Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Troj/Rustok-N


  • This topic is locked This topic is locked
15 replies to this topic

#1 Lee Fried

Lee Fried

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 20 June 2009 - 12:15 PM

Some sites (yes porn) say I have this malware on my computer. I've run Ad-Aware, but couldn't update it. I ran Malwarebytes' Anti-Malware full scan and removed all infections. I can't access any other antivirus sites and my updates don't work. I have to run the computer in safe mode or I get a svchost.exe must be terminated error that never goes away.

Help?

Attached Files


Edited by Lee Fried, 20 June 2009 - 12:16 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:37 PM

Posted 25 June 2009 - 03:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 Lee Fried

Lee Fried
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 25 June 2009 - 06:17 PM

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Administrator at 18:16:13.34 on Thu 06/25/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3319.2726 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193014128151
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193014123135
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 TucbDriverV32;TucbDriverV32;c:\windows\system32\drivers\TucbDriverV32.sys [2008-3-23 506496]
S3 TucbVideo32;TucbVideo32;c:\windows\system32\drivers\TucbVideo32.sys [2008-3-23 3768]

=============== Created Last 30 ================

2009-06-25 10:19 5,485 a------- c:\windows\9094a5dwarz2269.bin
2009-06-25 01:04 12,567 a------- c:\windows\system32\z12abackdo9r16415.bin
2009-06-23 22:54 10,510 a------- c:\windows\system32\24284hack95ol7za.ocx
2009-06-21 21:56 12,968 a------- c:\windows\system32\5f75th5ez1029.exe
2009-06-21 12:09 14,774 a------- c:\windows\system32\6ez75ir294.ocx
2009-06-21 03:08 16,835 a------- c:\windows\6f50s9ywarez723.bin
2009-06-20 14:38 3,290 a------- c:\windows\9z62thr5at13381.dll
2009-06-20 13:08 61,440 a------- c:\windows\system32\drivers\whlimjeu.sys
2009-06-20 10:59 <DIR> --d----- c:\program files\Trend Micro
2009-06-20 10:05 17,179 a------- c:\windows\16713zpam59t2ed.cpl
2009-06-20 06:26 5,198 a------- c:\windows\system32\18696not-a-viru55zc.bin
2009-06-20 01:30 16,225 a------- c:\windows\7cz9ir531.cpl
2009-06-20 00:27 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-20 00:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 00:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-20 00:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-17 19:34 17,838 a------- c:\windows\z728s9y71d5.ocx
2009-06-13 23:48 14,178 a------- c:\windows\151z6spambot4569.exe
2009-06-13 23:17 2,641 a------- c:\windows\system32\17067spam5ot69z9.cpl
2009-06-13 15:19 10,211 a------- c:\windows\a31s9arze598.exe
2009-06-12 20:01 12,110 a------- c:\windows\system32\23a2downloa5ez979.exe
2009-06-09 17:21 5,559 a------- c:\windows\system32\6z14a5dware2978.exe
2009-06-08 11:31 9,944 a------- c:\windows\743spar9e5988z.bin
2009-06-02 08:49 14,557 a------- c:\windows\system32\71sz5609.ocx
2009-06-02 04:38 5,002 a------- c:\windows\system32\z9e5th5eat29897.bin
2009-05-28 01:29 11,904 a------- c:\windows\3195wormz85.ocx
2009-05-27 20:30 13,641 a------- c:\windows\3a33d5wnlza9er3159.cpl
2009-05-27 19:36 16,916 a------- c:\windows\8z58spamb9t525.exe
2009-05-27 08:34 15,605 a------- c:\windows\3c96backdoor2995z.bin
2009-05-26 23:43 8,243 a------- c:\windows\system32\1ebz9p5ware1222.exe

==================== Find3M ====================

2009-05-25 01:40 4,868 a------- c:\windows\z291addwa5e1971.dll
2009-05-23 18:56 14,062 a------- c:\windows\system32\28586sp9mboz5d2.exe
2009-05-23 07:03 5,170 a------- c:\windows\system32\2449hacktool55z.dll
2009-05-23 02:07 16,872 a------- c:\windows\2d0zaddwa9e3915.bin
2009-05-19 11:17 8,722 a------- c:\windows\5871szam9ot36e.exe
2009-05-19 06:24 10,022 a------- c:\windows\system32\13661not-a9viruz45f.dll
2009-05-18 17:10 3,889 a------- c:\windows\system32\92145szambo570c.dll
2009-05-17 13:05 15,725 a------- c:\windows\74a59ir30z0.dll
2009-05-16 04:13 3,286 a------- c:\windows\15919ackzoor750.exe
2009-05-16 00:59 15,077 a------- c:\windows\system32\19572not-a-viruz157.exe
2009-05-15 09:20 14,462 a------- c:\windows\system32\84zvir9425.bin
2009-05-08 13:12 17,027 a------- c:\windows\system32\309z6troj6945.dll
2009-05-07 06:59 18,345 a------- c:\windows\system32\957thie5z09.exe
2009-04-27 22:48 18,061 a------- c:\windows\system32\9c55bzckdoor2553.bin
2009-04-23 18:53 3,471 a------- c:\windows\359dthreat2z559.exe
2009-04-23 02:09 8,084 a------- c:\windows\system32\6119s95zfe.bin
2009-04-18 18:26 7,695 a------- c:\windows\9fb3azdware395.exe
2009-04-18 15:04 3,767 a------- c:\windows\5f1cvi9500z.bin
2009-04-18 02:52 17,682 a------- c:\windows\system32\15083sz93a2.dll
2009-04-17 03:22 15,431 a------- c:\windows\5584spy29z9.exe
2009-04-14 00:35 13,977 a------- c:\windows\5f25sp9rsz838.dll
2009-04-11 04:02 9,908 a------- c:\windows\system32\140astealz5159.dll
2009-04-06 04:38 17,519 a------- c:\windows\15401hack5ool409z.bin
2009-04-03 08:16 5,346 a------- c:\windows\system32\95c0st5al16z.exe
2009-04-02 04:27 9,707 a------- c:\windows\system32\1zfdthreat31159.exe
2009-03-28 15:36 17,931 a------- c:\windows\system32\z9452hackt5o9452.exe
2009-01-20 13:01 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-01-20 13:01 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-20 13:01 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:17:03.82 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 26 June 2009 - 05:47 PM

Hi Lee Fried,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 26 June 2009 - 05:54 PM

Hi Lee Fried,

There's plenty of malware files in the log.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Then

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 Lee Fried

Lee Fried
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 28 June 2009 - 12:48 AM

