 18:06 . 2008-02-28 18:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Logitech
2008-02-28 16:02 . 2008-02-28 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-28 16:02 . 2008-02-28 16:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 15:49 . 2006-01-20 19:02 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2008-02-28 15:48 . 2004-12-07 11:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-28 15:48 . 2006-01-31 11:10 143,360 --a------ C:\WINDOWS\system32\kemutb.dll
2008-02-28 15:48 . 2006-01-31 11:10 90,112 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-02-28 15:48 . 2006-01-31 11:10 86,016 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-02-28 15:48 . 2006-01-31 11:13 65,536 --a------ C:\WINDOWS\system32\KemXML.dll
2008-02-28 15:47 . 2008-02-28 15:47 <DIR> d-------- C:\Program Files\Logitech
2008-02-28 15:47 . 2008-02-28 15:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-02-28 15:47 . 2006-01-20 19:03 69,376 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2008-02-28 15:47 . 2006-01-20 19:02 55,552 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2008-02-28 15:47 . 2006-01-20 18:46 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-03-16 20:47 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-03-09 23:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 05:00 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-03-04 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-03 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-03 00:14 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:23 --------- d-----w C:\Program Files\vso
2008-03-02 16:22 --------- d-----w C:\Program Files\PlayFirst
2008-03-02 16:15 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-02 16:13 --------- d-----w C:\Program Files\Yahoo!
2008-03-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-03-01 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 15:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-28 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-10-04 03:19 124 -c--a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2005-05-12 05:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-06-26 22:52 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

2005-05-25 13:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 11:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-10-03 21:18 359808 14143695e27b2718dee96ea2e50428b3 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-02-17 04:08 359808 eb98d5e55321cefd803e8173dbb000db C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-15 03:12 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-09 04:10 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-07 19:00 180269]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ShowWnd"="ShowWnd.exe" [2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"MAFWTaskbarApp"="C:\WINDOWS\system32\MAFWTray.exe" [2004-11-02 17:15 151552]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 13:44 196608]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04 59392]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49 282624]
"CHotkey"="zHotkey.exe" [2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-28 15:48:29 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=C:\WINDOWS\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 09:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 15:32 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
--a------ 2005-05-19 13:55 101888 C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-04-27 18:23 788992 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 10:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-01-20 18:46 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-10 18:10 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter]
--a------ 2005-11-11 12:32 483328 C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"KodakCCS"=3 (0x3)
"gusvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"aawservice"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"Emproxy"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-07-10 21:06]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd []
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 07:06:06 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-04 22:28:49 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 16:53:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
Completion time: 2008-03-18 16:54:36
ComboFix-quarantined-files.txt 2008-03-18 22:54:22
ComboFix2.txt 2008-03-13 00:25:56
ComboFix3.txt 2007-12-19 04:31:54
.
2008-03-12 23:51:47 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:21 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\fredflinstone.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) -
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://stash.nugs.net/dev/dlControl.CAB
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6967 bytes
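Comparing the script from the earlier post with the log that came back is how you tell whether the fix actually took. The following is an added example, not ComboFix's code and not from the thread's participants, that does that reconciliation mechanically over trimmed excerpts of the script and the resulting log as they appear above: each Collect:: and File:: path is checked against the "Other Deletions" section, Suspect:: is treated as submit-only (the log above still lists C:\install.dat afterwards), and each Registry:: deletion is checked against the [KEY] headers still present. The junk startupreg key is written with two spaces after "#" in the script but one in the log; whether that difference is real or a forum-rendering artifact is not something the page settles, so the comparison collapses whitespace and reports such a match as "still listed" so that the exact name gets checked.

```python
"""Reconcile a ComboFix CFScript against the log ComboFix produced from it.

Added example, not ComboFix's own code. CFSCRIPT and POST_RUN_LOG are
trimmed excerpts of the script (post #6) and the resulting log (post #7).
"""
import re
from typing import Dict, List, Set

CFSCRIPT = r"""
Collect::[4]
C:\WINDOWS\system32\govyanqy.ini
C:\WINDOWS\system32\bdmuxrhn.dll_old
C:\WINDOWS\system32\vturq.dll
File::
C:\WINDOWS\system32\thxcfg.ini
Suspect::
C:\install.dat
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files\ISTsvc]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
"""

POST_RUN_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bdmuxrhn.dll_old
C:\WINDOWS\system32\govyanqy.ini
C:\WINDOWS\system32\thxcfg.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
2008-03-02 15:52 . 2008-03-02 15:52 164 --a------ C:\install.dat
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def norm(s: str) -> str:
    """Case-fold and collapse whitespace: the junk key is written with two
    spaces after '#' in the script but one in the log."""
    return re.sub(r"\s+", " ", s).casefold()


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group script lines under their directive (Collect, File, Suspect, Registry)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections


def deleted_files(log: str) -> Set[str]:
    """Paths between the 'Other Deletions' banner and the next banner."""
    out: Set[str] = set()
    inside = False
    for line in (l.strip() for l in log.splitlines()):
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break
        elif inside and PATH_RE.match(line):
            out.add(norm(line))
    return out


def listed_keys(log: str) -> Set[str]:
    """Every [KEY] header still present in the post-run log, normalised."""
    return {norm(m.group(2)) for m in map(KEY_RE.match, map(str.strip, log.splitlines())) if m}


def reconcile(script: str, log: str) -> Dict[str, str]:
    """Outcome per item the script asked ComboFix to act on."""
    s = parse_cfscript(script)
    gone, keys, log_norm = deleted_files(log), listed_keys(log), norm(log)
    result: Dict[str, str] = {}
    for item in s.get("File", []) + s.get("Collect", []):
        result[item] = "deleted" if norm(item) in gone else "NOT in Other Deletions: re-check"
    for item in s.get("Suspect", []):
        # Suspect:: submits the file for analysis; the log still lists it afterwards.
        result[item] = "still present (submit-only)" if norm(item) in log_norm else "no longer listed"
    for item in s.get("Registry", []):
        m = KEY_RE.match(item)
        if m and m.group(1) == "-":
            still = norm(m.group(2)) in keys
            result[item] = "key still listed: check the exact name" if still else "key no longer listed"
    return result


if __name__ == "__main__":
    for item, outcome in reconcile(CFSCRIPT, POST_RUN_LOG).items():
        print(f"{outcome:40} {item}")
```

Against these excerpts it reports vturq.dll as requested under Collect:: but absent from Other Deletions, the ISTsvc startupreg key as still listed, and the MountPoints2\D key as gone; the other paths come back as deleted. A mismatch of the first two kinds is the cue to look again before declaring the machine clean.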

#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 21 March 2008 - 10:01 AM

Hello justinmc

# Step 1 #

Optional fixes:

soundman.exe (Realtek AC97 Audio Sound Manager) process can be removed to free up resources without compromising system performance. System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


nerocheck.exe (Nero CD writing or Nero CD/DVD software) is a process associated with the Nero CD writing or Nero CD/DVD software. It is used to install or control the Nero driver nerocd2k.sys application. This process should not be removed while using the Nero CD Writing software. This program constantly checks for known drivers that can conflict with our Nero/Nero Express/NeroVision Express software. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe


ehtray.exe (Media Center) process can be removed to free up resources without compromising system performance. This startup loads a system tray icon that allows you to control various aspects of Media Center. Enables the user to access Windows Messenger from within Media Center. This is a valid program, but it is up to you whether or not you want it to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe



# Step 2 #

Go to Start > Run, type: regedit, and click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
# Step 3 #

Go to Start > Run, type: Notepad, and click OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) into Notepad. (Be sure to use Notepad, not WordPad, otherwise it won't work.)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files\ISTsvc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\#  Lh'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it Fixme.reg and save it on your desktop.
  • Double click Fixme.reg. It will ask you if you want to merge it to the registry, click Yes.
# Step 4 #

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



# Step 5 #

Please do an online scan with Kaspersky WebScanner.

Click on the scanner link [image].

You will be prompted to install an ActiveX component from Kaspersky; click [image].
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on [image].
  • Now click on [image].
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click [image].
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
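A dry-run check for the Fixme.reg procedure in this post, added here as an example and not part of lusitano's instructions: it parses a REGEDIT4 file and lists what merging it would delete or set, and warns about the mistakes the post cautions against (a file saved by WordPad as RTF, a missing REGEDIT4 header, a value line outside any [key] section, a [-key] deletion already covered by a parent deletion). The sample input is the thread's own registry fragments, including the `"name"=-` value-deletion form used later in the thread, with the garbled ISTsvc key names left out. The parser handles only the subset of the .reg syntax shown here plus plain string and dword values; that is an assumption about the input, not a full implementation of the format.

```python
"""Dry-run a REGEDIT4 fix file: list what merging it would do and flag
common mistakes before double-clicking it.  Example code added to this
thread, not part of the original post."""
import re
from dataclasses import dataclass, field

# Sample input: the Fixme.reg fragments posted in this thread, combined
# (the garbled ISTsvc key names are left out).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
"""

ROOT_KEYS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                      # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')      # "name"=data or @=data


@dataclass
class RegPlan:
    keys_deleted: list = field(default_factory=list)    # full key paths
    values_deleted: list = field(default_factory=list)  # (key, value name)
    values_set: list = field(default_factory=list)      # (key, value name, raw data)
    warnings: list = field(default_factory=list)


def plan_reg(text: str) -> RegPlan:
    """Parse a .reg file into the actions regedit would perform on merge."""
    plan = RegPlan()
    if text.lstrip().startswith("{\\rtf"):
        plan.warnings.append("file is RTF, probably saved from WordPad: regedit will not merge it")
        return plan
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].strip() in HEADERS
    if not has_header:
        plan.warnings.append("missing REGEDIT4 header on line 1: regedit will refuse the file")
    current = None  # key that following value lines apply to
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if (n == 1 and has_header) or not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if key.split("\\", 1)[0].upper() not in ROOT_KEYS:
                plan.warnings.append(f"line {n}: unknown root key in [{key}]")
            if minus:
                # [-key] removes the key and every subkey, so a later [-key\sub] is redundant
                if any(key.lower().startswith(done.lower() + "\\") for done in plan.keys_deleted):
                    plan.warnings.append(f"line {n}: [-{key}] is already covered by a parent deletion")
                plan.keys_deleted.append(key)
                current = None
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2).strip()
            if current is None:
                plan.warnings.append(f"line {n}: value line outside any [key] section: {line!r}")
            elif data == "-":
                plan.values_deleted.append((current, name))
            else:
                plan.values_set.append((current, name, data))
            continue
        plan.warnings.append(f"line {n}: unrecognised line {line!r}")
    return plan


def describe(plan: RegPlan) -> str:
    out = [f"delete key   {k}" for k in plan.keys_deleted]
    out += [f"delete value {k} -> {v!r}" for k, v in plan.values_deleted]
    out += [f"set value    {k} -> {v!r} = {d}" for k, v, d in plan.values_set]
    out += [f"WARNING: {w}" for w in plan.warnings]
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(plan_reg(SAMPLE_REG)))
```

Run it on the Fixme.reg before merging; an empty warning list and a short, expected action list is the go-ahead. Because `[-key]` already removes every subkey, the four nested ISTsvc deletions in this post reduce to the first one, which the parent-deletion warning points out.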

#9 justinmc (Topic Starter)
  • Members
  • 6 posts

Posted 21 March 2008 - 11:52 PM

Hello,
The computer seems like it is running better. I made the changes like you suggested. Here are the logs.
Thank you,
Justin

KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 10:46:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654287


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics
Total number of scanned objects 73659
Number of viruses found 12
Number of infected objects 49
Number of suspicious objects 20
Duration of the scan process 00:45:29

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip/install.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc1.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc5.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc5.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc6.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc6.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc7.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc7.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc8.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc8.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc9.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechISTsvc9.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch12.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch12.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch16.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch16.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch8.zip/istsvc.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechSlotch8.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor1.zip/netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip/NDNuninstall6_90.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet1.zip/NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet17.zip/newdotnet7_14.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.h skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet17.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet18.zip/NDNuninstall7_14.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet18.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet19.zip/NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet19.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet2.zip/uninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet2.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet8.zip/newdotnet7_14.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.h skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet8.zip/uninstall7_14.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet8.zip ZIP: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia.zip/mqexdlm.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia1.zip/exdl1.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Pacimedia1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService21.zip/core.sys Infected: Rootkit.Win32.Agent.sg skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService21.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip/res9.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant1.zip/Del8.tmp Infected: Trojan-Downloader.Win32.Small.asf skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip/sais.exe Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/bdmuxrhn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Owner\triggers.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3505994070_12451840_13663 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{63B67A07-5A08-4F62-9946-CA9B2A35607B}.TmpSBE Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\abnduruq.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ebpoemdj.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\egyppflu.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ktjjvbpy.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ngandsqb.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\nndkbmmw.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\promylyk.html.vir.bac_a01828 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\tvgwiqxy.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\vturq.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\xnlnqeji.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-03-18@16.50.zip/bdmuxrhn.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-03-18@16.50.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\cknwxqiu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\dhmdsiww.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\gktgjqmp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\iocoglly.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\ngandsqb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\plwfxurt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP9\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem with SmartCP.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{18D128E3-132E-4E14-9493-DCF019C42A92}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{6B8CB768-AA36-47E7-9046-4347016B9E62}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD Object is locked skipped

C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP9\change.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:55 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\fredflinstone.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) -
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://stash.nugs.net/dev/dlControl.CAB
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7178 bytes
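A triage script for a Kaspersky Online Scanner report like the one above, added here as an example and not something from the thread. It parses the report lines, separates files the scanner could not open ("Object is locked") from real detections, and then checks whether each detection sits inside a quarantine or backup store that another tool already created (Spybot's Recovery folder, HouseCall's Quarantine, ComboFix's C:\qoobox, a System Restore point, the sample-submission zip on the desktop) or in a live location. The sample input is seven lines excerpted from the report above plus one constructed line (abcdefgh.dll, not in the thread) so that the live bucket is exercised; the VundoFix and OTMoveIt folder names in the container list are assumptions.

```python
"""Triage a Kaspersky Online Scanner report: separate live detections from
hits inside quarantine/backup stores and from locked (unscanned) files.
Example code added to this thread, not part of the original post."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: seven lines excerpted from the report posted above, plus one
# constructed line (abcdefgh.dll) that does NOT appear in the thread, added so
# the "live" bucket is exercised.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/bdmuxrhn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService21.zip/core.sys Infected: Rootkit.Win32.Agent.sg skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ngandsqb.dll.bac_a01828 Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-03-18@16.50.zip/bdmuxrhn.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ngandsqb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\WINDOWS\system32\abcdefgh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""

# <path> <status> <action>; the path may contain spaces, so anchor on the status keywords.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<status>Object is locked|(?:Infected|Suspicious|Warning|ZIP|RAR|CAB): .+?)\s+"
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)

# Folders holding copies that other tools already pulled out of service.  The
# Spybot, HouseCall, ComboFix (qoobox) and submit-zip patterns come from the
# report above; the VundoFix and OTMoveIt folder names are assumptions.
CONTAINERS = [
    (re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.I), "Spybot S&D recovery"),
    (re.compile(r"\\\.housecall[^\\]*\\Quarantine\\", re.I), "HouseCall quarantine"),
    (re.compile(r"^[A-Z]:\\qoobox\\Quarantine\\", re.I), "ComboFix quarantine"),
    (re.compile(r"^[A-Z]:\\VundoFix Backups\\", re.I), "VundoFix backups"),
    (re.compile(r"^[A-Z]:\\_OtMoveIt\\", re.I), "OTMoveIt backups"),
    (re.compile(r"\\System Volume Information\\_restore", re.I), "System Restore point"),
    (re.compile(r"\\\[\d+\]-Submit_[^\\]*\.zip(?:/|$)", re.I), "sample-submission archive"),
]


@dataclass
class Finding:
    path: str
    status: str
    action: str
    container: Optional[str]   # None when the hit is in a live location
    family: Optional[str]      # detection name without the variant suffix


def family_of(status: str) -> Optional[str]:
    """'Infected: not-a-virus:AdWare.Win32.Virtumonde.gen' -> 'AdWare.Win32.Virtumonde'.
    Heuristic: drop the last dotted component only when there are four or more."""
    if not status.startswith("Infected: "):
        return None
    name = status[len("Infected: "):]
    if name.startswith("not-a-virus:"):
        name = name[len("not-a-virus:"):]
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) >= 4 else name


def parse_report(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics, blank lines
        path, status, action = m.group("path", "status", "action")
        container = next((label for rx, label in CONTAINERS if rx.search(path)), None)
        findings.append(Finding(path, status, action, container, family_of(status)))
    return findings


def triage(findings: list) -> dict:
    """Buckets: 'locked' (never scanned), 'contained' (inside a quarantine or
    backup store), 'live' (anything else the scanner flagged)."""
    buckets = {"locked": [], "contained": [], "live": []}
    for f in findings:
        if f.status == "Object is locked":
            buckets["locked"].append(f)
        elif f.container:
            buckets["contained"].append(f)
        else:
            buckets["live"].append(f)
    buckets["families"] = Counter(f.family for f in findings if f.family)
    buckets["stores"] = Counter(f.container for f in buckets["contained"])
    return buckets


if __name__ == "__main__":
    t = triage(parse_report(SAMPLE_REPORT))
    for name in ("live", "contained", "locked"):
        print(f"{name}: {len(t[name])}")
        for f in t[name]:
            print(f"  {f.path}  [{f.container or f.status}]")
    print("families:", dict(t["families"]))
```

Run against the full report above, every Infected and Suspicious hit lands in the contained bucket and the live bucket is empty, which is what justifies the housekeeping in the next post (purging those stores) rather than another removal pass. Note that the action column reads "skipped" throughout: this scanner only reports, so the report is an inventory, not a cleanup. Locked files are a blind spot, not a clean bill; they are hives, logs and index files the scanner could not open while Windows was running.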

#10 lusitano (Portuguese Malware Fighter)
  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 25 March 2008 - 05:42 AM

Hello,

# Step 1 #

Go to Start > Run, type: regedit, and click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
# Step 2 #

Go to Start > Run, type: Notepad, and click OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) into Notepad. (Be sure to use Notepad, not WordPad, otherwise it won't work.)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it Fixme.reg and save it on your desktop.
  • Double click Fixme.reg. It will ask you if you want to merge it to the registry, click Yes.
# Step 3 #

Time for some housekeeping

To clear out Spybot Search & Destroy's quarantine:

* Run Spybot Search & Destroy
* Click the Recovery icon
* Select all the items present
* Click purge selected items


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the contents from this folder:

C:\Documents and Settings\Owner\.housecall6.6\Quarantine <- the CONTENTS from this folder



Using Windows Explorer (to get there right-click your Start button and go to "Explore"), delete this file, "if present":

C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-03-18@16.50.zip <- delete this file
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
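The Internet Explorer hardening steps in the post above are clicked through the Custom Level dialog; the same settings live in the registry, so they can be audited after the fact. The script below is an added example and not part of the thread or any tool it mentions. It reads the Internet zone (zone 3) under HKCU and compares the six settings the post names against the required states; the value IDs and the 0/1/3 encoding follow Microsoft's documented layout of the Internet Settings\Zones keys.

```powershell
# Added example: audit the six Internet-zone settings recommended above.
# Zone 3 is the "Internet" zone; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name -> registry value ID and the state the post asks for.
$Required = @(
    @{ Name = 'Download signed ActiveX controls';                          Id = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Id = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Id = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Id = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Id = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Id = '1607'; Want = 1 }
)
$StateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    param([string]$Key = $ZoneKey)
    # Caveat: if the machine policy sets Security_HKLM_only, IE ignores the
    # HKCU zone values and the HKLM copy of this key is the one that matters.
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($s in $Required) {
        $current = $props.($s.Id)
        if ($null -eq $current) {
            $currentName = 'Unset (inherits default; verify in the GUI)'
            $ok = $false
        } else {
            $currentName = $StateName[[int]$current]
            if (-not $currentName) { $currentName = "Unknown ($current)" }
            $ok = ([int]$current -eq $s.Want)
        }
        [PSCustomObject]@{
            Setting   = $s.Name
            Current   = $currentName
            Required  = $StateName[$s.Want]
            Compliant = $ok
        }
    }
}

# Report every setting, then list only the ones that still need changing.
$results = Test-InternetZoneHardening
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Needs attention: $($_.Setting) is '$($_.Current)', expected '$($_.Required)'" }
```

Run it after applying the settings in the Custom Level dialog; any row reported as non-compliant means the change did not take effect in the current user's zone configuration.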

#11 justinmc

justinmc
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 26 March 2008 - 04:29 PM

Hello,
I followed all of the steps and the computer is running perfect. I greatly appreciate the help you have provided.

Thank you,
Justin

#12 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:06:59 PM

Posted 27 March 2008 - 01:32 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.