Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help, I Think I'm Infected.


  • Please log in to reply
7 replies to this topic

#1 nonetheless

nonetheless

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 01 October 2008 - 10:56 AM

Okay, here's the deal. My anti-virus keeps popping up this weird thing that it cannot remove. Sometimes when I try to open the C drive, some weird message comes up. I also happen to have some "application dummies" inside some of my folders (for example, let's say that I have a folder named "Beach Pictures." When I open that folder, there would be an application named "Beach Pictures" inside.). Plus, my computer's gone mental. Sometimes, it would slow down to a crawl out of nowhere. Please, please. I need this laptop for my thesis. Any help would be greatly appreciated.

Here's my log file (I downloaded my HiJackThis version from MajorGeeks):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:02 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ryan\My Documents\Downloads\Programs\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = jaymyka.wen9.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ContextAdvisor - {87E68009-29A8-D669-F7C2-B31D08635C50} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ampli] WINDOWS\system32\mveo.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - http://www.google.com.ph/

--
End of file - 13148 bytes

BC AdBot (Login to Remove)

 


m

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:00 PM

Posted 01 October 2008 - 11:06 AM

Hello nonetheless

Welcome to BleepingComputer :thumbsup:
========================
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 nonetheless

nonetheless
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 01 October 2008 - 05:10 PM

I'm sorry. I didn't have my Windows XP CD available so I didn't install the Recovery Console. I also didn't disable my resident AV (anyway. it didn't matter because the AV didn't act weird while ComboFix was running).

Here's the report by ComboFix:

ComboFix 08-09-30.03 - Ryan 2008-10-02 1:38:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT 8:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2i6rj.exe
C:\Autorun.inf
C:\otyh.cmd
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\kxvo.exe
C:\WINDOWS\system32\Memman.vxd
C:\WINDOWS\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-10-02 00:10 . 2008-10-02 00:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-01 23:58 . 2008-10-01 23:58 25,550 --a------ C:\Documents and Settings\Ryan\so7.exe
2008-09-12 08:47 . 2000-01-11 18:49 42,734 --a------ C:\WINDOWS\system32\Ryan's Setting.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 17:43 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DNA
2008-10-01 17:40 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DMCache
2008-10-01 17:22 --------- d-----w C:\Documents and Settings\Ryan\Application Data\IDM
2008-10-01 15:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 15:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 05:19 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-08-14 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-12 21:02 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-08-11 15:29 --------- d-----w C:\Program Files\Alarm Clock
2008-08-11 15:27 --------- d-----w C:\Program Files\Alarm
2008-02-23 09:56 92,064 ----a-w C:\Documents and Settings\Ryan\mqdmmdm.sys
2008-02-23 09:56 9,232 ----a-w C:\Documents and Settings\Ryan\mqdmmdfl.sys
2008-02-23 09:56 79,328 ----a-w C:\Documents and Settings\Ryan\mqdmserd.sys
2008-02-23 09:56 66,656 ----a-w C:\Documents and Settings\Ryan\mqdmbus.sys
2008-02-23 09:56 6,208 ----a-w C:\Documents and Settings\Ryan\mqdmcmnt.sys
2008-02-23 09:56 5,936 ----a-w C:\Documents and Settings\Ryan\mqdmwhnt.sys
2008-02-23 09:56 4,048 ----a-w C:\Documents and Settings\Ryan\mqdmcr.sys
2008-02-23 09:56 25,600 ----a-w C:\Documents and Settings\Ryan\usbsermptxp.sys
2008-02-23 09:56 22,768 ----a-w C:\Documents and Settings\Ryan\usbsermpt.sys
2008-01-30 03:34 376 ----a-w C:\Program Files\firebird.log
2007-11-16 12:45 23 --sha-w C:\WINDOWS\system32\aafefeba8_r.dll
2007-09-11 11:30 414 --sha-r C:\WINDOWS\system32\alecks.bat
2007-09-11 11:19 540 --sha-r C:\WINDOWS\system32\alecks.reg
2007-10-20 13:21 14,533,152 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-20 13:21 1,081,632 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-10-14 04:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 23:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\user32.dll
2007-03-08 23:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 08:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ws2_32.dll
2004-08-04 08:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 08:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2007-06-27 22:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 18:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-11 07:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 11:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-24 00:01 827904 c66402a06b83b036c195242c0c8cf83c C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2006-06-17 23:43 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$NtUninstallKB947864$\wininet.dll
2008-02-16 17:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 22:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 18:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-04-23 12:16 826368 f6589be784647cfdbc22ea51ccb1a57a C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2GDR\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2QFE\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
2008-06-24 00:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\wininet.dll
2008-06-24 00:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\dllcache\wininet.dll

