Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google SERP Hijack + Other Malware Issues


  • This topic is locked This topic is locked
32 replies to this topic

#1 TheGriz43

TheGriz43

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 11 August 2009 - 02:46 PM

Good afternoon BleepingComputer,

I have been commissioned to fix my son and daughter-in-law's computer and rid it of all the nasty "things" that are going on. Computer is Dell XPS 400, Intel coreduo @3.00Ghz, 1Gb ram, 70 GB hard drive, ATI Radeon X300 video. I have to work (mostly) via RDP, as they are 30 miles away.

The symptoms I am seeing are:
1. IE home page changed from whatever to Google,
2. Google SERP's have been hijacked to go to CouponMountain, Bizrate, and others, etc. ad nauseam,
3. McAfee on-demand scanner reports the error: "Scanning has encountered a problem from which it cannot recover. Here are the problem details: -Error starting on demand scanner." I ran McAfee's Virtual Technician, it didn't fix anything, even though it reported problems as fixed.
4. I've tried downloading and running several of the Anti-Malware packages. They haven't been able to fix anything and some of them have terminated early (within seconds of start). When I try to re-execute them I get a Windows (??) popup with the following message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
5. (NEW) I was attempting to run Trend Micro's online (IE/Java) malware scan when it terminated prematurely, and now I can't even launch Internet Explorer.

As per your Preparation Guide I have downloaded and run DDS.SCR. Please find dds.txt inserted below:

======================DDS.TXT==================================================


DDS (Ver_09-07-30.01) - NTFSx86
Run by TheGriz43 at 15:04:01.31 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.550 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\Documents and Settings\TheGriz43\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [DellSupport-] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [realteks] "c:\documents and settings\jamie\application data\google\edpgz16420882.exe" 2
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5701/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-16 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 298776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-6-16 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-6-16 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-6-16 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-16 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-16 40552]
S2 gupdate1c9b13c257aa5de;Google Update Service (gupdate1c9b13c257aa5de);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-16 34216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 StkMini;VideoAdvantage USB;c:\windows\system32\drivers\StkMini.sys [2006-9-24 600617]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-08-11 00:24 <DIR> --d-h--- c:\windows\PIF
2009-08-11 00:24 <DIR> --d----- c:\program files\Sophos
2009-08-11 00:23 <DIR> --d----- c:\docume~1\thegri~1\applic~1\Malwarebytes
2009-08-11 00:23 <DIR> --d----- c:\docume~1\thegri~1\applic~1\AVG8
2009-08-09 15:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-09 15:39 <DIR> --d----- c:\documents and settings\thegriz43\.housecall6.6
2009-08-09 15:16 1,152 a------- c:\windows\system32\windrv.sys
2009-08-09 15:15 <DIR> --d----- c:\program files\SpyNoMore
2009-08-07 14:29 <DIR> --d----- c:\docume~1\thegri~1\applic~1\McAfee
2009-08-07 14:28 <DIR> --d----- c:\windows\McAfee.com
2009-08-07 09:58 0 a------- c:\windows\B1BCF79A.x86.dll
2009-08-06 18:41 <DIR> --d----- c:\docume~1\thegri~1\applic~1\.clamwin
2009-08-06 18:40 <DIR> --d----- c:\documents and settings\TheGriz43
2009-08-06 17:07 0 a------- c:\windows\C3467FBC.x86.dll
2009-08-06 08:56 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-06 08:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-06 08:46 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 08:45 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-06 08:45 <DIR> --d----- c:\program files\AVG
2009-08-06 08:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-06 00:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-06 00:31 <DIR> --d----- c:\windows\system32\CatRoot
2009-08-06 00:28 0 a------- C:\vkywt.exe
2009-08-06 00:28 0 a------- C:\phheq.exe
2009-08-06 00:28 0 a------- C:\ibts.exe
2009-08-06 00:28 0 a------- C:\criqmsck.exe
2009-08-06 00:28 0 a------- C:\403606165
2009-07-28 19:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-27 10:43 <DIR> --d----- c:\program files\HERACTSTG
2009-07-24 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-16 22:54 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-16 22:54 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-07-21 20:37 15,600 a------- c:\windows\system32\drivers\???????
2009-05-16 20:01 2,560 a------- c:\windows\_MSRSTRT.EXE

============= FINISH: 15:04:35.03 ===============

I have also attached the zipped up ATTACH.TXT

Any and all assistance will be greatly appreciated,

TheGriz43

Attached Files



BC AdBot (Login to Remove)

 


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 PM

Posted 23 August 2009 - 06:15 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here
.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay
.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 23 August 2009 - 09:35 PM

Dear Net_Surfer,

As per your instructions I downloaded DDS.PIF and DDS.SCR. When I execute DDS.SCR it opens a command prompt window, prints its instructions as follows:
=====================================================
As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.

=======================================================

and just sits there. I gave it an hour before I gave up and closed the command prompt window.

As far as I am able to ascertain I believe I have any and all script-blocking tools disabled. I used msconfig to completely disable McAfee and AVG (which I can't uninstall, but more on that later), then rebooted the system. I re-executed DDS with the same results, just sits there for an hour or so before I give up and close the window.

I never receive a logfile window, like I did for my original post.

Any suggestions?

Your assistance is greatly appreciated,

TheGriz43

Edited by TheGriz43, 23 August 2009 - 09:36 PM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 27 August 2009 - 02:53 PM

Hello TheGriz43

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or AVG.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<
Next
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click Posted Image on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Posted Image
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Then please post back here with the following:
  • log.txt
  • info.txt
  • RootRepeal.txt
Thanks

Edited by syler, 27 August 2009 - 02:59 PM.

unite.jpg


#5 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 27 August 2009 - 07:40 PM

Hello Syler, and thank you for trying to help my solve this problem.

I noted your comment on multiple anti-virus products, and I agree with you. Unfortunately, AVG won't uninstall. Maybe we can work on that later, currently its resident shield is disabled.

I downloaded the two pieces of software that you and attempted to run them with the following results:

1. I launched RSIT and it displayed its disclaimer box. I clicked "Continue" and it immediately displayed the following error message box :

-------------------------------------------------------
Autolt error

Line -1:

Error: variable used without being declared.
-------------------------------------------------------

2. I downloaded and un-zipped RootRepeal.zip. I then clicked the desktop icon to launch it and checked all the boxes that you indicated that I should check and then started a scan. RootRepeal scanned for about 20-30 seconds and then disappeared, as if something terminated the process. Now, when I try to launch the program I receive the following error box:

----------------------------------------------------------------------------------------------------------
C:\Documents and Settings\TheGriz43\Desktop\RootRepeal.exe

Windows cannot access the specified device, path, or file. You may not have the appropriate
permissions to access the item.
-----------------------------------------------------------------------------------------------------------

Sorry for all the problems I seem to be having. I can't seem to get any of your diagnostics tools to execute.

TheGriz43

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 27 August 2009 - 07:45 PM

No need to sorry it's not your fault it is likely the malware causing these problems, lets try another tool, hopefully this one will run :thumbup2:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    Link 1
    Link 2
    Link 3

    Posted Image


    Posted Image
    --------------------------------------------------------------------

    Double click on Combo-Fix.exe & follow the prompts.
    [list]When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .

unite.jpg


#7 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 27 August 2009 - 08:33 PM

Dear Syler,

Well, FINALLY, something worked!!!! Please find the log/text file from Combo-Fix embedded below:

===========================Begin text file===========================================
ComboFix 09-08-27.02 - TheGriz43 08/27/2009 20:57.1.2 - NTFSx86
Running from: c:\documents and settings\TheGriz43\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\criqmsck.exe
c:\docume~1\THEGRI~1\LOCALS~1\Temp\Temporary Directory 1 for R107621a.zip\DMPlus2001Upg.exe
c:\documents and settings\TheGriz43\Local Settings\Temp\Temporary Directory 1 for R107621a.zip\DMPlus2001Upg.exe
C:\ibts.exe
C:\phheq.exe
c:\recycler\S-1-5-21-3226349313-1886404851-4157740341-1012
C:\vkywt.exe
c:\windows\B1BCF79A.x86.dll
c:\windows\C3467FBC.x86.dll
c:\windows\db32.txt
c:\windows\Downloaded Program Files\Temp
c:\windows\Installer\42e3576.msi
c:\windows\Installer\54f388b.msp
c:\windows\Installer\54f3891.msp
c:\windows\Installer\54f389e.msp
c:\windows\Installer\54f3922.msp
c:\windows\Installer\54f3acb.msp
c:\windows\Installer\54f3baa.msp
c:\windows\Installer\54f3bcd.msp
c:\windows\Installer\9fe4d.msi