ComboFix 09-06-26.02 - Administrator 06/27/2009 15:25.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3319.2967 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\103z49irus3e15.bin
c:\windows\10741tro59bz.cpl
c:\windows\10997spyz5.ocx
c:\windows\11591sp9mbotzce5.exe
c:\windows\12759spy1f9z.bin
c:\windows\133895orm4z9.exe
c:\windows\1389stea53z72.ocx
c:\windows\13936v5rzs6ee.exe
c:\windows\13ebs9e5lz493.dll
c:\windows\1408sz9rs5594.exe
c:\windows\14257sz9mbo5773.bin
c:\windows\144555orm9zf.exe
c:\windows\1463z9r5j1f2.ocx
c:\windows\14f2sza9se32525.ocx
c:\windows\151z6spambot4569.exe
c:\windows\152z5parse19909.cpl
c:\windows\153aaddware9207z.ocx
c:\windows\15401hack5ool409z.bin
c:\windows\15919ackzoor750.exe
c:\windows\1599zspa5bot5bb.bin
c:\windows\15z1sp9ware511.cpl
c:\windows\15z95spa59ot85.ocx
c:\windows\1661ba9kzoo52062.cpl
c:\windows\1669a5dwzre468.dll
c:\windows\16713zpam59t2ed.cpl
c:\windows\17306no5-a-vzr9s6f7.bin
c:\windows\17z23not-a-v9r5s1f0.exe
c:\windows\18z69t9o511e.ocx
c:\windows\19035worm3zb.ocx
c:\windows\19122not-azv5rus911.ocx
c:\windows\19191t5oj338z.cpl
c:\windows\192105p9z53.dll
c:\windows\19418ha9ktozl5035.dll
c:\windows\19573virus23z.cpl
c:\windows\19942zpy552.ocx
c:\windows\19cfthrzat4357.bin
c:\windows\1b51t5rzat20916.bin
c:\windows\1b9adzwnloader9501.ocx
c:\windows\1bz9addwa5e219.bin
c:\windows\1cb1addwzr921605.bin
c:\windows\1d199ack5oor8z3.cpl
c:\windows\1f68bac9do5z414.exe
c:\windows\1ff95hre9z10955.cpl
c:\windows\1z0445py398.bin
c:\windows\1z104not-a-vi59s225.ocx
c:\windows\1z22not-a5virus2bb9.dll
c:\windows\20573zirus7c69.dll
c:\windows\20728w5rmzcf9.cpl
c:\windows\2099addwzre151.dll
c:\windows\210575zrus169.cpl
c:\windows\211115irus1z9.exe
c:\windows\214z4n5t-9-virus43e.cpl
c:\windows\21b45parse29z9.exe
c:\windows\22085t5oz796.dll
c:\windows\22898zr5j1ba.cpl
c:\windows\231zaddware295.bin
c:\windows\23279not-a5zirus1d9.dll
c:\windows\234519azktoolbf.bin
c:\windows\23465spy9z8.dll
c:\windows\2399zspamb5t68c.dll
c:\windows\24235spz279.ocx
c:\windows\2509znot-a-virus5385.cpl
c:\windows\25436not-a9zirus11d.dll
c:\windows\25491spzmb9t7bd.exe
c:\windows\25583troz596.exe
c:\windows\255cbackd9or595z.exe
c:\windows\25966notza-virus19.ocx
c:\windows\259cad5ware2532z.bin
c:\windows\2610d5wnl9adzr1649.dll
c:\windows\26464h9cktozl785.dll
c:\windows\264945ot-a-zir9s604.ocx
c:\windows\2672addzare5918.bin
c:\windows\269375roj42z.cpl
c:\windows\26999zroj4da5.exe
c:\windows\2752hackzool3e9.dll
c:\windows\27a9ad5ware1z76.cpl
c:\windows\27ezthie510299.cpl
c:\windows\2878895zj85.dll
c:\windows\28989hacktzol4085.bin
c:\windows\29376wormza5.exe
c:\windows\2950sparse19z6.exe
c:\windows\2953dzwnloader1359.ocx
c:\windows\29669zo9mc5.exe
c:\windows\299z2hacktool955.bin
c:\windows\2b5dbac9dozr5723.cpl
c:\windows\2b6fd9wnloadzr5950.exe
c:\windows\2d0zaddwa9e3915.bin
c:\windows\2dz6spywar54209.cpl
c:\windows\2e9th5zf16739.exe
c:\windows\2f38backdo9r2536z.cpl
c:\windows\2fa5spzwa5e992.bin
c:\windows\2z285virusa89.bin
c:\windows\2z585hacktool1f9.bin
c:\windows\2z875vir9s70.exe
c:\windows\2z8995py3a7.ocx
c:\windows\2z95vi5us7a0.exe
c:\windows\30265sz9mbot77a.bin
c:\windows\305b9pazse18725.cpl
c:\windows\3089z5roj632.cpl
c:\windows\309519zrm368.dll
c:\windows\30955s9y3cz.dll
c:\windows\30z98vir5s3f9.cpl
c:\windows\31444not5a-virus9z5.bin
c:\windows\3195wormz85.ocx
c:\windows\31b5sparse94z4.cpl
c:\windows\32295ddwzre492.exe
c:\windows\32305zirus759.bin
c:\windows\32471not9a-vi5us46z.ocx
c:\windows\32587viruz499.bin
c:\windows\32587wzrm239.cpl
c:\windows\330zdow9loader17295.dll
c:\windows\3395sparse2z8.bin
c:\windows\3459viz2925.exe
c:\windows\359dthreat2z559.exe
c:\windows\36959ot-a-virus1d7z.exe
c:\windows\3774vi59z26c.exe
c:\windows\37f5spyz59e1320.exe
c:\windows\38cfzteal2579.cpl
c:\windows\39235no5-a-virus8z.bin
c:\windows\3995spyzar91634.ocx
c:\windows\39b15zief373.ocx
c:\windows\3a33d5wnlza9er3159.cpl
c:\windows\3c96backdoor2995z.bin
c:\windows\3eb4spy9az53059.ocx
c:\windows\3ef9spzrse15875.bin
c:\windows\3z190wor569.ocx
c:\windows\4053spar9e17z.bin
c:\windows\415thiefz5309.ocx
c:\windows\4188thi9f20z5.exe
c:\windows\41a9stea51669z.ocx
c:\windows\41acb95kdoor271z.ocx
c:\windows\41z9t9reat71085.bin
c:\windows\4232hzc9too5676.dll
c:\windows\42d9thief52z.cpl
c:\windows\4392v9r2155z.dll
c:\windows\445bdownlo9dez5976.bin
c:\windows\44d05iz2169.ocx
c:\windows\4599addw9rez271.ocx
c:\windows\4655sparsez8999.ocx
c:\windows\4730szar9e5079.dll
c:\windows\47b8zp5w9re923.bin
c:\windows\47edown59zder814.cpl
c:\windows\47z3s9am5ot509.exe
c:\windows\4925thzeat4707.exe
c:\windows\49dzaddwar521189.cpl
c:\windows\4az4ad95are1391.bin
c:\windows\4b95steal16z5.bin
c:\windows\4b9a5ir2z57.ocx
c:\windows\4d6e59reat4301z.dll
c:\windows\4d98doz59oader198.exe
c:\windows\5018adzw5re1699.cpl
c:\windows\5025viruz925.cpl
c:\windows\50319ozm95.dll
c:\windows\50z0h9ckto5l166.dll
c:\windows\51105pzrs9119.bin
c:\windows\5172steal9z5.ocx
c:\windows\5178zspambot6b9.bin
c:\windows\51cfthiez9559.bin
c:\windows\529cstezl1253.bin
c:\windows\5510ztroj93a.exe
c:\windows\5542not-azvirus3589.cpl
c:\windows\5559st9al23z5.exe
c:\windows\5584spy29z9.exe
c:\windows\559zspy159.ocx
c:\windows\559zsteal2190.dll
c:\windows\55ae5ddzare996.bin
c:\windows\55c0vir918z.bin
c:\windows\55f3sparse92z1.dll
c:\windows\55z7backdo9r852.bin
c:\windows\5609vizus205.cpl
c:\windows\5640s59202z.bin
c:\windows\56527sz9mbot721.exe
c:\windows\5655addz9re3126.exe
c:\windows\5659stz95688.bin
c:\windows\5659stzal8799.ocx
c:\windows\575z9ownloader366.cpl
c:\windows\576789ot-a-virus72z.cpl
c:\windows\57fe5dzware2593.dll
c:\windows\57z5backdoor9744.cpl
c:\windows\5841vi92666z.dll
c:\windows\5871szam9ot36e.exe
c:\windows\587d5zckdoor1292.cpl
c:\windows\589cbackdoor52z5.dll
c:\windows\591z5virus3939.cpl
c:\windows\593759zcktool765.exe
c:\windows\5937worm19ez.ocx
c:\windows\594759pza3.ocx
c:\windows\59560vizus2a9.dll
c:\windows\59573ha9ktoolz65.dll
c:\windows\59753noz-a-virusa09.dll
c:\windows\5993vzrus469.cpl
c:\windows\599zdow9loa5er1615.bin
c:\windows\59bthzef4659.ocx
c:\windows\59e3tz9ef1543.cpl
c:\windows\5abzd5wn9oader388.cpl
c:\windows\5b35downl5ader11z89.cpl
c:\windows\5bczthrea911495.exe
c:\windows\5bz0s9yware1555.cpl
c:\windows\5c59tzrea532421.bin
c:\windows\5c81addwz5e3099.ocx
c:\windows\5c8asteal95z0.cpl
c:\windows\5ccthrezt8937.exe
c:\windows\5cfd5z9rse252.cpl
c:\windows\5d56thzea516957.ocx
c:\windows\5e57s9eaz2596.exe
c:\windows\5e899hief131z.cpl
c:\windows\5f1cvi9500z.bin
c:\windows\5f25sp9rsz838.dll
c:\windows\5z506spy396.cpl
c:\windows\5z58ha9ktool13c.exe
c:\windows\5z5caddware89.exe
c:\windows\5z799worm5f09.cpl
c:\windows\5z9thief8845.ocx
c:\windows\5zddstea5359.cpl
c:\windows\5ze1sp9rse278.bin
c:\windows\5zf3thief9929.cpl
c:\windows\6059v5ru9565z.exe
c:\windows\605backdo9z5423.exe
c:\windows\6155zir9s85.cpl
c:\windows\629cv5rz10.bin
c:\windows\62d3d59nlozder871.cpl
c:\windows\6356spar9e3271z.ocx
c:\windows\63edsp5wzre859.exe
c:\windows\6549sparse259z.exe
c:\windows\6595stezl2099.cpl
c:\windows\65f8stzal1729.exe
c:\windows\6750bac9doz5898.bin
c:\windows\6750ste9l25z.cpl
c:\windows\675bzpywar92711.cpl
c:\windows\68079pz55a.cpl
c:\windows\6a8s9ywaze58.dll
c:\windows\6b76steal9785z.cpl
c:\windows\6c9ethr5at14543z.ocx
c:\windows\6cz9sparse354.exe
c:\windows\6dd9baczd5or189.ocx
c:\windows\6f50s9ywarez723.bin
c:\windows\6z55spywa9e3227.dll
c:\windows\711c59arse2z32.cpl
c:\windows\7269zhief53.cpl
c:\windows\7353virus69z9.dll
c:\windows\73z0v5r1689.dll
c:\windows\74115py31z9.bin
c:\windows\743spar9e5988z.bin
c:\windows\74a59ir30z0.dll
c:\windows\75025zamb9t599.cpl
c:\windows\7579spywa9e22z5.cpl
c:\windows\75f3back9oor501z.exe
c:\windows\75z2st9al1579.bin
c:\windows\75z5t9ief2618.cpl
c:\windows\779fthr5az98946.ocx
c:\windows\78dzthie91551.cpl
c:\windows\78fcv951z56.cpl
c:\windows\793a9ddwaz52547.exe
c:\windows\795ethzea54065.dll
c:\windows\79acvzr1514.bin
c:\windows\79b8zhreat157545.exe
c:\windows\79z95hreat27022.bin
c:\windows\7a93szars59341.ocx
c:\windows\7b57thre9z12233.exe
c:\windows\7cz9ir531.cpl
c:\windows\7dzcth9ef3159.exe
c:\windows\7e1zbackdoo91155.cpl
c:\windows\7f05zte5l2091.cpl
c:\windows\7z2faddw5re999.cpl
c:\windows\8034spz955.dll
c:\windows\853thi9f10z5.cpl
c:\windows\8556zpy196.bin
c:\windows\8864no9-a-virus356z.ocx
c:\windows\8d05aczdoo9986.cpl
c:\windows\8z58spamb9t525.exe
c:\windows\9069threat125z5.exe
c:\windows\9089troj15z.ocx
c:\windows\908sza95ot47c.exe
c:\windows\9094a5dwarz2269.bin
c:\windows\9154hack9zol441.ocx
c:\windows\9176wo5964z.ocx
c:\windows\91bbd5wnloader292z.bin
c:\windows\92b45zeal2373.cpl
c:\windows\9310not-a-virus2z05.dll
c:\windows\934fstea5z82.bin
c:\windows\9490zir695.ocx
c:\windows\94955spamzot6e8.cpl
c:\windows\95117worm3z25.cpl
c:\windows\954fth5eat23z89.dll
c:\windows\95znot-a-virus551.dll
c:\windows\9709sp5mbotze9.ocx
c:\windows\971z25roj4d4.ocx
c:\windows\972z5virus556.dll
c:\windows\97hzc9t5ol210.exe
c:\windows\97zdownloa59r376.ocx
c:\windows\9865szeal1174.bin
c:\windows\98c6spyzare3275.dll
c:\windows\99069acktoz546e.exe
c:\windows\993czp5rse2697.exe
c:\windows\9969vzr15785.exe
c:\windows\9975n9t-a-vzrus33d.cpl
c:\windows\9995not-a-virus6bz.ocx
c:\windows\9995zorm5649.dll
c:\windows\9b5esparze2139.ocx
c:\windows\9cthrea528z23.exe
c:\windows\9czbackd5or193.exe
c:\windows\9fb3azdware395.exe
c:\windows\9z62thr5at13381.dll
c:\windows\9zf5add5are2536.exe
c:\windows\a31s9arze598.exe
c:\windows\a80tzief57419.exe
c:\windows\a92azdware1953.ocx
c:\windows\b2daddwa5z1696.exe
c:\windows\b8czpyw9r5899.dll
c:\windows\b9thiz91775.cpl
c:\windows\bz8spy9ar52016.dll
c:\windows\c175h9efz279.cpl
c:\windows\ccesp9rse311z5.bin
c:\windows\d38spzw9re1758.ocx
c:\windows\d5bsp9wzre1016.dll
c:\windows\e6zspy5are390.exe
c:\windows\ebbthzef9165.cpl
c:\windows\f27ste5l1z889.cpl
c:\windows\fz9addw5r91969.exe
c:\windows\system32\_000116_.tmp.dll
c:\windows\system32\10120zacktoo97be5.cpl
c:\windows\system32\10z14ha5ktool519.bin
c:\windows\system32\11934ziru55bc.exe
c:\windows\system32\11czstea9516.ocx
c:\windows\system32\126955rzj559.dll
c:\windows\system32\1278z59ware1492.cpl
c:\windows\system32\12d6virz859.dll
c:\windows\system32\12f5do9nloadz53257.bin
c:\windows\system32\13661not-a9viruz45f.dll
c:\windows\system32\13941sz5mbot6089.cpl