2008-06-20 19:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-06-17 23:43 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-06-20 18:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 18:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2006-07-01 13:18 2058368 d20855e9a650415e4f65e0ce249839bd C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 01:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 01:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2006-06-17 23:43 2181248 da58ba325f6148ec49abfc93c656a1df C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\explorer.exe
2005-10-15 16:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ctfmon.exe
2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-10-14 04:36 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\system32\spoolsv.exe
2005-10-14 04:36 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\system32\dllcache\spoolsv.exe

2004-08-04 08:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\userinit.exe
2004-08-04 08:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
2004-08-04 08:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-10-01 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 118784]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TrackPointSrv"="tp4serv.exe" [2007-04-26 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md %USERPROFILE%\Local Settings\Temp" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]
"nlpo_02"="advpack.dll" [2008-06-24 C:\WINDOWS\system32\advpack.dll]
"nlpo_03"="advpack.dll" [2008-06-24 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-10-30 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09}"= "C:\WINDOWS\system32\Bitkv0.dll" [2007-06-13 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Bittorrent

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 16384]
R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2007-04-26 22832]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\explore\Command - WScript.exe .\alecks.vbs
\Shell\open\Command - WScript.exe .\alecks.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{170cca31-afd4-11dc-9e4c-000ae4352462}]
\Shell\0pen\command - E:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a79b190-8063-11dd-a0ee-000ae4352462}]
\Shell\AutoRun\command - E:\1t6yxlxx.cmd
\Shell\explore\Command - E:\1t6yxlxx.cmd
\Shell\open\Command - E:\1t6yxlxx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{257dc000-47d0-11dd-a033-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f11f070-6cf0-11dd-a0d4-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f6b830-7ed6-11dd-a0eb-000ae4352462}]
\Shell\Auto\command - E:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - E:\Recycled/dllcache32.exe
\Shell\open\Command - E:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{822e3242-838d-11dd-a0f2-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fffb8ab-7564-11dc-9d95-000ae4352462}]
\Shell\0pen\command - E:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bc2d0a2-fa55-11dc-9eee-000ae4352462}]
\Shell\AutoRun\command - E:\g2lbn.cmd
\Shell\explore\Command - E:\g2lbn.cmd
\Shell\open\Command - E:\g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac617a44-8845-11dd-a0f7-000ae4352462}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac617a45-8845-11dd-a0f7-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc28cfcd-eab9-11dc-9ec2-000ae4352462}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\alecks.vbs
\Shell\open\Command - WScript.exe .\alecks.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca235bc0-8e10-11dd-a0fe-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4c0330b-6bd0-11dc-9d73-000ae4352462}]
\Shell\0pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKCU-Run-FlyAway - (no file)
HKLM-Run-ampli - WINDOWS\system32\mveo.exe
HKU-Default-Run-Picasa Media Detector - C:\Program Files\Picasa2\PicasaMediaDetector.exe
HKU-Default-Run-Tok-Cirrhatus - C:\Documents and Settings\Ryan\Local Settings\Application Data\smss.exe
ShellExecuteHooks-{16664848-0E00-11D2-8059-000000000000} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\fr8sayf2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NP_IDM1.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NP_IDM2.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NP_IDM3.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NP_IDM4.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NP_IDM5.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 01:46:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-10-02 1:55:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 17:55:44