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-27 23:59 . 2009-08-27 23:59 34816 ----a-w- c:\windows\system32\drivers\xyzabc.sys
2009-08-27 23:53 . 2009-08-27 23:53 -------- d-----w- C:\rsit
2009-08-22 13:02 . 2009-08-22 13:02 -------- d-----w- c:\documents and settings\Ellis Kids.ELLIS\Local Settings\Application Data\Mozilla
2009-08-16 03:00 . 2009-08-16 03:00 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Ahead
2009-08-15 22:13 . 2009-08-15 22:13 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\Ahead
2009-08-15 14:45 . 2004-07-16 12:40 2019328 ------w- c:\windows\UNMRW.exe
2009-08-15 14:45 . 2004-07-16 12:54 27648 ------w- c:\windows\system32\drivers\InCDrm.sys
2009-08-15 14:45 . 2004-07-16 12:40 2019328 ------w- c:\windows\NuNinst.exe
2009-08-15 14:45 . 2004-07-16 18:57 7680 ------w- c:\windows\system32\drivers\InCDrec.sys
2009-08-15 14:45 . 2004-07-16 18:53 28672 ------w- c:\windows\system32\drivers\InCDpass.sys
2009-08-15 14:45 . 2004-07-16 18:53 92672 ------w- c:\windows\system32\drivers\InCDfs.sys
2009-08-15 14:45 . 2009-08-15 14:45 -------- d-----w- c:\windows\InCD
2009-08-15 14:44 . 2004-06-23 17:26 1994752 ------w- c:\windows\UNNMP.exe
2009-08-15 14:41 . 2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-15 14:40 . 2004-10-11 07:23 2277376 ------w- c:\windows\UNNeroVision.exe
2009-08-15 14:40 . 2009-08-15 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-08-15 14:40 . 2004-07-20 21:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-08-15 14:40 . 2004-07-09 13:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-08-15 14:39 . 2004-07-20 21:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-08-15 14:39 . 2004-07-20 21:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-08-15 14:39 . 2004-07-20 21:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-08-15 14:39 . 2000-06-26 15:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-08-15 14:39 . 2001-06-26 12:15 38912 ------w- c:\windows\system32\picn20.dll
2009-08-15 14:39 . 2009-08-15 14:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-15 14:39 . 2009-08-15 14:45 -------- d-----w- c:\program files\Ahead
2009-08-13 20:45 . 2009-08-13 20:45 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\Mozilla
2009-08-13 20:37 . 2009-08-13 20:37 -------- d-----w- c:\documents and settings\Warren\Application Data\PCF-VLC
2009-08-13 20:26 . 2009-08-13 20:26 -------- d-----w- c:\documents and settings\Warren\Application Data\Participatory Culture Foundation
2009-08-13 19:07 . 2009-08-13 19:07 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Mozilla
2009-08-13 16:34 . 2009-08-13 16:34 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\Mozilla
2009-08-12 20:40 . 2009-08-12 22:47 -------- d-----w- c:\program files\Adaptec
2009-08-12 20:40 . 2009-08-12 22:47 57344 ----a-w- c:\windows\uneng.exe
2009-08-12 20:39 . 2009-08-12 23:05 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-08-11 19:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 19:22 . 2009-08-11 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 19:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 04:24 . 2009-08-11 04:24 -------- d--h--w- c:\windows\PIF
2009-08-11 04:24 . 2009-08-11 04:24 -------- d-----w- c:\program files\Sophos
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\Malwarebytes
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\AVG8
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\BVRP Software
2009-08-11 04:22 . 2009-08-12 23:38 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\ApplicationHistory
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\Jamie\Application Data\AVG8
2009-08-09 19:40 . 2009-08-09 19:39 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-09 19:39 . 2009-08-11 04:19 -------- d-----w- c:\documents and settings\TheGriz43\.housecall6.6
2009-08-09 19:16 . 2009-08-09 19:16 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-09 19:15 . 2009-08-11 04:19 -------- d-----w- c:\program files\SpyNoMore
2009-08-07 18:29 . 2009-07-13 05:42 286880 ----a-r- c:\documents and settings\TheGriz43\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-07 18:29 . 2009-08-07 18:29 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\McAfee
2009-08-07 18:28 . 2009-08-07 18:28 -------- d-----w- c:\windows\McAfee.com
2009-08-07 13:57 . 2009-08-07 13:56 417560 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2009-08-07 13:57 . 2009-08-07 13:56 382744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2009-08-07 13:57 . 2009-08-07 13:56 594712 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgnsx.exe
2009-08-07 13:57 . 2009-08-07 13:56 161048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglvex.dll
2009-08-07 13:57 . 2009-08-07 13:56 274200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgamnot.dll
2009-08-07 13:57 . 2009-08-07 13:56 760600 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2009-08-07 02:09 . 2009-08-07 02:09 -------- d-----w- c:\documents and settings\Warren\Application Data\.clamwin
2009-08-06 22:41 . 2009-08-06 22:41 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\.clamwin
2009-08-06 20:26 . 2009-08-07 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 18:29 . 2009-08-07 13:56 836888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-08-06 18:29 . 2009-08-07 13:56 310528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-08-06 18:29 . 2009-08-07 13:56 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-08-06 18:29 . 2009-08-07 13:56 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-08-06 18:29 . 2009-08-07 13:56 486680 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-08-06 18:29 . 2009-08-07 13:56 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-08-06 18:29 . 2009-08-07 13:56 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-08-06 18:29 . 2009-08-07 13:56 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-08-06 18:27 . 2009-08-06 18:27 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-06 18:27 . 2009-08-06 18:27 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-06 18:27 . 2009-08-06 18:27 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-06 18:27 . 2009-08-06 18:27 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-06 13:46 . 2009-07-13 05:42 286880 ----a-r- c:\documents and settings\Jamie\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-06 13:44 . 2009-08-06 13:44 49152 ----a-r- c:\documents and settings\Jamie\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-08-06 13:44 . 2009-08-06 13:44 49152 ----a-r- c:\documents and settings\Jamie\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-08-06 12:56 . 2009-08-20 16:41 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-06 12:46 . 2009-08-20 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 12:46 . 2009-08-20 12:07 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 12:46 . 2009-08-20 12:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 12:45 . 2009-08-27 13:27 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-06 12:45 . 2009-08-06 12:45 -------- d-----w- c:\program files\AVG
2009-08-06 12:45 . 2009-08-24 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-06 12:17 . 2009-08-06 12:17 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Identities
2009-08-06 04:36 . 2009-08-06 04:36 117760 ----a-w- c:\documents and settings\Jamie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-06 04:35 . 2009-08-06 04:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-06 04:31 . 2009-08-12 21:39 -------- d-----w- c:\windows\system32\CatRoot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 00:26 . 2005-11-18 22:55 -------- d-----w- c:\program files\McAfee
2009-08-27 02:04 . 2005-11-04 20:09 -------- d-----w- c:\program files\Dl_cats
2009-08-23 12:22 . 2007-09-10 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-16 13:20 . 2005-10-21 18:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-14 13:31 . 2009-03-06 18:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 23:31 . 2009-08-06 22:40 132 ----a-w- c:\documents and settings\TheGriz43\Local Settings\Application Data\fusioncache.dat
2009-08-12 22:47 . 2000-03-13 21:55 1044480 -c--a-w- c:\windows\system32\ROBOEX32.DLL
2009-08-06 13:44 . 2005-11-18 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-06 04:35 . 2008-12-09 21:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-06 04:35 . 2008-12-09 21:47 -------- d-----w- c:\documents and settings\Jamie\Application Data\SUPERAntiSpyware.com
2009-07-28 23:27 . 2009-07-28 23:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-28 23:27 . 2005-10-21 18:48 -------- d-----w- c:\program files\Java
2009-07-28 23:26 . 2009-07-28 23:26 152576 ----a-w- c:\documents and settings\Jamie\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-27 14:43 . 2009-07-27 14:43 -------- d-----w- c:\program files\HERACTSTG
2009-07-27 14:43 . 2007-08-24 21:02 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-07-25 00:01 . 2009-07-25 00:01 -------- d-----w- c:\documents and settings\Jamie\Application Data\Malwarebytes
2009-07-24 21:17 . 2009-07-24 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-22 00:37 . 2009-02-27 17:48 15600 ----a-w- c:\windows\system32\drivers\???????
2009-07-21 18:52 . 2009-07-21 18:52 422 ----a-w- c:\documents and settings\Jamie\Application Data\Corel Photo Album\mario.exe
2009-07-21 18:52 . 2009-07-21 18:52 16141 ----a-w- c:\documents and settings\Jamie\Application Data\CyberLink\flamiks32.exe
2009-07-21 18:52 . 2009-07-21 18:52 145131 ----a-w- c:\documents and settings\Jamie\Application Data\Creative\pingo.dll
2009-07-21 18:52 . 2009-07-21 18:52 13221 ----a-w- c:\documents and settings\Jamie\Application Data\AdobeUM\xl12.exe
2009-07-21 18:52 . 2009-07-21 18:52 11232 ----a-w- c:\documents and settings\Jamie\Application Data\Adobe\norigami.dll
2009-07-11 16:45 . 2009-07-11 16:44 -------- d-----w- c:\documents and settings\Warren\Application Data\SecondLife
2007-01-05 22:43 . 2005-10-28 04:30 56 -csh--r- c:\windows\system32\80B6C558E1.sys
2007-01-05 22:43 . 2005-10-28 04:30 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-10 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-10 10:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-10 10:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-05-02 20:57 658944 E1E18136F9DD3DF1AD9C82193A5898A6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2005-05-02 20:52 657920 1A078AF3F85D10BA56444C23B3A18E74 c:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:33 658432 1C0979C7A489BEE573CD0BF4AD94BB06 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:23 658432 38AB7A56F566D9AAAD31812494944824 c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:02 658944 2B4DB890936430C71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:39 658944 621AF3F6174A3F60677F5230E28BCC07 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:17 658944 6B2735ADFF5A5D3B9130CA4A794722F0 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 13:37 658944 8C393DF5234CBCBFF1EE31902D6B40AE c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:31 658944 B7156CD97E739F3014BC4D61758F868A c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-06-26 14:09 658944 184E47C8F7B331025E6DC92740DB188F c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3GDR\wininet.dll
[-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3QFE\wininet.dll
[-] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
[-] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 10:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-10 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-10 10:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 08:38 2015744 A58AC1C6199EF34228ABEE7FC057AE09 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2004-08-04 03:59 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2015232 3CD941E472DDF3534E53038535719771 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:08 2136064 1220FAF071DEA8653EE21DE7DCDA8BFD c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2004-08-04 04:18 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:57 2135552 48B3E89AF7074CEE0314A3E0C7FAFFDB c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 10:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2004-08-10 10:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe

[-] 2004-08-10 10:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-10 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[-] 2004-08-10 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\bak\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-10 10:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2004-08-10 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2004-08-10 10:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2004-08-10 10:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll

[-] 2004-08-10 10:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-10 10:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2005-05-02 20:57 3014144 DCC5C79B99F02EEF8C826B074DBFC222 c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[-] 2005-10-05 00:51 3017728 3394299FBF1CD0B24089FC762611360B c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-11-24 01:07 3018240 D3F037F5DA702AE9DDD7663EC9D78BA7 c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[-] 2006-03-23 20:31 3055616 ABCD123F888E4E97C8751378CCCC4F26 c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[-] 2006-05-19 15:06 3055104 8687E029BE63C77D4919485068C54D77 c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-07-28 11:30 3058176 D251679BD9EF0250201FB899EC40FD32 c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-09-14 08:31 3058688 CEFEA1C301139A817931BE132F0359FE c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-10-23 15:34 3061248 88E1C15BB1A9ED3CBA4D6F2F408D5010 c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2007-01-04 14:05 3062272 1C45525574EF206346FBAFCAAC7CC4A5 c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2007-05-04 12:59 3064320 00ADCB32832A10ED9419493BCEA97526 c:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-06-15 08:12 3064320 53F3FD772C010622346C39284C4A863B c:\windows\$hf_mig$\KB937143\SP2QFE\mshtml.dll
[-] 2007-10-30 09:55 3065856 79314A0A6B0DA78AFE491FF2D8B117BA c:\windows\$hf_mig$\KB942615\SP2QFE\mshtml.dll
[-] 2007-10-30 23:48 3593216 54D8B404F17AA74C666F7F3AEF2AE459 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-04-29 04:49 3598336 C6FD770D518FB024245A0EE217D72BC1 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2005-05-02 18:52 3012608 DCFAC5470EE0A159EC4222BC28AE3EE6 c:\windows\$NtUninstallKB896688$\mshtml.dll
[-] 2005-10-04 22:26 3015168 042AC20E084D21DD6BEE99B89CC30FB7 c:\windows\$NtUninstallKB905915$\mshtml.dll
[-] 2005-11-24 01:06 3015680 5E7A39950EA133BB54719A6E08C544A7 c:\windows\$NtUninstallKB912812$\mshtml.dll
[-] 2006-03-23 20:32 3053568 DEAA438EA31095E14A196FF647E38D13 c:\windows\$NtUninstallKB916281$\mshtml.dll
[-] 2006-05-19 15:08 3052544 284CE76B71DD5260B42A3CCF0135AF67 c:\windows\$NtUninstallKB918899$\mshtml.dll
[-] 2006-07-28 11:28 3054080 C7074DA3D8F8C0F6C03874BA0B05069C c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-09-14 08:39 3054592 BE45460D1453B7342E01EAE79BFBC681 c:\windows\$NtUninstallKB925454$\mshtml.dll
[-] 2006-10-23 15:17 3055104 5FC7DE1195C8E9B5360FD65DBE95E5B0 c:\windows\$NtUninstallKB928090$\mshtml.dll
[-] 2007-01-04 13:36 3056640 F31274D7667D83E73C6EE16D2206B76C c:\windows\$NtUninstallKB933566$\mshtml.dll
[-] 2007-05-04 12:29 3058688 4D92717B5BBCE85F1254BAD23B0D357C c:\windows\$NtUninstallKB937143$\mshtml.dll
[-] 2007-06-14 18:09 3058688 F049C52772FC86FD5F6C16D77A2A6204 c:\windows\$NtUninstallKB942615$\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB942615-IE7\mshtml.dll
[-] 2007-10-31 10:12 3590656 8AB7ECF59D6EBBE986277B65ED4A40A1 c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[-] 2008-06-24 14:57 3592192 EC936148284F557F19C333178768109B c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2008-08-27 08:24 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2009-07-19 23:03 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3GDR\mshtml.dll
[-] 2009-07-19 13:31 3600384 F6098CC1B1C3858D53F20F3CB5774F3B c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3QFE\mshtml.dll
[-] 2007-10-31 10:12 3590656 8AB7ECF59D6EBBE986277B65ED4A40A1 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\mshtml.dll
[-] 2007-10-30 23:48 3593216 54D8B404F17AA74C666F7F3AEF2AE459 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\system32\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\system32\dllcache\mshtml.dll

[-] 2004-08-04 03:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-10 10:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll

[-] 2004-08-10 10:00 22016 74D66B3DE265E8789153414E75175F26 c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll

[-] 2004-08-10 10:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2004-08-10 10:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-04 03:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-10 10:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll

[-] 2005-04-28 19:35 396288 DA383FB39A6F1C445F3AFC94B3EB1248 c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-07-26 04:20 398336 C369DF215D352B6F3A0B8C3469AA34F8 c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-07-26 04:39 397824 CE94A2BD25E3E9F4D46A7373FF455C6D c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2004-08-10 10:00 395776 5C83A4408604F737717AB96371201680 c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-04-28 19:31 395776 C8061F289E000703E7672916B7FE1571 c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\system32\rpcss.dll

[-] 2004-08-10 10:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll

[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2004-08-10 10:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2004-08-10 10:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-10 10:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2004-08-10 10:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\dllcache\acpiec.sys
[-] 2004-08-10 10:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-10 10:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll

[-] 2004-08-10 10:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll

[-] 2004-08-10 10:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll

[-] 2004-08-10 10:00 180224 0F78E27F563F2AAF74B91A49E2ABF19A c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 00:12 60928 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\scecli.dll

[-] 2004-08-10 10:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[-] 2004-08-10 10:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2004-08-10 10:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys

[-] 2005-08-03 23:29 25088 B9715B9C18BC6C8F4B66733D208CC9F7 c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-08-03 23:29 25088 B9715B9C18BC6C8F4B66733D208CC9F7 c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-10 10:00 25088 6EAA72FD9EF993EC1FA9A06DE65105DA c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-10 10:00 129536 EEF46DAB68229A14DA3D8E73C99E2959 c:\windows\$NtServicePackUninstall$\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\xmlprov.dll

[-] 2004-08-10 10:00 60416 10654F9DDCEA9C46CFB77554231BE73B c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\cryptsvc.dll