c:\windows\system32\140astealz5159.dll
c:\windows\system32\14159not-a-vz5us49.ocx
c:\windows\system32\14504zroj399.ocx
c:\windows\system32\14729sp95dz.bin
c:\windows\system32\14932z9o546c.dll
c:\windows\system32\15009tzal410.bin
c:\windows\system32\15072not-a5virusz92.exe
c:\windows\system32\15083sz93a2.dll
c:\windows\system32\15559spambotedz.dll
c:\windows\system32\15698vzrus5c9.exe
c:\windows\system32\15788tzoj1a59.exe
c:\windows\system32\15840vi9zs615.cpl
c:\windows\system32\15939spy9z4.exe
c:\windows\system32\159zaddware3023.dll
c:\windows\system32\1605zpambo919e.dll
c:\windows\system32\1609dzwnloader3520.cpl
c:\windows\system32\16367troz5959.cpl
c:\windows\system32\16615worz51a9.exe
c:\windows\system32\1669zh5ckto9l365.bin
c:\windows\system32\1673zworm9ea5.bin
c:\windows\system32\168bdownlo5d9r1z29.bin
c:\windows\system32\17067spam5ot69z9.cpl
c:\windows\system32\17588spam9oz4d7.exe
c:\windows\system32\18524hack5o9l17bz.dll
c:\windows\system32\18696not-a-viru55zc.bin
c:\windows\system32\18908hackz5ol4c2.ocx
c:\windows\system32\18998s5ambzt96e.cpl
c:\windows\system32\1905sparse1315z.exe
c:\windows\system32\19335hackz5ol1f8.dll
c:\windows\system32\1945s9a5bot48z.bin
c:\windows\system32\19534hacktoo932z.cpl
c:\windows\system32\19572not-a-viruz157.exe
c:\windows\system32\195z7spambot5f6.bin
c:\windows\system32\195zthreat9067.ocx
c:\windows\system32\19725ot9a-zirus6da.dll
c:\windows\system32\19d9sp5zare1798.cpl
c:\windows\system32\19e195eal1z09.exe
c:\windows\system32\1b9fthrezt10547.bin
c:\windows\system32\1c33vir30z95.ocx
c:\windows\system32\1d9zstea51392.dll
c:\windows\system32\1ebz9p5ware1222.exe
c:\windows\system32\1f005tezl9969.dll
c:\windows\system32\1f1adownl9adez14735.cpl
c:\windows\system32\1z15sparse3902.ocx
c:\windows\system32\1z194spy5bf9.cpl
c:\windows\system32\1z531s5ambotcf9.exe
c:\windows\system32\1z771s59mbot527.bin
c:\windows\system32\1z9d5te9l163.bin
c:\windows\system32\1zfdthreat31159.exe
c:\windows\system32\20195worza5.ocx
c:\windows\system32\207z9not-a-virus5259.cpl
c:\windows\system32\20889viruz55a.ocx
c:\windows\system32\20z9not-a5viru9184.bin
c:\windows\system32\2132659t-a-virzs271.cpl
c:\windows\system32\216835ro96dz.cpl
c:\windows\system32\219475zy935.exe
c:\windows\system32\22177not-z9viruse5.ocx
c:\windows\system32\222z1w5rm42f9.exe
c:\windows\system32\22475zyw9re798.bin
c:\windows\system32\22554not-a-virus193z.cpl
c:\windows\system32\228z7not9a-5irus236.dll
c:\windows\system32\22970spz575.dll
c:\windows\system32\2359zspambot55f.bin
c:\windows\system32\235e9zeal2303.dll
c:\windows\system32\23658szam9o53ef.exe
c:\windows\system32\23a2downloa5ez979.exe
c:\windows\system32\23z345py90a.ocx
c:\windows\system32\24073spamb9tz5.exe
c:\windows\system32\24150not-a-vzrus259.bin
c:\windows\system32\241badd9are155z.ocx
c:\windows\system32\24223virus6z59.cpl
c:\windows\system32\24284hack95ol7za.ocx
c:\windows\system32\2439st5al108z.dll
c:\windows\system32\2449hacktool55z.dll
c:\windows\system32\24c5addw5r92969z.bin
c:\windows\system32\25092s5amboz790.ocx
c:\windows\system32\2510haczto5l7059.cpl
c:\windows\system32\25381worm98cz.bin
c:\windows\system32\25411zo9m455.ocx
c:\windows\system32\2541not-azv9rus515.cpl
c:\windows\system32\2550tzief299.cpl
c:\windows\system32\25573vi59s4zf.bin
c:\windows\system32\2561v5rzs5029.cpl
c:\windows\system32\25730v9zus11c.cpl
c:\windows\system32\25795t5o913z.dll
c:\windows\system32\25879zackt5ol4ef.dll
c:\windows\system32\2589do9nloade5z67.bin
c:\windows\system32\258ct5ief2579z.ocx
c:\windows\system32\25970virusz539.cpl
c:\windows\system32\2598hackt5ol6za.cpl
c:\windows\system32\259z4vir5s9f.cpl
c:\windows\system32\25z55spamb5t9d3.dll
c:\windows\system32\26505sp9mbot5acz.cpl
c:\windows\system32\26539hacktool23dz.exe
c:\windows\system32\26z25p92b7.bin
c:\windows\system32\27405wo9m5z9.cpl
c:\windows\system32\274zbackdo5r1959.exe
c:\windows\system32\2767z9orm6f5.bin
c:\windows\system32\279zaddwar91851.exe
c:\windows\system32\27b3spyw9rz8175.exe
c:\windows\system32\27z395roj284.dll
c:\windows\system32\28586sp9mboz5d2.exe
c:\windows\system32\29025worm57dz.exe
c:\windows\system32\2905not-a-vi9us6z9.exe
c:\windows\system32\2924sparze5490.cpl
c:\windows\system32\29479sp9zbo569c.bin
c:\windows\system32\29502zpa5b9t644.bin
c:\windows\system32\2985spzmbot117.bin
c:\windows\system32\2az2spyw5re9960.exe
c:\windows\system32\2b55tzie9639.cpl
c:\windows\system32\2c92downloade9z2155.ocx
c:\windows\system32\2cz55h9ef1062.cpl
c:\windows\system32\2ec7a5z9are575.cpl
c:\windows\system32\2ezcb5ckdoor1982.ocx
c:\windows\system32\2z542hack5o9l37a.exe
c:\windows\system32\30458zpy95.bin
c:\windows\system32\30549tr5j1z2.dll
c:\windows\system32\3073z9py35b.bin
c:\windows\system32\307d9pywarz2551.ocx
c:\windows\system32\3082thie9153z.exe
c:\windows\system32\3095vir5s69cz.dll
c:\windows\system32\309z6troj6945.dll
c:\windows\system32\310439or5z90.cpl
c:\windows\system32\310z5v5ru98a.dll
c:\windows\system32\31107vzr5950.exe
c:\windows\system32\31498hazk5ool522.cpl
c:\windows\system32\318cback9ozr2151.dll
c:\windows\system32\31915hac5toz9614.ocx
c:\windows\system32\32415nzt-a-9i5us6c4.dll
c:\windows\system32\32503no5-a-9irusz71.cpl
c:\windows\system32\3252t9oz43.dll
c:\windows\system32\Drivers\whlimjeu.sys
c:\windows\z0048tro9351.exe
c:\windows\z14959r5j6ac.exe
c:\windows\z1554vir9s65d.bin
c:\windows\z15steal2492.bin
c:\windows\z198ste5l926.ocx
c:\windows\z1995tro579b.ocx
c:\windows\z269ha9ktool506.bin
c:\windows\z285s9y6a95.ocx
c:\windows\z291addwa5e1971.dll
c:\windows\z2959wor92ca.cpl
c:\windows\z4595sp54e7.cpl
c:\windows\z476st5al963.dll
c:\windows\z5559virus2c4.bin
c:\windows\z56back9oor1426.bin
c:\windows\z5athie91795.bin
c:\windows\z708spam9ot559.cpl
c:\windows\z728s9y71d5.ocx
c:\windows\z778virus459.dll
c:\windows\z8835not-a-5iru95bc.bin
c:\windows\z88d5teal30529.ocx
c:\windows\z932s5917a.ocx
c:\windows\z958spyware5441.ocx
c:\windows\z9732spamb5t572.cpl
c:\windows\za55downloade51986.dll
D:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-12-27 04:46 . 2009-12-27 04:46 7184 ----a-w- c:\windows\system32\52fz5ir951.bin
2009-12-09 03:24 . 2009-12-09 03:24 6519 ----a-w- c:\windows\system32\5528vi98z5.dll
2009-12-03 14:51 . 2009-12-03 14:51 16274 ----a-w- c:\windows\system32\z0332hacktool9d5.dll
2009-11-18 00:42 . 2009-11-18 00:42 5278 ----a-w- c:\windows\system32\91d2zteal351.exe
2009-11-13 12:27 . 2009-11-13 12:27 17888 ----a-w- c:\windows\system32\39z5spyware895.bin
2009-11-10 15:29 . 2009-11-10 15:29 3405 ----a-w- c:\windows\system32\z295th9ef1185.bin
2009-11-09 14:45 . 2009-11-09 14:45 11065 ----a-w- c:\windows\system32\z17575or93b5.exe
2009-11-09 04:03 . 2009-11-09 04:03 10562 ----a-w- c:\windows\system32\3b445tea981z.dll
2009-10-28 15:29 . 2009-10-28 15:29 14304 ----a-w- c:\windows\system32\9978viru5z89.exe
2009-10-22 13:18 . 2009-10-22 13:18 5649 ----a-w- c:\windows\system32\7659spzr5e2419.exe
2009-10-22 02:33 . 2009-10-22 02:33 5956 ----a-w- c:\windows\system32\5fd3addz9re702.exe
2009-10-21 09:16 . 2009-10-21 09:16 7696 ----a-w- c:\windows\system32\7f4bs59rse139z.dll
2009-10-15 19:42 . 2009-10-15 19:42 3577 ----a-w- c:\windows\system32\5a05st9al172z.exe
2009-10-14 08:27 . 2009-10-14 08:27 8845 ----a-w- c:\windows\system32\51295irz979.bin
2009-10-10 21:12 . 2009-10-10 21:12 14469 ----a-w- c:\windows\system32\4b249ownzoader1757.dll
2009-10-09 14:52 . 2009-10-09 14:52 8164 ----a-w- c:\windows\system32\49a2dz5nloader365.dll
2009-10-08 00:11 . 2009-10-08 00:11 4087 ----a-w- c:\windows\system32\4955addwarz900.bin
2009-10-05 21:54 . 2009-10-05 21:54 17356 ----a-w- c:\windows\system32\5a59s9arsz13045.bin
2009-09-26 09:33 . 2009-09-26 09:33 10282 ----a-w- c:\windows\system32\6820ad5w9rez56.bin
2009-09-22 15:33 . 2009-09-22 15:33 13953 ----a-w- c:\windows\system32\392fs9yw5rz2530.bin
2009-09-22 06:56 . 2009-09-22 06:56 14749 ----a-w- c:\windows\system32\z6415ha5kto9l33a.exe
2009-09-14 16:33 . 2009-09-14 16:33 2550 ----a-w- c:\windows\system32\98832v5rus72cz.dll
2009-09-08 04:16 . 2009-09-08 04:16 10477 ----a-w- c:\windows\system32\4996vzru5458.dll
2009-08-20 05:22 . 2009-08-20 05:22 6223 ----a-w- c:\windows\system32\9625viz9s2c5.dll
2009-08-19 00:14 . 2009-08-19 00:14 9315 ----a-w- c:\windows\system32\512zstea52359.dll
2009-08-06 08:34 . 2009-08-06 08:34 16945 ----a-w- c:\windows\system32\76599hzea59531.exe
2009-07-22 16:54 . 2009-07-22 16:54 14795 ----a-w- c:\windows\system32\32f5zac9do5r2878.dll
2009-07-15 20:40 . 2009-07-15 20:40 2722 ----a-w- c:\windows\system32\992down5oadez1331.bin
2009-07-14 23:00 . 2009-07-14 23:00 8601 ----a-w- c:\windows\system32\4f5czo9nloader703.exe
2009-07-11 10:36 . 2009-07-11 10:36 10026 ----a-w- c:\windows\system32\99505szambote5.bin
2009-07-09 07:02 . 2009-07-09 07:02 16938 ----a-w- c:\windows\system32\458virus9z.exe
2009-07-05 06:06 . 2009-07-05 06:06 6613 ----a-w- c:\windows\system32\z97s9yw5re617.bin
2009-06-25 06:04 . 2009-06-25 06:04 12567 ----a-w- c:\windows\system32\z12abackdo9r16415.bin
2009-06-22 15:04 . 2009-06-22 15:04 -------- d-----w- c:\documents and settings\Leland\Application Data\Malwarebytes
2009-06-22 02:56 . 2009-06-22 02:56 12968 ----a-w- c:\windows\system32\5f75th5ez1029.exe
2009-06-20 15:59 . 2009-06-20 15:59 -------- d-----w- c:\program files\Trend Micro
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:21 . 2009-06-09 22:21 5559 ----a-w- c:\windows\system32\6z14a5dware2978.exe
2009-06-02 09:38 . 2009-06-02 09:38 5002 ----a-w- c:\windows\system32\z9e5th5eat29897.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 16:46 . 2007-12-25 06:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 05:27 . 2008-10-07 02:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-18 22:10 . 2009-05-18 22:10 3889 ----a-w- c:\windows\system32\92145szambo570c.dll
2009-05-15 14:20 . 2009-05-15 14:20 14462 ----a-w- c:\windows\system32\84zvir9425.bin
2009-05-07 11:59 . 2009-05-07 11:59 18345 ----a-w- c:\windows\system32\957thie5z09.exe
2009-04-28 03:48 . 2009-04-28 03:48 18061 ----a-w- c:\windows\system32\9c55bzckdoor2553.bin
2009-04-23 07:09 . 2009-04-23 07:09 8084 ----a-w- c:\windows\system32\6119s95zfe.bin
2009-04-03 13:16 . 2009-04-03 13:16 5346 ----a-w- c:\windows\system32\95c0st5al16z.exe
.