Pre-Run: 4,115,861,504 bytes free
Post-Run: 4,035,186,688 bytes free

334 --- E O F --- 2008-10-01 12:06:11

Here's the log by HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:06 AM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
C:\Documents and Settings\Ryan\Desktop\HiJackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - http://www.google.com.ph/

--
End of file - 11961 bytes

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:00 PM

Posted 01 October 2008 - 07:55 PM

I will need you to disable your antivirus protection as well each time we run Combofix as it can hinder in the removal of the malware present.
I will also need you to install the recovery console before we proceed.
You don't need your xp disk.
====================
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files chose NO, when done a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 nonetheless

nonetheless
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 02 October 2008 - 09:30 AM

Thanks!

Okay. I disabled my anti-virus and then did as you said. Here's the log file:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:00 PM

Posted 02 October 2008 - 10:42 AM

Please insert all removable drives while running Combofix.

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Ryan\so7.exe
C:\WINDOWS\system32\aafefeba8_r.dll
C:\WINDOWS\system32\alecks.bat
C:\WINDOWS\system32\alecks.reg
E:\krag.exe
E:\1t6yxlxx.cmd
E:\2i6rj.exe
E:\Recycled/dllcache32.exe
E:\g2lbn.cmd
E:\password_viewer.exe 

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{170cca31-afd4-11dc-9e4c-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a79b190-8063-11dd-a0ee-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{257dc000-47d0-11dd-a033-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f11f070-6cf0-11dd-a0d4-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f6b830-7ed6-11dd-a0eb-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{822e3242-838d-11dd-a0f2-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fffb8ab-7564-11dc-9d95-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bc2d0a2-fa55-11dc-9eee-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac617a44-8845-11dd-a0f7-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc28cfcd-eab9-11dc-9ec2-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca235bc0-8e10-11dd-a0fe-000ae4352462}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4c0330b-6bd0-11dc-9d73-000ae4352462}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 nonetheless

nonetheless
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 02 October 2008 - 06:50 PM

I did just as you said. Here's the ComboFix report:

ComboFix 08-10-01.02 - Ryan 2008-10-03 7:10:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT 8:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Ryan\so7.exe
C:\WINDOWS\system32\aafefeba8_r.dll
C:\WINDOWS\system32\alecks.bat
C:\WINDOWS\system32\alecks.reg
E:\1t6yxlxx.cmd
E:\2i6rj.exe
E:\g2lbn.cmd
E:\krag.exe
E:\password_viewer.exe
E:\Recycled/dllcache32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\aafefeba8_r.dll
C:\WINDOWS\system32\alecks.bat
C:\WINDOWS\system32\alecks.reg
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\yew.bat
C:\Documents and Settings\Ryan\so7.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-10-02 00:10 . 2008-10-03 03:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-01 23:58 . 2008-10-01 23:58 25,550 --a------ C:\Documents and Settings\Ryan\so7.exe
2008-09-12 08:47 . 2000-01-11 18:49 42,734 --a------ C:\WINDOWS\system32\Ryan's Setting.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 23:15 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DNA
2008-10-02 22:53 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-10-02 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-02 14:18 --------- d-----w C:\Documents and Settings\Ryan\Application Data\DMCache
2008-10-02 14:16 --------- d-----w C:\Documents and Settings\Ryan\Application Data\IDM
2008-10-01 22:29 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-01 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 15:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-22 05:19 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-08-11 15:29 --------- d-----w C:\Program Files\Alarm Clock
2008-08-11 15:27 --------- d-----w C:\Program Files\Alarm
2008-02-23 09:56 92,064 ----a-w C:\Documents and Settings\Ryan\mqdmmdm.sys
2008-02-23 09:56 9,232 ----a-w C:\Documents and Settings\Ryan\mqdmmdfl.sys
2008-02-23 09:56 79,328 ----a-w C:\Documents and Settings\Ryan\mqdmserd.sys
2008-02-23 09:56 66,656 ----a-w C:\Documents and Settings\Ryan\mqdmbus.sys
2008-02-23 09:56 6,208 ----a-w C:\Documents and Settings\Ryan\mqdmcmnt.sys
2008-02-23 09:56 5,936 ----a-w C:\Documents and Settings\Ryan\mqdmwhnt.sys
2008-02-23 09:56 4,048 ----a-w C:\Documents and Settings\Ryan\mqdmcr.sys
2008-02-23 09:56 25,600 ----a-w C:\Documents and Settings\Ryan\usbsermptxp.sys
2008-02-23 09:56 22,768 ----a-w C:\Documents and Settings\Ryan\usbsermpt.sys
2008-01-30 03:34 376 ----a-w C:\Program Files\firebird.log
2007-10-20 13:21 14,533,152 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-20 13:21 1,081,632 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2008-04-14 08:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2008-04-14 08:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
2004-08-04 08:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 08:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2007-06-27 22:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 18:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-11 07:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 11:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-24 00:01 827904 c66402a06b83b036c195242c0c8cf83c C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2006-06-17 23:43 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$NtUninstallKB947864$\wininet.dll
2008-02-16 17:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 22:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 18:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-04-23 12:16 826368 f6589be784647cfdbc22ea51ccb1a57a C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2GDR\wininet.dll
2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2QFE\wininet.dll
2008-04-14 08:12 666112 7a4f775abb2f1c97def3e73afa2faedd C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
2008-06-24 00:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\wininet.dll
2008-06-24 00:57 826368 8c13d4a7479fa0a026eda8abce82c0ed C:\WINDOWS\system32\dllcache\wininet.dll