[-] 2004-08-10 10:00 77312 E3CFCCDDA4EDD1D0DC9168B2E18F27B8 c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\browser.dll

[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2004-08-10 10:00 246272 EB4A4187D74A8EFDCBEA3EA2CB1BDFBD c:\windows\$NtUninstallKB893756$\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\tapisrv.dll

[-] 2008-06-20 17:36 245248 1DFCA7713EA5A70D5D93B436AEA0317A c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 17:43 245248 FCEE5FCB99F7C724593365C706D28388 c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\$NtServicePackUninstall$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2004-08-10 10:00 245248 4E74AF063C3271FBEA20DD940CFD1184 c:\windows\$NtUninstallKB951748_0$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\ServicePackFiles\i386\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\system32\dllcache\mswsock.dll

[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2004-08-10 10:00 198144 DAB9E6C7105D2EF49876FE92C524F565 c:\windows\$NtUninstallKB905414$\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\netman.dll

[-] 2005-07-26 04:20 243200 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2008-07-07 20:06 253952 A4AB3DCA4A383F0DF4988ABDEB84F9A4 c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 253952 F17F6226BDC0CD5F0BEF0DAF84D29BEC c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\$NtServicePackUninstall$\es.dll
[-] 2004-08-10 10:00 243200 ACD36A2DD7D1E9D8A060AA651DC07E63 c:\windows\$NtUninstallKB902400$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\$NtUninstallKB950974$\es.dll
[-] 2005-07-26 04:39 243200 34BBD9ACC1538818F2C878898C64E793 c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\ServicePackFiles\i386\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\system32\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\system32\dllcache\es.dll

[-] 2005-09-01 01:44 19968 648BF0B4DDE4F7A1156DAE7174D36EFA c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 01:41 19968 A1A688EE56CF3BBD24EDEB815D48E9BA c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2004-08-10 10:00 18944 C2BBD044C741EA4292016C36F718D2E4 c:\windows\$NtUninstallKB900725$\linkinfo.dll
[-] 2008-04-14 00:11 19968 2DC5A8019E2387987905F77C664E4BE2 c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2008-04-14 00:11 19968 2DC5A8019E2387987905F77C664E4BE2 c:\windows\system32\linkinfo.dll

[-] 2004-08-10 10:00 71680 4B8D61792F7175BED48859CC18CE4E38 c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\ssdpsrv.dll

[-] 2007-02-05 20:19 185344 36ACA6CDC19C95FF468A1426EB7F32F0 c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2004-08-10 10:00 185344 0546477BDE979E33294FE97F6B3DE84A c:\windows\$NtUninstallKB931261$\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\upnphost.dll

[-] 2004-08-10 10:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll

[-] 2004-08-10 10:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe

[-] 2004-08-10 10:00 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\ntmssvc.dll

[-] 2004-08-10 10:00 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\rasauto.dll

[-] 2004-08-10 10:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2004-08-10 10:00 190976 92360854316611F6CC471612213C3D92 c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\schedsvc.dll

[-] 2004-08-10 10:00 59904 3151427DB7D87107D1C5BE58FAC53960 c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll

[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2004-08-10 10:00 134656 E7518DC542D3EBDCB80EDD98462C7821 c:\windows\$NtUninstallKB928255$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-04 23:58 . 2005-04-04 23:58 856064 c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\bak\VersionCueCS2Tray.exe

2007-05-11 07:06 . 2007-05-11 07:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2007-09-10 01:58 . 2007-09-13 13:56 185632 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2007-07-24 14:08 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2005-10-21 19:04 . 2007-08-04 06:33 582992 c:\program files\McAfee.com\Agent\bak\mcagent.exe
2005-10-21 19:04 . 2009-01-09 01:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe

2005-10-21 19:00 . 2005-10-21 19:00 98304 c:\program files\QuickTime\bak\qttask.exe

2004-08-19 20:50 . 2004-08-10 10:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-19 20:50 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"DellSupport-"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"realteks"="c:\documents and settings\Jamie\Application Data\Google\edpgz16420882.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-07-16 1409136]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [N/A]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [N/A]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [N/A]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [N/A]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [N/A]
"MPSExe"="c:\progra~1\mcafee.com\mps\mscifapp.exe" [N/A]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [N/A]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 18:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBARQ Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBARQ Help.lnk
backup=c:\windows\pss\EMBARQ Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TabletService"=2 (0x2)
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"aspimgr"=2 (0x2)
"Adobe Version Cue CS2"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"xmlprov"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"hkmsvc"=3 (0x3)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"ClipSrv"=3 (0x3)
"McciCMService"=2 (0x2)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 0072751251397380mcinstcleanup;McAfee Application Installer Cleanup (0072751251397380);c:\windows\TEMP\007275~1.EXE [x]
R2 gupdate1c9b13c257aa5de;Google Update Service (gupdate1c9b13c257aa5de);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 133104]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\4.tmp [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 StkMini;VideoAdvantage USB;c:\windows\system32\Drivers\StkMini.sys [2004-09-01 600617]
R3 xyzabc;xyzabc;c:\windows\system32\drivers\xyzabc.sys [2009-08-27 34816]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-20 335240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-20 297752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0072751251397380MCINSTCLEANUP
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-10 13:32]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 13:33]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-16 15:53]

2008-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-16 15:53]

2009-02-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

2009-02-27 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\TheGriz43\Application Data\Mozilla\Firefox\Profiles\gubvgwz3.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]
"ImagePath"="\SystemRoot\system32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drvmcdb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drvncdb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drvnddm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DSBrokerService]
"ImagePath"="\"c:\program files\DellSupport\brkrsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DSproct]
"ImagePath"="\??\c:\program files\DellSupport\GTAction\triggers\DSproct.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dsunidrv]
"ImagePath"="system32\DRIVERS\dsunidrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\E100B]
"ImagePath"="system32\DRIVERS\e100b325.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e1express]
"ImagePath"="system32\DRIVERS\e1e5132.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehRecvr]
"ImagePath"="c:\windows\eHome\ehRecvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehSched]
"ImagePath"="c:\windows\eHome\ehSched.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fax]
"ImagePath"="%systemroot%\system32\fxssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdate1c9b13c257aa5de]
"ImagePath"="\"c:\program files\Google\Update\GoogleUpdate.exe\" /svc"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]
"ImagePath"="\SystemRoot\system32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]
"ImagePath"="\SystemRoot\system32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IAANTMon]
"ImagePath"="c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iastor]
"ImagePath"="system32\drivers\iastor.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\drivers\Imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InCDfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InCDPass]
"ImagePath"="System32\DRIVERS\InCDPass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InCDrec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\incdrm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InCDsrv]
"ImagePath"="c:\program files\Ahead\InCD\InCDsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InCDsrvR]
"ImagePath"="c:\program files\Ahead\InCD\InCDsrv.exe -r"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]
"ImagePath"="\SystemRoot\system32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelC51]
"ImagePath"="system32\DRIVERS\IntelC51.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelC52]
"ImagePath"="system32\DRIVERS\IntelC52.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelC53]
"ImagePath"="system32\DRIVERS\IntelC53.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntuitUpdateService]
"ImagePath"="\"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McciCMService]
"ImagePath"="\"c:\program files\Common Files\Motive\McciCMService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mcmscsvc]
"ImagePath"="c:\progra~1\McAfee\MSC\mcmscsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McNASvc]
"ImagePath"="\"c:\program files\common files\mcafee\mna\mcnasvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McODS]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcods.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McProxy]
"ImagePath"="c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McrdSvc]
"ImagePath"="c:\windows\ehome\mcrdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McShield]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcshield.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McSysmon]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfeavfk]
"ImagePath"="system32\drivers\mfeavfk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfebopk]
"ImagePath"="system32\drivers\mfebopk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfehidk]
"ImagePath"="system32\drivers\mfehidk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mferkdk]
"ImagePath"="system32\drivers\mferkdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfesmfk]
"ImagePath"="system32\drivers\mfesmfk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHN]
"ServiceDll"="%SystemRoot%\System32\mhn.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHNDRV]
"ImagePath"="system32\DRIVERS\mhndrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MODEMCSA]
"ImagePath"="system32\drivers\MODEMCSA.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mohfilt]
"ImagePath"="system32\DRIVERS\mohfilt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFP]
"ImagePath"="System32\Drivers\Mpfp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpfService]
"ImagePath"="\"c:\program files\McAfee\MPF\MPFSrv.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]
"ImagePath"="\SystemRoot\system32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MREMP50]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MREMP50a64]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRESP50]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRESP50a64]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSK80Service]
"ImagePath"="\"c:\program files\McAfee\MSK\MskSrver.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetSvc]
"ImagePath"="c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nv]
"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pfc]
"ImagePath"="system32\drivers\pfc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]
"ImagePath"="c:\windows\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASENUM]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SbcpHid]
"ImagePath"="\??\c:\windows\system32\Drivers\SbcpHid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sisagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]
"ImagePath"="\SystemRoot\system32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\STHDA]
"ImagePath"="system32\drivers\sthda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\StkMini]
"ImagePath"="System32\Drivers\StkMini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\StkScan]
"ImagePath"="System32\Drivers\StkScan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{B961CCBB-6B89-4FEA-B07E-37CC5131741E}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmcomm]
"ImagePath"="\??\c:\windows\system32\drivers\tmcomm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]
"ImagePath"="\SystemRoot\system32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb_rndisx]
"ImagePath"="system32\DRIVERS\usb8023x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\viaagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VxD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\w32time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wanatw]
"ImagePath"="system32\DRIVERS\wanatw4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMDM PMSP Service]
"ImagePath"="c:\windows\system32\MsPMSPSv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xyzabc]
"ImagePath"="\??\c:\windows\system32\drivers\xyzabc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{0E129CA8-760B-4E40-AAE5-A70FF8B01F67}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{F5F80E6C-907D-4F11-A6B6-89872F612B1E}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{F73318BC-2EF1-4E09-BDCF-4C83248288FC}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\WINDOWS\\system32\\litunude.dll,c:\\WINDOWS\\system32\\tegawula.dll,c:\\windows\\system32\\yazeriza.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'winlogon.exe'(3732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\logonui.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\locator.exe
c:\windows\system32\rdpclip.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\dlbxcoms.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\logon.scr
.
**************************************************************************
.
Completion time: 2009-08-28 21:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 01:20