------- Sigcheck -------

[-] 2001-08-23 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2001-08-23 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[7] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\ServicePackFiles\i386\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2001-08-23 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2001-08-23 12:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie7\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie8\wininet.dll
[7] 2004-08-04 06:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2001-08-23 12:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2001-08-23 12:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2001-08-23 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2001-08-23 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[7] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2001-08-23 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[-] 2001-08-23 12:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\services.exe

[-] 2001-08-23 12:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2001-08-23 12:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2001-08-23 12:00 112128 EBB80E7DE7C23D8BD2187F9A0B93709B c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2004-08-04 06:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2001-08-23 12:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2001-08-23 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[7] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2001-08-23 12:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\kernel32.dll
[7] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\dllcache\kernel32.dll

[-] 2001-08-23 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2001-08-23 12:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2001-08-23 12:00 1562112 9E415EFDF50F26BCBC97C80F4E6C30CC c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2001-08-23 12:00 155648 14F36167D270C83C7F90956B1F0BBBB6 c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\appmgmts.dll

[-] 2001-08-23 12:00 23424 9C30CD464D87102497FD7C32910E6253 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-29 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-11-02 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

S3 TucbDriverV32;TucbDriverV32;c:\windows\system32\drivers\TucbDriverV32.sys [3/23/2008 4:09 PM 506496]
S3 TucbVideo32;TucbVideo32;c:\windows\system32\drivers\TucbVideo32.sys [3/23/2008 4:09 PM 3768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-2-9-95-100019009-100014676-100007918-5147.com d:\
\Shell\Open\command - RECYCLER\S-2-9-95-100019009-100014676-100007918-5147.com d:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{016e3ff0-21fc-11dc-9057-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6695f91e-03b5-11de-8648-00402b3b4eb2}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-5-6-67-100017640-100026369-100002855-7474.com c:\
\Shell\Open\command - d:\recycler\S-5-6-67-100017640-100026369-100002855-7474.com c:\
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Messenger (Yahoo!) - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-884357618-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1956)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-27 15:58 - machine was rebooted [Leland]
ComboFix-quarantined-files.txt 2009-06-27 20:58

Pre-Run: 2,986,655,744 bytes free
Post-Run: 4,593,459,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

784 --- E O F --- 2009-02-26 09:07





and MalwareBytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/28/2009 12:47:41 AM
mbam-log-2009-06-28 (00-47-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 279508
Time elapsed: 2 hour(s), 17 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 June 2009 - 10:38 AM

Hi Lee Fried,

MBAM has it clear but we need to run Combofix again because it isn't clean yet. :thumbup2:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\52fz5ir951.bin
c:\windows\system32\5528vi98z5.dll
c:\windows\system32\z0332hacktool9d5.dll
c:\windows\system32\91d2zteal351.exe
c:\windows\system32\39z5spyware895.bin
c:\windows\system32\z295th9ef1185.bin
c:\windows\system32\z17575or93b5.exe
c:\windows\system32\3b445tea981z.dll
c:\windows\system32\9978viru5z89.exe
c:\windows\system32\7659spzr5e2419.exe
c:\windows\system32\5fd3addz9re702.exe
c:\windows\system32\7f4bs59rse139z.dll
c:\windows\system32\5a05st9al172z.exe
c:\windows\system32\51295irz979.bin
c:\windows\system32\4b249ownzoader1757.dll
c:\windows\system32\49a2dz5nloader365.dll
c:\windows\system32\4955addwarz900.bin
c:\windows\system32\5a59s9arsz13045.bin
c:\windows\system32\6820ad5w9rez56.bin
c:\windows\system32\392fs9yw5rz2530.bin
c:\windows\system32\z6415ha5kto9l33a.exe
c:\windows\system32\98832v5rus72cz.dll
c:\windows\system32\4996vzru5458.dll
c:\windows\system32\9625viz9s2c5.dll
c:\windows\system32\512zstea52359.dll
c:\windows\system32\76599hzea59531.exe
c:\windows\system32\32f5zac9do5r2878.dll
c:\windows\system32\992down5oadez1331.bin
c:\windows\system32\4f5czo9nloader703.exe
c:\windows\system32\99505szambote5.bin
c:\windows\system32\458virus9z.exe
c:\windows\system32\z97s9yw5re617.bin
c:\windows\system32\z12abackdo9r16415.bin
c:\windows\system32\5f75th5ez1029.exe
c:\windows\system32\6z14a5dware2978.exe
c:\windows\system32\z9e5th5eat29897.bin
c:\windows\system32\92145szambo570c.dll
c:\windows\system32\84zvir9425.bin
c:\windows\system32\957thie5z09.exe
c:\windows\system32\9c55bzckdoor2553.bin
c:\windows\system32\6119s95zfe.bin
c:\windows\system32\95c0st5al16z.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let's see where that leaves us. :)
Posted Image
m0le is a proud member of UNITE

#8 Lee Fried

Lee Fried
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 28 June 2009 - 12:25 PM