2008-06-20 19:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 19:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-06-17 23:43 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-14 03:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 18:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 18:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-14 08:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2008-04-14 03:20 182656 1df7f42665c94b825322fae71721130d C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2008-04-14 02:53 36608 3bb22519a194418d5fec05d800a19ad0 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2008-04-14 08:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2008-04-14 08:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2008-04-14 08:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

2008-04-14 08:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-04 08:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
2004-08-04 08:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-02_ 1.55.18.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 07:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACACEDAO.DLL
+ 2006-10-26 13:18:12 162,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACCWIZ.DLL
+ 2006-10-27 07:00:12 1,751,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-27 07:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-27 07:00:06 47,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2006-10-27 07:00:08 191,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-26 12:13:34 338,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-26 12:13:44 629,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-26 12:13:28 207,736 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-26 12:13:32 279,352 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-26 12:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-26 12:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-26 12:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-26 12:13:12 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 07:00:06 387,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-26 12:13:38 392,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-26 12:13:30 260,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-26 12:13:32 289,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-26 12:13:20 56,120 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-26 12:13:38 551,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-26 12:13:30 224,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 07:40:34 208,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEWSS.DLL
+ 2006-10-26 12:13:34 371,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 07:41:04 399,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-26 11:59:24 205,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-26 12:12:52 189,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CONTACTPICKER.DLL
+ 2006-10-26 11:48:14 439,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-26 06:10:08 1,190,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FM20.DLL
+ 2006-10-26 06:04:58 75,576 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FORM.DLL
+ 2006-10-26 11:21:24 1,682,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 07:09:36 983,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-26 12:02:12 2,526,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GRAPH.EXE
+ 2006-10-26 12:12:52 173,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-27 07:10:08 1,439,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\INFOPATH.EXE
+ 2006-10-27 07:10:10 5,456,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IPDESIGN.DLL
+ 2006-10-27 07:10:10 5,281,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IPEDITOR.DLL
+ 2006-10-26 13:42:00 176,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IPOLK.DLL
+ 2006-10-26 11:55:10 828,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-27 07:01:34 10,371,880 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSACCESS.EXE
+ 2006-10-26 13:18:06 66,880 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSAEXP30.DLL
+ 2006-10-27 06:59:06 161,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-26 11:48:12 14,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-26 12:12:58 428,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-26 13:13:36 26,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-26 12:00:08 6,635,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 05:56:36 436,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-26 11:50:04 672,024 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSQRY32.EXE
+ 2006-10-26 05:56:40 505,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-26 11:55:12 832,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-26 11:55:06 538,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-26 12:12:30 65,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 07:14:34 14,151,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OART.DLL
+ 2006-10-26 12:06:54 232,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-26 12:14:06 7,033,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 07:18:36 1,658,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OGL.DLL
+ 2006-10-26 12:00:08 274,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-26 12:00:12 998,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-26 12:00:10 285,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-26 12:32:42 604,000 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONBTTNIE.DLL