Pre-Run: 39,856,181,248 bytes free
Post-Run: 44,974,153,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

1345 --- E O F --- 2009-02-05 03:07
=================================End text file======================================

Good luck analyzing all the above. I really appreciate the promt response.

TheGriz43

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 27 August 2009 - 08:43 PM

TheGriz43,

I will need some time to look over this log it looks like their is quite a bit of crud there including a backdoor trojan. In the mean time could you please
run the following tool and post the results.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • Once it has finished, press any key to close the program.
  • It will create the file Win32kDiag.txt on your Desktop Copy and paste the contents in your next reply.
Thanks

unite.jpg


#9 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 27 August 2009 - 09:54 PM

Syler,

Please find embedded the Win32kDiag.txt. The computer I am attempting to heal is my son/daughter-in-law's. I access it using Remote Desktop Protocol. I agree that possibly the best course of action might be to re-format/reload the hard drive, but I'm not sure they can locate all the "stuff" necessary to do this.

So, until I can confer with them, let's proceed as if we can "heal" this system.

I appreciate being able to work with you in near-real-time, but I'm going to have to sign off now. I hope we can continue this project in the morning.

Here's the Win32kDiag.txt file:

==============================================================================
Log file is located at: C:\Documents and Settings\TheGriz43\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-10 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-07 08:10:58 24539592 C:\WINDOWS\system32\MRT.exe ()

[2] 2009-01-09 18:35:30 20853704 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1084\A0147987.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1090\A0148410.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1091\A0148969.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1092\A0149525.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1093\A0150081.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1094\A0150637.exe (Microsoft Corporation)

[2] 2009-07-07 08:10:58 24539592 C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1095\A0151193.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-10 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 20:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

[1] 2004-08-10 06:00:00 180224 C:\i386\scecli.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2004-08-10 06:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

[1] 2004-08-10 06:00:00 218112 C:\i386\wmiprvse.exe (Microsoft Corporation)





Finished!

==============================================================================

TheGriz43

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 27 August 2009 - 10:05 PM

I appreciate being able to work with you in near-real-time, but I'm going to have to sign off now. I hope we can continue this project in the morning.


You just got lucky that we have been online at the same time and I haven't had many replies in other topics I am working on, even if we are not online
at the same time my replies to you shouldn't be to delayed.

Syler

Edited by syler, 27 August 2009 - 10:29 PM.

unite.jpg


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 27 August 2009 - 10:28 PM

Ok, here are my next instructions.

Go to Start >> Run then copy the following line into the run box:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents in your next reply.

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then please post back here with the following:
  • Win32kDiag.txt
  • Combofix.txt
Thanks

Edited by syler, 27 August 2009 - 10:29 PM.

unite.jpg


#12 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 28 August 2009 - 10:02 AM

Syler,

Please find embedded the Win32kDiag.txt and ComboFix.txt file contents:

===================== Win32kDiag.txt ===============================================

Log file is located at: C:\Documents and Settings\TheGriz43\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

[1] 2004-08-10 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2009-07-07 08:10:58 24539592 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\scecli.dll

Attempting to restore permissions of : C:\WINDOWS\system32\scecli.dll

[1] 2004-08-10 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 20:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

[1] 2004-08-10 06:00:00 180224 C:\i386\scecli.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2004-08-10 06:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-10 06:00:00 218112 C:\i386\wmiprvse.exe (Microsoft Corporation)





Finished!

===========================ComboFix.txt ==========================================

ComboFix 09-08-27.02 - TheGriz43 08/28/2009 10:21.3.2 - NTFSx86
Running from: c:\documents and settings\TheGriz43\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\TheGriz43\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\scecli.dll