ComboFix 09-06-26.02 - Leland 06/28/2009 12:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3319.2752 [GMT -5:00]
Running from: c:\documents and settings\All Users\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Leland\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3259zworm3f7.exe
c:\windows\system32\32f5zac9do5r2878.dll
c:\windows\system32\3412s9y550z.dll
c:\windows\system32\35955zrus219.cpl
c:\windows\system32\3709not-azvir5s165.ocx
c:\windows\system32\372zadd5are2129.ocx
c:\windows\system32\3750down5oader669z.bin
c:\windows\system32\3791spyw5ze1928.exe
c:\windows\system32\37f6spa9se15z.dll
c:\windows\system32\392fs9yw5rz2530.bin
c:\windows\system32\3969t5rezt15892.dll
c:\windows\system32\3985vzr1365.bin
c:\windows\system32\39z5spyware895.bin
c:\windows\system32\39zbadd9a5e2573.bin
c:\windows\system32\3ae2zddw9re583.bin
c:\windows\system32\3b445tea981z.dll
c:\windows\system32\3b8sparze91845.ocx
c:\windows\system32\3z26no5-a-virus1ec9.bin
c:\windows\system32\3z5aaddwar91935.ocx
c:\windows\system32\3z87spyw9re2453.dll
c:\windows\system32\3z93troj595.cpl
c:\windows\system32\3z9r25575.exe
c:\windows\system32\4048v9z11855.ocx
c:\windows\system32\4055zot-a-vi95s470.bin
c:\windows\system32\4092spazbot4a95.dll
c:\windows\system32\411zsp9war52978.ocx
c:\windows\system32\4223t5oj699z.bin
c:\windows\system32\4434threa5399z6.dll
c:\windows\system32\458virus9z.exe
c:\windows\system32\45z0thr5at16911.cpl
c:\windows\system32\45zethief21509.bin
c:\windows\system32\4695szyware1037.dll
c:\windows\system32\4833ad5zare2929.dll
c:\windows\system32\487zspy5are27429.bin
c:\windows\system32\4955addwarz900.bin
c:\windows\system32\4961w9rm5cbz.bin
c:\windows\system32\497bthreaz5976.cpl
c:\windows\system32\4996vzru5458.dll
c:\windows\system32\499hzcktool145.cpl
c:\windows\system32\49a2dz5nloader365.dll
c:\windows\system32\4a88downloz5er249.bin
c:\windows\system32\4b249ownzoader1757.dll
c:\windows\system32\4ce7b9c5dzor295.ocx
c:\windows\system32\4d8fd9wnl5zder2682.ocx
c:\windows\system32\4d9azhreat268579.exe
c:\windows\system32\4e90steal15z9.bin
c:\windows\system32\4ee09pyware1590z.bin
c:\windows\system32\4f5czo9nloader703.exe
c:\windows\system32\4z849ackdo5r2743.cpl
c:\windows\system32\505zspar9e2634.cpl
c:\windows\system32\5081t9izf22735.dll
c:\windows\system32\50z86v9rus4f1.cpl
c:\windows\system32\50z9backdo5r2946.bin
c:\windows\system32\5118s9zrse1400.bin
c:\windows\system32\51295irz979.bin
c:\windows\system32\512zstea52359.dll
c:\windows\system32\5185spazb9t183.cpl
c:\windows\system32\51fz9parse2148.dll
c:\windows\system32\5228znot-a-vi9us496.ocx
c:\windows\system32\52395not-a-vizus25b.ocx
c:\windows\system32\5242ba9zdo5r939.cpl
c:\windows\system32\52ezvir1098.bin
c:\windows\system32\52fz5ir951.bin
c:\windows\system32\5353s9ywzre1104.cpl
c:\windows\system32\5399spambo5z25.ocx
c:\windows\system32\5399zir2521.bin
c:\windows\system32\53d5tzreat323199.ocx
c:\windows\system32\53z6backd9or1531.exe
c:\windows\system32\54299zroj1cd.ocx
c:\windows\system32\5433spy59az.bin
c:\windows\system32\54576vzrus92.cpl
c:\windows\system32\5478vz92992.bin
c:\windows\system32\5488vzrus590.bin
c:\windows\system32\5522hac9tool5ze.ocx
c:\windows\system32\5528vi98z5.dll
c:\windows\system32\5530thi9z452.cpl
c:\windows\system32\5567spaz5ot219.bin
c:\windows\system32\559ztr5j5b.ocx
c:\windows\system32\55e1thief939z.cpl
c:\windows\system32\55eab9ckdooz19065.cpl
c:\windows\system32\55z09hief498.bin
c:\windows\system32\57269aczdoor2477.dll
c:\windows\system32\57886tzoj5b9.cpl
c:\windows\system32\58f35aczdoor980.dll
c:\windows\system32\58z47hacktoo934b.dll
c:\windows\system32\590addwarz30995.cpl
c:\windows\system32\59391troz674.exe
c:\windows\system32\5955addware317z.cpl
c:\windows\system32\5976threat578z.exe
c:\windows\system32\59928spy6a5z.dll
c:\windows\system32\59afth5eaz94890.dll
c:\windows\system32\59b0stzal13279.dll
c:\windows\system32\59bastzal1371.exe
c:\windows\system32\59f7spywa9526z3.ocx
c:\windows\system32\5a05st9al172z.exe
c:\windows\system32\5a59s9arsz13045.bin
c:\windows\system32\5a5stezl92385.dll
c:\windows\system32\5a67s9eal163z.ocx
c:\windows\system32\5a90spa9se1z89.ocx
c:\windows\system32\5a94t5i9f824z.exe
c:\windows\system32\5b1459czdoor1711.ocx
c:\windows\system32\5b3fback9oorz486.exe
c:\windows\system32\5b5aazdwa592299.exe
c:\windows\system32\5b9spyzare555.ocx
c:\windows\system32\5bdzsteal9199.cpl
c:\windows\system32\5c54spywar92z05.dll
c:\windows\system32\5d01th5ef199z.ocx
c:\windows\system32\5d1cbackdoz915745.cpl
c:\windows\system32\5d1fdo5nloade911z4.exe
c:\windows\system32\5d1fdownlozder1559.dll
c:\windows\system32\5e51ste9lz750.ocx
c:\windows\system32\5f0eba5kd9oz1475.ocx
c:\windows\system32\5f75th5ez1029.exe
c:\windows\system32\5fd3addz9re702.exe
c:\windows\system32\5z6f5teal9650.exe
c:\windows\system32\5z98steal591.bin
c:\windows\system32\6091a9dwarez451.ocx
c:\windows\system32\60f5ba5kdoor2879z.exe
c:\windows\system32\6119s95zfe.bin
c:\windows\system32\618zaddwar5996.dll
c:\windows\system32\61e9azdwar52879.dll
c:\windows\system32\628t5oj5b9z.dll
c:\windows\system32\62e7th9ef5z5.bin
c:\windows\system32\6378sz5rse3096.cpl
c:\windows\system32\63fz9hief3205.ocx
c:\windows\system32\645dthizf9993.exe
c:\windows\system32\6534zorm5159.dll
c:\windows\system32\65adsp5rse9954z.ocx
c:\windows\system32\65f4thi5f9z19.bin
c:\windows\system32\66395zt-a-virus40.ocx
c:\windows\system32\66749py5za.bin
c:\windows\system32\6764zorm9125.bin
c:\windows\system32\6805thr9at1z536.bin
c:\windows\system32\6820ad5w9rez56.bin
c:\windows\system32\6963zpy75.ocx
c:\windows\system32\69z9hackto9l6645.ocx
c:\windows\system32\6a98downloazer20445.bin
c:\windows\system32\6d19spywz5e2160.dll
c:\windows\system32\6d5aaddwa9e128z.bin
c:\windows\system32\6d72t5r9zt17799.cpl
c:\windows\system32\6ez75ir294.ocx
c:\windows\system32\6f329hrezt3605.cpl
c:\windows\system32\6f339pzrse24265.dll
c:\windows\system32\6z02threa56919.bin
c:\windows\system32\6z14a5dware2978.exe
c:\windows\system32\70ffdownlzad592592.exe
c:\windows\system32\715not-9-virus7b1z.dll
c:\windows\system32\7168spywzre14985.dll
c:\windows\system32\71dth9ea517z29.dll
c:\windows\system32\71sz5609.ocx
c:\windows\system32\728bdownlz9der185.cpl
c:\windows\system32\7441downl9ader125z.ocx
c:\windows\system32\757cthief53z9.dll
c:\windows\system32\76599hzea59531.exe
c:\windows\system32\7659spzr5e2419.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-12-03 14:51 . 2009-12-03 14:51 16274 ----a-w- c:\windows\system32\z0332hacktool9d5.dll
2009-11-18 00:42 . 2009-11-18 00:42 5278 ----a-w- c:\windows\system32\91d2zteal351.exe
2009-11-10 15:29 . 2009-11-10 15:29 3405 ----a-w- c:\windows\system32\z295th9ef1185.bin
2009-11-09 14:45 . 2009-11-09 14:45 11065 ----a-w- c:\windows\system32\z17575or93b5.exe
2009-10-28 15:29 . 2009-10-28 15:29 14304 ----a-w- c:\windows\system32\9978viru5z89.exe
2009-10-21 09:16 . 2009-10-21 09:16 7696 ----a-w- c:\windows\system32\7f4bs59rse139z.dll
2009-09-22 06:56 . 2009-09-22 06:56 14749 ----a-w- c:\windows\system32\z6415ha5kto9l33a.exe
2009-09-14 16:33 . 2009-09-14 16:33 2550 ----a-w- c:\windows\system32\98832v5rus72cz.dll
2009-08-20 05:22 . 2009-08-20 05:22 6223 ----a-w- c:\windows\system32\9625viz9s2c5.dll
2009-07-15 20:40 . 2009-07-15 20:40 2722 ----a-w- c:\windows\system32\992down5oadez1331.bin
2009-07-11 10:36 . 2009-07-11 10:36 10026 ----a-w- c:\windows\system32\99505szambote5.bin
2009-07-05 06:06 . 2009-07-05 06:06 6613 ----a-w- c:\windows\system32\z97s9yw5re617.bin
2009-06-28 16:33 . 2009-06-28 16:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 16:30 . 2009-06-28 16:30 152576 ----a-w- c:\documents and settings\Leland\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-28 16:29 . 2009-06-28 16:29 -------- d-----w- c:\windows\LastGood
2009-06-28 08:34 . 2009-06-28 16:32 -------- d-----w- c:\windows\system32\KB905474
2009-06-28 08:34 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-28 06:49 . 2009-06-28 06:49 -------- d-----w- c:\windows\system32\RTCOM
2009-06-28 06:46 . 2009-06-28 06:46 -------- d-----w- c:\program files\Realtek
2009-06-28 06:45 . 2008-08-25 21:17 528384 ----a-r- c:\windows\RtlExUpd.dll
2009-06-27 21:01 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-27 21:01 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-06-27 21:01 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-27 21:01 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-27 21:01 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-27 21:01 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-27 21:01 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-27 21:01 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-27 21:01 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-27 20:59 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-27 20:54 . 2009-06-27 20:54 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-25 06:04 . 2009-06-25 06:04 12567 ----a-w- c:\windows\system32\z12abackdo9r16415.bin
2009-06-22 15:04 . 2009-06-22 15:04 -------- d-----w- c:\documents and settings\Leland\Application Data\Malwarebytes
2009-06-20 15:59 . 2009-06-20 15:59 -------- d-----w- c:\program files\Trend Micro
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 09:38 . 2009-06-02 09:38 5002 ----a-w- c:\windows\system32\z9e5th5eat29897.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 16:31 . 2007-10-02 02:40 -------- d-----w- c:\program files\Java
2009-06-28 08:28 . 2007-10-14 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-28 06:46 . 2007-09-15 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 20:53 . 2008-04-29 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-20 16:46 . 2007-12-25 06:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 05:27 . 2008-10-07 02:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-18 22:10 . 2009-05-18 22:10 3889 ----a-w- c:\windows\system32\92145szambo570c.dll
2009-05-15 14:20 . 2009-05-15 14:20 14462 ----a-w- c:\windows\system32\84zvir9425.bin
2009-05-07 15:44 . 2001-08-23 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 11:59 . 2009-05-07 11:59 18345 ----a-w- c:\windows\system32\957thie5z09.exe
2009-04-28 03:48 . 2009-04-28 03:48 18061 ----a-w- c:\windows\system32\9c55bzckdoor2553.bin
2009-04-17 09:58 . 2001-08-23 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-23 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 13:16 . 2009-04-03 13:16 5346 ----a-w- c:\windows\system32\95c0st5al16z.exe
.