+ 2006-10-27 07:39:36 687,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONBTTNOL.DLL
+ 2006-10-27 07:03:04 1,018,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONENOTE.EXE
+ 2006-10-26 12:24:54 98,632 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONENOTEM.EXE
+ 2006-10-26 12:24:50 72,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONFILTER.DLL
+ 2006-10-26 12:24:58 1,165,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONLIBS.DLL
+ 2006-10-27 07:03:06 6,579,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ONMAIN.DLL
+ 2006-10-26 12:07:04 6,536,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-07-26 10:53:56 459,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-26 13:30:44 482,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-10-26 11:52:10 2,012,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PPTVIEW.EXE
+ 2006-10-26 06:05:00 77,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PSOM.DLL
+ 2006-10-26 13:13:38 38,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-26 06:04:44 19,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\REVERSE.DLL
+ 2006-10-26 12:13:00 503,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-26 12:06:58 439,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2006-10-26 13:18:16 502,608 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SOA.DLL
+ 2006-07-28 07:21:58 277,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SSGEN.DLL
+ 2006-10-27 06:57:08 2,330,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\STSLIST.DLL
+ 2006-10-26 06:04:48 29,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\THOCRAPI.DLL
+ 2006-10-26 06:05:04 126,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWCUTCHR.DLL
+ 2006-10-26 06:05:02 86,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWCUTLIN.DLL
+ 2006-10-26 06:04:56 58,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWLAY32.DLL
+ 2006-10-26 06:04:48 27,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWORIENT.DLL
+ 2006-10-26 06:04:54 51,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWRECE.DLL
+ 2006-10-26 06:04:44 19,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWRECS.DLL
+ 2006-10-26 06:04:58 76,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\TWSTRUCT.DLL
+ 2006-09-29 16:42:56 2,583,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\VBE6.DLL
+ 2006-10-26 14:58:38 3,732,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\VVIEWER.DLL
+ 2006-10-26 06:05:08 1,181,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XIMAGE3B.DLL
+ 2006-10-26 06:05:08 530,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XPAGE3C.DLL
+ 2006-10-26 14:58:24 144,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.4518\DWGCNV.DLL
+ 2007-08-28 15:22:30 1,754,536 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACECORE.DLL
+ 2007-08-28 15:22:36 579,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEDAO.DLL
+ 2007-08-28 15:22:38 50,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEERR.DLL
+ 2007-08-28 15:22:40 193,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEES.DLL
+ 2007-08-23 19:46:10 341,440 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEEXCH.DLL
+ 2007-08-23 19:46:14 632,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEEXCL.DLL
+ 2007-08-23 19:46:16 210,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACELTS.DLL
+ 2007-08-23 19:46:18 281,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEODBC.DLL
+ 2007-08-23 19:46:20 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEODDBS.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEODEXL.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEODPDX.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEODTXT.DLL
+ 2007-08-28 15:22:44 390,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEOLEDB.DLL
+ 2007-08-23 19:46:28 394,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEPDE.DLL
+ 2007-08-23 19:46:30 263,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACER2X.DLL
+ 2007-08-23 19:46:32 292,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACER3X.DLL
+ 2007-08-23 19:46:34 58,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACERCLR.DLL
+ 2007-08-23 19:46:38 554,440 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEREP.DLL
+ 2007-08-23 19:46:40 226,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACETXT.DLL
+ 2007-08-28 16:52:12 201,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEWSS.DLL
+ 2007-08-23 19:46:44 374,200 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ACEXBE.DLL
+ 2007-08-28 16:53:12 402,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\CDLMSO.DLL
+ 2007-08-23 19:45:50 208,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\CLVIEW.EXE
+ 2007-08-23 19:18:14 442,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\DWDCW20.DLL
+ 2007-08-23 19:18:18 437,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\DWTRIG20.EXE
+ 2007-08-22 17:03:38 1,195,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\FM20.DLL
+ 2007-08-25 11:11:44 1,685,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\FPSRVUTL.DLL
+ 2007-08-28 15:45:00 985,496 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\FPWEC.DLL
+ 2007-08-23 19:36:58 175,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\IEAWSDC.DLL
+ 2007-08-28 16:45:54 831,856 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MEDCAT.DLL
+ 2007-08-28 16:52:02 120,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSCONV97.DLL
+ 2007-08-28 15:20:06 163,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSOCF.DLL
