Fixed? Malwarebytes & HJT logs


  • This topic is locked
20 replies to this topic

#1 tysnowboard

tysnowboard

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 27 May 2009 - 12:42 AM

I got an infection on my system, and I had a number of problems: popups; the virus changed my desktop wallpaper; Google search would redirect to ads; it prevented explorer.exe from launching at startup, and I couldn't even do it manually through Task Manager; etc.
I ran Malwarebytes and the first attachment is the initial log I got.
I ran Malwarebytes again and kept getting a few things come up when I ran it. This is the second attachment.
explorer.exe wouldn't launch at this point, so...
I ran Wise Registry Cleaner; it seems to have worked, and Malwarebytes comes up with no items now.
I wanted to verify that my HijackThis log looks clean, to make sure that it's all gone. The third attachment is my HijackThis log.
Thanks for any help you can give me!

Attached Files





#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:37 PM

Posted 08 June 2009 - 09:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 tysnowboard

tysnowboard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 08 June 2009 - 08:00 PM

Hi,
Thank you for responding to my request. I think I have gotten rid of most of the symptoms of the malware I had. I am still experiencing one thing that I find strange. In the Processes tab of Task Manager I will sometimes see two instances of Iexplorer.exe running when I only have one window of it open. I will be browsing the internet, then it will click off of my window, and when I look in my Processes tab there will be two iexplorer.exe processes running.
Here are the DDS logs and a fresh HJT log.
Thanks for the help!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 17:42:58.21 on Mon 06/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.646 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
svchost
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchAssistant = hxxp://www.google.com/ie
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Internet Service: {3bebf2fe-7248-40e2-9752-8163eb6c4038} - c:\program files\applications\iebr.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [Diagnostic Manager] c:\windows\temp\617651884.exe
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199077325187
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: frmwgk.dll
STS: {8dc71747-ace0-40c1-8947-54f107d0639b} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\qze3jp95.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-19 11608]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-6-6 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-2 365448]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-19 55640]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-3-18 66048]
S1 552f0996;552f0996;c:\windows\system32\drivers\552f0996.sys --> c:\windows\system32\drivers\552f0996.sys [?]
S2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-19 108289]
S2 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-19 185089]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-11-27 194304]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-06-02 21:34 <DIR> --d----- c:\docume~1\compaq~1\applic~1\MailFrontier
2009-06-02 21:21 <DIR> --d----- c:\program files\Zone Labs
2009-05-26 22:13 <DIR> --d----- c:\program files\Trend Micro
2009-05-26 20:44 <DIR> --d----- c:\program files\Wise Registry Cleaner
2009-05-19 23:00 <DIR> --d----- c:\program files\Avira
2009-05-19 23:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-19 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\92786396
2009-05-19 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12776404

==================== Find3M ====================

2009-06-06 19:33 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-28 20:25 72,584 a------- c:\windows\zllsputility.exe
2009-05-28 20:25 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-19 21:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-19 21:13 182,656 -------- c:\windows\system32\dllcache\ndis.sys
2009-02-22 23:04 3,580 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat

============= FINISH: 17:44:55.84 ===============

Attached Files
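Reading a DDS "Pseudo HJT Report" block by hand is error-prone: several of the search-related values in the log above are hex-encoded, and the entries that matter most (the proxy on localhost:7171, the AppInit_DLLs entry, the dRun entry under c:\windows\temp, the DisableRegistryTools and NoFolderOptions policies) sit among dozens of benign ones. The following Python script is an added example, not part of the original post and not code from the DDS tool or BleepingComputer; it decodes the hex values and flags those entry types over a constructed subset of the log above. The rule set (which policies count as lockdown, what makes an autorun entry suspicious, the fixed "= " splitting) is the author's assumption about the log format, not a DDS convention.

```python
"""Triage helper for the 'Pseudo HJT Report' block of a DDS log.

Added example (not part of the original post, DDS, or BleepingComputer):
decodes hex-encoded values and flags the entry types a helper checks first.
The rule set below is the author's assumption, not a DDS convention.
"""
import re

# Constructed subset of the DDS log posted in this thread.
SAMPLE_DDS = r"""
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
TB: Internet Service: {3bebf2fe-7248-40e2-9752-8163eb6c4038} - c:\program files\applications\iebr.dll
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [Diagnostic Manager] c:\windows\temp\617651884.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: frmwgk.dll
"""

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
# Policies that hinder manual cleanup when set (illustrative list, not exhaustive).
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}


def decode_hex_value(value):
    """Return the printable ASCII text behind a hex-encoded value, else None."""
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    try:
        text = bytes.fromhex(v).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(text):
    """Return a list of (tag, detail) findings, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            key, _, val = line.partition(" = ")
            # Hex-encoded search/start-page values: decode so they can be read.
            decoded = decode_hex_value(val)
            if decoded is not None:
                findings.append(("hex-decoded", f"{key} = {decoded}"))
            # A proxy on localhost routes every browser request through a local
            # process; match it to a known product or treat it as a hijack.
            if key.endswith("ProxyServer") and val.strip():
                findings.append(("proxy", val.strip()))
            m = POLICY_RE.match(line)
            if m and m.group("name") in LOCKDOWN_POLICIES and m.group("val") != "0":
                findings.append(("policy", m.group("name")))
            continue
        # AppInit_DLLs is loaded into every process that links user32.dll.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit", line.split(":", 1)[1].strip()))
            continue
        # Autorun entries living under a temp directory or with an all-digit name.
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            base = re.split(r"[\\/]", cmd)[-1].lower()
            if "\\temp\\" in cmd.lower() or re.fullmatch(r"\d+\.exe", base):
                findings.append(("autorun", m.group("cmd")))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_DDS):
        print(f"{tag:12} {detail}")
```

Run as-is it prints six findings for the sample. Decoding shows the hex values are plain `http://www.google.com/` strings, so they are not the problem; the proxy, the AppInit_DLLs entry, the temp-directory autorun and the two lockdown policies are what to look at first. To use it on a full DDS log, pass the whole file contents to `triage()`.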



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:37 PM

Posted 09 June 2009 - 01:07 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: ComboFix prompt to install the Recovery Console]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: ComboFix message after the Recovery Console is installed]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    [screenshot: GMER warning window]
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with Combofix.txt and the Gmer log.

Thanks



#5 tysnowboard

tysnowboard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 10 June 2009 - 08:50 PM

I would like to try to clean out the computer without doing a full reformat and install of the OS.

I downloaded ComboFix and have the icon on my desktop. When I try to run it, it brings up the Windows Security Warning asking me if I want to run ComboFix; I will click Run, and it won't do anything. Should I go ahead and try to run GMER without having run ComboFix, or should I try something else?

Thank you,

Edited by tysnowboard, 10 June 2009 - 08:51 PM.


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:37 PM

Posted 10 June 2009 - 08:58 PM

Delete the copy of ComboFix you have, then try downloading and renaming it, then post back with the ComboFix and GMER logs.
If this still doesn't work, let me know.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

[screenshots: saving ComboFix under the new name Combo-Fix.exe]

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .



#7 tysnowboard

tysnowboard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 15 June 2009 - 01:26 AM

OK, that worked for ComboFix. Attached is the ComboFix log, and pasted in the message here is the GMER log.
Thanks

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-13 20:59:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF3EB6C30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF3EB34F0]
SSDT F7D87456 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF3EB7320]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF3ECB760]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF3ECB970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF3ED0310]
SSDT F7D8744C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF3EB7410]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF3EB3D20]
SSDT F7D8745B ZwDeleteKey
SSDT F7D87465 ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF3ECB0E0]
SSDT F7D8746A ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF3ECF5E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xF3ED0590]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF3EB3A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF3ECD070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF3ECCE30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF3ECFDD0]
SSDT F7D87474 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF3EB6840]
SSDT F7D8746F ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF3EB6E80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF3EB3F90]
SSDT F7D87460 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF3ECC0F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF3ECBF70]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [20, 73, EB, F3, 60, B7, EC, ...]
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3EBB8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3EB9C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3EBC010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3EBB6E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\prodrv06 \Device\ProDrv06 E1F42848
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E17E3358
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files



#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:37 PM

Posted 15 June 2009 - 12:57 PM

Hi tysnowboard, your ComboFix log looks like it has been edited or distorted. Can you please post that log again? Do not attach the log or any other logs unless I ask you to.

Thanks

Edited by syler, 15 June 2009 - 12:57 PM.



#9 tysnowboard

tysnowboard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 15 June 2009 - 11:17 PM

Hi, here is the ComboFix log; I hope this is what you need.
Thanks a lot for your help.

ComboFix 09-06-11.06 - Compaq_Owner 06/11/2009 17:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.585 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kungsfwxwhemuf.sys
c:\windows\system32\drivers\UACruwsqtepkknmlrv.sys
c:\windows\system32\UACcsxoxdnlhebirlw.dll
c:\windows\system32\UACimyogjimhbrddlq.dll
c:\windows\system32\UACjkvdoevmgpuldwe.dll
c:\windows\system32\UACnkdpwtfujovcxew.dll
c:\windows\system32\UACrownttrsalmlorg.dat
c:\windows\system32\UACtpntyicooduyifq.log
c:\windows\system32\UACwnersdmhylavfqo.log
c:\windows\system32\UACwwgyavhxyxvjdwy.dll
c:\windows\system32\UACwwvkvoahssmjsxt.log
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\drivers\kungsfwxwhemuf.sys
c:\windows\system32\drivers\UACruwsqtepkknmlrv.sys
c:\windows\system32\kungsflowbyqxn.dll
c:\windows\system32\kungsfsgxfrlwk.dat
c:\windows\system32\kungsfxumkbegv.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\UACcsxoxdnlhebirlw.dll
c:\windows\system32\UACimyogjimhbrddlq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjkvdoevmgpuldwe.dll
c:\windows\system32\UACnkdpwtfujovcxew.dll
c:\windows\system32\UACrownttrsalmlorg.dat
c:\windows\system32\UACtpntyicooduyifq.log
c:\windows\system32\UACwnersdmhylavfqo.log
c:\windows\system32\UACwwgyavhxyxvjdwy.dll
c:\windows\system32\UACwwvkvoahssmjsxt.log
c:\windows\system32\wbem\proquota.exe
c:\windows\Tasks\fqdbxajh.job
C:\xcrashdump.dat
D:\Autorun.inf
D:\Desktop.ini

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :thumbup2:
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_sfc
-------\Service_avast!Antivirus
-------\Service_kungsfrmehxlyf
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:41 . 2009-06-12 01:41 -------- d-----w- c:\windows\LastGood
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-12 01:14 . 2009-06-12 01:14 20992 ----a-w- c:\windows\system32\_SKYNETwsp.dll_.vir
2009-06-12 00:55 . 2009-06-12 04:58 7284512 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-10 14:14 . 2009-06-12 00:48 20992 ----a-w- c:\windows\system32\SKYNETwsp.dll
2009-06-10 14:14 . 2009-06-12 00:48 19968 ----a-w- c:\windows\system32\SKYNETrk.sys
2009-06-10 05:50 . 2009-06-12 00:48 53992 ----a-w- c:\windows\system32\SKYNETlog.dat
2009-06-07 02:29 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-07 02:29 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-06 02:53 . 2009-06-06 02:53 422 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM\socks1.exe
2009-06-06 02:53 . 2009-06-06 02:53 16141 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Azureus\lego.exe
2009-06-06 02:53 . 2009-06-06 02:53 145131 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Apple Computer\nomad.exe
2009-06-06 02:53 . 2009-06-06 02:53 13221 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Adobe\rengo.dll
2009-06-06 02:53 . 2009-06-06 02:53 11410 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\DivX\msgdi.dll
2009-06-06 02:53 . 2009-06-06 02:53 11232 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\acccore\shalom.exe
2009-06-06 02:53 . 2009-06-06 02:53 10121 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\GRETECH\kern.dll
2009-06-03 04:34 . 2009-06-03 04:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\MailFrontier
2009-06-03 04:22 . 2009-06-03 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-06-03 04:21 . 2009-06-07 02:33 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-03 04:21 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-03 04:21 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-03 04:21 . 2009-06-12 00:31 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-03 04:21 . 2009-06-03 04:21 -------- d-----w- c:\program files\Zone Labs
2009-06-03 04:20 . 2009-06-12 01:51 -------- d-----w- c:\windows\Internet Logs
2009-05-27 05:13 . 2009-05-27 05:13 -------- d-----w- c:\program files\Trend Micro
2009-05-27 03:44 . 2009-05-27 04:01 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-05-22 06:42 . 2008-04-13 23:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-22 06:42 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-22 06:42 . 2008-04-13 23:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-22 06:40 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-05-22 06:39 . 2001-08-17 20:28 765884 ----a-w- c:\windows\system32\dllcache\usrti.sys
2009-05-22 06:38 . 2001-08-18 05:36 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2009-05-22 06:37 . 2001-08-17 21:01 241664 ----a-w- c:\windows\system32\dllcache\tosdvd02.sys
2009-05-22 06:36 . 2001-08-17 20:50 103936 ----a-w- c:\windows\system32\dllcache\sx.sys
2009-05-22 06:35 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-05-22 06:34 . 2008-04-13 17:46 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2009-05-22 06:33 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-05-22 06:32 . 2001-08-17 19:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-05-22 06:31 . 2001-08-17 20:52 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2009-05-22 06:30 . 2001-08-17 21:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2009-05-22 06:29 . 2001-08-18 05:36 116736 ----a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-05-22 06:28 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-05-22 06:27 . 2008-04-13 17:39 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2009-05-22 06:26 . 2001-08-17 19:12 164586 ----a-w- c:\windows\system32\dllcache\mdgndis5.sys
2009-05-22 06:25 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-05-22 06:24 . 2001-08-17 21:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-05-22 06:23 . 2001-08-17 20:28 199711 ----a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2009-05-22 06:22 . 2008-04-13 17:45 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2009-05-22 06:21 . 2001-08-17 19:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2009-05-22 06:20 . 2001-08-17 19:20 334208 ----a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-05-22 06:19 . 2001-08-17 20:52 179584 ----a-w- c:\windows\system32\dllcache\dac2w2k.sys
2009-05-22 06:18 . 2001-08-17 21:05 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2009-05-22 06:17 . 2004-08-04 04:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-05-20 06:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-20 06:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-20 06:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-20 06:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\program files\Avira
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-20 04:12 . 2009-05-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\92786396
2009-05-20 04:12 . 2009-05-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\12776404

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 01:34 . 2009-06-12 00:55 52172 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-12 01:33 . 2009-06-12 01:35 341504 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-12 01:18 . 2004-08-04 05:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-11 07:46 . 2009-06-12 00:31 1683968 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-11 07:45 . 2009-06-12 00:31 2483200 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-10 05:50 . 2008-06-27 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-06 02:54 . 2009-06-06 02:55 2066432 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-06 00:56 . 2008-03-18 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 00:52 . 2005-12-25 16:47 78960 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 00:49 . 2009-04-02 05:15 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-03 03:25 . 2008-04-07 04:38 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\gtk-2.0
2009-05-22 00:41 . 2007-10-08 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-21 00:39 . 2008-08-27 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-02 21:56 . 2008-09-10 05:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-05-01 08:24 . 2008-09-10 05:45 -------- d-----w- c:\program files\Vuze
2009-04-06 22:32 . 2008-08-27 03:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-08-27 03:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2005-03-07 18:52 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.

------- Sigcheck -------

[7] 2004-08-04 05:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 !HASH: ERROR_LOCK_VIOLATION ! c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-09-03 00:41 . 2005-05-10 17:50 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2005-09-03 00:35 . 2005-09-03 00:35 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2005-03-04 09:40 . 2005-12-27 22:54 48800 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2005-02-25 22:34 . 2005-02-25 22:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe

2005-02-17 06:11 . 2005-02-17 06:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe

2005-09-03 00:48 . 2005-09-03 00:48 98304 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 23:18 . 2009-01-05 23:18 413696 c:\program files\QuickTime\QTTask.exe

2006-03-20 01:09 . 2006-03-20 01:09 100056 c:\program files\SymNetDrv\bak\SNDMon.exe

2004-08-04 05:00 . 2004-08-04 05:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 05:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-1-2 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-11-27 1261568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24227

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9138:TCP"= 9138:TCP:*:Disabled:BitComet 9138 TCP
"9138:UDP"= 9138:UDP:*:Disabled:BitComet 9138 UDP
"15799:TCP"= 15799:TCP:*:Disabled:BitComet 15799 TCP
"15799:UDP"= 15799:UDP:*:Disabled:BitComet 15799 UDP
"21315:TCP"= 21315:TCP:*:Disabled:BitComet 21315 TCP
"21315:UDP"= 21315:UDP:*:Disabled:BitComet 21315 UDP
"23778:TCP"= 23778:TCP:*:Disabled:BitComet 23778 TCP
"23778:UDP"= 23778:UDP:*:Disabled:BitComet 23778 UDP

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/18/2006 3:28 PM 66048]
S1 552f0996;552f0996;c:\windows\system32\drivers\552f0996.sys --> c:\windows\system32\drivers\552f0996.sys [?]
S2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 11:00 PM 108289]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [11/27/2007 7:55 PM 194304]
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-27 04:51]
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{8dc71747-ace0-40c1-8947-54f107d0639b} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\RtlGina2.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-12 22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 05:07

Pre-Run: 40,584,962,048 bytes free
Post-Run: 41,309,425,664 bytes free

270 --- E O F --- 2009-02-11 07:36

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 15 June 2009 - 11:33 PM

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case Azureus and BitComet). These programs allow files to be shared between users, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with great care. Some further reading on this subject, via the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Also

I can see that you have a registry cleaner program installed.
Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners / tools, due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the main audience here on this board may be inexperienced users, and is thus a suggested safeguard on our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix", and it is up to the user, so just take this as a recommendation from my side.



1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\_SKYNETwsp.dll_.vir
c:\windows\system32\SKYNETwsp.dll
c:\windows\system32\SKYNETrk.sys
c:\windows\system32\SKYNETlog.dat
c:\documents and settings\Compaq_Owner\Application Data\AdobeUM\socks1.exe
c:\documents and settings\Compaq_Owner\Application Data\Azureus\lego.exe
c:\documents and settings\Compaq_Owner\Application Data\Apple Computer\nomad.exe
c:\documents and settings\Compaq_Owner\Application Data\Adobe\rengo.dll
c:\documents and settings\Compaq_Owner\Application Data\DivX\msgdi.dll
c:\documents and settings\Compaq_Owner\Application Data\acccore\shalom.exe
c:\documents and settings\Compaq_Owner\Application Data\GRETECH\kern.dll

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\hp\drivers\hplsbwatcher\bak
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak
c:\program files\HP\HP Software Update\bak
c:\program files\QuickTime\bak
c:\program files\SymNetDrv\bak
c:\windows\system32\bak

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"SearchMigratedDefaultURL"=-
"Default_Search_URL"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyOverride"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"SearchMigratedDefaultURL"=-
"Search Bar"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
"SearchURL"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24227]

Driver::
552f0996

DirLook::
c:\documents and settings\All Users\Application Data\92786396
c:\documents and settings\All Users\Application Data\12776404

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
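The items the script above removes (the hex-encoded IE search values, the ProxyServer pointing at localhost:7171, the firewall exception for an svchost.exe under system32\drivers, and the 552f0996 driver whose file ComboFix could not find) are exactly what a helper picks out of the ComboFix log by hand. As an added example that is not part of this thread and not ComboFix code, here is a small Python triage helper that applies those checks to a constructed excerpt of the log; the regexes are written against the line formats seen in the log above, not any documented ComboFix grammar.

```python
import re
from typing import List, Optional

# Constructed excerpt of the ComboFix log posted in this thread (representative lines only).
SAMPLE_LOG = r"""
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/18/2006 3:28 PM 66048]
S1 552f0996;552f0996;c:\windows\system32\drivers\552f0996.sys --> c:\windows\system32\drivers\552f0996.sys [?]
"""

HEX_VALUE = re.compile(r"^[0-9a-fA-F]+$")
# Supplementary Scan lines: a scope letter (u = user hive, m = machine hive), a name, "=", a value.
SETTING_LINE = re.compile(r"^[um](\S[^=]*?)\s*=\s*(.+)$")
# Firewall AuthorizedApplications entries: a quoted, regedit-escaped path followed by "=".
AUTH_APP_LINE = re.compile(r'^"(.+)"=\s*$')
# Driver/service lines: "<S|R><start type> <name>;<display name>;<image path> ..."
SERVICE_LINE = re.compile(r"^([SR]\d) ([^;]+);([^;]*);(.*)$")
LOCAL_PROXY = re.compile(r"(localhost|127\.0\.0\.1):\d+")


def decode_hex_value(value: str) -> Optional[str]:
    """ComboFix prints binary IE search values as hex-encoded ASCII; decode them for review."""
    if not HEX_VALUE.match(value) or len(value) % 2:
        return None
    try:
        return bytes.fromhex(value).decode("ascii")
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return None


def triage(log_text: str) -> List[str]:
    """Return one finding per log line that a reviewer should look at."""
    findings: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SETTING_LINE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            decoded = decode_hex_value(value)
            if decoded is not None:
                # Decode before judging: here it is a benign Google URL, but it must be checked, not assumed.
                findings.append(f"{name}: hex-encoded value decodes to {decoded}")
            if name.endswith("ProxyServer") and LOCAL_PROXY.search(value):
                # A proxy on a local port means a resident component sits in the browser's traffic path.
                findings.append(f"{name}: browser traffic proxied through a local port ({value})")
            continue

        m = AUTH_APP_LINE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\").lower()
            # The genuine svchost.exe lives directly in system32; a copy anywhere else is an impostor
            # that has been whitelisted through the Windows Firewall.
            if path.endswith("svchost.exe") and not path.endswith("\\system32\\svchost.exe"):
                findings.append(f"firewall exception for svchost.exe outside system32: {path}")
            continue

        m = SERVICE_LINE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            if re.fullmatch(r"[0-9a-f]{8}", name):
                findings.append(f"service {name} ({start}): random-looking eight-hex-digit name")
            if rest.rstrip().endswith("[?]"):
                # ComboFix prints "-->" and "[?]" when it cannot find the referenced image file.
                findings.append(f"service {name}: image file could not be located ([?])")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```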



#11 tysnowboard

tysnowboard
  • Topic Starter

  • Members
  • 10 posts

Posted 16 June 2009 - 01:27 AM

OK, so I dragged CFScript.txt onto Combo-Fix.exe. Here is the new ComboFix log.


ComboFix 09-06-11.06 - Compaq_Owner 06/15/2009 23:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Compaq_Owner\Application Data\acccore\shalom.exe"
"c:\documents and settings\Compaq_Owner\Application Data\Adobe\rengo.dll"
"c:\documents and settings\Compaq_Owner\Application Data\AdobeUM\socks1.exe"
"c:\documents and settings\Compaq_Owner\Application Data\Apple Computer\nomad.exe"
"c:\documents and settings\Compaq_Owner\Application Data\Azureus\lego.exe"
"c:\documents and settings\Compaq_Owner\Application Data\DivX\msgdi.dll"
"c:\documents and settings\Compaq_Owner\Application Data\GRETECH\kern.dll"
"c:\windows\system32\_SKYNETwsp.dll_.vir"
"c:\windows\system32\SKYNETlog.dat"
"c:\windows\system32\SKYNETrk.sys"
"c:\windows\system32\SKYNETwsp.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\hp\drivers\hplsbwatcher\bak
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak
c:\program files\HP\HP Software Update\bak
c:\program files\QuickTime\bak
c:\program files\SymNetDrv\bak
c:\windows\system32\bak
c:\documents and settings\Compaq_Owner\Application Data\acccore\shalom.exe
c:\documents and settings\Compaq_Owner\Application Data\Adobe\rengo.dll
c:\documents and settings\Compaq_Owner\Application Data\AdobeUM\socks1.exe
c:\documents and settings\Compaq_Owner\Application Data\Apple Computer\nomad.exe
c:\documents and settings\Compaq_Owner\Application Data\Azureus\lego.exe
c:\documents and settings\Compaq_Owner\Application Data\DivX\msgdi.dll
c:\documents and settings\Compaq_Owner\Application Data\GRETECH\kern.dll
c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\SymNetDrv\bak\SNDMon.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\SKYNETlog.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_552f0996


((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-12 01:41 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-12 00:55 . 2009-06-16 06:17 29503520 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-07 02:29 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-07 02:29 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-03 04:34 . 2009-06-03 04:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\MailFrontier
2009-06-03 04:22 . 2009-06-03 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-06-03 04:21 . 2009-06-07 02:33 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-03 04:21 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-03 04:21 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-03 04:21 . 2009-06-13 03:52 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-03 04:21 . 2009-06-03 04:21 -------- d-----w- c:\program files\Zone Labs
2009-06-03 04:20 . 2009-06-16 06:01 -------- d-----w- c:\windows\Internet Logs
2009-05-27 05:13 . 2009-05-27 05:13 -------- d-----w- c:\program files\Trend Micro
2009-05-27 03:44 . 2009-05-27 04:01 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-05-22 06:42 . 2008-04-13 23:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-22 06:42 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-22 06:42 . 2008-04-13 23:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-22 06:40 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-05-22 06:39 . 2001-08-17 20:28 765884 ----a-w- c:\windows\system32\dllcache\usrti.sys
2009-05-22 06:38 . 2001-08-18 05:36 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2009-05-22 06:37 . 2001-08-17 21:01 241664 ----a-w- c:\windows\system32\dllcache\tosdvd02.sys
2009-05-22 06:36 . 2001-08-17 20:50 103936 ----a-w- c:\windows\system32\dllcache\sx.sys
2009-05-22 06:35 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-05-22 06:34 . 2008-04-13 17:46 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2009-05-22 06:33 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-05-22 06:32 . 2001-08-17 19:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-05-22 06:31 . 2001-08-17 20:52 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2009-05-22 06:30 . 2001-08-17 21:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2009-05-22 06:29 . 2001-08-18 05:36 116736 ----a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-05-22 06:28 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-05-22 06:27 . 2008-04-13 17:39 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2009-05-22 06:26 . 2001-08-17 19:12 164586 ----a-w- c:\windows\system32\dllcache\mdgndis5.sys
2009-05-22 06:25 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-05-22 06:24 . 2001-08-17 21:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-05-22 06:23 . 2001-08-17 20:28 199711 ----a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2009-05-22 06:22 . 2008-04-13 17:45 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2009-05-22 06:21 . 2001-08-17 19:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2009-05-22 06:20 . 2001-08-17 19:20 334208 ----a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-05-22 06:19 . 2001-08-17 20:52 179584 ----a-w- c:\windows\system32\dllcache\dac2w2k.sys
2009-05-22 06:18 . 2001-08-17 21:05 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2009-05-22 06:17 . 2004-08-04 04:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-05-20 06:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-20 06:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-20 06:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-20 06:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\program files\Avira
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-20 04:12 . 2009-05-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\92786396
2009-05-20 04:12 . 2009-05-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\12776404

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\12776404 ----

2009-05-20 04:12 . 2009-05-20 04:12 64784 ----a-w- c:\documents and settings\All Users\Application Data\12776404\12776404.glu

---- Directory of c:\documents and settings\All Users\Application Data\92786396 ----



((((((((((((((((((((((((((((( SnapShot@2009-06-12_04.55.31 )))))))))))))))))))))))))))))))))))))))))
+ 2009-06-12 10:07 . 2009-06-12 10:07 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-06-07 02:29 . 2009-06-13 03:52 12555154 c:\windows\system32\ZoneLabs\spyware.dat
+ 2006-10-17 05:43 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
+ 2009-06-03 05:57 . 2009-06-16 02:19 443941376 c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-1-2 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-11-27 1261568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9138:TCP"= 9138:TCP:*:Disabled:BitComet 9138 TCP
"9138:UDP"= 9138:UDP:*:Disabled:BitComet 9138 UDP
"15799:TCP"= 15799:TCP:*:Disabled:BitComet 15799 TCP
"15799:UDP"= 15799:UDP:*:Disabled:BitComet 15799 UDP
"21315:TCP"= 21315:TCP:*:Disabled:BitComet 21315 TCP
"21315:UDP"= 21315:UDP:*:Disabled:BitComet 21315 UDP
"23778:TCP"= 23778:TCP:*:Disabled:BitComet 23778 TCP
"23778:UDP"= 23778:UDP:*:Disabled:BitComet 23778 UDP

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/18/2006 3:28 PM 66048]
S2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 11:00 PM 108289]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [11/27/2007 7:55 PM 194304]
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-27 04:51]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 23:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\RtlGina2.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-16 23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 06:22

Pre-Run: 45,191,938,048 bytes free
Post-Run: 45,472,419,840 bytes free

587 --- E O F --- 2009-06-13 10:04

#12 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 June 2009 - 04:10 PM

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\92786396
c:\documents and settings\All Users\Application Data\12776404

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"SearchMigratedDefaultURL"=-
"Default_Search_URL"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyOverride"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"SearchMigratedDefaultURL"=-
"Search Bar"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
"SearchURL"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then navigate to this file C:\Qoobox\Add-Remove Programs.txt and post back with the contents of it.

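The first ComboFix log above lists several IE search values as runs of hex bytes and a ProxyServer of http=localhost:7171, which routes the browser's HTTP through a process on the machine itself; that alone is consistent with the Google redirects reported in the opening post. The Python below is an added example for this thread, not code from ComboFix or from the helper: it decodes the hex (every one of them reads http://www.google.com/, so the odd storage rather than the destination is what stands out), flags the loopback proxy together with its ProxyOverride bypass list, and renders the result in the Registry:: form of the CFScript in the post above. The mapping from ComboFix's u/m prefixes and value names to registry keys is an assumption lifted from that script, and the sample lines are copied from the log.

```python
"""Decode and triage the Internet Explorer entries ComboFix lists under
'Supplementary Scan', then render the matching CFScript Registry:: block.
Added example for this thread, not ComboFix code."""
import re

# Constructed sample: lines copied from the first ComboFix log in this thread,
# plus the benign HP ShellNext line to show that unmapped entries are skipped.
SAMPLE_LOG = """\
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
"""

HIVE = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}  # ComboFix prefixes

# Registry key behind each logged name. Assumption: taken from the key paths in
# the helper's CFScript above, not from ComboFix documentation.
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
IE_ROOT = r"Software\Microsoft\Internet Explorer"
INET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
KEY_FOR = {"SearchMigratedDefaultURL": IE_MAIN, "Default_Search_URL": IE_MAIN,
           "Search Bar": IE_MAIN, "SearchURL": IE_ROOT,
           "Internet Settings": INET_SETTINGS}

HEX_RUN_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
LOCAL_PROXY_RE = re.compile(r"\b(?:localhost|127\.0\.0\.1):\d+", re.IGNORECASE)
LINE_RE = re.compile(r"^([um])([^,=]+?)(?:,([^=]+?))?\s*=\s*(.*)$")


def decode_value(raw):
    """Return (text, was_hex). ComboFix prints a value it cannot show as text
    as one run of hex bytes, and defangs URLs as hxxp; undo both. A genuine
    all-hex string would also be decoded, an acceptable triage false positive."""
    raw = raw.strip()
    if HEX_RUN_RE.match(raw):
        return bytes.fromhex(raw).decode("latin-1"), True
    return raw.replace("hxxp://", "http://"), False


def parse_line(line):
    """'uInternet Settings,ProxyServer = http=localhost:7171' ->
    (hive, key path, value name, raw value); None if the name has no mapping."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hive, name, sub, raw = m.groups()
    key = KEY_FOR.get(name.strip())
    if key is None:
        return None
    return HIVE[hive], key, (sub or name).strip(), raw.strip()


def triage(log_text):
    """Return (hive, key, value name, reason) for every entry worth removing."""
    entries = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            text, was_hex = decode_value(parsed[3])
            entries.append((*parsed[:3], text, was_hex))
    # A proxy on the loopback interface puts a local process between IE and the
    # network, which by itself accounts for search results being redirected.
    hijacked = {(h, k) for h, k, n, t, _ in entries
                if n == "ProxyServer" and LOCAL_PROXY_RE.search(t)}
    findings = []
    for hive, key, name, text, was_hex in entries:
        if (hive, key) in hijacked and name == "ProxyServer":
            findings.append((hive, key, name, f"HTTP proxied to a local port: {text}"))
        elif (hive, key) in hijacked and name == "ProxyOverride":
            findings.append((hive, key, name, "bypass list of the hijacked proxy; remove together"))
        elif was_hex:
            findings.append((hive, key, name, f"stored as raw bytes; decodes to {text!r}"))
    return findings


def cfscript_registry_section(findings):
    """Render findings as a CFScript Registry:: block. In REGEDIT4 syntax
    "name"=- deletes that value, the form used in the helper's script."""
    by_key = {}
    for hive, key, name, _ in findings:
        by_key.setdefault(f"[{hive}\\{key}]", []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(key)
        lines.extend(f'"{n}"=-' for n in dict.fromkeys(names))  # dedupe, keep order
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hive, key, name, reason in found:
        print(f"{hive}\\{key} :: {name}: {reason}")
    print("\n" + cfscript_registry_section(found))
```

Run as-is, it prints seven findings and a Registry:: block whose entries match, value for value, the one the helper posted; the only logged entry it leaves alone is the HKCU SearchURL (Default), which ComboFix showed as a plain Google search string. The Folder:: entries of the CFScript come from elsewhere in the log and are not derived here.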


#13 tysnowboard
  • Topic Starter
  • Members
  • 10 posts

Posted 18 June 2009 - 01:21 AM

Here is the new ComboFix log:


ComboFix 09-06-17.02 - Compaq_Owner 06/17/2009 23:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.698 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12776404
c:\documents and settings\All Users\Application Data\92786396
c:\documents and settings\All Users\Application Data\12776404\12776404.glu

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-12 01:41 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-12 01:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-12 00:55 . 2009-06-18 06:16 31636000 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-07 02:29 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-07 02:29 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-03 04:34 . 2009-06-03 04:34 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\MailFrontier
2009-06-03 04:22 . 2009-06-03 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-06-03 04:21 . 2009-06-17 00:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-03 04:21 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-03 04:21 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-03 04:21 . 2009-06-17 01:14 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-03 04:21 . 2009-06-03 04:21 -------- d-----w- c:\program files\Zone Labs
2009-06-03 04:20 . 2009-06-18 01:25 -------- d-----w- c:\windows\Internet Logs
2009-05-27 05:13 . 2009-05-27 05:13 -------- d-----w- c:\program files\Trend Micro
2009-05-27 03:44 . 2009-05-27 04:01 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-05-22 06:42 . 2008-04-13 23:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-22 06:42 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-22 06:42 . 2008-04-13 23:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-22 06:40 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-05-22 06:39 . 2001-08-17 20:28 765884 ----a-w- c:\windows\system32\dllcache\usrti.sys
2009-05-22 06:38 . 2001-08-18 05:36 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2009-05-22 06:37 . 2001-08-17 21:01 241664 ----a-w- c:\windows\system32\dllcache\tosdvd02.sys
2009-05-22 06:36 . 2001-08-17 20:50 103936 ----a-w- c:\windows\system32\dllcache\sx.sys
2009-05-22 06:35 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-05-22 06:34 . 2008-04-13 17:46 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2009-05-22 06:33 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-05-22 06:32 . 2001-08-17 19:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-05-22 06:31 . 2001-08-17 20:52 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2009-05-22 06:30 . 2001-08-17 21:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2009-05-22 06:29 . 2001-08-18 05:36 116736 ----a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-05-22 06:28 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-05-22 06:27 . 2008-04-13 17:39 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2009-05-22 06:26 . 2001-08-17 19:12 164586 ----a-w- c:\windows\system32\dllcache\mdgndis5.sys
2009-05-22 06:25 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-05-22 06:24 . 2001-08-17 21:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-05-22 06:23 . 2001-08-17 20:28 199711 ----a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2009-05-22 06:22 . 2008-04-13 17:45 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2009-05-22 06:21 . 2001-08-17 19:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2009-05-22 06:20 . 2001-08-17 19:20 334208 ----a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-05-22 06:19 . 2001-08-17 20:52 179584 ----a-w- c:\windows\system32\dllcache\dac2w2k.sys
2009-05-22 06:18 . 2001-08-17 21:05 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2009-05-22 06:17 . 2004-08-04 04:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-05-20 06:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-20 06:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-20 06:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-20 06:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\program files\Avira
2009-05-20 06:00 . 2009-05-20 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 03:16 . 2008-06-27 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-17 07:59 . 2009-06-12 00:55 406532 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-16 06:06 . 2006-03-20 01:09 -------- d-----w- c:\program files\SymNetDrv
2009-06-16 06:06 . 2005-09-03 00:48 -------- d-----w- c:\program files\QuickTime
2009-06-16 06:06 . 2005-09-03 01:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-16 06:05 . 2008-09-15 05:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GRETECH
2009-06-16 06:05 . 2007-11-10 20:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DivX
2009-06-16 06:05 . 2008-09-10 05:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Azureus
2009-06-16 06:05 . 2006-05-08 05:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
2009-06-16 06:05 . 2005-12-25 16:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2009-06-16 06:05 . 2007-10-08 05:05 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\acccore
2009-06-13 10:03 . 2008-03-18 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 01:35 . 2009-06-12 05:08 8704 ----a-w- c:\windows\Internet Logs\xDB2D.tmp
2009-06-12 01:33 . 2009-06-12 01:35 341504 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-12 01:18 . 2004-08-04 05:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-11 07:46 . 2009-06-12 00:31 1683968 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-11 07:45 . 2009-06-12 00:31 2483200 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-06 02:54 . 2009-06-06 02:55 2066432 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-06 00:52 . 2005-12-25 16:47 78960 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 00:49 . 2009-04-02 05:15 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-03 03:25 . 2008-04-07 04:38 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\gtk-2.0
2009-05-21 00:39 . 2008-08-27 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 08:24 . 2008-09-10 05:45 -------- d-----w- c:\program files\Vuze
2009-04-29 04:56 . 2004-08-04 05:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 05:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 22:32 . 2008-08-27 03:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-08-27 03:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-06-16_06.16.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-07 02:33 . 2009-06-18 06:05 106624 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-06-07 02:29 . 2009-06-17 01:14 12673978 c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-1-2 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-11-27 1261568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9138:TCP"= 9138:TCP:*:Disabled:BitComet 9138 TCP
"9138:UDP"= 9138:UDP:*:Disabled:BitComet 9138 UDP
"15799:TCP"= 15799:TCP:*:Disabled:BitComet 15799 TCP
"15799:UDP"= 15799:UDP:*:Disabled:BitComet 15799 UDP
"21315:TCP"= 21315:TCP:*:Disabled:BitComet 21315 TCP
"21315:UDP"= 21315:UDP:*:Disabled:BitComet 21315 UDP
"23778:TCP"= 23778:TCP:*:Disabled:BitComet 23778 TCP
"23778:UDP"= 23778:UDP:*:Disabled:BitComet 23778 UDP

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/18/2006 3:28 PM 66048]
S2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 11:00 PM 108289]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [11/27/2007 7:55 PM 194304]
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-27 04:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\RtlGina2.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-18 23:18
ComboFix-quarantined-files.txt 2009-06-18 06:18
ComboFix2.txt 2009-06-16 06:22

Pre-Run: 45,519,310,848 bytes free
Post-Run: 45,504,385,024 bytes free

187 --- E O F --- 2009-06-13 10:04

#14 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 June 2009 - 04:44 PM

Then navigate to this file C:\Qoobox\Add-Remove Programs.txt and post back with the contents of it.


How about this?



#15 tysnowboard
  • Topic Starter
  • Members
  • 10 posts

Posted 18 June 2009 - 08:36 PM

I saw that I forgot to add that log in when I was at work today...
Here it is.

2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware 2007
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Age of Empires III
Agere Systems PCI Soft Modem
AIM 6
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
AutoUpdate
Canon iP1600
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Click-N-Type
CPUKILLER 2.05
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Easy-WebPrint
EVGA Display Driver
Fallout
GIMP 2.4.5
GOM Player
Google Earth
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Image Zone Express
HP Software Update
HpSdpAppCoreApp
Indeo® software
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
Jahshaka
Kate's Video Converter 3.0.2
LimeWire 4.12.6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Flight Simulator X
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.13)
Mozilla Firefox (3.0.6)
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
msxml4
Notepad++
NVIDIA Drivers
Nvu 1.0
OpenLibraries
Password Keychain 1.0
Pictomio
QuickTime
RealPlayer
Roll
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sid Meier's SimGolf
Ski Resort Tycoon 2
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SuperMegaSpoof 2.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
Vuze
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Wise Registry Cleaner 4 Free 4.4
WordBiz version 1.8
World of Warcraft
XviD 1.1 final uninstall
ZoneAlarm Security Suite