------- Sigcheck -------

[-] 2001-08-23 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2001-08-23 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[7] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\ServicePackFiles\i386\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2001-08-23 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2001-08-23 12:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie7\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie8\wininet.dll
[7] 2004-08-04 06:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2001-08-23 12:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2001-08-23 12:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2001-08-23 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2001-08-23 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[7] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2001-08-23 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2001-08-23 12:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\dllcache\services.exe

[-] 2001-08-23 12:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2001-08-23 12:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2001-08-23 12:00 112128 EBB80E7DE7C23D8BD2187F9A0B93709B c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2004-08-04 06:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2001-08-23 12:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2001-08-23 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[7] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2001-08-23 12:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2gdr\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2qfe\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll

[-] 2001-08-23 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2001-08-23 12:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2001-08-23 12:00 1562112 9E415EFDF50F26BCBC97C80F4E6C30CC c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2001-08-23 12:00 155648 14F36167D270C83C7F90956B1F0BBBB6 c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\appmgmts.dll

[-] 2001-08-23 12:00 23424 9C30CD464D87102497FD7C32910E6253 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-27_20.44.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-28 16:33 . 2009-06-28 16:33 16384 c:\windows\temp\Perflib_Perfdata_da8.dat
+ 2009-06-28 16:32 . 2009-06-28 16:32 16384 c:\windows\temp\Perflib_Perfdata_8f4.dat
+ 2007-09-18 04:16 . 2004-08-04 05:56 23552 c:\windows\system32\wdmaud.drv
- 2007-09-18 04:16 . 2004-08-04 06:56 23552 c:\windows\system32\wdmaud.drv
+ 2009-06-28 08:06 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2001-08-23 12:00 . 2009-02-03 20:08 55808 c:\windows\system32\secur32.dll
- 2001-08-23 12:00 . 2004-08-04 06:56 55808 c:\windows\system32\secur32.dll
+ 2001-08-23 12:00 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe
+ 2009-06-28 06:47 . 2009-03-12 20:34 39424 c:\windows\system32\RtkCoInstXP.dll
- 2001-08-23 12:00 . 2009-06-24 00:11 63188 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-06-28 16:46 63188 c:\windows\system32\perfc009.dat
+ 2007-06-20 01:09 . 2008-06-12 14:16 91648 c:\windows\system32\mtxoci.dll
+ 2001-08-23 12:00 . 2008-06-12 14:16 66560 c:\windows\system32\mtxclu.dll
- 2001-08-23 12:00 . 2006-03-01 19:42 66560 c:\windows\system32\mtxclu.dll
+ 2007-06-20 01:09 . 2008-06-12 14:16 58880 c:\windows\system32\msdtclog.dll
- 2007-06-20 01:09 . 2004-08-04 06:56 58880 c:\windows\system32\msdtclog.dll
+ 2005-01-07 22:07 . 2005-01-07 22:07 61952 c:\windows\system32\HdAShCut.exe
+ 2005-01-07 22:07 . 2005-01-07 22:07 25088 c:\windows\system32\HdAProp.dll
+ 2007-09-18 04:16 . 2004-08-04 05:56 23552 c:\windows\system32\dllcache\wdmaud.drv
- 2007-09-18 04:16 . 2004-08-04 06:56 23552 c:\windows\system32\dllcache\wdmaud.drv
+ 2009-02-03 20:08 . 2009-02-03 20:08 55808 c:\windows\system32\dllcache\secur32.dll
+ 2001-08-23 12:00 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe
+ 2008-06-12 14:16 . 2008-06-12 14:16 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2007-09-18 04:15 . 2008-08-19 18:26 77824 c:\windows\SOUNDMAN.EXE
+ 2007-10-14 17:28 . 2009-06-28 08:28 35088 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-10-14 17:28 . 2009-02-26 09:04 35088 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-10-14 17:28 . 2009-02-26 09:04 18704 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-10-14 17:28 . 2009-06-28 08:28 18704 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-10-14 17:28 . 2009-02-26 09:04 20240 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-10-14 17:28 . 2009-06-28 08:28 20240 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-23 00:05 . 2007-03-23 00:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2009-06-28 06:47 . 2009-03-02 16:14 57344 c:\windows\ALCMTR.EXE
+ 2005-01-07 22:07 . 2005-01-07 22:07 5120 c:\windows\system32\HdAudRes.dll
+ 2007-06-20 01:40 . 2009-06-28 08:35 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-06-28 06:47 . 2008-10-23 22:42 290816 c:\windows\vncutil.exe
+ 2006-10-16 10:21 . 2009-04-15 09:24 351744 c:\windows\system32\xpsp3res.dll
- 2007-06-20 05:10 . 2004-08-04 06:56 351232 c:\windows\system32\winhttp.dll
+ 2007-06-20 05:10 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2008-09-06 04:29 . 2009-03-11 03:18 934792 c:\windows\system32\WgaTray.exe
+ 2007-06-20 01:09 . 2009-02-06 16:39 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2007-06-20 01:09 . 2009-02-09 10:20 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2007-06-20 01:09 . 2009-02-09 10:20 473088 c:\windows\system32\wbem\fastprox.dll
- 2001-08-23 12:00 . 2007-04-25 14:21 144896 c:\windows\system32\schannel.dll
+ 2001-08-23 12:00 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll
+ 2009-06-28 06:47 . 2009-03-05 18:35 131072 c:\windows\system32\RTCOM\RTLCPAPI.dll
+ 2009-06-28 06:47 . 2009-03-05 18:36 266240 c:\windows\system32\RTCOM\RTCOMDLL.dll
+ 2001-08-23 12:00 . 2009-02-09 10:20 399360 c:\windows\system32\rpcss.dll
- 2001-08-23 12:00 . 2009-06-24 00:11 403968 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2009-06-28 16:46 403968 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2004-08-04 06:56 283648 c:\windows\system32\pdh.dll
+ 2001-08-23 12:00 . 2009-03-06 14:44 283648 c:\windows\system32\pdh.dll
+ 2001-08-23 12:00 . 2009-02-09 10:20 714752 c:\windows\system32\ntdll.dll
+ 2007-06-20 01:09 . 2008-06-12 14:16 161792 c:\windows\system32\msdtcuiu.dll
+ 2007-06-20 01:09 . 2008-06-12 14:16 956928 c:\windows\system32\msdtctm.dll
+ 2007-06-20 01:09 . 2008-06-12 14:16 428032 c:\windows\system32\msdtcprx.dll
+ 2001-08-23 12:00 . 2009-02-09 10:20 723456 c:\windows\system32\lsasrv.dll
+ 2009-06-28 16:33 . 2009-06-28 16:31 148888 c:\windows\system32\javaws.exe
+ 2009-06-28 16:33 . 2009-06-28 16:31 144792 c:\windows\system32\javaw.exe
+ 2009-06-28 16:33 . 2009-06-28 16:31 144792 c:\windows\system32\java.exe
+ 2007-06-19 18:52 . 2009-06-28 08:42 352976 c:\windows\system32\FNTCACHE.DAT
- 2007-06-19 18:52 . 2008-11-05 11:11 352976 c:\windows\system32\FNTCACHE.DAT
+ 2007-09-18 04:16 . 2004-03-16 15:58 136960 c:\windows\system32\drivers\portcls.sys
+ 2005-01-07 22:07 . 2005-01-07 22:07 145920 c:\windows\system32\drivers\Hdaudio.sys
+ 2005-01-07 22:07 . 2005-01-07 22:07 138752 c:\windows\system32\drivers\Hdaudbus.sys
+ 2008-12-16 12:47 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2008-09-06 04:29 . 2009-03-11 03:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-06 04:30 . 2009-03-11 03:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
- 2007-04-25 14:21 . 2007-04-25 14:21 144896 c:\windows\system32\dllcache\schannel.dll
+ 2007-04-25 14:21 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll
+ 2008-10-25 19:33 . 2009-04-15 15:11 584192 c:\windows\system32\dllcache\rpcrt4.dll
- 2008-10-25 19:33 . 2007-07-09 13:09 584192 c:\windows\system32\dllcache\rpcrt4.dll
+ 2007-09-18 04:16 . 2004-03-16 15:58 136960 c:\windows\system32\dllcache\portcls.sys
+ 2008-06-12 14:16 . 2008-06-12 14:16 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:16 . 2008-06-12 14:16 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2007-11-07 09:26 . 2009-02-09 10:20 723456 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-05-07 15:44 . 2009-05-07 15:44 344064 c:\windows\system32\dllcache\localspl.dll
+ 2001-08-23 12:00 . 2009-02-09 10:20 616960 c:\windows\system32\advapi32.dll
- 2001-08-23 12:00 . 2004-08-04 06:56 616960 c:\windows\system32\advapi32.dll
+ 2009-06-28 06:47 . 2008-06-24 19:46 104992 c:\windows\RtkAudioService.exe
+ 2007-10-14 17:28 . 2009-06-28 08:28 327952 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
- 2007-10-14 17:28 . 2009-02-26 09:04 327952 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
- 2007-10-14 17:28 . 2009-02-26 09:04 217864 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
+ 2007-10-14 17:28 . 2009-06-28 08:28 217864 c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-06-20 01:40 . 2009-02-26 09:05 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-06-20 01:40 . 2009-06-28 08:35 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2004-03-16 15:58 . 2004-03-16 15:58 136960 c:\windows\Driver Cache\i386\portcls.sys
+ 2001-08-23 12:00 . 2008-12-20 22:43 1287680 c:\windows\system32\quartz.dll
- 2001-08-23 12:00 . 2008-05-07 05:18 1287680 c:\windows\system32\quartz.dll
+ 2007-04-24 17:32 . 2009-03-11 03:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2009-06-28 06:47 . 2009-03-12 22:25 5051904 c:\windows\system32\drivers\RtkHDAud.sys
+ 2009-06-28 06:47 . 2006-01-04 20:41 1389056 c:\windows\system32\drivers\Monfilt.sys
+ 2009-06-28 06:47 . 2008-08-06 01:10 1684736 c:\windows\system32\drivers\Ambfilt.sys
+ 2007-03-08 13:47 . 2009-04-17 09:58 1846656 c:\windows\system32\dllcache\win32k.sys
+ 2008-05-07 05:18 . 2008-12-20 22:43 1287680 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:18 . 2008-05-07 05:18 1287680 c:\windows\system32\dllcache\quartz.dll
- 2008-10-25 19:23 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-25 19:23 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-25 19:23 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-25 19:23 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-06-28 06:47 . 2007-11-20 23:15 1826816 c:\windows\SkyTel.exe
+ 2009-06-28 06:47 . 2009-01-21 20:54 1206816 c:\windows\RtlUpd.exe
+ 2009-06-28 06:47 . 2008-06-19 21:27 9715200 c:\windows\RTLCPL.EXE
+ 2009-06-28 06:47 . 2009-03-10 19:32 2168320 c:\windows\MicCal.exe
+ 2005-03-02 00:34 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:57 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2005-03-02 00:57 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-06-28 06:47 . 2008-06-19 21:42 2808832 c:\windows\ALCWZRD.EXE
+ 2007-06-20 05:10 . 2008-11-11 23:34 10838016 c:\windows\system32\wmp.dll
+ 2008-09-04 02:05 . 2009-06-01 14:51 23635392 c:\windows\system32\MRT.exe
+ 2007-06-20 05:10 . 2008-11-11 23:34 10838016 c:\windows\system32\dllcache\wmp.dll
+ 2009-06-28 06:47 . 2009-03-12 22:21 17531392 c:\windows\RTHDCPL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-29 68856]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-28 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-12 17531392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [6/20/2007 12:02 AM 26144]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/28/2009 1:47 AM 1684736]
S3 TucbDriverV32;TucbDriverV32;c:\windows\system32\drivers\TucbDriverV32.sys [3/23/2008 4:09 PM 506496]
S3 TucbVideo32;TucbVideo32;c:\windows\system32\drivers\TucbVideo32.sys [3/23/2008 4:09 PM 3768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 12:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-884357618-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
Completion time: 2009-06-28 12:17
ComboFix-quarantined-files.txt 2009-06-28 17:17
ComboFix2.txt 2009-06-27 20:58