+ 2007-08-28 15:20:12 17,304 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSOCFU.DLL
+ 2007-09-06 09:55:08 431,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSODCW.DLL
+ 2007-08-23 21:50:10 29,576 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSOEURO.DLL
+ 2007-08-27 12:20:14 6,637,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSORES.DLL
+ 2007-08-28 16:18:20 439,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSORUN.DLL
+ 2007-08-22 17:12:20 507,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSSOAP30.DLL
+ 2007-08-28 16:45:58 835,952 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSTORDB.EXE
+ 2007-08-28 16:46:06 542,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\MSTORES.DLL
+ 2007-08-23 19:37:50 68,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\NAME.DLL
+ 2007-10-05 12:44:24 14,168,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OART.DLL
+ 2007-09-01 17:55:16 235,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\ODEPLOY.EXE
+ 2007-08-28 16:37:40 7,039,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OFFOWC.DLL
+ 2007-08-23 20:06:28 277,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OIS.EXE
+ 2007-08-23 20:06:32 1,000,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OISAPP.DLL
+ 2007-08-23 20:06:38 288,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OISGRAPH.DLL
+ 2007-09-01 17:55:54 6,540,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OSETUP.DLL
+ 2007-06-07 11:51:00 465,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\OUTLFLTR.DLL
+ 2007-09-06 09:50:34 485,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\PORTCONN.DLL
+ 2007-08-23 21:50:10 41,832 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\REFEDIT.DLL
+ 2007-09-06 09:55:22 505,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\SELFCERT.EXE
+ 2007-09-01 17:55:34 442,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\SETUP.EXE
+ 2007-08-28 15:28:26 2,330,024 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\STSLIST.DLL
+ 2007-06-27 12:58:12 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\VBE6.DLL
+ 2006-10-27 07:03:38 903,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\ATLCONV.DLL
+ 2006-10-26 13:06:06 71,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\NAMEEXT.DLL
+ 2006-10-26 13:06:26 1,325,920 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\PJ11OD11.DLL
+ 2006-10-26 13:06:18 326,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\PJRESC.DLL
+ 2006-10-27 07:03:40 3,648,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\PRJRES.DLL
+ 2006-10-26 13:06:18 731,952 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\SERCONV.DLL
+ 2006-10-27 07:03:44 17,251,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.4518\WINPROJ.EXE
+ 2007-08-28 15:22:30 1,754,536 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACECORE.DLL
+ 2007-08-28 15:22:36 579,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEDAO.DLL
+ 2007-08-28 15:22:38 50,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEERR.DLL
+ 2007-08-28 15:22:40 193,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEES.DLL
+ 2007-08-23 19:46:10 341,440 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEEXCH.DLL
+ 2007-08-23 19:46:14 632,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEEXCL.DLL
+ 2007-08-23 19:46:16 210,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACELTS.DLL
+ 2007-08-23 19:46:18 281,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEODBC.DLL
+ 2007-08-23 19:46:20 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEODDBS.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEODEXL.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEODPDX.DLL
+ 2007-08-23 19:46:22 17,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEODTXT.DLL
+ 2007-08-28 15:22:44 390,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEOLEDB.DLL
+ 2007-08-23 19:46:28 394,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEPDE.DLL
+ 2007-08-23 19:46:30 263,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACER2X.DLL
+ 2007-08-23 19:46:32 292,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACER3X.DLL
+ 2007-08-23 19:46:34 58,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACERCLR.DLL
+ 2007-08-23 19:46:38 554,440 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEREP.DLL
+ 2007-08-23 19:46:40 226,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACETXT.DLL
+ 2007-08-23 19:46:44 374,200 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ACEXBE.DLL
+ 2007-08-28 16:53:12 402,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\CDLMSO.DLL
+ 2007-08-23 19:45:50 208,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\CLVIEW.EXE
+ 2007-08-23 19:18:14 442,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\DWDCW20.DLL
+ 2007-08-23 19:18:18 437,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\DWTRIG20.EXE
+ 2007-08-22 17:03:38 1,195,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\FM20.DLL
+ 2007-08-25 11:11:44 1,685,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\FPSRVUTL.DLL
+ 2007-08-28 15:45:00 985,496 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\FPWEC.DLL
+ 2007-08-23 19:36:58 175,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\IEAWSDC.DLL
+ 2007-08-28 16:45:54 831,856 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MEDCAT.DLL
+ 2007-08-28 16:52:02 120,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSCONV97.DLL
+ 2007-08-28 15:20:06 163,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSOCF.DLL