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 14:26 . 2008-04-14 00:12 181248 ----a-w- c:\windows\system32\scecli.dll
2009-08-28 14:17 . 2009-08-28 14:17 34216 ----a-w- c:\documents and settings\TheGriz43\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 23:59 . 2009-08-27 23:59 34816 ----a-w- c:\windows\system32\drivers\xyzabc.sys
2009-08-27 23:53 . 2009-08-27 23:53 -------- d-----w- C:\rsit
2009-08-22 13:02 . 2009-08-22 13:02 -------- d-----w- c:\documents and settings\Ellis Kids.ELLIS\Local Settings\Application Data\Mozilla
2009-08-16 03:00 . 2009-08-16 03:00 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Ahead
2009-08-15 22:13 . 2009-08-15 22:13 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\Ahead
2009-08-15 14:45 . 2004-07-16 12:40 2019328 ------w- c:\windows\UNMRW.exe
2009-08-15 14:45 . 2004-07-16 12:54 27648 ------w- c:\windows\system32\drivers\InCDrm.sys
2009-08-15 14:45 . 2004-07-16 12:40 2019328 ------w- c:\windows\NuNinst.exe
2009-08-15 14:45 . 2004-07-16 18:57 7680 ------w- c:\windows\system32\drivers\InCDrec.sys
2009-08-15 14:45 . 2004-07-16 18:53 28672 ------w- c:\windows\system32\drivers\InCDpass.sys
2009-08-15 14:45 . 2004-07-16 18:53 92672 ------w- c:\windows\system32\drivers\InCDfs.sys
2009-08-15 14:45 . 2009-08-15 14:45 -------- d-----w- c:\windows\InCD
2009-08-15 14:44 . 2004-06-23 17:26 1994752 ------w- c:\windows\UNNMP.exe
2009-08-15 14:41 . 2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-15 14:40 . 2004-10-11 07:23 2277376 ------w- c:\windows\UNNeroVision.exe
2009-08-15 14:40 . 2009-08-15 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-08-15 14:40 . 2004-07-20 21:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-08-15 14:40 . 2004-07-09 13:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-08-15 14:39 . 2004-07-20 21:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-08-15 14:39 . 2004-07-20 21:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-08-15 14:39 . 2004-07-20 21:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-08-15 14:39 . 2000-06-26 15:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-08-15 14:39 . 2001-06-26 12:15 38912 ------w- c:\windows\system32\picn20.dll
2009-08-15 14:39 . 2009-08-15 14:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-15 14:39 . 2009-08-15 14:45 -------- d-----w- c:\program files\Ahead
2009-08-13 20:45 . 2009-08-13 20:45 -------- d-----w- c:\documents and settings\Jamie\Local Settings\Application Data\Mozilla
2009-08-13 20:37 . 2009-08-13 20:37 -------- d-----w- c:\documents and settings\Warren\Application Data\PCF-VLC
2009-08-13 20:26 . 2009-08-13 20:26 -------- d-----w- c:\documents and settings\Warren\Application Data\Participatory Culture Foundation
2009-08-13 19:07 . 2009-08-13 19:07 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Mozilla
2009-08-13 16:34 . 2009-08-13 16:34 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\Mozilla
2009-08-12 20:40 . 2009-08-12 22:47 -------- d-----w- c:\program files\Adaptec
2009-08-12 20:40 . 2009-08-12 22:47 57344 ----a-w- c:\windows\uneng.exe
2009-08-12 20:39 . 2009-08-12 23:05 -------- d-----w- c:\program files\Common Files\Adaptec Shared
2009-08-11 19:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 19:22 . 2009-08-11 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 19:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 04:24 . 2009-08-11 04:24 -------- d--h--w- c:\windows\PIF
2009-08-11 04:24 . 2009-08-11 04:24 -------- d-----w- c:\program files\Sophos
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\Malwarebytes
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\AVG8
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\BVRP Software
2009-08-11 04:22 . 2009-08-12 23:38 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\ApplicationHistory
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\TheGriz43\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
2009-08-11 04:22 . 2009-08-11 04:22 -------- d-----w- c:\documents and settings\Jamie\Application Data\AVG8
2009-08-09 19:40 . 2009-08-09 19:39 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-09 19:39 . 2009-08-11 04:19 -------- d-----w- c:\documents and settings\TheGriz43\.housecall6.6
2009-08-09 19:16 . 2009-08-09 19:16 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-09 19:15 . 2009-08-11 04:19 -------- d-----w- c:\program files\SpyNoMore
2009-08-07 18:29 . 2009-07-13 05:42 286880 ----a-r- c:\documents and settings\TheGriz43\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-07 18:29 . 2009-08-07 18:29 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\McAfee
2009-08-07 18:28 . 2009-08-07 18:28 -------- d-----w- c:\windows\McAfee.com
2009-08-07 13:57 . 2009-08-07 13:56 417560 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2009-08-07 13:57 . 2009-08-07 13:56 382744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2009-08-07 13:57 . 2009-08-07 13:56 594712 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgnsx.exe
2009-08-07 13:57 . 2009-08-07 13:56 161048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglvex.dll
2009-08-07 13:57 . 2009-08-07 13:56 274200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgamnot.dll
2009-08-07 13:57 . 2009-08-07 13:56 760600 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2009-08-07 02:09 . 2009-08-07 02:09 -------- d-----w- c:\documents and settings\Warren\Application Data\.clamwin
2009-08-06 22:41 . 2009-08-06 22:41 -------- d-----w- c:\documents and settings\TheGriz43\Application Data\.clamwin
2009-08-06 20:26 . 2009-08-07 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 18:29 . 2009-08-07 13:56 836888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-08-06 18:29 . 2009-08-07 13:56 310528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-08-06 18:29 . 2009-08-07 13:56 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-08-06 18:29 . 2009-08-07 13:56 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-08-06 18:29 . 2009-08-07 13:56 486680 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-08-06 18:29 . 2009-08-07 13:56 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-08-06 18:29 . 2009-08-07 13:56 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-08-06 18:29 . 2009-08-07 13:56 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-08-06 18:27 . 2009-08-06 18:27 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-06 18:27 . 2009-08-06 18:27 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-06 18:27 . 2009-08-06 18:27 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-06 18:27 . 2009-08-06 18:27 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-06 13:46 . 2009-07-13 05:42 286880 ----a-r- c:\documents and settings\Jamie\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-06 13:44 . 2009-08-06 13:44 49152 ----a-r- c:\documents and settings\Jamie\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-08-06 13:44 . 2009-08-06 13:44 49152 ----a-r- c:\documents and settings\Jamie\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-08-06 12:56 . 2009-08-20 16:41 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-06 12:46 . 2009-08-20 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 12:46 . 2009-08-20 12:07 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 12:46 . 2009-08-20 12:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 12:45 . 2009-08-28 12:45 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-06 12:45 . 2009-08-06 12:45 -------- d-----w- c:\program files\AVG
2009-08-06 12:45 . 2009-08-24 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-06 12:17 . 2009-08-06 12:17 -------- d-----w- c:\documents and settings\Warren\Local Settings\Application Data\Identities
2009-08-06 04:36 . 2009-08-06 04:36 117760 ----a-w- c:\documents and settings\Jamie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-06 04:35 . 2009-08-06 04:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-06 04:31 . 2009-08-12 21:39 -------- d-----w- c:\windows\system32\CatRoot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 11:28 . 2005-11-18 22:55 -------- d-----w- c:\program files\McAfee
2009-08-27 02:04 . 2005-11-04 20:09 -------- d-----w- c:\program files\Dl_cats
2009-08-23 12:22 . 2007-09-10 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-16 13:20 . 2005-10-21 18:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-14 13:31 . 2009-03-06 18:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 23:31 . 2009-08-06 22:40 132 ----a-w- c:\documents and settings\TheGriz43\Local Settings\Application Data\fusioncache.dat
2009-08-12 22:47 . 2000-03-13 21:55 1044480 -c--a-w- c:\windows\system32\ROBOEX32.DLL
2009-08-06 13:44 . 2005-11-18 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-06 04:35 . 2008-12-09 21:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-06 04:35 . 2008-12-09 21:47 -------- d-----w- c:\documents and settings\Jamie\Application Data\SUPERAntiSpyware.com
2009-07-28 23:27 . 2009-07-28 23:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-28 23:27 . 2005-10-21 18:48 -------- d-----w- c:\program files\Java
2009-07-28 23:26 . 2009-07-28 23:26 152576 ----a-w- c:\documents and settings\Jamie\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-27 14:43 . 2009-07-27 14:43 -------- d-----w- c:\program files\HERACTSTG
2009-07-27 14:43 . 2007-08-24 21:02 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-07-25 00:01 . 2009-07-25 00:01 -------- d-----w- c:\documents and settings\Jamie\Application Data\Malwarebytes
2009-07-24 21:17 . 2009-07-24 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-22 00:37 . 2009-02-27 17:48 15600 ----a-w- c:\windows\system32\drivers\???????
2009-07-21 18:52 . 2009-07-21 18:52 422 ----a-w- c:\documents and settings\Jamie\Application Data\Corel Photo Album\mario.exe
2009-07-21 18:52 . 2009-07-21 18:52 16141 ----a-w- c:\documents and settings\Jamie\Application Data\CyberLink\flamiks32.exe
2009-07-21 18:52 . 2009-07-21 18:52 145131 ----a-w- c:\documents and settings\Jamie\Application Data\Creative\pingo.dll
2009-07-21 18:52 . 2009-07-21 18:52 13221 ----a-w- c:\documents and settings\Jamie\Application Data\AdobeUM\xl12.exe
2009-07-21 18:52 . 2009-07-21 18:52 11232 ----a-w- c:\documents and settings\Jamie\Application Data\Adobe\norigami.dll
2009-07-11 16:45 . 2009-07-11 16:44 -------- d-----w- c:\documents and settings\Warren\Application Data\SecondLife
2007-01-05 22:43 . 2005-10-28 04:30 56 -csh--r- c:\windows\system32\80B6C558E1.sys
2007-01-05 22:43 . 2005-10-28 04:30 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-10 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-10 10:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-10 10:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-05-02 20:57 658944 E1E18136F9DD3DF1AD9C82193A5898A6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2005-05-02 20:52 657920 1A078AF3F85D10BA56444C23B3A18E74 c:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:33 658432 1C0979C7A489BEE573CD0BF4AD94BB06 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:23 658432 38AB7A56F566D9AAAD31812494944824 c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:02 658944 2B4DB890936430C71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:39 658944 621AF3F6174A3F60677F5230E28BCC07 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:17 658944 6B2735ADFF5A5D3B9130CA4A794722F0 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 13:37 658944 8C393DF5234CBCBFF1EE31902D6B40AE c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:31 658944 B7156CD97E739F3014BC4D61758F868A c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-06-26 14:09 658944 184E47C8F7B331025E6DC92740DB188F c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3GDR\wininet.dll
[-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3QFE\wininet.dll
[-] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
[-] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-10 10:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-10 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-10 10:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 08:38 2015744 A58AC1C6199EF34228ABEE7FC057AE09 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2004-08-04 03:59 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2015232 3CD941E472DDF3534E53038535719771 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:08 2136064 1220FAF071DEA8653EE21DE7DCDA8BFD c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2004-08-04 04:18 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:57 2135552 48B3E89AF7074CEE0314A3E0C7FAFFDB c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 10:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2004-08-10 10:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe

[-] 2004-08-10 10:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-10 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[-] 2004-08-10 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\bak\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-10 10:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2004-08-10 10:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2004-08-10 10:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2004-08-10 10:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll

[-] 2004-08-10 10:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-10 10:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2005-05-02 20:57 3014144 DCC5C79B99F02EEF8C826B074DBFC222 c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[-] 2005-10-05 00:51 3017728 3394299FBF1CD0B24089FC762611360B c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-11-24 01:07 3018240 D3F037F5DA702AE9DDD7663EC9D78BA7 c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[-] 2006-03-23 20:31 3055616 ABCD123F888E4E97C8751378CCCC4F26 c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[-] 2006-05-19 15:06 3055104 8687E029BE63C77D4919485068C54D77 c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-07-28 11:30 3058176 D251679BD9EF0250201FB899EC40FD32 c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-09-14 08:31 3058688 CEFEA1C301139A817931BE132F0359FE c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-10-23 15:34 3061248 88E1C15BB1A9ED3CBA4D6F2F408D5010 c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2007-01-04 14:05 3062272 1C45525574EF206346FBAFCAAC7CC4A5 c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2007-05-04 12:59 3064320 00ADCB32832A10ED9419493BCEA97526 c:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-06-15 08:12 3064320 53F3FD772C010622346C39284C4A863B c:\windows\$hf_mig$\KB937143\SP2QFE\mshtml.dll
[-] 2007-10-30 09:55 3065856 79314A0A6B0DA78AFE491FF2D8B117BA c:\windows\$hf_mig$\KB942615\SP2QFE\mshtml.dll
[-] 2007-10-30 23:48 3593216 54D8B404F17AA74C666F7F3AEF2AE459 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-04-29 04:49 3598336 C6FD770D518FB024245A0EE217D72BC1 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2005-05-02 18:52 3012608 DCFAC5470EE0A159EC4222BC28AE3EE6 c:\windows\$NtUninstallKB896688$\mshtml.dll
[-] 2005-10-04 22:26 3015168 042AC20E084D21DD6BEE99B89CC30FB7 c:\windows\$NtUninstallKB905915$\mshtml.dll
[-] 2005-11-24 01:06 3015680 5E7A39950EA133BB54719A6E08C544A7 c:\windows\$NtUninstallKB912812$\mshtml.dll
[-] 2006-03-23 20:32 3053568 DEAA438EA31095E14A196FF647E38D13 c:\windows\$NtUninstallKB916281$\mshtml.dll
[-] 2006-05-19 15:08 3052544 284CE76B71DD5260B42A3CCF0135AF67 c:\windows\$NtUninstallKB918899$\mshtml.dll
[-] 2006-07-28 11:28 3054080 C7074DA3D8F8C0F6C03874BA0B05069C c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-09-14 08:39 3054592 BE45460D1453B7342E01EAE79BFBC681 c:\windows\$NtUninstallKB925454$\mshtml.dll
[-] 2006-10-23 15:17 3055104 5FC7DE1195C8E9B5360FD65DBE95E5B0 c:\windows\$NtUninstallKB928090$\mshtml.dll
[-] 2007-01-04 13:36 3056640 F31274D7667D83E73C6EE16D2206B76C c:\windows\$NtUninstallKB933566$\mshtml.dll
[-] 2007-05-04 12:29 3058688 4D92717B5BBCE85F1254BAD23B0D357C c:\windows\$NtUninstallKB937143$\mshtml.dll
[-] 2007-06-14 18:09 3058688 F049C52772FC86FD5F6C16D77A2A6204 c:\windows\$NtUninstallKB942615$\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB942615-IE7\mshtml.dll
[-] 2007-10-31 10:12 3590656 8AB7ECF59D6EBBE986277B65ED4A40A1 c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[-] 2008-06-24 14:57 3592192 EC936148284F557F19C333178768109B c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2008-08-27 08:24 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2009-07-19 23:03 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3GDR\mshtml.dll
[-] 2009-07-19 13:31 3600384 F6098CC1B1C3858D53F20F3CB5774F3B c:\windows\SoftwareDistribution\Download\33ec000c08e174dc768520b0fd388192\SP3QFE\mshtml.dll
[-] 2007-10-31 10:12 3590656 8AB7ECF59D6EBBE986277B65ED4A40A1 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\mshtml.dll
[-] 2007-10-30 23:48 3593216 54D8B404F17AA74C666F7F3AEF2AE459 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\system32\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\system32\dllcache\mshtml.dll

[-] 2004-08-04 03:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-10 10:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll

[-] 2004-08-10 10:00 22016 74D66B3DE265E8789153414E75175F26 c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll

[-] 2004-08-10 10:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2004-08-10 10:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-04 03:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-10 10:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll

[-] 2005-04-28 19:35 396288 DA383FB39A6F1C445F3AFC94B3EB1248 c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-07-26 04:20 398336 C369DF215D352B6F3A0B8C3469AA34F8 c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-07-26 04:39 397824 CE94A2BD25E3E9F4D46A7373FF455C6D c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2004-08-10 10:00 395776 5C83A4408604F737717AB96371201680 c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-04-28 19:31 395776 C8061F289E000703E7672916B7FE1571 c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\system32\rpcss.dll

[-] 2004-08-10 10:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll

[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2004-08-10 10:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2004-08-10 10:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-10 10:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2004-08-10 10:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\dllcache\acpiec.sys
[-] 2004-08-10 10:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-10 10:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll

[-] 2004-08-10 10:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll

[-] 2004-08-10 10:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll

[-] 2004-08-10 10:00 180224 0F78E27F563F2AAF74B91A49E2ABF19A c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll

[-] 2004-08-10 10:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[-] 2004-08-10 10:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2004-08-10 10:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys

[-] 2005-08-03 23:29 25088 B9715B9C18BC6C8F4B66733D208CC9F7 c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-08-03 23:29 25088 B9715B9C18BC6C8F4B66733D208CC9F7 c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-10 10:00 25088 6EAA72FD9EF993EC1FA9A06DE65105DA c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-10 10:00 129536 EEF46DAB68229A14DA3D8E73C99E2959 c:\windows\$NtServicePackUninstall$\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\xmlprov.dll

[-] 2004-08-10 10:00 60416 10654F9DDCEA9C46CFB77554231BE73B c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\cryptsvc.dll

[-] 2004-08-10 10:00 77312 E3CFCCDDA4EDD1D0DC9168B2E18F27B8 c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\browser.dll

[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2004-08-10 10:00 246272 EB4A4187D74A8EFDCBEA3EA2CB1BDFBD c:\windows\$NtUninstallKB893756$\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\tapisrv.dll

[-] 2008-06-20 17:36 245248 1DFCA7713EA5A70D5D93B436AEA0317A c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 17:43 245248 FCEE5FCB99F7C724593365C706D28388 c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\$NtServicePackUninstall$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2004-08-10 10:00 245248 4E74AF063C3271FBEA20DD940CFD1184 c:\windows\$NtUninstallKB951748_0$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\ServicePackFiles\i386\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\system32\dllcache\mswsock.dll

[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2004-08-10 10:00 198144 DAB9E6C7105D2EF49876FE92C524F565 c:\windows\$NtUninstallKB905414$\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\netman.dll

[-] 2005-07-26 04:20 243200 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2008-07-07 20:06 253952 A4AB3DCA4A383F0DF4988ABDEB84F9A4 c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 253952 F17F6226BDC0CD5F0BEF0DAF84D29BEC c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\$NtServicePackUninstall$\es.dll
[-] 2004-08-10 10:00 243200 ACD36A2DD7D1E9D8A060AA651DC07E63 c:\windows\$NtUninstallKB902400$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\$NtUninstallKB950974$\es.dll
[-] 2005-07-26 04:39 243200 34BBD9ACC1538818F2C878898C64E793 c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\ServicePackFiles\i386\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\system32\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\system32\dllcache\es.dll

[-] 2005-09-01 01:44 19968 648BF0B4DDE4F7A1156DAE7174D36EFA c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 01:41 19968 A1A688EE56CF3BBD24EDEB815D48E9BA c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2004-08-10 10:00 18944 C2BBD044C741EA4292016C36F718D2E4 c:\windows\$NtUninstallKB900725$\linkinfo.dll
[-] 2008-04-14 00:11 19968 2DC5A8019E2387987905F77C664E4BE2 c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2008-04-14 00:11 19968 2DC5A8019E2387987905F77C664E4BE2 c:\windows\system32\linkinfo.dll

[-] 2004-08-10 10:00 71680 4B8D61792F7175BED48859CC18CE4E38 c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\ssdpsrv.dll

[-] 2007-02-05 20:19 185344 36ACA6CDC19C95FF468A1426EB7F32F0 c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2004-08-10 10:00 185344 0546477BDE979E33294FE97F6B3DE84A c:\windows\$NtUninstallKB931261$\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\upnphost.dll