Pre-Run: 3,343,818,752 bytes free
Post-Run: 3,548,225,536 bytes free

591 --- E O F --- 2009-06-28 08:35

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 June 2009 - 12:49 PM

Edited

Edited by m0le, 28 June 2009 - 12:59 PM.

Posted Image
m0le is a proud member of UNITE

#10 Lee Fried

Lee Fried
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 28 June 2009 - 12:55 PM

I'll run that, but I have one question to the P2P programs....Ventrilo? Isn't that a chat server? I mean, I didn't know it was even possible to transfer files through there.

I've got no problem uninstalling LimeWire and uTorrent, they've only ever gotten me in trouble.

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 June 2009 - 12:57 PM

Sorry, yes, Ventrilo should not have been on that list.

I am making an edit to the script. Please hold on and I will repost.

My bad. :thumbup2:

Edited by m0le, 28 June 2009 - 12:58 PM.

Posted Image
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 June 2009 - 01:09 PM

Okay, there's less but it's still multiplying.

By the way, the probable cause of this infection is P2P programs.

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent and Limewire). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Back to the fix, this may take a few more runs...

Please run Combofix again with the script below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\z0332hacktool9d5.dll
c:\windows\system32\91d2zteal351.exe
c:\windows\system32\z295th9ef1185.bin
c:\windows\system32\z17575or93b5.exe
c:\windows\system32\9978viru5z89.exe
c:\windows\system32\7f4bs59rse139z.dll
c:\windows\system32\z6415ha5kto9l33a.exe
c:\windows\system32\98832v5rus72cz.dll
c:\windows\system32\9625viz9s2c5.dll
c:\windows\system32\992down5oadez1331.bin
c:\windows\system32\99505szambote5.bin
c:\windows\system32\z97s9yw5re617.bin
c:\windows\system32\z12abackdo9r16415.bin
c:\windows\system32\z9e5th5eat29897.bin
c:\windows\system32\92145szambo570c.dll
c:\windows\system32\84zvir9425.bin
c:\windows\system32\957thie5z09.exe
c:\windows\system32\9c55bzckdoor2553.bin
c:\windows\system32\95c0st5al16z.exe

FCopy::
c:\windows\$NtServicePackUninstall$\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\$NtServicePackUninstall$\user32.dll | c:\windows\system32\dllcache\user32.dll
c:\windows\$NtServicePackUninstall$\ws2_32.dll | c:\windows\system32\ws2_32.dll
c:\windows\$NtServicePackUninstall$\wininet.dll | c:\windows\system32\dllcache\wininet.dll
c:\windows\$NtServicePackUninstall$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\$NtServicePackUninstall$\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe | c:\windows\system32\dllcache\ntoskrnl.exe
c:\windows\$NtServicePackUninstall$\ntoskrnl.exe | c:\windows\system32\dllcache\ntoskrnl.exe
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\system32\dllcache\explorer.exe
c:\windows\$NtServicePackUninstall$\services.exe | c:\windows\system32\dllcache\services.exe
c:\windows\$NtServicePackUninstall$\lsass.exe | c:\windows\system32\lsass.exe
c:\windows\$NtServicePackUninstall$\ctfmon.exe | c:\windows\system32\ctfmon.exe
c:\windows\$NtServicePackUninstall$\wuauclt.exe | c:\windows\system32\dllcache\wuauclt.exe
c:\windows\$NtServicePackUninstall$\userinit.exe | c:\windows\system32\userinit.exe
c:\windows\$NtServicePackUninstall$\termsrv.dll | c:\windows\system32\termsrv.dll
c:\windows\$NtServicePackUninstall$\kernel32.dll | c:\windows\system32\dllcache\kernel32.dll
c:\windows\$NtServicePackUninstall$\powrprof.dll | c:\windows\system32\powrprof.dll
c:\windows\$NtServicePackUninstall$\imm32.dll | c:\windows\system32\imm32.dll
c:\windows\$NtServicePackUninstall$\sfcfiles.dll | c:\windows\system32\sfcfiles.dll
c:\windows\$NtServicePackUninstall$\appmgmts.dll | c:\windows\system32\appmgmts.dll
c:\windows\$NtServicePackUninstall$\kbdclass.sys | c:\windows\system32\drivers\kbdclass.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#13 Lee Fried

Lee Fried
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 28 June 2009 - 01:28 PM

I had already ran it before you changed the script....Do I need to do it again? Is it alright to uninstall uTorrent and LimeWire at this point in the process?

Here's the log regardless:




ComboFix 09-06-26.02 - Leland 06/28/2009 12:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3319.2629 [GMT -5:00]
Running from: c:\documents and settings\All Users\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Leland\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\7f4bs59rse139z.dll"
"c:\windows\system32\84zvir9425.bin"
"c:\windows\system32\91d2zteal351.exe"
"c:\windows\system32\92145szambo570c.dll"
"c:\windows\system32\957thie5z09.exe"
"c:\windows\system32\95c0st5al16z.exe"
"c:\windows\system32\9625viz9s2c5.dll"
"c:\windows\system32\98832v5rus72cz.dll"
"c:\windows\system32\992down5oadez1331.bin"
"c:\windows\system32\99505szambote5.bin"
"c:\windows\system32\9978viru5z89.exe"
"c:\windows\system32\9c55bzckdoor2553.bin"
"c:\windows\system32\z0332hacktool9d5.dll"
"c:\windows\system32\z12abackdo9r16415.bin"
"c:\windows\system32\z17575or93b5.exe"
"c:\windows\system32\z295th9ef1185.bin"
"c:\windows\system32\z6415ha5kto9l33a.exe"
"c:\windows\system32\z97s9yw5re617.bin"
"c:\windows\system32\z9e5th5eat29897.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\7769bazkdoor1365.bin
c:\windows\system32\79cbdowzloader7085.exe
c:\windows\system32\79d4b5ckdozr1724.bin
c:\windows\system32\79z895rus519.exe
c:\windows\system32\7aa19hief210z5.ocx
c:\windows\system32\7c5bszea91995.exe
c:\windows\system32\7c6aa5dware9186z.dll
c:\windows\system32\7cd2adzware9504.bin
c:\windows\system32\7eb0vir9z05.exe
c:\windows\system32\7ed395dwzre2735.dll
c:\windows\system32\7f4bs59rse139z.dll
c:\windows\system32\7f60spywa5e29z.dll
c:\windows\system32\7z7spar5e926.dll
c:\windows\system32\7zf5addwa9e22045.exe
c:\windows\system32\809stezl1254.cpl
c:\windows\system32\8181hac5t9zl593.dll
c:\windows\system32\84zvir9425.bin
c:\windows\system32\885vzr5s19c.bin
c:\windows\system32\90z6wor5949.cpl
c:\windows\system32\917945pambot4z7.ocx
c:\windows\system32\91837hacz5ool3b8.ocx
c:\windows\system32\91d2zteal351.exe
c:\windows\system32\92145szambo570c.dll
c:\windows\system32\9272sp91ez5.exe
c:\windows\system32\92zworm551.exe
c:\windows\system32\93400spambotc5z.exe
c:\windows\system32\9391not-a5zirus70.exe
c:\windows\system32\9438tr5z907.ocx
c:\windows\system32\9485spazse5184.ocx
c:\windows\system32\949365zy537.cpl
c:\windows\system32\94za5ownloader3035.cpl
c:\windows\system32\9509ziru5599.cpl
c:\windows\system32\957thie5z09.exe
c:\windows\system32\9584worm5z2.bin
c:\windows\system32\95c0st5al16z.exe
c:\windows\system32\9625viz9s2c5.dll
c:\windows\system32\968z9hacktoo5467.bin
c:\windows\system32\976w9r544z.ocx
c:\windows\system32\9808spy35fz.cpl
c:\windows\system32\9815ha5kto9l5z9.cpl
c:\windows\system32\98499worm5a5z.ocx
c:\windows\system32\98832v5rus72cz.dll
c:\windows\system32\992down5oadez1331.bin
c:\windows\system32\99505szambote5.bin
c:\windows\system32\9978viru5z89.exe
c:\windows\system32\99ethizf95455.cpl
c:\windows\system32\9b5ezhief662.bin
c:\windows\system32\9c55bzckdoor2553.bin
c:\windows\system32\9z59ir2384.cpl
c:\windows\system32\9zsteal765.ocx
c:\windows\system32\a84do59loaderz023.dll
c:\windows\system32\b75z9w5loader916.exe
c:\windows\system32\bz9bac5door15.dll
c:\windows\system32\c1zthrea5157659.cpl
c:\windows\system32\c9dadzw5re16899.dll
c:\windows\system32\c9dspy95re6z9.exe
c:\windows\system32\cd6d5wzloader909.dll
c:\windows\system32\f15s9a5se2z87.dll
c:\windows\system32\fc5zackdoo987.exe
c:\windows\system32\z0332hacktool9d5.dll
c:\windows\system32\z0855t5oj5de9.ocx
c:\windows\system32\z12abackdo9r16415.bin
c:\windows\system32\z17575or93b5.exe
c:\windows\system32\z1970virus956.cpl
c:\windows\system32\z20bdown9o5der581.dll
c:\windows\system32\z2599troj9e7.ocx
c:\windows\system32\z262bac9door583.ocx
c:\windows\system32\z295th9ef1185.bin
c:\windows\system32\z4992not5a9virus657.cpl
c:\windows\system32\z5f9do5nloader2490.cpl
c:\windows\system32\z635spa5bot695.bin
c:\windows\system32\z6415ha5kto9l33a.exe
c:\windows\system32\z672259y34d.ocx
c:\windows\system32\z7041spa9b5t5de.cpl
c:\windows\system32\z793spywar5214.exe
c:\windows\system32\z795sp9rse249.bin
c:\windows\system32\z800s9amb5tdb.ocx
c:\windows\system32\z8074sp5mb9t2a5.cpl
c:\windows\system32\z9255spy744.cpl
c:\windows\system32\z9452hackt5o9452.exe
c:\windows\system32\z975thief1055.exe
c:\windows\system32\z97s9yw5re617.bin
c:\windows\system32\z9815ir2356.bin
c:\windows\system32\z9938hacktoo55e9.bin
c:\windows\system32\z9e5th5eat29897.bin
c:\windows\system32\zfbvir23589.exe