+ 2007-08-28 15:20:12 17,304 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSOCFU.DLL
+ 2007-09-06 09:55:08 431,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSODCW.DLL
+ 2007-08-23 21:50:10 29,576 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSOEURO.DLL
+ 2007-08-27 12:20:14 6,637,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSORES.DLL
+ 2007-08-28 16:18:20 439,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSORUN.DLL
+ 2007-08-22 17:12:20 507,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSSOAP30.DLL
+ 2007-08-28 16:45:58 835,952 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSTORDB.EXE
+ 2007-08-28 16:46:06 542,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\MSTORES.DLL
+ 2007-08-23 19:37:50 68,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\NAME.DLL
+ 2007-10-05 12:44:24 14,168,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OART.DLL
+ 2007-09-01 17:55:16 235,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\ODEPLOY.EXE
+ 2007-08-28 16:37:40 7,039,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OFFOWC.DLL
+ 2007-08-23 20:06:28 277,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OIS.EXE
+ 2007-08-23 20:06:32 1,000,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OISAPP.DLL
+ 2007-08-23 20:06:38 288,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OISGRAPH.DLL
+ 2007-09-01 17:55:54 6,540,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OSETUP.DLL
+ 2007-06-07 11:51:00 465,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\OUTLFLTR.DLL
+ 2007-09-06 09:50:34 485,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\PORTCONN.DLL
+ 2007-08-23 21:50:10 41,832 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\REFEDIT.DLL
+ 2007-09-06 09:55:22 505,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\SELFCERT.EXE
+ 2007-09-01 17:55:34 442,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\SETUP.EXE
+ 2007-06-27 12:58:12 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B30000000000000000F01FEC\12.0.6215\VBE6.DLL
- 2008-08-14 19:08:48 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-02 19:24:07 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-08-14 19:08:49 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-02 19:24:08 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-08-14 19:08:48 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-02 19:24:07 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-08-14 19:08:48 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-10-02 19:24:07 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-08-14 19:08:49 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-02 19:24:08 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-08-14 19:08:49 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-02 19:24:08 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-08-14 19:08:50 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-02 19:24:09 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-08-14 19:08:49 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-02 19:24:07 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-08-14 19:08:49 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-02 19:24:07 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-08-14 19:08:49 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-10-02 19:24:08 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-08-14 19:08:50 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-02 19:24:08 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-08-14 19:08:48 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-02 19:24:07 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-04-13 12:53:19 20,240 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-02 19:15:18 20,240 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-13 12:53:19 217,864 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-02 19:15:18 217,864 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-13 12:53:19 18,704 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-02 19:15:18 18,704 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-13 12:53:19 35,088 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-02 19:15:18 35,088 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-13 12:53:18 239,376 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
+ 2008-10-02 19:15:18 239,376 ----a-r C:\WINDOWS\Installer\{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
- 2008-05-02 15:40:05 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-02 19:12:48 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-02 15:40:06 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-02 19:12:48 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2008-05-02 15:40:05 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-02 19:12:48 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-02 15:40:06 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-02 19:12:48 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-02 15:40:05 327,952 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
+ 2008-10-02 19:12:48 327,952 ----a-r C:\WINDOWS\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
- 2008-05-02 15:41:13 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-10-02 19:21:18 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2007-07-30 11:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2008-07-18 14:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
