Slow Computer, Antivirus 2009, other weird stuff going on


This topic is locked
25 replies to this topic

#1 Bob The Chainsaw
  • Members
  • 32 posts

Posted 05 April 2009 - 03:17 PM

So yeah, I've been having some strange symptoms lately. This is odd because it all suddenly popped up out of nowhere, I didn't go to any shady sites (I checked my history) or download any shady files that might've given me all these trojans. So yeah. Here are the logs.

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.574 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\1563744616.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andrew\Desktop\dds(2).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: : {437f6485-ecb2-453d-aba1-fd2b6ea20d95} - c:\windows\system32\xedfnmw.dll
BHO: {D5BF49A0-94F3-42BD-F434-3604812C8955} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\windows\temp\m3t9ojfzw.exe
uRun: [Diagnostic Manager] c:\docume~1\andrew\locals~1\temp\1563744616.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Tgijemunajazeti] rundll32.exe "c:\windows\ofinuhece.dll",e
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tzsbmqij - xedfnmw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli acmsder.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\08zony13.default\
FF - plugin: c:\documents and settings\andrew\application data\mozilla\firefox\profiles\08zony13.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {990A051D-3EC4-46A0-9687-9BB1C33C2236} - c:\documents and settings\andrew\local settings\application data\{990A051D-3EC4-46A0-9687-9BB1C33C2236}

============= SERVICES / DRIVERS ===============

R2 sxhkdvkx;Microsoft USB 2.0 Enhanced Host Controller Miniport Monitor;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S2 gupdate1c9870b98610a3a;Google Update Service (gupdate1c9870b98610a3a);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

=============== Created Last 30 ================

2009-03-25 13:52 <DIR> --d----- c:\program files\VTFEdit
2009-03-20 16:43 <DIR> --d----- c:\program files\EA Games
2009-03-14 20:55 90,112 a------- c:\windows\unvise32.exe
2009-03-14 20:53 54,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-03-14 12:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2009-03-14 00:55 <DIR> --d----- c:\program files\SoulseekNS

==================== Find3M ====================

2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-26 13:23 1,632 a------- c:\program files\pfcri.txt
2009-01-19 15:10 34,807 a------- c:\windows\scunin.dat
2009-01-19 15:10 70,656 a------- c:\windows\ScUnin.exe
2009-01-10 12:38 2,692 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-07 16:38 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-01 19:20 23 a------- c:\documents and settings\andrew\jagex_runescape_preferences.dat

============= FINISH: 16:14:06.92 ===============
Attached File: Attach.txt (8.77KB)

#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2009 - 09:05 AM

Hello Bob The Chainsaw, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. At this time I will need only the log.txt. You will not need to post the info.txt.





When completed please post the log from RSIT as well as the one from Kaspersky. Do not post either as an attachment.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts

Posted 06 April 2009 - 12:28 PM

Alright, thanks.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 11:58:52
Records in database: 2017642
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 124874
Threat name: 8
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:29:41


File name / Threat name / Threats count
C:\Documents and Settings\Andrew\Desktop\ComboFix.exe Infected: Trojan.Win32.Agent2.doi 1
C:\Documents and Settings\Andrew\Desktop\ComboFix.exe Infected: Trojan.Win32.Agent2.fft 1
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\0EG71GFN\flash[1].swf Infected: Exploit.SWF.Downloader.ks 1
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\0EG71GFN\pdf.exp[1].pdf Infected: Exploit.Win32.Pidief.aka 1
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\F4O0YCU7\load[1].exe Infected: Trojan.Win32.Inject.rlh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\25d47df9.sys.vir Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_25d47df9_.sys.zip Infected: Rootkit.Win32.Agent.gtd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kedohugu.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\szyxci.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O5IJGDQJ\164[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.ebo 1
C:\WINDOWS\temp\rdlC6.tmp Infected: Trojan-Downloader.Win32.FraudLoad.ebo 1

The selected area was scanned.

RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Andrew at 2009-04-06 13:26:45
Microsoft Windows XP Professional Service Pack 2
System drive C: has 39 GB (35%) free of 111 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:55 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\1563744616.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Andrew.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: (no name) - {437F6485-ECB2-453D-ABA1-FD2B6EA20D95} - c:\windows\system32\xedfnmw.dll
O2 - BHO: (no name) - {D5BF49A0-94F3-42BD-F434-3604812C8955} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tgijemunajazeti] rundll32.exe "C:\WINDOWS\ofinuhece.dll",e
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\m3t9ojfzw.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Andrew\LOCALS~1\Temp\1563744616.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: tzsbmqij - C:\WINDOWS\SYSTEM32\xedfnmw.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9870b98610a3a) (gupdate1c9870b98610a3a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4796 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{437F6485-ECB2-453D-ABA1-FD2B6EA20D95}]
c:\windows\system32\xedfnmw.dll [2006-02-28 102912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF49A0-94F3-42BD-F434-3604812C8955}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-07 136600]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Tgijemunajazeti"=C:\WINDOWS\ofinuhece.dll [2007-03-08 158208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"=c:\program files\steam\steam.exe [2008-09-08 1410296]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-04-01 486856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2006-02-28 15360]
""=C:\WINDOWS\TEMP\m3t9ojfzw.exe []
"Diagnostic Manager"=C:\DOCUME~1\Andrew\LOCALS~1\Temp\1563744616.exe [2009-04-05 22017]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tzsbmqij]
C:\WINDOWS\system32\xedfnmw.dll [2006-02-28 102912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
acmsder.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Steam\steamapps\dilandau_sama\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\the ship\ship.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\the ship\ship.exe:*:Enabled:ship"
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe"="C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:RelicCOH"
"C:\Program Files\Steam\steamapps\dilandau_sama\garrysmod\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\garrysmod\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\day of defeat source\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\day of defeat source beta\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\day of defeat source beta\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\thebunnylord\day of defeat source\hl2.exe"="C:\Program Files\Steam\steamapps\thebunnylord\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Steam\steamapps\rollercoastergy\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\rollercoastergy\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\thebunnylord\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\thebunnylord\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\source sdk base\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\source sdk base\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\source sdk base 2007\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\source sdk base 2007\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\dilandau_sama\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Steam\steamapps\dilandau_sama\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\ericesn\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\ericesn\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\ericesn\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Steam\steamapps\ericesn\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\thebunnylord\source sdk base\hl2.exe"="C:\Program Files\Steam\steamapps\thebunnylord\source sdk base\hl2.exe:*:Enabled:hl2"
"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"
"C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe"="C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aebedefe-2c04-11dd-8484-0010dcd13d87}]
shell\AutoRun\command - I:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-04-06 13:26:45 ----D---- C:\rsit
2009-04-06 11:45:53 ----D---- C:\Documents and Settings\Andrew\Application Data\yyraqdon
2009-03-25 13:52:17 ----D---- C:\Program Files\VTFEdit
2009-03-20 16:43:55 ----D---- C:\Program Files\EA Games
2009-03-14 20:55:11 ----A---- C:\WINDOWS\unvise32.exe
2009-03-14 20:53:45 ----A---- C:\WINDOWS\system32\MSSTDFMT.DLL
2009-03-14 12:52:44 ----D---- C:\Documents and Settings\All Users\Application Data\Soulseek
2009-03-14 00:55:14 ----D---- C:\Program Files\SoulseekNS
2009-03-11 22:30:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 22:30:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 22:29:34 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$

======List of files/folders modified in the last 1 months======

2009-04-06 13:24:52 ----D---- C:\Program Files\Mozilla Firefox
2009-04-06 11:46:12 ----D---- C:\WINDOWS\temp
2009-04-06 11:45:59 ----D---- C:\WINDOWS\Prefetch
2009-04-06 11:43:02 ----SHD---- C:\System Volume Information
2009-04-06 11:43:02 ----D---- C:\WINDOWS\system32\Restore
2009-04-06 11:08:22 ----SD---- C:\WINDOWS\Tasks
2009-04-06 10:11:02 ----D---- C:\Program Files\Steam
2009-04-05 23:01:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-05 16:07:25 ----D---- C:\WINDOWS\system32
2009-04-05 16:07:19 ----D---- C:\Program Files\Common Files
2009-04-05 15:48:14 ----D---- C:\WINDOWS
2009-04-05 15:40:50 ----RD---- C:\Program Files
2009-04-05 15:40:50 ----D---- C:\WINDOWS\system32\drivers
2009-04-05 10:07:58 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-03-30 22:36:39 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-30 16:53:22 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-24 11:52:42 ----D---- C:\Program Files\Microsoft Silverlight
2009-03-23 17:43:49 ----SHD---- C:\WINDOWS\Installer
2009-03-22 17:36:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-12 15:30:21 ----HD---- C:\WINDOWS\inf
2009-03-11 22:30:18 ----A---- C:\WINDOWS\imsins.BAK
2009-03-11 10:44:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-07 17:05:10 ----D---- C:\Program Files\internet explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2006-02-28 36096]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2006-02-28 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2006-02-28 61824]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-02-28 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-02-28 57600]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-02-28 20480]
S3 aly5n7wj;aly5n7wj; C:\WINDOWS\system32\drivers\aly5n7wj.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2006-02-28 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-02-28 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-07 152984]
R2 sxhkdvkx;Microsoft USB 2.0 Enhanced Host Controller Miniport Monitor; C:\WINDOWS\System32\svchost.exe [2006-02-28 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 gupdate1c9870b98610a3a;Google Update Service (gupdate1c9870b98610a3a); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2006-02-28 14336]

-----------------EOF-----------------
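One way to triage autorun entries like those in the DDS log in post #1 and the HijackThis/RSIT log above, as an added example that is not part of the thread and not code from HijackThis, RSIT or DDS: a small Python script that parses O2/O4/O20/O23 lines, pulls out the entry name and the file path, and flags the same signs a helper looks for by eye (autoruns living in a Temp directory, a Run value with no name, a BHO with no display name, a purely numeric filename, a DLL started through rundll32, and a Winlogon Notify DLL that is not on an allowlist). The sample lines are copied from the log above; the allowlist of Notify DLLs and the flag names are assumptions made for this example.

```python
"""Triage helper for HijackThis/RSIT-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, including two
# benign entries (jusched.exe, ctfmon.exe, jqs.exe) so the script has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {437F6485-ECB2-453D-ABA1-FD2B6EA20D95} - c:\windows\system32\xedfnmw.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Tgijemunajazeti] rundll32.exe "C:\WINDOWS\ofinuhece.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\m3t9ojfzw.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Andrew\LOCALS~1\Temp\1563744616.exe
O20 - Winlogon Notify: tzsbmqij - C:\WINDOWS\SYSTEM32\xedfnmw.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path ending in an executable extension; lazy so it stops at the first match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# How each section names its entry (O4 uses [name], the others a "label: name - " prefix).
NAME_RE = {
    "O2": re.compile(r"BHO: (.*?) - \{"),
    "O4": re.compile(r"\[(.*?)\]"),
    "O20": re.compile(r"Notify: (.*?) - "),
    "O23": re.compile(r"Service: (.*?) - "),
}
# Constructed allowlist (assumption for this example): Winlogon Notify DLLs that appear
# as legitimate entries in the registry dump above.
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll", "wgalogon.dll"}


@dataclass
class Finding:
    section: str
    name: str
    path: str
    flags: list


def _flags(section: str, name: str, body: str, path: str) -> list:
    """Apply the heuristics to one parsed line; an empty list means nothing stood out."""
    flags = []
    filename = path.rsplit("\\", 1)[-1].lower() if path else ""
    stem = filename.rsplit(".", 1)[0]
    if TEMP_RE.search(path):
        flags.append("temp_path")  # autorun pointing into a Temp directory
    if section == "O4" and name == "":
        flags.append("empty_name")  # Run value registered with no name at all
    if section == "O2" and name == "(no name)":
        flags.append("unnamed_bho")  # BHO with no display name
    if stem.isdigit():
        flags.append("numeric_filename")  # e.g. 1563744616.exe
    if section == "O4" and re.search(r"\]\s*rundll32\.exe", body, re.IGNORECASE):
        flags.append("rundll32_launch")  # a DLL loaded at logon through rundll32
    if section == "O20" and filename not in KNOWN_NOTIFY_DLLS:
        flags.append("notify_dll_not_allowlisted")
    return flags


def triage(log_text: str) -> list:
    """Parse HijackThis-style lines and return only the entries that raised at least one flag."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, process listings
        section, body = m.groups()
        name_re = NAME_RE.get(section)
        name_m = name_re.search(body) if name_re else None
        name = name_m.group(1) if name_m else ""
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else ""
        flags = _flags(section, name, body, path)
        if flags:
            findings.append(Finding(section, name, path, flags))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name or '<no name>':<36} {f.path}  <- {', '.join(f.flags)}")
```

The flags are prioritisation hints for a human reviewer, not verdicts: the Java updater, ctfmon and jqs lines come through with no flags, while the five entries the helper would look at first are each listed with the reason. Any real allowlist should be built from a known-clean machine rather than from the infected log itself.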

#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2009 - 12:43 PM

I see Qoobox showing up in the scan. Have you used ComboFix recently or is this a leftover from its use sometime in the past? Is it on your computer now?

#5 Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts

Posted 06 April 2009 - 01:01 PM

I have used Combofix in the past, yes.

#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2009 - 01:10 PM

Is it still on your computer or did you delete it? The reason I asked is it could be important if we should need to use it again. When we uninstall ComboFix then Qoobox is taken off as well.

#7 Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts

Posted 06 April 2009 - 05:43 PM

Yes, it's still installed.

#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2009 - 09:23 PM

OK, thanks. I know it was showing in the scan but I wasn't seeing it anywhere else on the RSIT log. Just needed to make sure.

I will put together a fix and then it must be approved by a coach. We are really busy as always but I will get back just as quickly as possible.

#9 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 10 April 2009 - 08:57 AM

I apologize for the delay; I should have something up shortly.

#10 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 10 April 2009 - 01:04 PM

One of the infected files Kaspersky has identified is a dialer. These types of programs dial premium-rate numbers without your knowledge or consent. We have identified it and should be able to clean it off, but I needed to make you aware it was on your machine.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case BitTorrent). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology".

You show no signs of either a third-party firewall or an anti-virus program on your machine, and this is highly dangerous with all of the malware floating around out there. I will give you some links to free ones in my next post, but in the meantime I would suggest not doing much of any surfing until we can get you cleaned up some.

What we want to do is get rid of the old ComboFix and put a new version on, so please delete the one you have now and follow the instructions below:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HJT log.

#11 Bob The Chainsaw (Topic Starter, Members, 32 posts)

Posted 10 April 2009 - 03:10 PM

Okay, thanks! But I would just like to inform you that I haven't used BitTorrent in months, even years. I'm not sure if that's what gave me these issues.

ComboFix 09-04-04.01 - Andrew 2009-04-10 15:52:27.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.576 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xedfnmw.dll
c:\windows\Tasks\At1.job
c:\windows\temp\727774412.exe
c:\windows\temp\934493162.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SXHKDVKX
-------\Service_sxhkdvkx


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-09 18:53 . 2009-04-09 18:53 <DIR> d-------- c:\documents and settings\Andrew\Application Data\yyraqdon
2009-04-08 18:00 . 2009-04-08 18:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\yyraqdon
2009-04-08 15:22 . 2009-04-10 15:40 408 --a------ c:\windows\Sbosacupodo.dat
2009-04-08 15:22 . 2009-04-10 09:38 0 --a------ c:\windows\Upafa.bin
2009-04-07 12:53 . 2009-04-07 12:53 <DIR> d-------- c:\documents and settings\Carol\Application Data\yyraqdon
2009-04-06 13:26 . 2009-04-06 13:26 <DIR> d-------- C:\rsit
2009-04-05 17:13 . 2009-04-05 17:13 <DIR> d-------- c:\documents and settings\Amy\Application Data\yyraqdon
2009-03-25 13:52 . 2009-03-25 13:53 <DIR> d-------- c:\program files\VTFEdit
2009-03-20 16:43 . 2009-03-20 16:43 <DIR> d-------- c:\program files\EA Games
2009-03-14 20:55 . 2003-03-15 21:15 90,112 --a------ c:\windows\unvise32.exe
2009-03-14 20:53 . 2008-11-18 08:56 54,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2009-03-14 12:52 . 2009-03-14 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-03-14 00:55 . 2009-03-14 00:55 <DIR> d-------- c:\program files\SoulseekNS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 19:58 --------- d-----w c:\program files\Steam
2009-04-08 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-24 15:52 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-13 01:28 --------- d-----w c:\program files\Google
2009-02-11 21:02 --------- d-----w c:\program files\IrfanView
2009-01-26 17:23 1,632 ----a-w c:\program files\pfcri.txt
2009-01-19 19:10 70,656 ----a-w c:\windows\ScUnin.exe
2008-07-01 23:20 23 ----a-w c:\documents and settings\Andrew\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_10.28.57.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-24 04:47:44 49,152 ----a-w c:\windows\$hf_mig$\KB904942\SP2QFE\wdigest.dll
+ 2005-10-12 23:12:25 14,048 ----a-w c:\windows\$hf_mig$\KB904942\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w c:\windows\$hf_mig$\KB904942\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w c:\windows\$hf_mig$\KB904942\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w c:\windows\$hf_mig$\KB904942\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w c:\windows\$hf_mig$\KB904942\update\updspapi.dll
+ 2006-07-14 15:52:22 121,856 ----a-w c:\windows\$hf_mig$\KB915865\SP2QFE\xmllite.dll
+ 2005-10-12 23:12:25 14,048 ----a-w c:\windows\$hf_mig$\KB915865\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w c:\windows\$hf_mig$\KB915865\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w c:\windows\$hf_mig$\KB915865\update\spcustom.dll
+ 2005-10-12 23:12:28 716,000 ----a-w c:\windows\$hf_mig$\KB915865\update\update.exe
+ 2005-10-12 23:12:33 371,424 ----a-w c:\windows\$hf_mig$\KB915865\update\updspapi.dll
+ 2007-07-12 23:28:55 765,952 ----a-w c:\windows\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2008-05-27 17:31:16 765,952 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:33 14,048 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\update\update.exe
+ 2007-03-06 01:23:47 371,424 ----a-w c:\windows\$hf_mig$\KB938127-v2-IE7\update\updspapi.dll
+ 2008-08-26 09:08:35 124,928 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\advpack.dll
+ 2008-08-26 09:08:36 347,136 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\dxtmsft.dll
+ 2008-08-26 09:08:36 214,528 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\dxtrans.dll
+ 2008-08-26 09:08:36 132,608 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\extmgr.dll
+ 2008-08-26 09:08:36 63,488 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\icardie.dll
+ 2008-08-25 08:43:21 70,656 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ie4uinit.exe
+ 2008-08-26 09:08:36 153,088 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieakeng.dll
+ 2008-08-26 09:08:36 230,400 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieaksie.dll
+ 2008-08-23 05:54:50 161,792 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
+ 2008-08-26 09:08:36 380,928 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dll
+ 2008-08-26 09:08:37 388,608 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iedkcs32.dll
+ 2008-10-03 17:26:50 6,068,224 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieframe.dll
+ 2008-08-26 09:08:39 44,544 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iernonce.dll
+ 2008-08-26 09:08:39 267,776 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iertutil.dll
+ 2008-08-25 08:43:21 13,824 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\ieudinit.exe
+ 2008-08-23 05:56:16 635,848 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
+ 2008-08-26 09:08:40 27,648 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\jsproxy.dll
+ 2008-08-26 09:08:40 459,264 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\msfeeds.dll
+ 2008-08-26 09:08:40 52,224 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\msfeedsbs.dll
+ 2008-08-26 09:08:43 3,594,752 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
+ 2008-08-26 09:08:43 477,696 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtmled.dll
+ 2008-08-26 09:08:44 193,024 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\msrating.dll
+ 2008-08-26 09:08:44 671,232 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mstime.dll
+ 2008-08-26 09:08:44 102,912 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\occache.dll
+ 2008-08-26 09:08:44 44,544 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\pngfilt.dll
+ 2008-08-26 09:08:44 105,984 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\url.dll
+ 2008-08-26 09:08:45 1,162,752 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll
+ 2008-08-26 09:08:45 233,472 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\webcheck.dll
+ 2008-08-26 09:08:45 827,904 ----a-w c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:33 14,048 ----a-w c:\windows\$hf_mig$\KB956390-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w c:\windows\$hf_mig$\KB956390-IE7\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w c:\windows\$hf_mig$\KB956390-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB956390-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB956390-IE7\update\updspapi.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB960715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB960715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB960715\update\spcustom.dll
+ 2008-11-15 17:18:04 755,576 ----a-w c:\windows\$hf_mig$\KB960715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB960715\update\updspapi.dll
+ 2008-12-20 23:55:43 124,928 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\advpack.dll
+ 2008-12-20 23:55:44 347,136 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\dxtmsft.dll
+ 2008-12-20 23:55:44 214,528 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\dxtrans.dll
+ 2008-12-20 23:55:44 132,608 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\extmgr.dll
+ 2008-12-20 23:55:45 63,488 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\icardie.dll
+ 2008-12-19 09:41:51 70,656 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ie4uinit.exe
+ 2008-12-20 23:55:45 153,088 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieakeng.dll
+ 2008-12-20 23:55:45 230,400 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieaksie.dll
+ 2008-12-19 05:24:02 161,792 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieapfltr.dat
+ 2008-12-20 23:55:46 380,928 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieapfltr.dll
+ 2008-12-20 23:55:46 388,608 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iedkcs32.dll
+ 2008-12-20 23:55:50 6,068,736 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieframe.dll
+ 2008-12-20 23:55:50 44,544 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iernonce.dll
+ 2008-12-20 23:55:50 267,776 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iertutil.dll
+ 2008-12-19 09:41:52 13,824 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\ieudinit.exe
+ 2008-12-19 05:25:30 634,024 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
+ 2008-12-20 23:55:51 27,648 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\jsproxy.dll
+ 2008-12-20 23:55:51 459,264 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\msfeeds.dll
+ 2008-12-20 23:55:51 52,224 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\msfeedsbs.dll
+ 2009-01-16 16:24:38 3,596,288 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
+ 2008-12-20 23:55:56 477,696 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtmled.dll
+ 2008-12-20 23:55:56 193,024 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\msrating.dll
+ 2008-12-20 23:55:57 671,232 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mstime.dll
+ 2008-12-20 23:55:57 102,912 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\occache.dll
+ 2008-12-20 23:55:57 44,544 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\pngfilt.dll
+ 2008-12-20 23:55:57 105,984 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\url.dll
+ 2008-12-20 23:55:59 1,163,264 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\urlmon.dll
+ 2008-12-20 23:55:59 233,472 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\webcheck.dll
+ 2008-12-20 23:56:00 827,904 ----a-w c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB961260-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB961260-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB961260-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB961260-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB961260-IE7\update\updspapi.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\shell32.dll
+ 2008-02-15 09:06:21 351,744 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\xpsp3res.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\$hf_mig$\KB967715\SP3GDR\shell32.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2006-05-25 15:29:04 213,216 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe
+ 2006-05-25 15:29:04 371,424 -c----w c:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\updspapi.dll
+ 2006-05-24 17:32:48 213,216 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe
+ 2006-05-24 17:32:48 371,424 -c----w c:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\updspapi.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB904942$\spuninst\spuninst.exe
+ 2005-10-12 23:12:34 371,424 -c----w c:\windows\$NtUninstallKB904942$\spuninst\updspapi.dll
+ 2006-02-28 12:00:00 49,152 -c----w c:\windows\$NtUninstallKB904942$\wdigest.dll
+ 2006-02-28 12:00:00 28,672 -c----w c:\windows\$NtUninstallKB914440$\custsat.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB914440$\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w c:\windows\$NtUninstallKB914440$\spuninst\updspapi.dll
+ 2005-10-12 23:12:26 213,216 -c----w c:\windows\$NtUninstallKB915865$\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w c:\windows\$NtUninstallKB915865$\spuninst\updspapi.dll
+ 2008-07-09 07:38:25 231,288 -c----w c:\windows\$NtUninstallKB960715$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB960715$\spuninst\updspapi.dll
+ 2007-10-26 03:36:51 8,454,656 -c----w c:\windows\$NtUninstallKB967715$\shell32.dll
+ 2008-07-09 07:38:25 231,288 -c----w c:\windows\$NtUninstallKB967715$\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\$NtUninstallKB967715$\spuninst\updspapi.dll
+ 2007-03-08 15:36:28 28,672 ----a-w c:\windows\acmsder.dll
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2006-02-28 12:00:00 61,440 -c--a-w c:\windows\ie7\admparse.dll
+ 2006-02-28 12:00:00 99,840 -c--a-w c:\windows\ie7\advpack.dll
+ 2006-02-28 12:00:00 35,328 -c--a-w c:\windows\ie7\corpol.dll
+ 2006-06-03 11:40:49 33,792 -c--a-w c:\windows\ie7\custsat.dll
+ 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\ie7\dxtmsft.dll
+ 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\ie7\dxtrans.dll
+ 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\ie7\extmgr.dll
+ 2006-02-28 12:00:00 38,912 -c--a-w c:\windows\ie7\hmmapi.dll
+ 2006-02-28 12:00:00 34,304 -c--a-w c:\windows\ie7\ie4uinit.exe
+ 2006-02-28 12:00:00 139,264 -c--a-w c:\windows\ie7\ieakeng.dll
+ 2006-02-28 12:00:00 216,576 -c--a-w c:\windows\ie7\ieaksie.dll
+ 2006-02-28 12:00:00 221,184 -c--a-w c:\windows\ie7\ieakui.dll
+ 2006-02-28 12:00:00 323,584 -c--a-w c:\windows\ie7\iedkcs32.dll
+ 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\ie7\iedw.exe
+ 2006-02-28 12:00:00 81,920 -c--a-w c:\windows\ie7\ieencode.dll
+ 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\ie7\iepeers.dll
+ 2006-02-28 12:00:00 48,640 -c--a-w c:\windows\ie7\iernonce.dll
+ 2006-02-28 12:00:00 62,976 -c--a-w c:\windows\ie7\iesetup.dll
+ 2006-02-28 12:00:00 93,184 -c--a-w c:\windows\ie7\iexplore.exe
+ 2006-02-28 12:00:00 35,840 -c--a-w c:\windows\ie7\imgutil.dll
+ 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\ie7\inseng.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\ie7\jscript.dll
+ 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\ie7\jsproxy.dll
+ 2006-02-28 12:00:00 22,016 -c--a-w c:\windows\ie7\licmgr10.dll
+ 2006-02-28 12:00:00 29,184 -c--a-w c:\windows\ie7\mshta.exe
+ 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\ie7\mshtml.dll
+ 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\ie7\mshtmled.dll
+ 2006-02-28 12:00:00 56,832 -c--a-w c:\windows\ie7\mshtmler.dll
+ 2006-02-28 12:00:00 146,432 -c--a-w c:\windows\ie7\msls31.dll
+ 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\ie7\msrating.dll
+ 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\ie7\mstime.dll
+ 2006-02-28 12:00:00 96,256 -c--a-w c:\windows\ie7\occache.dll
+ 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\ie7\pngfilt.dll
+ 2007-08-13 23:54:42 32,960 -c--a-w c:\windows\ie7\spuninst\iecustom.dll
+ 2007-08-13 23:52:06 66,048 -c--a-w c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2006-09-06 22:43:16 213,216 -c--a-w c:\windows\ie7\spuninst\spuninst.exe
+ 2006-09-06 22:43:18 371,424 -c--a-w c:\windows\ie7\spuninst\updspapi.dll
+ 2006-02-28 12:00:00 37,888 -c--a-w c:\windows\ie7\url.dll
+ 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\ie7\urlmon.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w c:\windows\ie7\vbscript.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w c:\windows\ie7\vgx.dll
+ 2006-02-28 12:00:00 276,480 -c--a-w c:\windows\ie7\webcheck.dll
+ 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\ie7\wininet.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-IE7\vgx.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-07-12 23:31:54 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-13 23:39:00 123,904 -c----w c:\windows\ie7updates\KB956390-IE7\advpack.dll
+ 2007-08-13 23:35:46 346,624 -c----w c:\windows\ie7updates\KB956390-IE7\dxtmsft.dll
+ 2007-08-13 23:35:38 214,528 -c----w c:\windows\ie7updates\KB956390-IE7\dxtrans.dll
+ 2007-08-13 23:54:10 131,584 -c----w c:\windows\ie7updates\KB956390-IE7\extmgr.dll
+ 2007-08-13 23:36:26 61,952 -c----w c:\windows\ie7updates\KB956390-IE7\icardie.dll
+ 2007-08-13 23:39:06 54,784 -c----w c:\windows\ie7updates\KB956390-IE7\ie4uinit.exe
+ 2007-08-13 23:39:26 152,064 -c----w c:\windows\ie7updates\KB956390-IE7\ieakeng.dll
+ 2007-08-13 23:39:54 229,376 -c----w c:\windows\ie7updates\KB956390-IE7\ieaksie.dll
+ 2007-08-13 22:56:54 161,792 -c----w c:\windows\ie7updates\KB956390-IE7\ieakui.dll
+ 2007-02-12 21:10:12 2,451,312 -c----w c:\windows\ie7updates\KB956390-IE7\ieapfltr.dat
+ 2007-07-11 17:27:48 383,488 -c----w c:\windows\ie7updates\KB956390-IE7\ieapfltr.dll
+ 2007-08-13 23:39:50 382,976 -c----w c:\windows\ie7updates\KB956390-IE7\iedkcs32.dll
+ 2007-08-13 23:54:10 6,049,280 -c----w c:\windows\ie7updates\KB956390-IE7\ieframe.dll
+ 2007-08-13 23:39:10 43,008 -c----w c:\windows\ie7updates\KB956390-IE7\iernonce.dll
+ 2007-08-13 23:34:04 266,752 -c----w c:\windows\ie7updates\KB956390-IE7\iertutil.dll
+ 2007-08-13 23:39:10 13,312 -c----w c:\windows\ie7updates\KB956390-IE7\ieudinit.exe
+ 2007-08-13 23:43:56 622,080 -c----w c:\windows\ie7updates\KB956390-IE7\iexplore.exe
+ 2007-08-13 23:43:56 622,080 -c----w c:\windows\ie7updates\KB956390-IE7\iexplore.exe.000
+ 2007-08-13 23:54:10 27,136 -c----w c:\windows\ie7updates\KB956390-IE7\jsproxy.dll
+ 2007-08-13 23:54:10 458,752 -c----w c:\windows\ie7updates\KB956390-IE7\msfeeds.dll
+ 2007-08-13 23:54:10 50,688 -c----w c:\windows\ie7updates\KB956390-IE7\msfeedsbs.dll
+ 2007-08-13 23:54:12 3,578,368 -c----w c:\windows\ie7updates\KB956390-IE7\mshtml.dll
+ 2007-08-13 23:54:10 475,648 -c----w c:\windows\ie7updates\KB956390-IE7\mshtmled.dll
+ 2007-08-13 23:44:26 192,000 -c----w c:\windows\ie7updates\KB956390-IE7\msrating.dll
+ 2007-08-13 23:54:10 670,720 -c----w c:\windows\ie7updates\KB956390-IE7\mstime.dll
+ 2007-08-13 23:44:06 101,376 -c----w c:\windows\ie7updates\KB956390-IE7\occache.dll
+ 2007-08-13 23:36:12 44,544 -c----w c:\windows\ie7updates\KB956390-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB956390-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:44:30 105,984 -c----w c:\windows\ie7updates\KB956390-IE7\url.dll
+ 2007-08-13 23:54:10 1,162,240 -c----w c:\windows\ie7updates\KB956390-IE7\urlmon.dll
+ 2007-08-13 23:54:10 231,424 -c----w c:\windows\ie7updates\KB956390-IE7\webcheck.dll
+ 2007-08-13 23:54:10 818,688 -c----w c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll.000
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll.000
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dat
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll.000
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll.000
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll.000
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll.000
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll.000
+ 2008-08-27 18:54:32 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-08-27 18:54:32 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll.000
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll.000
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll.000
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll.000
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll.000
- 2008-12-25 14:58:25 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2009-04-06 23:10:06 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2009-02-04 21:01:40 363,246 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ARPPRODUCTICON.exe
+ 2009-02-04 21:01:40 25,214 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-02-04 21:01:40 25,214 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-02-04 21:01:40 25,214 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-02-04 21:01:40 25,214 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-02-04 21:01:40 25,214 ----a-r c:\windows\Installer\{548EAC70-EE00-11DD-908C-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2006-06-03 11:40:49 33,792 ------w c:\windows\network diagnostic\custsat.dll
+ 2006-10-10 12:44:50 557,568 ------w c:\windows\network diagnostic\xpnetdiag.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2007-03-08 15:36:28 158,208 ----a-w c:\windows\ofinuhece.dll
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2006-02-28 12:00:00 61,440 ----a-w c:\windows\system32\admparse.dll
+ 2007-08-13 23:39:20 71,680 ----a-w c:\windows\system32\admparse.dll
- 2006-02-28 12:00:00 99,840 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2009-01-06 20:46:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-07 16:09:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-05 19:19:01 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-01-06 20:46:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-07 16:09:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-05 19:11:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040520090406\index.dat
+ 2009-04-05 19:11:16 78,924 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
+ 2009-04-05 19:10:20 23,552 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G1ARWHEV\test1[1].exe
+ 2009-04-07 16:09:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-05 19:09:46 78,859 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O5IJGDQJ\164[1].exe
+ 2009-04-05 19:10:39 159,232 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPINCTUB\installing_test2[1].exe
+ 2009-04-05 19:10:02 28,672 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S5IF45QB\install[1].exe
- 2006-02-28 12:00:00 35,328 ----a-w c:\windows\system32\corpol.dll
+ 2007-08-13 23:42:54 17,408 ----a-w c:\windows\system32\corpol.dll
- 2006-02-28 12:00:00 61,440 -c--a-w c:\windows\system32\dllcache\admparse.dll
+ 2007-08-13 23:39:20 71,680 -c--a-w c:\windows\system32\dllcache\admparse.dll
- 2006-02-28 12:00:00 99,840 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2006-02-28 12:00:00 35,328 -c--a-w c:\windows\system32\dllcache\corpol.dll
+ 2007-08-13 23:42:54 17,408 -c--a-w c:\windows\system32\dllcache\corpol.dll
- 2006-02-28 12:00:00 28,672 -c--a-w c:\windows\system32\dllcache\custsat.dll
+ 2007-08-13 23:54:10 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll
- 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2006-02-28 12:00:00 38,912 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
+ 2007-08-13 23:18:02 60,416 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2006-02-28 12:00:00 34,304 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2006-02-28 12:00:00 139,264 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2006-02-28 12:00:00 216,576 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2006-02-28 12:00:00 221,184 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2006-02-28 12:00:00 323,584 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2007-08-13 23:44:02 69,120 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2006-02-28 12:00:00 81,920 -c--a-w c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-13 23:45:18 78,336 -c--a-w c:\windows\system32\dllcache\ieencode.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 23:54:10 191,488 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2006-02-28 12:00:00 48,640 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2006-02-28 12:00:00 62,976 -c--a-w c:\windows\system32\dllcache\iesetup.dll
+ 2007-08-13 23:39:12 55,296 -c--a-w c:\windows\system32\dllcache\iesetup.dll
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2006-02-28 12:00:00 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2006-02-28 12:00:00 35,840 -c--a-w c:\windows\system32\dllcache\imgutil.dll
+ 2007-08-13 23:36:06 36,352 -c--a-w c:\windows\system32\dllcache\imgutil.dll
- 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2007-08-13 23:39:02 92,672 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2007-08-13 23:38:04 491,520 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2006-02-28 12:00:00 22,016 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:44:18 40,960 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-02-28 12:00:00 29,184 -c--a-w c:\windows\system32\dllcache\mshta.exe
+ 2007-08-13 23:32:30 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
- 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2006-02-28 12:00:00 56,832 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
+ 2007-08-13 23:01:12 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
- 2006-02-28 12:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msls31.dll
+ 2007-08-13 23:54:10 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
- 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00:00 96,256 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
- 2007-04-25 14:21:15 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 07:12:45 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
- 2007-10-26 03:36:51 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
- 2006-02-28 12:00:00 37,888 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2007-12-18 14:40:58 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2007-08-13 23:54:10 413,696 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2007-06-26 15:13:22 851,968 -c--a-w c:\windows\system32\dllcache\vgx.dll
+ 2008-05-27 17:23:58 765,952 -c--a-w c:\windows\system32\dllcache\vgx.dll
- 2006-02-28 12:00:00 49,152 -c--a-w c:\windows\system32\dllcache\wdigest.dll
+ 2006-03-24 04:37:50 49,152 -c--a-w c:\windows\system32\dllcache\wdigest.dll
- 2006-02-28 12:00:00 276,480 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
- 2007-06-12 04:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-12-04 00:53:36 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
+ 2009-01-14 21:11:28 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
- 2008-12-04 00:53:40 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-01-14 21:11:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
- 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ------w c:\windows\system32\dxtmsft.dll
- 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ------w c:\windows\system32\dxtrans.dll
- 2002-09-04 04:00:00 90,112 ----a-w c:\windows\system32\epcomdd.dll
+ 2002-09-04 05:00:00 90,112 ----a-w c:\windows\system32\epcomdd.dll
- 2002-06-17 04:00:00 86,016 ----a-w c:\windows\system32\Epfb5cpl.dll
+ 2002-06-17 05:00:00 86,016 ----a-w c:\windows\system32\Epfb5cpl.dll
- 2001-11-15 04:00:00 33,280 ----a-w c:\windows\system32\esccm.dll
+ 2001-11-15 05:00:00 33,280 ----a-w c:\windows\system32\esccm.dll
- 2002-06-20 04:00:00 22,528 ----a-w c:\windows\system32\esccmd.dll
+ 2002-06-20 05:00:00 22,528 ----a-w c:\windows\system32\esccmd.dll
- 2002-02-08 04:00:00 23,552 ----a-w c:\windows\system32\esccmn.dll
+ 2002-02-08 05:00:00 23,552 ----a-w c:\windows\system32\esccmn.dll
- 2001-11-15 04:00:00 27,648 ----a-w c:\windows\system32\escimg.dll
+ 2001-11-15 05:00:00 27,648 ----a-w c:\windows\system32\escimg.dll
- 2001-11-15 04:00:00 47,104 ----a-w c:\windows\system32\escimgd.dll
+ 2001-11-15 05:00:00 47,104 ----a-w c:\windows\system32\escimgd.dll
- 2002-02-08 04:00:00 47,104 ----a-w c:\windows\system32\escimgn.dll
+ 2002-02-08 05:00:00 47,104 ----a-w c:\windows\system32\escimgn.dll
- 2002-08-09 04:00:00 184,320 ----a-w c:\windows\system32\esdtr.dll
+ 2002-08-09 05:00:00 184,320 ----a-w c:\windows\system32\ESDTR.dll
- 2000-10-11 04:00:00 53,248 ----a-w c:\windows\system32\ESICM.dll
+ 2000-10-11 05:00:00 53,248 ----a-w c:\windows\system32\ESICM.dll
- 2002-01-31 04:00:00 126,976 ----a-w c:\windows\system32\Esint23.dll
+ 2002-01-31 05:00:00 126,976 ----a-w c:\windows\system32\Esint23.dll
- 2001-05-21 04:00:00 77,824 ----a-w c:\windows\system32\Esintpl.dll
+ 2001-05-21 05:00:00 77,824 ----a-w c:\windows\system32\Esintpl.dll
- 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-09-15 19:17:56 90,296 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-12 14:12:34 90,296 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2006-02-28 12:00:00 218,880 ----a-w c:\windows\system32\ibixibqf.dat
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2006-06-29 13:05:44 26,112 ------w c:\windows\system32\idndl.dll
- 2006-02-28 12:00:00 34,304 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2006-02-28 12:00:00 139,264 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\ieakeng.dll
- 2006-02-28 12:00:00 216,576 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\ieaksie.dll
- 2006-02-28 12:00:00 221,184 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w c:\windows\system32\ieapfltr.dat
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2006-02-28 12:00:00 323,584 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2006-02-28 12:00:00 81,920 ----a-w c:\windows\system32\ieencode.dll
+ 2007-08-13 23:45:18 78,336 ----a-w c:\windows\system32\ieencode.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
+ 2007-08-13 23:54:10 191,488 ----a-w c:\windows\system32\iepeers.dll
- 2006-02-28 12:00:00 48,640 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2006-02-28 12:00:00 62,976 ----a-w c:\windows\system32\iesetup.dll
+ 2007-08-13 23:39:12 55,296 ----a-w c:\windows\system32\iesetup.dll
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2007-08-13 23:54:10 180,736 ------w c:\windows\system32\ieui.dll
- 2006-02-28 12:00:00 35,840 ----a-w c:\windows\system32\imgutil.dll
+ 2007-08-13 23:36:06 36,352 ----a-w c:\windows\system32\imgutil.dll
- 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2007-08-13 23:39:02 92,672 ----a-w c:\windows\system32\inseng.dll
- 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
+ 2007-08-13 23:38:04 491,520 ----a-w c:\windows\system32\jscript.dll
- 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00:00 1,015,808 ----a-w c:\windows\system32\libeay32.dll
+ 2006-02-28 12:00:00 196,608 ----a-w c:\windows\system32\libssl32.dll
- 2006-02-28 12:00:00 22,016 ----a-w c:\windows\system32\licmgr10.dll
+ 2007-08-13 23:44:18 40,960 ----a-w c:\windows\system32\licmgr10.dll
+ 2009-02-03 20:21:14 21,244,864 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 23:36:40 12,288 ------w c:\windows\system32\msfeedssync.exe
- 2006-02-28 12:00:00 29,184 ----a-w c:\windows\system32\mshta.exe
+ 2007-08-13 23:32:30 45,568 ----a-w c:\windows\system32\mshta.exe
- 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ------w c:\windows\system32\mshtmled.dll
- 2006-02-28 12:00:00 56,832 ----a-w c:\windows\system32\mshtmler.dll
+ 2007-08-13 23:01:12 48,128 ----a-w c:\windows\system32\mshtmler.dll
- 2006-02-28 12:00:00 146,432 ----a-w c:\windows\system32\msls31.dll
+ 2007-08-13 23:54:10 156,160 ----a-w c:\windows\system32\msls31.dll
- 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\system32\mstime.dll
+ 2006-06-28 22:59:26 24,576 ------w c:\windows\system32\nlsdl.dll
+ 2006-06-29 13:05:44 23,552 ------w c:\windows\system32\normaliz.dll
- 2006-02-28 12:00:00 96,256 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\occache.dll
+ 2006-02-28 12:00:00 36,608 ----a-w c:\windows\system32\oxvpvacr.dat
- 2009-01-30 17:03:17 59,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-31 02:36:39 59,780 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-30 17:03:18 397,560 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-31 02:36:39 397,560 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ------w c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00:00 37,120 ----a-w c:\windows\system32\qjuwmckh.dat
- 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-10-26 03:36:51 8,454,656 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 ----a-w c:\windows\system32\shell32.dll
+ 2006-02-28 12:00:00 633,600 ----a-w c:\windows\system32\sjbmokub.dat
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-09-25 22:58:48 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 13:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2006-02-28 12:00:00 6,566,656 ----a-w c:\windows\system32\thnytlot.dat
- 2006-02-28 12:00:00 37,888 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-08-13 23:54:10 413,696 ----a-w c:\windows\system32\vbscript.dll
+ 2006-02-28 12:00:00 102,912 ----a-w c:\windows\system32\vydnlkp.dll
- 2006-02-28 12:00:00 49,152 ----a-w c:\windows\system32\wdigest.dll
+ 2006-03-24 04:37:50 49,152 ----a-w c:\windows\system32\wdigest.dll
- 2006-02-28 12:00:00 276,480 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 ----a-w c:\windows\system32\win32k.sys
+ 2007-08-13 23:45:16 206,336 ------w c:\windows\system32\WinFXDocObj.exe
- 2008-10-16 10:37:03 659,456 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
- 2007-06-12 04:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2006-02-28 12:00:00 50,944 ----a-w c:\windows\system32\wuqsjbab.dat
+ 2006-07-14 15:51:51 121,856 ------w c:\windows\system32\xmllite.dll
+ 2009-04-10 19:58:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_71c.dat
- 2002-09-11 04:00:00 233,472 ----a-w c:\windows\twain_32\epfb5\EsImFl.dll
+ 2002-09-11 05:00:00 233,472 ----a-w c:\windows\twain_32\epfb5\EsImFl.dll
- 2002-11-01 04:00:00 1,388,544 ----a-w c:\windows\twain_32\epfb5\ESTW5UI.dll
+ 2002-11-01 05:00:00 1,388,544 ----a-w c:\windows\twain_32\epfb5\ESTW5UI.dll
- 2002-06-17 04:00:00 102,400 ----a-w c:\windows\twain_32\epfb5\PMDDTW5.dll
+ 2002-06-17 05:00:00 102,400 ----a-w c:\windows\twain_32\epfb5\PMDDTW5.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-09-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Tgijemunajazeti"="c:\windows\ofinuhece.dll" [2007-03-08 158208]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli acmsder.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\the ship\\ship.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source beta\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\rollercoastergy\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\source sdk base\\hl2.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 gupdate1c9870b98610a3a;Google Update Service (gupdate1c9870b98610a3a);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aebedefe-2c04-11dd-8484-0010dcd13d87}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 20:22]

2009-04-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 17:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{437F6485-ECB2-453D-ABA1-FD2B6EA20D95} - c:\windows\system32\xedfnmw.dll
BHO-{D5BF49A0-94F3-42BD-F434-3604812C8955} - (no file)


.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\08zony13.default\
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\08zony13.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 15:58:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-776561741-839522115-1006\Software\SecuROM\License information*]
"datasecu"=hex:e0,3f,8d,a6,82,71,0e,0e,fd,b6,53,d4,eb,cd,ce,6b,b3,b2,df,df,63,
93,34,b9,45,62,16,a4,21,68,6f,d2,53,c5,84,0e,e7,65,15,ad,c4,9a,23,36,1e,0b,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\acmsder.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-10 16:04:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 20:04:03
ComboFix2.txt 2009-02-02 23:38:08
ComboFix3.txt 2009-02-01 22:50:26
ComboFix4.txt 2009-02-01 15:54:20
ComboFix5.txt 2009-04-10 19:51:42

Pre-Run: 41,348,788,224 bytes free
Post-Run: 42,149,138,432 bytes free

687 --- E O F --- 2009-03-12 02:30:25


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:04 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tgijemunajazeti] rundll32.exe "C:\WINDOWS\ofinuhece.dll",e
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9870b98610a3a) (gupdate1c9870b98610a3a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3924 bytes

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:07 AM

Posted 10 April 2009 - 03:44 PM

Do you know anything at all about the following folder? There are three instances of it in your 30-day list and I am fairly sure they are malware, but I wanted to ask if you knew anything about them before we start targeting them for removal.

2009-04-09 18:53 . 2009-04-09 18:53 <DIR> d-------- c:\documents and settings\Andrew\Application Data\yyraqdon


Let's also run these two files through Jotti and let them take a look.


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\windows\Sbosacupodo.dat
Click Submit.
Please post the results of this scan to this thread.

Do the same for c:\windows\Upafa.bin




Alternate site if Jotti's doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\Sbosacupodo.dat
Click Send.

Same for c:\windows\Upafa.bin

Please post the results of this scan to this thread.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 Bob The Chainsaw

Bob The Chainsaw
  • Topic Starter

  • Members
  • 32 posts
  • Local time:12:07 AM

Posted 10 April 2009 - 04:01 PM

I don't know what that folder is, sorry. But here are the scan results:
1st one
Scan taken on 10 Apr 2009 20:56:36 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

And for the second one it stated "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file". I'm willing to bet that's Malware.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:07 AM

Posted 10 April 2009 - 05:18 PM

Thanks. I'm sorry, I meant to include the following file also for checking with Jotti. I would appreciate it if you would run it as well.


c:\windows\acmsder.dll

#15 Bob The Chainsaw

Bob The Chainsaw
  • Topic Starter

  • Members
  • 32 posts
  • Local time:12:07 AM

Posted 11 April 2009 - 09:51 AM

Okay. Avast found Win32:Vupa but every other program found nothing.
