

google redirect problem


  • This topic is locked
25 replies to this topic

#1 gville

gville

  • Members
  • 16 posts

Posted 15 February 2009 - 12:50 AM

I have acquired a virus(?) that redirects me to an ad site when I click on a search result on google. I have tried using AVG, spydoctor, and mcafee; none of these have been successful. The DDS log is as follows: (thanks for your help!!!!)


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 0:36:50.54 on Sun 02/15/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.578 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner.KRYPTONITE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRunOnce: [regcmdcons] c:\windows\regedit.exe /s c:\hp\bin\cmdcons2.reg
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gatorl~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-4 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-4 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-4 161392]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20051003.006\NAVENG.Sys [2006-2-25 77816]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20051003.006\NavEx15.Sys [2006-2-25 665816]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-4 83568]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-02-15 00:15 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-15 00:15 1,761 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_PX181AV-ABA d4100y_YC_0Pavi_QMXG608_E61NAhcBLU4_48_ILITHIUM_SASUSTek Computer INC._V1.04_B3.12_T060112_WXH2_L409_M1023_J80_7Intel_8Pentium D_93_#060928_N808627DC_Z_G100271C0_OTSSTcorp CD DVDW TS-H552D.MRK
2009-02-15 00:15 90,112 a------- c:\windows\system32\ps2.EXE
2009-02-15 00:14 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\Intuit
2009-02-15 00:13 <DIR> --d----- c:\documents and settings\hp_owner.kryptonite\WINDOWS
2009-02-15 00:13 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\Symantec
2009-02-15 00:13 <DIR> --d----- c:\documents and settings\HP_Owner.KRYPTONITE
2009-02-15 00:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-14 21:12 <DIR> --d----- c:\program files\Western Digital Technologies
2009-02-14 20:35 <DIR> --d----- c:\program files\Trend Micro
2009-02-14 17:47 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-14 17:30 <DIR> --d----- c:\program files\AVG
2009-02-14 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-14 14:37 <DIR> --d----- C:\RECYCLER(2)
2009-02-14 14:10 161,792 a------- c:\windows\SWREG.exe
2009-02-14 14:10 98,816 a------- c:\windows\sed.exe
2009-02-14 14:10 <DIR> --d----- C:\ComboFix
2009-02-11 17:39 2,204 a------- c:\windows\tklbramh
2009-01-27 22:17 0 a------- c:\windows\SMMVSplitter.INI
2009-01-27 22:13 <DIR> --d----- c:\program files\Solveig Multimedia
2009-01-27 22:13 <DIR> --d----- c:\program files\common files\Solveig Multimedia
2009-01-24 00:30 <DIR> --d----- c:\program files\Dimdim
2009-01-20 17:56 <DIR> --d----- c:\program files\CoreFTPServer
2009-01-17 12:13 <DIR> --d----- c:\windows\l2schemas
2009-01-17 12:09 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-17 12:01 <DIR> --d----- c:\windows\EHome

==================== Find3M ====================


============= FINISH: 0:37:14.71 ===============



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 February 2009 - 02:58 PM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log and also the ComboFix.txt contents (you shouldn't have run ComboFix by yourself!), please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 gville

gville
  • Topic Starter

  • Members
  • 16 posts

Posted 23 February 2009 - 09:11 PM

Sorry I didn't reply sooner; I kept getting an error message when I tried to reply. I finally figured out that I had to validate an email change, which I assume is the same reason I didn't get an email notification!!! I don't have the combofix log anymore. Do I dl and run again? Here's my dds log. I really appreciate your help!!!


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 20:50:48.06 on Mon 02/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.450 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner.KRYPTONITE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S94.tmp" /EF "HKCU"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gatorl~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.kry\applic~1\mozilla\firefox\profiles\lva45n47.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.google.com/
FF - component: c:\documents and settings\hp_owner.kryptonite\application data\mozilla\firefox\profiles\lva45n47.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDimdimControl.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-14 298264]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-12 12:33 3,060,224 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 20:51:17.32 ===============

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 February 2009 - 03:48 AM

I don't have the combofix log anymore.

Hi

Please see if you can find one in the c:\combofix folder. If not, search the whole c: drive for a ComboFix.txt file. If none is found, then download a fresh copy of ComboFix.exe and run it.



#5 gville

gville
  • Topic Starter

  • Members
  • 16 posts

Posted 24 February 2009 - 10:16 AM

I found it!

ComboFix 09-02-14.01 - HP_Owner 2009-02-15 10:52:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.663 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-15 10:42 . 2009-02-15 10:42 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Symantec
2009-02-15 01:20 . 2009-02-15 01:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-15 01:10 . 2009-02-15 10:21 <DIR> d-------- c:\program files\NOS
2009-02-15 01:10 . 2009-02-15 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-15 01:04 . 2009-02-15 01:04 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-15 01:04 . 2009-02-15 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 01:01 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-15 01:01 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-02-15 01:00 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-15 01:00 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-02-15 00:15 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-15 00:15 . 2004-10-25 17:17 90,112 --a------ c:\windows\system32\ps2.EXE
2009-02-15 00:15 . 2009-02-15 00:15 1,761 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_PX181AV-ABA d4100y_YC_0Pavi_QMXG608_E61NAhcBLU4_48_ILITHIUM_SASUSTek Computer INC._V1.04_B3.12_T060112_WXH2_L409_M1023_J80_7Intel_8Pentium D_93_#060928_N808627DC_Z_G100271C0_OTSSTcorp CD DVDW TS-H552D.MRK
2009-02-15 00:13 . 2009-02-15 00:17 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE
2009-02-15 00:12 . 2006-02-25 04:01 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-02-14 21:12 . 2009-02-14 21:12 <DIR> d-------- c:\program files\Western Digital Technologies
2009-02-14 20:35 . 2009-02-14 20:35 <DIR> d-------- c:\program files\Trend Micro
2009-02-14 17:47 . 2009-02-14 19:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-14 17:30 . 2009-02-14 17:30 <DIR> d-------- c:\program files\AVG
2009-02-14 17:30 . 2009-02-14 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-14 14:37 . 2009-02-14 15:46 <DIR> d-------- C:\RECYCLER(2)
2009-02-11 17:39 . 2009-02-14 23:24 2,204 --a------ c:\windows\tklbramh
2009-01-27 22:17 . 2009-01-27 22:17 0 --a------ c:\windows\SMMVSplitter.INI
2009-01-27 22:13 . 2009-01-27 22:13 <DIR> d-------- c:\program files\Solveig Multimedia
2009-01-27 22:13 . 2009-01-27 22:13 <DIR> d-------- c:\program files\Common Files\Solveig Multimedia
2009-01-24 00:30 . 2009-01-24 00:30 <DIR> d-------- c:\program files\Dimdim
2009-01-24 00:30 . 2009-01-24 00:30 100,144 --a------ c:\documents and settings\HP_Owner\DimdimSetup.exe
2009-01-20 17:56 . 2009-01-20 17:56 <DIR> d-------- c:\program files\CoreFTPServer
2009-01-17 12:13 . 2009-01-17 12:13 <DIR> d-------- c:\windows\l2schemas
2009-01-17 12:09 . 2009-01-17 12:13 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-17 12:01 . 2009-01-17 12:01 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 15:48 --------- d-----w c:\program files\Symantec
2009-02-15 15:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-15 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-15 04:24 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 04:18 --------- d-----w c:\program files\DNA
2009-02-14 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-13 15:59 --------- d-----w c:\program files\Spyware Doctor
2009-02-09 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-13 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-13 03:01 --------- d-----w c:\program files\Common Files\Deterministic Networks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 45056]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-16 57344]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2005-08-09 53248]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 218240]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"CTHelper"="CTHELPER.EXE" [2005-08-22 c:\windows\CTHELPER.EXE]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-02-25 27136]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gatorlink VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-01-12 6144]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-25 36903]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUTOMATIC_LIVEUPDATE_SCHEDULER
*NewlyCreated* - LIVEUPDATE
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\chkdsk.job
- c:\windows\system32\chkdsk.exe [2004-08-04 07:00]

2009-02-02 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 07:00]

2009-02-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-isDeleteMe - c:\docume~1\HP_OWN~1.KRY\LOCALS~1\Temp\isDel.bat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0z5vsu9s.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 10:55:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-15 10:56:50
ComboFix-quarantined-files.txt 2009-02-15 15:56:32
ComboFix2.txt 2009-02-14 19:27:27

Pre-Run: 19,835,428,864 bytes free
Post-Run: 20,037,320,704 bytes free


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:32 AM

Posted 24 February 2009 - 12:42 PM

Good. Now we continue.



Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\tklbramh

Folder::
C:\RECYCLER(2)

DDS::
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe (let ComboFix update if asked for permission)
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.
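As an added example that is not part of this thread (and not ComboFix's own code), a small Python script that cross-checks a CFScript of the shape above against the ComboFix log it produces: it reports whether each File:: and Folder:: target shows up under "Other Deletions" and whether the log reached its "Completion time:" line, i.e. was not cut off when pasted. The sample script and log text are constructed from the entries quoted in this thread; the completion timestamp is a placeholder.

```python
import re

# Constructed sample CFScript, of the same shape as the one in the post above.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\tklbramh

Folder::
C:\RECYCLER(2)

DDS::
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -
"""

# Constructed log excerpt modelled on a ComboFix run whose paste got cut off:
# the File:: target never reaches the deletions list and there is no
# "Completion time:" line.
SAMPLE_LOG_TRUNCATED = r"""
ComboFix 09-02-24.01 - HP_Owner 2009-02-24 17:05:00.4 - NTFSx86
Command switches used :: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\tklbramh
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc10.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc11.cvd
"""

# Constructed complete log; the completion timestamp is a placeholder value.
SAMPLE_LOG_COMPLETE = SAMPLE_LOG_TRUNCATED + r"""c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\INFO2
c:\windows\tklbramh
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.
2009-02-22 21:16 . 2003-04-07 06:07 217,088 --a------ c:\windows\system32\rewire.dll
.
Completion time: 2009-02-24 17:20:00
"""

# ComboFix section headers look like "((((( Section Name )))))".
SECTION_HEADER = re.compile(r"^\({5,}.*\){5,}$")


def parse_cfscript(text):
    """Split a CFScript into its directive sections.

    Returns a dict such as {"File": [...], "Folder": [...], "DDS": [...]}.
    A directive is a word ending in '::' on a line of its own; the lines
    that follow it, up to the next directive, are its entries.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)::", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log_text):
    """Collect the paths ComboFix lists under its 'Other Deletions' section.

    Paths are returned lowercased, because ComboFix prints some of them in
    mixed case (the folder itself in upper case, its contents in lower case).
    """
    deleted = set()
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_HEADER.match(line):
            if in_section:
                break  # reached the next section, stop collecting
            in_section = "Other Deletions" in line
            continue
        if in_section and line not in ("", "."):
            deleted.add(line.lower())
    return deleted


def log_is_complete(log_text):
    """True when the log reached its closing 'Completion time:' line."""
    return any(l.startswith("Completion time:") for l in log_text.splitlines())


def check_script_applied(cfscript, log_text):
    """Map every File::/Folder:: target to whether the log shows it deleted."""
    targets = parse_cfscript(cfscript)
    deleted = parse_deletions(log_text)
    wanted = targets.get("File", []) + targets.get("Folder", [])
    return {path: path.lower() in deleted for path in wanted}


def report(cfscript, log_text):
    """Human-readable summary of the cross-check."""
    lines = []
    if not log_is_complete(log_text):
        lines.append("WARNING: no 'Completion time:' line; the log was cut off, post a complete one")
    for path, done in check_script_applied(cfscript, log_text).items():
        lines.append(("deleted " if done else "MISSING ") + path)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CFSCRIPT, SAMPLE_LOG_TRUNCATED))
    print("---")
    print(report(SAMPLE_CFSCRIPT, SAMPLE_LOG_COMPLETE))
```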


#7 gville

gville
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 24 February 2009 - 11:54 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 23:49:34.15 on Tue 02/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.430 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\HP_Owner.KRYPTONITE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S94.tmp" /EF "HKCU"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gatorl~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.kry\applic~1\mozilla\firefox\profiles\lva45n47.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.google.com/
FF - component: c:\documents and settings\hp_owner.kryptonite\application data\mozilla\firefox\profiles\lva45n47.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDimdimControl.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-15 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-15 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-14 298264]

=============== Created Last 30 ================

2009-02-23 23:43 <DIR> --ds---- c:\documents and settings\hp_owner.kryptonite\UserData
2009-02-22 21:16 217,088 a------- c:\windows\system32\rewire.dll
2009-02-22 21:15 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-02-21 18:10 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-21 18:10 159,232 a------- c:\windows\system32\ptpusd.dll
2009-02-16 22:05 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-02-16 22:05 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-02-16 22:01 67,072 a------- c:\windows\system32\escwiad.dll
2009-02-16 03:04 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-16 03:03 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-02-16 03:03 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-02-16 03:03 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-16 03:03 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-16 03:03 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-16 03:03 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-16 03:02 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-16 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-15 19:52 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-15 19:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-15 19:52 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-15 19:52 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-15 19:52 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\AVGTOOLBAR
2009-02-15 12:52 32,592 a------- c:\windows\system32\msonpmon.dll
2009-02-15 11:37 <DIR> --d----- C:\worksnow
2009-02-15 01:27 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\HPQ
2009-02-15 01:20 <DIR> --dshr-- C:\cmdcons
2009-02-15 01:19 <DIR> --d----- c:\windows\setupupd
2009-02-15 01:18 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-15 01:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-15 01:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-15 01:01 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-02-15 01:01 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-02-15 01:00 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-02-15 01:00 31,616 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-02-15 00:15 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-15 00:15 1,761 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_PX181AV-ABA d4100y_YC_0Pavi_QMXG608_E61NAhcBLU4_48_ILITHIUM_SASUSTek Computer INC._V1.04_B3.12_T060112_WXH2_L409_M1023_J80_7Intel_8Pentium D_93_#060928_N808627DC_Z_G100271C0_OTSSTcorp CD DVDW TS-H552D.MRK
2009-02-15 00:15 90,112 a------- c:\windows\system32\ps2.EXE
2009-02-15 00:14 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\Intuit
2009-02-15 00:13 <DIR> --d----- c:\documents and settings\hp_owner.kryptonite\WINDOWS
2009-02-15 00:13 <DIR> --d----- c:\docume~1\hp_own~1.kry\applic~1\Symantec
2009-02-15 00:13 <DIR> --d----- c:\documents and settings\HP_Owner.KRYPTONITE
2009-02-15 00:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-14 21:12 <DIR> --d----- c:\program files\Western Digital Technologies
2009-02-14 20:35 <DIR> --d----- c:\program files\Trend Micro
2009-02-14 17:47 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-14 17:30 <DIR> --d----- c:\program files\AVG
2009-02-14 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-14 14:10 161,792 a------- c:\windows\SWREG.exe
2009-02-14 14:10 98,816 a------- c:\windows\sed.exe
2009-01-27 22:17 0 a------- c:\windows\SMMVSplitter.INI
2009-01-27 22:13 <DIR> --d----- c:\program files\Solveig Multimedia
2009-01-27 22:13 <DIR> --d----- c:\program files\common files\Solveig Multimedia

==================== Find3M ====================

2008-12-12 12:33 3,060,224 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 23:50:37.62 ===============
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 24, 2009 21:34:32
Records in database: 1840457
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 151178
Threat name: 5
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 03:43:11


File name / Threat name / Threats count
C:\hp\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekaxboewnsi.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaapmyrdos.dll.vir Infected: Rootkit.Win32.Agent.hcr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekayrgikfuw.dll.vir Infected: Rootkit.Win32.Agent.hcq 1
D:\I386\Apps\APP02646\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\Apps\APP02646\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

ComboFix 09-02-24.01 - HP_Owner 2009-02-24 17:05:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.609 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\Bugs\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\tklbramh
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc10.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc11.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc12.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc13.rvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc14.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc15.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc16.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc17.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc18.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc19.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc20.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc21.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc22.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc23.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc24.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc25.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc26.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc27.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc28.cvd

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:32 AM

Posted 25 February 2009 - 10:28 AM

Hi

Looks like the ending part of ComboFix log got cut off. Could you post a complete one, please?



#9 gville

gville
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 25 February 2009 - 11:22 AM

Oops! Here it is:

ComboFix 09-02-24.01 - HP_Owner 2009-02-24 17:05:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.609 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\Bugs\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner.KRYPTONITE\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\tklbramh
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc10.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc11.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc12.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc13.rvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc14.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc15.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc16.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc17.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc18.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc19.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc20.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc21.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc22.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc23.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc24.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc25.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc26.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc27.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc28.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc29.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc3.txt
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc30.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc31.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc32.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc33.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc34.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc35.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc36.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc37.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc38.dat
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc39.dat
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc40.dat
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc41.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc42.ivd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc43.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc44.wav
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc45.wav
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc46.wav
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc7.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc8.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\Dc9.cvd
c:\recycler(2)\S-1-5-21-6263914-3745612796-1955438619-1009(2)\INFO2
c:\windows\tklbramh
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 23:43 . 2009-02-23 23:43 <DIR> d---s---- c:\documents and settings\HP_Owner.KRYPTONITE\UserData
2009-02-22 21:16 . 2003-04-07 06:07 217,088 --a------ c:\windows\system32\rewire.dll
2009-02-22 21:15 . 2002-07-07 18:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-02-22 12:35 . 2009-02-22 12:35 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Sonic
2009-02-22 12:35 . 2009-02-22 12:35 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Leadertech
2009-02-21 18:10 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-21 18:10 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-16 22:05 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-16 22:05 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2009-02-16 22:01 . 2007-04-18 00:00 67,072 --a------ c:\windows\system32\escwiad.dll
2009-02-16 03:04 . 2009-02-16 03:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-16 03:03 . 2008-08-14 05:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-16 03:03 . 2008-08-14 04:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-16 03:03 . 2008-08-14 04:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-16 03:03 . 2008-08-14 04:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-16 03:03 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-16 03:03 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-02-16 03:02 . 2008-10-24 06:10 453,632 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-15 19:52 . 2009-02-24 10:10 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-15 19:52 . 2009-02-15 19:54 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\AVGTOOLBAR
2009-02-15 19:52 . 2009-02-15 19:52 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-15 19:52 . 2009-02-15 19:52 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-15 19:52 . 2009-02-15 19:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-15 12:52 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-02-15 11:37 . 2009-02-15 11:39 <DIR> d-------- C:\worksnow
2009-02-15 10:42 . 2009-02-15 10:42 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Symantec
2009-02-15 01:27 . 2009-02-15 01:27 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\HPQ
2009-02-15 01:20 . 2009-02-15 01:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-15 01:18 . 2009-02-15 01:18 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-15 01:10 . 2009-02-15 10:21 <DIR> d-------- c:\program files\NOS
2009-02-15 01:10 . 2009-02-15 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-15 01:04 . 2009-02-15 01:04 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-15 01:04 . 2009-02-15 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 01:01 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-15 01:01 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-02-15 01:00 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-15 01:00 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-02-15 00:15 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-15 00:15 . 2004-10-25 17:17 90,112 --a------ c:\windows\system32\ps2.EXE
2009-02-15 00:15 . 2009-02-15 00:15 1,761 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_PX181AV-ABA d4100y_YC_0Pavi_QMXG608_E61NAhcBLU4_48_ILITHIUM_SASUSTek Computer INC._V1.04_B3.12_T060112_WXH2_L409_M1023_J80_7Intel_8Pentium D_93_#060928_N808627DC_Z_G100271C0_OTSSTcorp CD DVDW TS-H552D.MRK
2009-02-15 00:14 . 2006-02-25 04:04 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Intuit
2009-02-15 00:14 . 2006-02-25 03:36 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Creative
2009-02-15 00:14 . 2006-02-25 03:36 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\ATI
2009-02-15 00:13 . 2006-02-25 04:01 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\WINDOWS
2009-02-15 00:13 . 2009-02-15 10:41 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Symantec
2009-02-15 00:13 . 2009-02-23 23:43 <DIR> d-------- c:\documents and settings\HP_Owner.KRYPTONITE
2009-02-15 00:12 . 2006-02-25 04:01 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-02-14 21:12 . 2009-02-14 21:12 <DIR> d-------- c:\program files\Western Digital Technologies
2009-02-14 20:35 . 2009-02-14 20:35 <DIR> d-------- c:\program files\Trend Micro
2009-02-14 17:47 . 2009-02-15 21:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-14 17:30 . 2009-02-14 17:30 <DIR> d-------- c:\program files\AVG
2009-02-14 17:30 . 2009-02-15 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-27 22:17 . 2009-01-27 22:17 0 --a------ c:\windows\SMMVSplitter.INI
2009-01-27 22:13 . 2009-01-27 22:13 <DIR> d-------- c:\program files\Solveig Multimedia
2009-01-27 22:13 . 2009-01-27 22:13 <DIR> d-------- c:\program files\Common Files\Solveig Multimedia
2009-01-24 00:30 . 2009-01-24 00:30 <DIR> d-------- c:\program files\Dimdim
2009-01-24 00:30 . 2009-01-24 00:30 100,144 --a------ c:\documents and settings\HP_Owner\DimdimSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 02:48 --------- d-----w c:\program files\Winamp
2009-02-17 02:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 01:00 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 00:59 --------- d-----w c:\program files\Microsoft Works
2009-02-16 00:55 --------- d-----w c:\program files\Quicken
2009-02-15 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-15 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-15 04:18 --------- d-----w c:\program files\DNA
2009-02-14 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 22:56 --------- d-----w c:\program files\CoreFTPServer
2009-01-13 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-13 03:01 --------- d-----w c:\program files\Common Files\Deterministic Networks
2008-12-12 17:33 3,060,224 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-15_10.55.55.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB960715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB960715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB960715\update\spcustom.dll
+ 2008-11-15 17:18:04 755,576 ----a-w c:\windows\$hf_mig$\KB960715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB960715\update\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB938464$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB938464$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB938464$\spuninst.exe
+ 2007-11-30 11:20:44 755,576 -c----w c:\windows\$NtUninstallKB938464$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB938464$\updspapi.dll
- 2008-04-14 00:11:59 82,944 -c----w c:\windows\$NtUninstallKB946648$\msgsc.dll
+ 2004-08-04 15:06:34 82,944 -c----w c:\windows\$NtUninstallKB946648$\msgsc.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB946648$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB946648$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB946648$\spuninst.exe
+ 2007-11-30 11:20:44 755,576 -c----w c:\windows\$NtUninstallKB946648$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB946648$\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB950760$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB950760$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB950760$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB950760$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB950760$\updspapi.dll
- 2008-04-13 18:55:08 202,624 -c----w c:\windows\$NtUninstallKB950762$\rmcast.sys
+ 2004-08-04 12:00:00 200,064 -c----w c:\windows\$NtUninstallKB950762$\rmcast.sys
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB950762$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB950762$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB950762$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB950762$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB950762$\updspapi.dll
- 2008-04-14 00:11:53 246,272 -c----w c:\windows\$NtUninstallKB950974$\es.dll
+ 2005-07-26 11:39:46 243,200 -c----w c:\windows\$NtUninstallKB950974$\es.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB950974$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB950974$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB950974$\spuninst.exe
+ 2007-11-30 12:39:18 755,576 -c----w c:\windows\$NtUninstallKB950974$\update.exe
+ 2007-11-30 12:39:19 382,840 -c----w c:\windows\$NtUninstallKB950974$\updspapi.dll
- 2008-04-14 00:11:54 691,712 -c----w c:\windows\$NtUninstallKB951066$\inetcomm.dll
+ 2004-08-04 12:00:00 678,400 -c----w c:\windows\$NtUninstallKB951066$\inetcomm.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB951066$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB951066$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB951066$\spuninst.exe
+ 2007-12-03 15:25:31 755,576 -c----w c:\windows\$NtUninstallKB951066$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB951066$\updspapi.dll
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB951376-v2$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB951376-v2$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB951376-v2$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB951376-v2$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB951376-v2$\updspapi.dll
- 2008-04-14 00:12:03 1,288,192 -c----w c:\windows\$NtUninstallKB951698$\quartz.dll
+ 2004-08-04 12:00:00 1,287,680 -c----w c:\windows\$NtUninstallKB951698$\quartz.dll
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB951698$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB951698$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB951698$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB951698$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB951698$\updspapi.dll
+ 2004-08-04 12:00:00 100,352 -c----w c:\windows\$NtUninstallKB951748$\6to4svc.dll
- 2008-04-13 19:19:23 138,112 -c----w c:\windows\$NtUninstallKB951748$\afd.sys
+ 2004-08-04 12:00:00 138,496 -c----w c:\windows\$NtUninstallKB951748$\afd.sys
- 2008-04-14 00:11:52 147,968 -c----w c:\windows\$NtUninstallKB951748$\dnsapi.dll
+ 2004-08-04 12:00:00 148,480 -c----w c:\windows\$NtUninstallKB951748$\dnsapi.dll
- 2008-04-14 00:12:01 245,248 -c----w c:\windows\$NtUninstallKB951748$\mswsock.dll
+ 2004-08-04 12:00:00 245,248 -c----w c:\windows\$NtUninstallKB951748$\mswsock.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB951748$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB951748$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB951748$\spuninst.exe
- 2008-04-13 19:20:16 361,344 -c----w c:\windows\$NtUninstallKB951748$\tcpip.sys
+ 2005-03-14 07:55:08 359,808 -c----w c:\windows\$NtUninstallKB951748$\tcpip.sys
- 2008-04-13 19:00:02 225,664 -c----w c:\windows\$NtUninstallKB951748$\tcpip6.sys
+ 2004-08-04 12:00:00 223,616 -c----w c:\windows\$NtUninstallKB951748$\tcpip6.sys
+ 2007-11-30 12:39:18 755,576 -c----w c:\windows\$NtUninstallKB951748$\update.exe
+ 2007-11-30 12:39:19 382,840 -c----w c:\windows\$NtUninstallKB951748$\updspapi.dll
- 2006-10-19 00:03:58 100,864 -c----w c:\windows\$NtUninstallKB952069_WM9$\logagent.exe
+ 2005-01-29 04:44:28 96,768 -c----w c:\windows\$NtUninstallKB952069_WM9$\logagent.exe
- 2006-10-19 01:47:20 937,984 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmnetmgr.dll
+ 2005-01-29 04:44:28 1,027,072 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmnetmgr.dll
- 2006-10-19 01:47:22 2,450,944 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmvcore.dll
+ 2006-12-07 05:29:34 2,374,472 -c----w c:\windows\$NtUninstallKB952069_WM9$\wmvcore.dll
- 2008-05-01 14:30:33 331,776 -c----w c:\windows\$NtUninstallKB952287$\msadce.dll
+ 2004-08-04 12:00:00 331,776 -c----w c:\windows\$NtUninstallKB952287$\msadce.dll
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB952287$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB952287$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB952287$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB952287$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB952287$\updspapi.dll
- 2008-04-14 00:11:58 73,728 -c----w c:\windows\$NtUninstallKB952954$\mscms.dll
+ 2005-06-29 08:46:00 74,240 -c----w c:\windows\$NtUninstallKB952954$\mscms.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB952954$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB952954$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB952954$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB952954$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB952954$\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB954211$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB954211$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954211$\spuninst.exe
+ 2008-07-09 07:38:29 755,576 -c----w c:\windows\$NtUninstallKB954211$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB954211$\updspapi.dll
- 2008-04-13 19:30:10 1,845,632 -c----w c:\windows\$NtUninstallKB954211$\win32k.sys
+ 2004-08-04 12:00:00 1,835,904 -c----w c:\windows\$NtUninstallKB954211$\win32k.sys
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB954600$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB954600$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB954600$\spuninst.exe
- 2008-10-03 10:15:47 247,326 -c----w c:\windows\$NtUninstallKB954600$\strmdll.dll
+ 2004-08-04 12:00:00 246,302 -c----w c:\windows\$NtUninstallKB954600$\strmdll.dll
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB954600$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB954600$\updspapi.dll
- 2008-09-04 16:42:02 1,106,944 -c----w c:\windows\$NtUninstallKB955069$\msxml3.dll
+ 2004-08-04 12:00:00 1,236,480 -c----w c:\windows\$NtUninstallKB955069$\msxml3.dll
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB955069$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB955069$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB955069$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB955069$\update.exe
+ 2008-07-09 18:08:38 382,840 -c----w c:\windows\$NtUninstallKB955069$\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB955839$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB955839$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB955839$\spuninst.exe
+ 2007-11-30 12:39:22 755,576 -c----w c:\windows\$NtUninstallKB955839$\update.exe
+ 2007-11-30 12:39:22 382,840 -c----w c:\windows\$NtUninstallKB955839$\updspapi.dll
- 2008-04-14 00:11:54 285,184 -c----w c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2004-08-04 12:00:00 278,016 -c----w c:\windows\$NtUninstallKB956802$\gdi32.dll
+ 2008-07-08 13:02:01 26,488 -c----w c:\windows\$NtUninstallKB956802$\spcustom.dll
+ 2008-07-08 13:02:01 17,272 -c----w c:\windows\$NtUninstallKB956802$\spmsg.dll
+ 2008-07-08 13:02:02 231,288 -c----w c:\windows\$NtUninstallKB956802$\spuninst.exe
+ 2008-07-09 07:38:29 755,576 -c----w c:\windows\$NtUninstallKB956802$\update.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB956802$\updspapi.dll
- 2008-06-20 11:40:08 138,496 -c----w c:\windows\$NtUninstallKB956803$\afd.sys
+ 2008-06-20 10:44:38 138,368 -c----w c:\windows\$NtUninstallKB956803$\afd.sys
+ 2008-06-20 10:44:38 138,368 -c----w c:\windows\$NtUninstallKB956803$\afd.sys.000
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB956803$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB956803$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB956803$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB956803$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB956803$\updspapi.dll
- 2008-04-13 18:31:21 2,023,936 -c----w c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
+ 2004-08-04 19:00:00 2,015,232 -c----w c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
- 2008-04-13 19:24:37 2,145,280 -c----w c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
+ 2004-08-04 19:00:00 2,148,352 -c----w c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB956841$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB956841$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB956841$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB956841$\update.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB956841$\updspapi.dll
- 2008-04-13 19:17:01 456,576 -c----w c:\windows\$NtUninstallKB957097$\mrxsmb.sys
+ 2005-01-19 11:26:52 451,584 -c----w c:\windows\$NtUninstallKB957097$\mrxsmb.sys
+ 2008-07-08 13:02:01 26,488 -c----w c:\windows\$NtUninstallKB957097$\spcustom.dll
+ 2008-07-08 13:02:01 17,272 -c----w c:\windows\$NtUninstallKB957097$\spmsg.dll
+ 2008-07-08 13:02:02 231,288 -c----w c:\windows\$NtUninstallKB957097$\spuninst.exe
+ 2008-07-08 13:02:04 755,576 -c----w c:\windows\$NtUninstallKB957097$\update.exe
+ 2008-07-08 13:02:12 382,840 -c----w c:\windows\$NtUninstallKB957097$\updspapi.dll
- 2008-04-14 00:12:01 337,408 -c----w c:\windows\$NtUninstallKB958644$\netapi32.dll
+ 2004-08-04 12:00:00 332,288 -c----w c:\windows\$NtUninstallKB958644$\netapi32.dll
+ 2007-11-30 11:18:51 26,488 -c----w c:\windows\$NtUninstallKB958644$\spcustom.dll
+ 2007-11-30 11:18:51 17,272 -c----w c:\windows\$NtUninstallKB958644$\spmsg.dll
+ 2007-11-30 11:18:51 231,288 -c----w c:\windows\$NtUninstallKB958644$\spuninst.exe
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB958644$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB958644$\updspapi.dll
+ 2007-11-30 12:39:22 26,488 -c----w c:\windows\$NtUninstallKB958687$\spcustom.dll
+ 2007-11-30 12:39:22 17,272 -c----w c:\windows\$NtUninstallKB958687$\spmsg.dll
+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958687$\spuninst.exe
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\$NtUninstallKB958687$\srv.sys
+ 2005-05-10 07:17:52 332,544 -c----w c:\windows\$NtUninstallKB958687$\srv.sys
+ 2007-11-30 11:18:51 755,576 -c----w c:\windows\$NtUninstallKB958687$\update.exe
+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB958687$\updspapi.dll
+ 2008-07-09 07:38:25 231,288 -c----w c:\windows\$NtUninstallKB960715$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB960715$\spuninst\updspapi.dll
- 2006-02-25 08:59:46 371,296 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
+ 2009-02-15 17:49:42 371,496 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll
- 2006-02-25 08:14:33 1,257,472 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-02-16 13:56:26 1,265,664 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2006-02-25 08:14:34 1,224,704 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-02-16 13:56:27 1,232,896 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-02-16 13:56:54 3,391,488 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c489fcb0\mscorlib.dll
+ 2009-02-16 13:56:41 1,966,080 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_6e4b93d0\System.dll
- 2005-01-19 11:26:52 451,584 ----a-w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\Driver Cache\i386\mrxsmb.sys
- 2001-12-08 00:32:04 1,081,344 ----a-w c:\windows\Help\SBSI\Training\orun32.exe
+ 2006-08-21 20:57:14 1,077,321 ----a-w c:\windows\Help\SBSI\Training\orun32.exe
+ 2009-02-16 13:52:42 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-04-19 19:09:11 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-15 17:52:13 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-19 19:09:12 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-15 17:52:15 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-19 19:09:12 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-15 17:52:15 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-19 19:09:12 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-02-15 17:52:15 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-19 19:09:12 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-15 17:52:15 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-19 19:09:12 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-15 17:52:16 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-19 19:09:13 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-15 17:52:16 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-19 19:09:12 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-15 17:52:15 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-19 19:09:12 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-15 17:52:15 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-19 19:09:12 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-15 17:52:15 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-19 19:09:13 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-15 17:52:16 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-19 19:09:12 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-15 17:52:14 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-04-19 19:13:46 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-02-15 17:57:14 217,864 ----a-r c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2004-07-15 16:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 02:30:52 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 16:49:22 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 02:30:52 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 15:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 01:57:52 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 10:09:14 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 01:57:58 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 15:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 01:56:30 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 15:33:04 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 01:58:00 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-16 05:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 01:50:46 2,142,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 10:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 01:58:02 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 15:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 01:57:00 2,523,136 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 15:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 01:57:28 2,514,944 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-11 07:20:00 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 21:11:26 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 16:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_aspnet_isapi.dll
+ 2004-07-15 15:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_CORPerfMonExt.dll
+ 2004-07-15 15:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_fusion.dll
+ 2004-07-15 15:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_mscorjit.dll
+ 2004-07-16 05:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_mscorlib.dll
+ 2003-02-21 10:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_mscorsn.dll
+ 2004-07-15 15:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_mscorsvr.dll
+ 2004-07-15 15:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_mscorwks.dll
+ 2003-02-21 19:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_msvcr71.dll
+ 2004-07-15 15:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1148\_PerfCounter.dll
- 2004-07-16 05:31:16 1,224,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 02:35:38 1,232,896 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-07-16 05:29:00 1,257,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 02:35:46 1,265,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2004-08-04 12:00:00 100,352 ----a-w c:\windows\system32\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\6to4svc.dll
- 2005-09-03 06:52:04 1,019,904 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2005-09-03 06:52:04 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2005-09-03 06:52:04 1,053,696 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2004-08-04 12:00:00 100,352 ----a-w c:\windows\system32\dllcache\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\dllcache\6to4svc.dll
- 2004-08-04 12:00:00 138,496 ----a-w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 ------w c:\windows\system32\dllcache\afd.sys
- 2005-09-03 06:52:04 1,019,904 ----a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\dllcache\browseui.dll
- 2005-09-03 06:52:04 151,040 ----a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\dllcache\cdfview.dll
- 2005-09-03 06:52:04 1,053,696 ----a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\dllcache\danim.dll
- 2004-08-04 12:00:00 148,480 ----a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w c:\windows\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 357,888 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2005-09-03 06:52:04 205,312 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2005-07-26 11:39:46 243,200 ----a-w c:\windows\system32\dllcache\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\dllcache\es.dll
- 2005-09-03 06:52:04 55,808 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00:00 278,016 ----a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
- 2005-09-03 04:50:40 18,432 ----a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 09:45:01 18,432 ----a-w c:\windows\system32\dllcache\iedw.exe
- 2005-09-03 06:52:04 251,392 ----a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00:00 678,400 ----a-w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\dllcache\inetcomm.dll
- 2005-09-03 06:52:04 96,256 ----a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\dllcache\inseng.dll
- 2004-08-04 12:00:00 450,560 ----a-w c:\windows\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\dllcache\jscript.dll
- 2004-08-04 12:00:00 15,872 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2005-01-29 04:44:28 96,768 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 10:52:04 96,768 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2004-08-04 12:00:00 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
- 2005-06-29 08:46:00 74,240 ----a-w c:\windows\system32\dllcache\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\dllcache\mscms.dll
- 2005-09-03 06:52:06 448,512 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00:00 2,804,224 ----a-w c:\windows\system32\dllcache\msi.dll
+ 2005-05-04 19:45:32 2,890,240 ----a-w c:\windows\system32\dllcache\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w c:\windows\system32\dllcache\msiexec.exe
+ 2005-05-04 19:45:36 78,848 ----a-w c:\windows\system32\dllcache\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w c:\windows\system32\dllcache\msihnd.dll
+ 2005-05-04 19:45:36 271,360 ----a-w c:\windows\system32\dllcache\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w c:\windows\system32\dllcache\msimsg.dll
+ 2005-05-04 19:45:36 884,736 ----a-w c:\windows\system32\dllcache\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w c:\windows\system32\dllcache\msisip.dll
+ 2005-05-04 19:45:36 15,360 ----a-w c:\windows\system32\dllcache\msisip.dll
- 2005-09-03 06:52:06 146,432 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2005-09-03 06:52:06 530,432 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00:00 245,248 ----a-w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\dllcache\mswsock.dll
- 2004-08-04 12:00:00 1,236,480 ----a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
- 2004-08-04 12:00:00 332,288 ----a-w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
- 2005-09-03 06:52:06 39,424 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-04 12:00:00 1,287,680 ----a-w c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\dllcache\quartz.dll
- 2004-08-04 12:00:00 200,064 ----a-w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\dllcache\rmcast.sys
- 2005-09-03 06:52:06 1,483,776 ----a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\dllcache\shdocvw.dll
- 2005-09-03 06:52:06 473,600 ----a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\dllcache\shlwapi.dll
- 2004-08-04 12:00:00 246,302 ----a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
- 2005-03-14 07:55:08 359,808 ----a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\dllcache\tcpip.sys
- 2004-08-04 12:00:00 223,616 ----a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w c:\windows\system32\dllcache\tcpip6.sys
- 2005-09-03 06:52:06 608,768 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00 417,792 ----a-w c:\windows\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\dllcache\vbscript.dll
- 2004-08-04 12:00:00 1,835,904 ----a-w c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
- 2005-09-03 06:52:06 658,432 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:37:03 659,456 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2005-01-29 04:44:28 224,768 ----a-w c:\windows\system32\dllcache\wmasf.dll
+ 2007-10-27 22:40:06 227,328 ----a-w c:\windows\system32\dllcache\wmasf.dll
- 2005-01-29 04:44:28 1,027,072 ----a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-10 11:28:36 1,028,096 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2004-08-11 16:45:04 5,550,080 ----a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-04-30 13:20:24 5,537,792 ----a-w c:\windows\system32\dllcache\wmp.dll
- 2005-01-29 04:44:28 2,370,296 ----a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-10 12:07:24 2,376,760 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-04 12:00:00 148,480 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w c:\windows\system32\dnsapi.dll
- 2004-08-04 12:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
+ 2009-02-16 00:52:03 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2005-01-19 11:26:52 451,584 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
- 2004-08-04 12:00:00 200,064 ----a-w c:\windows\system32\drivers\RMCast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2005-05-10 07:17:52 332,544 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
- 2005-03-14 07:55:08 359,808 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2004-08-04 12:00:00 223,616 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
- 2004-08-04 12:00:00 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2005-09-03 06:52:04 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2005-07-26 11:39:46 243,200 ----a-w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2005-09-03 06:52:04 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2003-08-04 01:56:16 1,146,184 ----a-w c:\windows\system32\FM20.DLL
+ 2006-10-26 19:10:08 1,190,688 ----a-w c:\windows\system32\FM20.DLL
- 2003-07-15 13:57:04 32,584 ----a-w c:\windows\system32\FM20ENU.DLL
+ 2006-10-26 19:10:06 33,088 ----a-w c:\windows\system32\FM20ENU.DLL
- 2009-02-15 05:13:24 189,000 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-16 15:13:06 306,008 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 12:00:00 278,016 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2005-09-03 06:52:04 251,392 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
- 2004-08-04 12:00:00 678,400 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2002-08-21 20:10:16 204,800 ----a-w c:\windows\system32\INKED.DLL
+ 2006-10-26 18:45:04 207,360 ----a-w c:\windows\system32\INKED.DLL
- 2005-09-03 06:52:04 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
- 2004-08-04 12:00:00 450,560 ----a-w c:\windows\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
- 2004-08-04 12:00:00 15,872 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2005-01-29 04:44:28 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-10 10:52:04 96,768 ----a-w c:\windows\system32\logagent.exe
- 2005-06-29 08:46:00 74,240 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2004-07-15 15:24:50 155,648 ----a-w c:\windows\system32\mscoree.dll
+ 2006-12-22 17:28:14 271,360 ----a-w c:\windows\system32\mscoree.dll
- 2005-10-05 08:26:00 3,015,168 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2005-09-03 06:52:06 448,512 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00:00 2,804,224 ----a-w c:\windows\system32\msi.dll
+ 2005-05-04 19:45:32 2,890,240 ----a-w c:\windows\system32\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w c:\windows\system32\msiexec.exe
+ 2005-05-04 19:45:36 78,848 ----a-w c:\windows\system32\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w c:\windows\system32\msihnd.dll
+ 2005-05-04 19:45:36 271,360 ----a-w c:\windows\system32\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w c:\windows\system32\msimsg.dll
+ 2005-05-04 19:45:36 884,736 ----a-w c:\windows\system32\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w c:\windows\system32\msisip.dll
+ 2005-05-04 19:45:36 15,360 ----a-w c:\windows\system32\msisip.dll
- 2005-09-03 06:52:06 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
- 2005-09-03 06:52:06 530,432 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
- 2004-08-04 12:00:00 1,392,671 ----a-w c:\windows\system32\msvbvm60.dll
+ 2004-02-24 02:42:40 1,386,496 ----a-w c:\windows\system32\msvbvm60.dll
- 2004-08-04 12:00:00 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2004-08-04 12:00:00 1,236,480 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2003-04-18 23:46:22 1,233,920 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 21:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
+ 2006-12-22 18:02:36 6,144 ----a-w c:\windows\system32\mui\0409\mscorees.dll
- 2004-08-04 12:00:00 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2004-08-04 19:00:00 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2004-08-04 19:00:00 2,148,352 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:58:27 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
- 2009-02-15 05:17:01 53,436 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-16 00:30:21 53,436 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-15 05:17:02 381,692 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-16 00:30:21 381,692 ----a-w c:\windows\system32\perfh009.dat
- 2005-09-03 06:52:06 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00:00 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
- 1998-03-25 12:54:08 15,872 ----a-w c:\windows\system32\SCP32.DLL
+ 2006-07-24 15:50:40 39,728 ----a-w c:\windows\system32\SCP32.DLL
- 2005-09-03 06:52:06 1,483,776 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2005-09-03 06:52:06 473,600 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2005-02-25 10:35:06 14,048 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2006-10-26 23:56:16 864,080 ----a-w c:\windows\system32\spool\drivers\w32x86\3\msonpdrv.dll
+ 2006-10-26 23:56:14 67,408 ----a-w c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2006-10-26 23:56:16 864,080 ----a-w c:\windows\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2006-10-26 23:56:14 67,408 ----a-w c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2006-10-26 23:56:12 33,104 ----a-w c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
- 2004-11-19 01:42:52 22,752 ----a-w c:\windows\system32\spupdsvc.exe
+ 2005-06-28 15:21:34 22,752 ----a-w c:\windows\system32\spupdsvc.exe
- 2004-08-04 12:00:00 246,302 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2005-09-03 06:52:06 608,768 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
- 1999-11-25 09:40:50 40,960 ----a-w c:\windows\system32\VBAME.DLL
+ 2006-07-24 15:50:40 47,920 ----a-w c:\windows\system32\VBAME.DLL
- 2004-08-04 12:00:00 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
- 2004-08-04 12:00:00 1,835,904 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2005-09-03 06:52:06 658,432 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:37:03 659,456 ----a-w c:\windows\system32\wininet.dll
- 2002-08-21 20:13:12 189,952 ----a-w c:\windows\system32\WISPTIS.EXE
+ 2006-10-26 18:45:04 293,376 ----a-w c:\windows\system32\WISPTIS.EXE
- 2005-01-29 04:44:28 224,768 ----a-w c:\windows\system32\wmasf.dll
+ 2007-10-27 22:40:06 227,328 ----a-w c:\windows\system32\wmasf.dll
- 2005-01-29 04:44:28 1,027,072 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-10 11:28:36 1,028,096 ----a-w c:\windows\system32\WMNetmgr.dll
- 2004-08-11 16:45:04 5,550,080 ----a-w c:\windows\system32\wmp.dll
+ 2007-04-30 13:20:24 5,537,792 ----a-w c:\windows\system32\wmp.dll
- 2005-01-29 04:44:28 2,370,296 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-10 12:07:24 2,376,760 ----a-w c:\windows\system32\WMVCore.dll
+ 2008-10-15 14:00:41 351,744 ------w c:\windows\system32\xpsp3res.dll
+ 2009-02-24 21:55:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_468.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2006-10-26 18:40:34 95,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2006-12-02 03:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-10-26 18:40:36 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2006-10-26 18:40:36 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2006-10-26 18:40:36 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2006-10-26 18:40:36 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2006-10-26 18:40:36 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2006-10-26 18:40:36 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2006-10-26 18:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2006-12-02 05:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 05:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 05:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-10-26 18:40:36 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2006-10-26 18:40:36 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2006-10-26 18:40:36 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2006-10-26 18:40:36 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2006-10-26 18:40:36 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2006-10-26 18:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2006-10-26 18:40:36 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2006-12-02 05:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 05:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 45056]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-16 57344]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-14 1601304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-25 180269]
"CTHelper"="CTHELPER.EXE" [2005-08-22 c:\windows\CTHELPER.EXE]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-02-25 27136]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gatorlink VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-01-12 6144]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-25 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-15 19:52 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-15 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-14 298264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\chkdsk.job
- c:\windows\system32\chkdsk.exe [2004-08-04 07:00]

2009-02-02 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 07:00]

2009-02-16 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Mozilla\Firefox\Profiles\lva45n47.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.google.com/
FF - component: c:\documents and settings\HP_Owner.KRYPTONITE\Application Data\Mozilla\Firefox\Profiles\lva45n47.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDimdimControl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 17:08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-24 17:09:17
ComboFix-quarantined-files.txt 2009-02-24 22:09:15
ComboFix2.txt 2009-02-15 16:39:39
ComboFix3.txt 2009-02-15 16:34:02
ComboFix4.txt 2009-02-15 15:56:51
ComboFix5.txt 2009-02-24 22:03:55

Pre-Run: 17,474,605,056 bytes free
Post-Run: 17,695,399,936 bytes free

761 --- E O F --- 2009-02-16 13:58:49

#10 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:32 AM

Posted 26 February 2009 - 02:06 AM

Looks quite good. How's the system running now?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 gville

  • Topic Starter
  • Members
  • 16 posts
  • Local time:11:32 PM

Posted 26 February 2009 - 09:36 AM

I still have the redirect problem. Annoying, isn't it?

#12 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:32 AM

Posted 26 February 2009 - 12:54 PM

Hi

Does the redirecting happen only with Firefox, or with both Firefox and IE? If only with Firefox, could you reinstall it by first uninstalling it completely (profile items included) and then installing it again?



#13 gville

  • Topic Starter
  • Members
  • 16 posts
  • Local time:11:32 PM

Posted 26 February 2009 - 04:03 PM

It happens in both, and on any search engine. I have already tried reinstalling Firefox.

I have noticed this on the scan:

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

Is that normal?

Edited by gville, 26 February 2009 - 04:06 PM.


#14 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:32 AM

Posted 27 February 2009 - 06:46 AM

Hi

Those entries should be ok.


Upload the file c:\program files\google\GoogleToolbar1.dll to http://www.virustotal.com and post back the results.


Do you use a router to connect to the internet? If you do, please reset it to factory default settings (there should be a reset button/hole on the router) and change the password from the default to a stronger one.


Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.



#15 gville

  • Topic Starter
  • Members
  • 16 posts
  • Local time:11:32 PM

Posted 27 February 2009 - 01:49 PM

I don't use a router.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-27 13:47:41
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.27 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.02.27 -
Authentium 5.1.0.4 2009.02.27 -
Avast 4.8.1335.0 2009.02.26 -
AVG 8.0.0.237 2009.02.27 -
BitDefender 7.2 2009.02.27 -
CAT-QuickHeal 10.00 2009.02.27 -
ClamAV 0.94.1 2009.02.27 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.27 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6376 2009.02.27 -
F-Prot 4.4.4.56 2009.02.26 -
F-Secure 8.0.14470.0 2009.02.27 -
Fortinet 3.117.0.0 2009.02.27 -
GData 19 2009.02.27 -
Ikarus T3.1.1.45.0 2009.02.27 -
K7AntiVirus 7.10.649 2009.02.27 -
Kaspersky 7.0.0.125 2009.02.27 -
McAfee 5537 2009.02.26 -
McAfee+Artemis 5537 2009.02.26 -
Microsoft 1.4306 2009.02.27 -
NOD32 3894 2009.02.27 -
Norman 6.00.06 2009.02.27 -
nProtect 2009.1.8.0 2009.02.27 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.27 -
Prevx1 V2 2009.02.27 -
Rising 21.18.42.00 2009.02.27 -
SecureWeb-Gateway 6.7.6 2009.02.27 -
Sophos 4.39.0 2009.02.27 -
Sunbelt 3.2.1858.2 2009.02.26 -
Symantec 10 2009.02.27 -
TheHacker 6.3.2.5.267 2009.02.27 -
TrendMicro 8.700.0.1004 2009.02.27 -
VBA32 3.12.10.1 2009.02.26 -
ViRobot 2009.2.27.1627 2009.02.27 -
VirusBuster 4.5.11.0 2009.02.27 -
Additional information
File size: 1157120 bytes
MD5...: 8b5a0b5054e5a604e6fa6c87450c6649
SHA1..: c8467e8530a2b7142c9788e80905722fb9b41f9b
SHA256: 185aeb3a9b293a38d95f7a282bad1b28d60f8d22497d043a751659de57b8fd12
SHA512: c0f93e03050b405ecad483bc216e18e35cc19e01069d0ceb09c9fe296640ac59df62019e38eee12f6738e7c0c512cacf1fd7995d2f095b679a437eaf5850bdaa
ssdeep: 24576:8T8EfSNfZCJasy+S/e0H42KhSkQFXZxT5+YiUEnwgy:8TWiasyH42zFXV+7wg
PEiD..: -
TrID..: File type identification
DirectShow filter (53.7%)
Windows OCX File (32.9%)
Win32 Executable MS Visual C++ (generic) (10.0%)
Win32 Executable Generic (2.2%)
Generic Win/DOS Executable (0.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x88b16
timedatestamp.....: 0x42d43c8d (Tue Jul 12 21:56:29 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa6e1f 0xa7000 6.63 42ac1790f7dc0fb48ae9b377c3f3fa32
.rdata 0xa8000 0x2737c 0x27400 4.50 942581a87fdb974cdc1481f107217cda
.data 0xd0000 0x11414 0x6a00 3.70 a544274dc1e9edbba6e85ab8cc0a44e0
.rsrc 0xe2000 0x37698 0x37800 6.43 aa85b8a71ea64626e17bb2e0002ba83e
.reloc 0x11a000 0xdc6c 0xde00 5.86 39f142536048e528e78d4ee7d9f55dd0

( 17 imports )
> SETUPAPI.dll: SetupIterateCabinetW
> SHLWAPI.dll: UrlGetPartW, SHRegGetUSValueW, SHSetValueW, PathFileExistsW, PathAppendW, ColorRGBToHLS, SHRegSetUSValueW, SHDeleteValueW, SHDeleteKeyW, SHGetValueW, SHRegOpenUSKeyW, SHRegCloseUSKey, PathCombineW, PathCanonicalizeW, PathRemoveFileSpecW, SHOpenRegStream2W, ColorHLSToRGB, SHCopyKeyW
> WININET.dll: InternetSetStatusCallbackA, InternetCrackUrlW, HttpOpenRequestA, InternetConnectA, HttpQueryInfoW, InternetCloseHandle, InternetOpenUrlW, InternetOpenW, UnlockUrlCacheEntryStream, RetrieveUrlCacheEntryStreamW, ReadUrlCacheEntryStream, InternetGetConnectedState, InternetSetOptionW, HttpAddRequestHeadersW, HttpSendRequestW, InternetQueryDataAvailable, InternetReadFile, InternetCreateUrlW
> urlmon.dll: CreateURLMoniker
> WSOCK32.dll: -, -, -, -, -, -, -, -
> CRYPT32.dll: CertFreeCertificateContext, CertNameToStrW, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CryptQueryObject, CryptDecodeObject
> WINTRUST.dll: WinVerifyTrust
> WINMM.dll: PlaySoundW
> imagehlp.dll: ImageGetDigestStream, ImageAddCertificate, ImageGetCertificateData, ImageGetCertificateHeader, ImageRemoveCertificate
> KERNEL32.dll: GetFileType, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetFileAttributesW, GetVersion, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExW, RaiseException, InitializeCriticalSection, DeleteCriticalSection, LoadLibraryW, GetLastError, SetLastError, GetModuleFileNameW, OutputDebugStringA, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, MultiByteToWideChar, WideCharToMultiByte, InterlockedDecrement, CreateDirectoryW, CloseHandle, LeaveCriticalSection, TryEnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileW, Sleep, EnterCriticalSection, InterlockedIncrement, lstrlenW, GetTickCount, GetCurrentThreadId, DeleteFileW, FindNextFileW, lstrcpyW, LoadLibraryA, GetShortPathNameW, WritePrivateProfileStringW, lstrcatW, GetWindowsDirectoryW, MoveFileExW, FreeLibrary, GetCurrentProcessId, GetFullPathNameW, GlobalUnlock, GlobalSize, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, ReadFile, GetFileSize, CreateFileW, SetFilePointer, WriteFile, UnmapViewOfFile, CreateFileMappingW, GetTempPathW, GetTempFileNameW, WaitForMultipleObjects, lstrcpynW, LoadLibraryExW, MulDiv, CreateProcessW, GetExitCodeThread, WaitForSingleObject, SetFileAttributesW, GetCurrentDirectoryW, CompareFileTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime, SetEndOfFile, MapViewOfFileEx, IsBadReadPtr, GetVersionExA, SetProcessWorkingSetSize, GetStartupInfoW, GetExitCodeProcess, OpenProcess, SetThreadPriority, GetCurrentThread, TerminateProcess, CreateRemoteThread, DuplicateHandle, GetCurrentProcess, lstrcmpiW, GlobalMemoryStatus, RemoveDirectoryW, PeekNamedPipe, GetFileInformationByHandle, FileTimeToLocalFileTime, GetSystemTimeAsFileTime, CreateThread, ExitThread, ExitProcess, RtlUnwind, GetProcessHeap, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, HeapDestroy, lstrlenA, GetTimeZoneInformation, ResumeThread, MoveFileW, GetDriveTypeW, GetCommandLineA, LCMapStringA, LCMapStringW, GetCPInfo, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, QueryPerformanceCounter, GetModuleFileNameA, SetUnhandledExceptionFilter, VirtualQuery, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetStringTypeA, GetStringTypeW, VirtualProtect, GetSystemInfo, FlushFileBuffers, UnhandledExceptionFilter, GetOEMCP, SetStdHandle, SetHandleCount, GetStdHandle, GetStartupInfoA, GetCurrentDirectoryA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, DebugBreak, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, IsBadCodePtr, GetDriveTypeA, CreateFileA, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, LocalAlloc, GetCommandLineW
> USER32.dll: SendDlgItemMessageW, DialogBoxParamW, AppendMenuW, PtInRect, MessageBoxIndirectW, GetClassInfoW, SetParent, UpdateWindow, SetCapture, ReleaseCapture, SetWindowsHookExW, OpenClipboard, GetClipboardData, CloseClipboard, RegisterClipboardFormatW, TranslateMessage, DispatchMessageW, DefWindowProcW, GetClassLongW, ShowWindow, TrackPopupMenuEx, EnumChildWindows, UnhookWindowsHookEx, DestroyCursor, ScreenToClient, GetForegroundWindow, GetWindowThreadProcessId, GetKeyState, GetWindowTextLengthW, IsWindowVisible, CallNextHookEx, GetClassNameW, DrawTextExW, InflateRect, CreateWindowExW, RegisterClassW, RemoveMenu, CreatePopupMenu, InsertMenuItemW, DeleteMenu, GetMenuItemInfoW, GetMenuItemCount, GetSystemMetrics, LoadIconW, DrawTextW, ClientToScreen, CallWindowProcW, GetDC, ReleaseDC, GetCursorPos, SetWindowLongW, InvalidateRect, SetRectEmpty, LoadBitmapW, FrameRect, SetDlgItemTextW, TrackPopupMenu, DrawIconEx, CopyImage, GetScrollInfo, DrawFrameControl, GetDesktopWindow, SetWindowPos, GetMessagePos, MapWindowPoints, SystemParametersInfoA, MessageBeep, FillRect, GetParent, GetClientRect, MoveWindow, GetWindowRect, KillTimer, LoadImageW, PostMessageW, GetWindowLongW, GetFocus, IsChild, DestroyWindow, FindWindowExW, DestroyMenu, OffsetRect, GetWindowTextW, GetSysColor, SetTimer, LoadCursorW, SetCursor, SetFocus, MessageBoxW, EnableWindow, EndDialog, GetDlgItem, SetWindowTextW, IsWindow, IsDlgButtonChecked, SendMessageW, GetAsyncKeyState, BeginPaint, EndPaint, GetDlgCtrlID, SetPropW, IsWindowEnabled, IntersectRect, DrawFocusRect, SystemParametersInfoW, GetPropW
> GDI32.dll: GetBkColor, GetTextExtentExPointW, ExtTextOutW, CreateBitmap, GetLayout, SelectPalette, CreateHalftonePalette, RealizePalette, CreateDIBSection, CreateCompatibleBitmap, SetDIBits, TextOutW, LineTo, MoveToEx, CreatePen, SetBkMode, GetTextExtentPoint32W, CreateICW, SetBkColor, GetTextFaceW, GetDeviceCaps, GetTextMetricsW, GetStockObject, RestoreDC, DeleteObject, DeleteDC, SetTextColor, SaveDC, GetObjectW, CreateFontIndirectW, CreateCompatibleDC, SelectObject, BitBlt, CreateSolidBrush, EnumFontFamiliesExW
> ADVAPI32.dll: RegSetValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteValueW, RegOpenKeyExW, RegCloseKey, RegEnumKeyExW, RegQueryValueExA, RegOpenKeyExA, CryptCreateHash, CryptImportKey, CryptVerifySignatureW, CryptHashData, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptDestroyHash, RegQueryValueExW, RegCreateKeyExW, RegDeleteKeyW, RegQueryInfoKeyW
> SHELL32.dll: SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHGetSpecialFolderLocation
> ole32.dll: OleRun, CreateStreamOnHGlobal, CLSIDFromProgID, OleSaveToStream, CoInitializeSecurity, StringFromGUID2, RevokeDragDrop, RegisterDragDrop, CoCreateGuid, CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
> MSIMG32.dll: AlphaBlend

( 10 exports )
DllCanUnloadNow, DllGetClassObject, DllInfoA, DllRegisterServer, DllUnregisterServer, DllUpdated, DllUpdated2, DllVersionStringA, DllVersionStringW, GDSCompatibilityCheck
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=8b5a0b5054e5a604e6fa6c87450c6649