- 2007-07-30 11:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 14:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2007-07-30 11:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2008-07-18 14:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 11:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 14:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-07-30 11:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 14:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2007-07-30 11:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 14:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-07-30 11:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-18 14:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2007-07-30 11:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 14:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2006-10-26 06:10:08 1,190,688 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-08-22 17:03:38 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-07-30 11:19:10 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
+ 2008-07-18 14:07:34 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
- 2007-07-30 11:19:04 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-07-18 14:07:32 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-07-18 14:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-18 14:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
+ 2006-10-26 11:56:16 864,080 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2006-10-26 11:56:14 67,408 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\msonpui.dll
- 2006-10-18 13:47:20 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
+ 2008-06-24 10:12:58 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
- 2007-07-30 11:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2008-07-18 14:09:44 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2007-07-30 11:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2008-07-18 14:10:42 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-07-30 11:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2008-07-18 14:09:42 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-07-30 11:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2008-07-18 14:09:46 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2007-07-30 11:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2008-07-18 14:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-07-30 11:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2008-07-18 14:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-07-30 11:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2008-07-18 14:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-08-22 16:18:08 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2007-08-22 16:18:08 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2007-08-22 16:18:08 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2007-08-22 16:18:08 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2007-08-22 16:18:08 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2007-08-22 16:18:08 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2007-08-22 16:18:08 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2007-08-22 16:18:08 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2007-08-22 16:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2007-08-22 16:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2007-08-22 16:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2007-08-22 16:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2007-08-22 16:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-10-01 289088]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 118784]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TrackPointSrv"="tp4serv.exe" [2007-04-26 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md %USERPROFILE%\Local Settings\Temp" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]
"nlpo_02"="advpack.dll" [2008-06-24 C:\WINDOWS\system32\advpack.dll]
"nlpo_03"="advpack.dll" [2008-06-24 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-10-30 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09}"= "C:\WINDOWS\system32\Bitkv0.dll" [2007-06-13 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Bittorrent

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 16384]
R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2007-04-26 22832]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac617a45-8845-11dd-a0f7-000ae4352462}]
\Shell\AutoRun\command - E:\2i6rj.exe
\Shell\explore\Command - E:\2i6rj.exe
\Shell\open\Command - E:\2i6rj.exe
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 07:18:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-03 7:28:16 - machine was rebooted [Ryan]
ComboFix-quarantined-files.txt 2008-10-02 23:28:10
ComboFix2.txt 2008-10-01 17:55:52

Pre-Run: 2,725,392,384 bytes free
Post-Run: 2,711,900,160 bytes free

566 --- E O F --- 2008-10-02 19:24:22

Here's a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:29 AM, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: (no name) - http://www.google.com.ph/

--
End of file - 11894 bytes

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:00 PM

Posted 03 October 2008 - 05:30 AM

Please keep drive E: plugged in during this run of Combofix:

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
E:\2i6rj.exe
C:\WINDOWS\system32\ckvo.exe
C:\Documents and Settings\Ryan\so7.exe
C:\WINDOWS\system32\Bitkv0.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac617a45-8845-11dd-a0f7-000ae4352462}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09}"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users