.
--------------- FCopy ---------------

c:\windows\system32\svchost.exe --> c:\windows\$NtServicePackUninstall$\svchost.exe
c:\windows\system32\dllcache\user32.dll --> c:\windows\$NtServicePackUninstall$\user32.dll
c:\windows\system32\ws2_32.dll --> c:\windows\$NtServicePackUninstall$\ws2_32.dll
c:\windows\system32\dllcache\wininet.dll --> c:\windows\$NtServicePackUninstall$\wininet.dll
c:\windows\system32\drivers\tcpip.sys --> c:\windows\$NtServicePackUninstall$\tcpip.sys
c:\windows\system32\winlogon.exe --> c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\system32\drivers\ndis.sys --> c:\windows\$NtServicePackUninstall$\ndis.sys
c:\windows\system32\dllcache\ntoskrnl.exe --> c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
c:\windows\system32\dllcache\ntoskrnl.exe --> c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
c:\windows\system32\dllcache\explorer.exe --> c:\windows\$NtServicePackUninstall$\explorer.exe
c:\windows\system32\dllcache\services.exe --> c:\windows\$NtServicePackUninstall$\services.exe
c:\windows\system32\lsass.exe --> c:\windows\$NtServicePackUninstall$\lsass.exe
c:\windows\system32\ctfmon.exe --> c:\windows\$NtServicePackUninstall$\ctfmon.exe
c:\windows\system32\dllcache\wuauclt.exe --> c:\windows\$NtServicePackUninstall$\wuauclt.exe
c:\windows\system32\userinit.exe --> c:\windows\$NtServicePackUninstall$\userinit.exe
c:\windows\system32\termsrv.dll --> c:\windows\$NtServicePackUninstall$\termsrv.dll
c:\windows\system32\dllcache\kernel32.dll --> c:\windows\$NtServicePackUninstall$\kernel32.dll
c:\windows\system32\powrprof.dll --> c:\windows\$NtServicePackUninstall$\powrprof.dll
c:\windows\system32\imm32.dll --> c:\windows\$NtServicePackUninstall$\imm32.dll
c:\windows\system32\sfcfiles.dll --> c:\windows\$NtServicePackUninstall$\sfcfiles.dll
c:\windows\system32\appmgmts.dll --> c:\windows\$NtServicePackUninstall$\appmgmts.dll
c:\windows\system32\drivers\kbdclass.sys --> c:\windows\$NtServicePackUninstall$\kbdclass.sys
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-28 16:33 . 2009-06-28 16:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 16:30 . 2009-06-28 16:30 152576 ----a-w- c:\documents and settings\Leland\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-28 16:29 . 2009-06-28 16:29 -------- d-----w- c:\windows\LastGood
2009-06-28 08:34 . 2009-06-28 16:32 -------- d-----w- c:\windows\system32\KB905474
2009-06-28 08:34 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-28 06:49 . 2009-06-28 06:49 -------- d-----w- c:\windows\system32\RTCOM
2009-06-28 06:46 . 2009-06-28 06:46 -------- d-----w- c:\program files\Realtek
2009-06-28 06:45 . 2008-08-25 21:17 528384 ----a-r- c:\windows\RtlExUpd.dll
2009-06-27 21:01 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-27 21:01 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-06-27 21:01 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-27 21:01 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-27 21:01 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-27 21:01 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-27 21:01 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-27 21:01 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-27 21:01 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-27 20:59 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-27 20:54 . 2009-06-27 20:54 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-22 15:04 . 2009-06-22 15:04 -------- d-----w- c:\documents and settings\Leland\Application Data\Malwarebytes
2009-06-20 15:59 . 2009-06-20 15:59 -------- d-----w- c:\program files\Trend Micro
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 05:27 . 2009-06-20 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 05:27 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 05:03 . 2009-06-20 05:03 830976 ----a-w- c:\windows\system32\setup2(malware).exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 16:31 . 2007-10-02 02:40 -------- d-----w- c:\program files\Java
2009-06-28 08:28 . 2007-10-14 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-28 06:46 . 2007-09-15 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 20:53 . 2008-04-29 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-20 16:46 . 2007-12-25 06:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 05:27 . 2008-10-07 02:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-07 15:44 . 2001-08-23 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 09:58 . 2001-08-23 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-23 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2004-08-04 06:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[7] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 06:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\ServicePackFiles\i386\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2004-08-04 06:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie7\wininet.dll
[7] 2006-11-08 03:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie8\wininet.dll
[7] 2004-08-04 06:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\wininet.dll
[7] 2008-08-22 08:08 878592 DF1CB456ED1E038B276123365A1A93C4 c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2004-08-04 05:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 06:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 05:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2004-08-04 05:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-04 04:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2004-08-04 05:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[7] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\$NtServicePackUninstall$\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2004-08-04 06:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\dllcache\services.exe

[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2004-08-04 06:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2004-08-04 06:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2004-08-04 06:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 06:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-04 06:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[7] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2004-08-04 06:56 983552 888190E31455FAD793312F8D087146EB c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2gdr\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2qfe\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2004-08-04 06:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2004-08-04 06:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2004-08-04 06:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2004-08-04 06:56 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\system32\appmgmts.dll

[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-06-28_17.12.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-20 05:01 . 2008-10-16 19:09 51224 c:\windows\$NtServicePackUninstall$\wuauclt.exe
+ 2007-06-20 05:00 . 2004-08-04 06:56 82944 c:\windows\$NtServicePackUninstall$\ws2_32.dll
+ 2007-06-20 05:00 . 2004-08-04 06:56 24576 c:\windows\$NtServicePackUninstall$\userinit.exe
+ 2007-06-20 05:00 . 2004-08-04 06:56 14336 c:\windows\$NtServicePackUninstall$\svchost.exe
+ 2007-06-20 05:00 . 2004-08-04 06:56 17408 c:\windows\$NtServicePackUninstall$\powrprof.dll
+ 2007-06-20 05:00 . 2004-08-04 06:56 13312 c:\windows\$NtServicePackUninstall$\lsass.exe
+ 2007-06-20 05:00 . 2004-08-04 04:58 24576 c:\windows\$NtServicePackUninstall$\kbdclass.sys
+ 2007-06-20 05:00 . 2004-08-04 06:56 15360 c:\windows\$NtServicePackUninstall$\ctfmon.exe
+ 2007-06-20 05:00 . 2004-08-04 06:56 502272 c:\windows\$NtServicePackUninstall$\winlogon.exe
+ 2007-06-20 05:00 . 2008-08-22 08:08 878592 c:\windows\$NtServicePackUninstall$\wininet.dll
+ 2007-06-20 05:00 . 2007-03-08 15:36 577536 c:\windows\$NtServicePackUninstall$\user32.dll
+ 2007-06-20 05:00 . 2004-08-04 06:56 295424 c:\windows\$NtServicePackUninstall$\termsrv.dll
+ 2007-06-20 05:00 . 2008-06-20 10:45 360320 c:\windows\$NtServicePackUninstall$\tcpip.sys
+ 2007-06-20 05:00 . 2009-02-06 17:14 110592 c:\windows\$NtServicePackUninstall$\services.exe
+ 2007-06-20 05:00 . 2004-08-04 05:14 182912 c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2007-06-20 05:00 . 2009-03-21 14:18 986112 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2007-06-20 05:00 . 2004-08-04 06:56 110080 c:\windows\$NtServicePackUninstall$\imm32.dll
+ 2007-06-20 05:01 . 2004-08-04 06:56 167936 c:\windows\$NtServicePackUninstall$\appmgmts.dll
+ 2007-06-20 05:00 . 2004-08-04 06:56 1580544 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
+ 2007-06-20 05:00 . 2009-02-06 17:24 2180480 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
+ 2007-06-20 05:00 . 2009-02-06 17:24 2180480 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
+ 2007-06-20 05:01 . 2007-06-13 10:23 1033216 c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-29 68856]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-28 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-12 17531392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [6/20/2007 12:02 AM 26144]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/28/2009 1:47 AM 1684736]
S3 TucbDriverV32;TucbDriverV32;c:\windows\system32\drivers\TucbDriverV32.sys [3/23/2008 4:09 PM 506496]
S3 TucbVideo32;TucbVideo32;c:\windows\system32\drivers\TucbVideo32.sys [3/23/2008 4:09 PM 3768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 13:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-884357618-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
Completion time: 2009-06-28 13:12
ComboFix-quarantined-files.txt 2009-06-28 18:12
ComboFix2.txt 2009-06-28 17:17
ComboFix3.txt 2009-06-27 20:58

Pre-Run: 3,508,256,768 bytes free
Post-Run: 3,520,360,448 bytes free

431 --- E O F --- 2009-06-28 08:35

Edited by Lee Fried, 28 June 2009 - 01:29 PM.


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 June 2009 - 01:50 PM

Hi Lee Fried,

At this stage you should uninstall Limewire and uTorrent. The script change is not a vital stage so do not worry.

Combofix seems to have done the job on the files this time. :thumbup2:

Please run an online scan.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Please also post fresh DDS logs
Posted Image
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 01 July 2009 - 11:50 AM

Hi Lee Fried,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users