[-] 2004-08-10 10:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll

[-] 2004-08-10 10:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe

[-] 2004-08-10 10:00 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\ntmssvc.dll

[-] 2004-08-10 10:00 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\rasauto.dll

[-] 2004-08-10 10:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2004-08-10 10:00 190976 92360854316611F6CC471612213C3D92 c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\schedsvc.dll

[-] 2004-08-10 10:00 59904 3151427DB7D87107D1C5BE58FAC53960 c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll

[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2004-08-10 10:00 134656 E7518DC542D3EBDCB80EDD98462C7821 c:\windows\$NtUninstallKB928255$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-28_01.14.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-28 14:27 . 2009-08-28 14:27 16384 c:\windows\temp\Perflib_Perfdata_73c.dat
+ 2005-10-28 03:32 . 2009-08-28 11:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-10-28 03:32 . 2009-08-28 00:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-10-28 03:32 . 2009-08-28 11:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-10-28 03:32 . 2009-08-28 00:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-07-16 1409136]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 18:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 12:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBARQ Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBARQ Help.lnk
backup=c:\windows\pss\EMBARQ Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TabletService"=2 (0x2)
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"aspimgr"=2 (0x2)
"Adobe Version Cue CS2"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"xmlprov"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"hkmsvc"=3 (0x3)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"ClipSrv"=3 (0x3)
"McciCMService"=2 (0x2)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"gusvc"=2 (0x2)
"McSysmon"=3 (0x3)
"MSK80Service"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McODS"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"MpfService"=2 (0x2)
"McNASvc"=2 (0x2)
"0013901251425681mcinstcleanup"=2 (0x2)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 gupdate1c9b13c257aa5de;Google Update Service (gupdate1c9b13c257aa5de);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 133104]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\4.tmp [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 StkMini;VideoAdvantage USB;c:\windows\system32\Drivers\StkMini.sys [2004-09-01 600617]
R3 xyzabc;xyzabc;c:\windows\system32\drivers\xyzabc.sys [2009-08-27 34816]
R4 0013901251425681mcinstcleanup;McAfee Application Installer Cleanup (0013901251425681);c:\windows\TEMP\001390~1.EXE [x]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-20 297752]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-20 335240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-10 13:32]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 13:33]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-16 15:53]

2008-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-16 15:53]

2009-02-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

2009-02-27 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe
HKCU-Run-DellSupport- - c:\program files\Dell Support\DSAgnt.exe
HKLM-Run-realteks - c:\documents and settings\Jamie\Application Data\Google\edpgz16420882.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\y1hqshrz.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 10:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\WINDOWS\\system32\\litunude.dll,c:\\WINDOWS\\system32\\tegawula.dll,c:\\windows\\system32\\yazeriza.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'winlogon.exe'(1168)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\logonui.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dlbxcoms.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-08-28 10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 14:35

Pre-Run: 50,446,856,192 bytes free
Post-Run: 50,426,798,080 bytes free

743 --- E O F --- 2009-02-05 03:07

==============================================================================

Regards,
TheGriz43

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 28 August 2009 - 01:19 PM

Hi TheGriz43,

It looks like we are starting to get somewhere now :thumbup2: You have some entries disabled via Msconfig and also some disabled with Autoruns, I need
you to enable all these, to enable the MSconfig entries do the following.

Click Start >> Run, then type msconfig in the box.
Under the general tab, select Normal Startup - load all devices and services.
Click Apply then Close and restart your computer.

Next
  • Download peek.bat and save it to your Desktop.
  • Double-click peek.bat to run it.
  • A Command Prompt window will appear for a few seconds then close when it's finished.
  • Once it is finished, copy and paste the contents of the Log.txt file it creates, in your next reply.
Next

Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following files one by one and click Submit.

c:\documents and settings\Jamie\Application Data\Corel Photo Album\mario.exe
c:\documents and settings\Jamie\Application Data\CyberLink\flamiks32.exe
c:\documents and settings\Jamie\Application Data\Creative\pingo.dll
c:\documents and settings\Jamie\Application Data\AdobeUM\xl12.exe
c:\documents and settings\Jamie\Application Data\Adobe\norigami.dll

Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Once you have done these steps please try to uninstall AVG again and also try to run Rsit again then post back with the following:
  • Log.txt (from peek.bat)
  • Jotti results
  • MBAM report
  • log.txt (from Rsit)
  • info.txt
Thanks
Syler

unite.jpg


#14 TheGriz43

TheGriz43
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Grove City, Ohio
  • Local time:07:07 PM

Posted 29 August 2009 - 09:40 AM

Hi Siler,

I have enabled all start-up items and system services and restarted system with normal startup with msconfig.

Here are the latest results from your requested operations:

1. First, the PEEK.BAT log file:

==============================================================================
Volume in drive C has no label.
Volume Serial Number is 180E-8A95

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 50,441,035,776 bytes free

==============================================================================

Second, the results of file scans through virusscan.jotti.org:

==============================================================================

c:\documents and settings\Jamie\Application Data\Corel Photo Album\mario.exe -- Clean
c:\documents and settings\Jamie\Application Data\CyberLink\flamiks32.exe -- Clean
c:\documents and settings\Jamie\Application Data\Creative\pingo.dll -- Clean
c:\documents and settings\Jamie\Application Data\AdobeUM\xl12.exe -- Clean
c:\documents and settings\Jamie\Application Data\Adobe\norigami.dll -- Clean

==============================================================================

Third, the results of system scan with malwarebytes anti-malware. Please note that, while the log states "no action taken" for infected items, I did, in fact, remove all such items:

==============================================================================

Malwarebytes' Anti-Malware 1.40
Database version: 2711
Windows 5.1.2600 Service Pack 3

8/28/2009 11:20:38 PM
mbam-log-2009-08-28 (23-20-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 242824
Time elapsed: 1 hour(s), 13 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spynomore (Rogue.SpyNoMore) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SNM.exe (Rogue.SpyNoMore) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jerobabibi (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1b3db9a6 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\SpyNoMore (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\RollBack (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\Temp (Rogue.SpyNoMore) -> No action taken.
C:\Documents and Settings\TheGriz43\Start Menu\Programs\SpyNoMore (Rogue.SpyNoMore) -> No action taken.

Files Infected:
C:\Documents and Settings\TheGriz43\Desktop\spynomore.exe (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\license.txt (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\RegAllowedKeys.cfg (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\RegBlockedKeys.cfg (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\Smart.db (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNM.chm (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNM.exe (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snm.ico (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmExt.d01 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmExt.d02 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmExt.d03 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmExt.d04 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmIeGuard.dat (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmIeGuard.dll (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da1 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da2 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da3 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da4 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da5 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.da6 (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SNMMain.dat (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmShield.dat (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\snmVaccinate.dat (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\SpyNoMore.url (Rogue.SpyNoMore) -> No action taken.
C:\Program Files\SpyNoMore\uninst.exe (Rogue.SpyNoMore) -> No action taken.
C:\Documents and Settings\TheGriz43\Start Menu\Programs\SpyNoMore\SpyNoMore.lnk (Rogue.SpyNoMore) -> No action taken.
C:\Documents and Settings\TheGriz43\Start Menu\Programs\SpyNoMore\Uninstall.lnk (Rogue.SpyNoMore) -> No action taken.
C:\Documents and Settings\TheGriz43\Start Menu\Programs\SpyNoMore\Website.lnk (Rogue.SpyNoMore) -> No action taken.
C:\Documents and Settings\TheGriz43\Desktop\SpyNoMore.lnk (Rogue.SpyNoMore) -> No action taken.

==============================================================================

Fourth, I attempted to uninstall AVG. Uninstall failed with the error message detail as follows:

==============================================================================
Local machine: installation failed
Initialization:
Warning: Checking of state of the item file avgcsrvx.exe failed.
File opening failed. %FILE% = ""
Error 0xe001042c
Installation:
Error: Action failed for file avgcsrvx.exe: creating backup....
Error 0x80070005 %DESTINATION% = "C:\Program Files\AVG\AVG8\avgcsrvx.exe.install_backup", %SOURCE% = "C:\Program Files\AVG\AVG8\avgcsrvx.exe"

==============================================================================

Fifth, I attempted to re-execute RSIT. It pops up its disclamer box, I click "Continue", it then fails with the same error message as it previously did.

With my sincerest appreciation,
The Griz43

Edited by TheGriz43, 29 August 2009 - 09:45 AM.


#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:07 AM

Posted 29 August 2009 - 12:10 PM

Hey The Griz43,

Look like the infection has been messing with some of your files, lets try and repair these first.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Thanks
Syler :thumbup2:

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users