iexplore (agprotect) virus

41 replies to this topic

#1 snoopdrew


Posted 17 August 2009 - 09:59 AM

I downloaded a game that had a trojan, because my wallpaper changed to a spam advertisement immediately after double-clicking on the game setup. I turned it off right away, but it was too late. I have used Malwarebytes a few times, even in safe mode, and it always finds and claims to remove this agprotect virus with 4 tmp files in the Windows temp folder, but iexplore.exe keeps coming back in my Task Manager. I have to manually end it to stop them momentarily, but it's like whack-a-mole.

Below is a cut and paste of my dds.txt scan, and I've attached the attach.txt file too. Thanks.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Yoda at 2:23:31.12 on Mon 08/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.445 [GMT 9:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\THEKMP~1\KMPlayer.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247327908609
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yoda\applic~1\mozilla\firefox\profiles\da5r8v5r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\yoda\application data\mozilla\plugins\npPxPlay.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-13 11608]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-13 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-22 55656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-10 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-10 19096]
S1 2ad4abee;2ad4abee;c:\windows\system32\drivers\2ad4abee.sys --> c:\windows\system32\drivers\2ad4abee.sys [?]
S1 7c6d2b0a;7c6d2b0a;c:\windows\system32\drivers\7c6d2b0a.sys --> c:\windows\system32\drivers\7c6d2b0a.sys [?]
S1 9f099bc0;9f099bc0;c:\windows\system32\drivers\9f099bc0.sys --> c:\windows\system32\drivers\9f099bc0.sys [?]
S2 bufw;bufw;c:\windows\system32\drivers\ltujn.sys --> c:\windows\system32\drivers\ltujn.sys [?]
S2 pokvbfk;pokvbfk;c:\windows\system32\drivers\gfhscwqv.sys --> c:\windows\system32\drivers\gfhscwqv.sys [?]
S2 slqxvzn;slqxvzn;c:\windows\system32\drivers\basbuizt.sys --> c:\windows\system32\drivers\basbuizt.sys [?]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2003-11-12 22891]
S4 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-13 185089]

=============== Created Last 30 ================

2009-08-17 01:29 44,295 a------- c:\temp\hj-join.zip
2009-08-16 23:29 359,932 a------- c:\temp\dds.scr
2009-08-12 20:22 687,104 a------- c:\windows\isRS-000.tmp
2009-07-26 20:56 <DIR> --ds---- C:\ComboFix
2009-07-26 15:37 217 a------- c:\windows\system32\MRT.INI
2009-07-26 14:36 <DIR> --d----- c:\windows\ie8updates
2009-07-26 14:23 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-26 14:23 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-26 14:23 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-26 14:23 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-26 14:20 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-26 14:20 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-26 14:20 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-26 14:18 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-07-26 14:16 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-26 14:16 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-07-26 14:15 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-07-26 14:15 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-07-26 14:14 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-07-26 14:13 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-26 14:13 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-07-26 14:10 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-26 14:10 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-26 14:08 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-07-26 14:08 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-07-26 14:08 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-07-26 14:08 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-07-23 01:27 <DIR> a-dshr-- C:\cmdcons
2009-07-20 00:29 <DIR> --dsh--- c:\documents and settings\yoda\PrivacIE
2009-07-20 00:16 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-19 23:52 219,648 a------- c:\windows\PEV.exe
2009-07-19 23:52 161,792 a------- c:\windows\SWREG.exe
2009-07-19 23:52 98,816 a------- c:\windows\sed.exe
2009-07-19 02:40 3,137,363 a----r-- c:\temp\ComboFix.exe

==================== Find3M ====================

2009-08-08 00:26 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 01:07 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-10 14:14 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-16 23:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 23:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-04 04:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 2:23:52.71 ===============
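As an added triage example (not part of this thread, of DDS, or of any tool mentioned here): a Python parser for the SERVICES / DRIVERS section of the DDS log above that flags entries DDS marked as missing on disk ("[?]") or whose service names look machine-generated, run over lines copied from this log. The name heuristic is an assumption of this example and is deliberately shown producing a false positive on Avira's avgntflt, which is why the missing-file mark is the primary signal.

```python
r"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; it is not part of DDS, OTL or the original
posts. It parses entry lines of the form

    R1 avgio;avgio;c:\path\avgio.sys [2009-7-13 11608]
    S1 2ad4abee;2ad4abee;c:\path\2ad4abee.sys --> c:\path\2ad4abee.sys [?]

and ranks entries whose file DDS could not find ("[?]") or whose service
name looks machine-generated. The output is a lead list for a human
analyst, not a verdict: uninstalled products also leave services that
point at missing files.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the DDS log posted in this thread (constructed
# test set). The Avira avgntflt line is included on purpose: it shows the
# name heuristic producing a false positive on a legitimate driver.
SAMPLE = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-13 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-22 55656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-10 232720]
S1 2ad4abee;2ad4abee;c:\windows\system32\drivers\2ad4abee.sys --> c:\windows\system32\drivers\2ad4abee.sys [?]
S2 bufw;bufw;c:\windows\system32\drivers\ltujn.sys --> c:\windows\system32\drivers\ltujn.sys [?]
S2 pokvbfk;pokvbfk;c:\windows\system32\drivers\gfhscwqv.sys --> c:\windows\system32\drivers\gfhscwqv.sys [?]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2003-11-12 22891]
"""

# <state> <service name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"
)

VOWELS = set("aeiouy")


@dataclass
class Entry:
    state: str      # R = running / S = stopped, digit = start type, as DDS prints it
    name: str
    display: str
    path: str
    missing: bool   # True when DDS printed "[?]": the file was not found on disk


def parse_services(text: str) -> list:
    """Return one Entry per parsable service/driver line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(
            state=m["state"],
            name=m["name"],
            display=m["display"],
            path=m["resolved"] or m["path"],
            missing=m["meta"].strip() == "?",
        ))
    return entries


def looks_generated(name: str) -> bool:
    """Heuristic (assumption of this example): 8 hex digits such as 2ad4abee,
    or a run of lowercase letters with almost no vowels such as pokvbfk."""
    n = name.lower()
    if re.fullmatch(r"[0-9a-f]{8}", n):
        return True
    if re.fullmatch(r"[a-z]{4,}", n):
        return sum(c in VOWELS for c in n) / len(n) <= 0.25
    return False


def severity(entry: Entry) -> str:
    """'high': file missing and generated-looking name; 'medium': file missing only;
    'low': name only; 'none': nothing unusual."""
    if entry.missing and looks_generated(entry.name):
        return "high"
    if entry.missing:
        return "medium"
    if looks_generated(entry.name):
        return "low"
    return "none"


def triage(text: str) -> dict:
    """Map service name -> severity for every entry that deserves a second look."""
    return {e.name: severity(e) for e in parse_services(text) if severity(e) != "none"}


if __name__ == "__main__":
    for e in parse_services(SAMPLE):
        sev = severity(e)
        if sev != "none":
            print(f"{sev:6}  {e.state}  {e.name:12}  {e.path}")
```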


#2 Buckeye_Sam
Malware Expert

Posted 18 August 2009 - 01:03 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 snoopdrew

snoopdrew
  • Topic Starter


Posted 19 August 2009 - 08:57 AM

Here's my OTL Report:

OTL logfile created on: 8/19/2009 10:49:31 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Yoda\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.54 Mb Total Physical Memory | 661.65 Mb Available Physical Memory | 64.71% Memory free
2.40 Gb Paging File | 2.18 Gb Available in Paging File | 90.69% Paging File free
Paging file location(s): E:\pagefile.sys 1533 1533 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 49.49 Gb Free Space | 44.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 279.47 Gb Total Space | 154.98 Gb Free Space | 55.46% Space Free | Partition Type: NTFS
Drive F: | 279.46 Gb Total Space | 77.44 Gb Free Space | 27.71% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTPC
Current User Name: Yoda
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/03 13:36:16 | 00,232,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2008/05/17 06:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/04/14 22:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008/04/14 22:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/04/23 22:51:38 | 00,691,656 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\daemon.exe
PRC - [2009/08/17 13:57:29 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 22:42:38 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\taskmgr.exe
PRC - [2009/08/19 22:49:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yoda\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (antivirschedulerservice [Auto | Running])
SRV - [2009/08/08 00:26:45 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (antivirservice [Disabled | Stopped])
SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/13 03:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/04/22 17:35:37 | 00,651,720 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/14 22:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/06/05 13:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/08/03 13:36:16 | 00,232,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService [Auto | Running])
SRV - [2007/08/24 22:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/05/17 06:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2007/08/24 19:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/27 06:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/04/22 18:24:41 | 00,181,312 | ---- | M] () -- C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe -- (ScsiAccess [Disabled | Stopped])
SRV - [2002/09/21 09:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/04/14 17:16:22 | 00,048,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\61883.sys -- (61883 [On_Demand | Stopped])
DRV - [2002/04/02 07:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2008/04/14 17:16:22 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\avc.sys -- (Avc [On_Demand | Stopped])
DRV - [2008/04/14 17:16:08 | 00,013,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\avcstrm.sys -- (AVCSTRM [On_Demand | Stopped])
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009/08/08 00:26:45 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2009/03/20 08:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys -- (MBAMProtector [On_Demand | Running])
DRV - [2009/03/10 14:19:31 | 00,022,891 | ---- | M] (Matsubleepa Electric Industorial Co.,Ltd.) -- C:\WINDOWS\System32\DRIVERS\meistb.sys -- (MEITUNER [On_Demand | Stopped])
DRV - [2009/07/10 14:14:22 | 00,182,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndis.sys -- (NDIS [Boot | Running])
DRV - [2008/05/17 06:01:00 | 06,557,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/31 21:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/04/14 15:05:40 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2008/04/14 15:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2003/08/30 08:09:00 | 00,578,304 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2009/07/14 01:07:37 | 00,721,904 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])
DRV - [2009/06/05 11:42:38 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\S-1-5-21-854245398-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-2139871995-725345543-1003\S-1-5-21-854245398-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/26 15:25:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/17 13:57:35 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/17 13:57:36 | 00,000,000 | ---D | M]

[2009/03/09 20:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Yoda\Application Data\mozilla\Extensions
[2009/03/09 20:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Yoda\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/09 20:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Yoda\Application Data\mozilla\Firefox\Profiles\da5r8v5r.default\extensions
[2009/03/09 20:20:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/17 13:57:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/17 13:57:28 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/17 13:57:28 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/17 13:57:32 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/27 12:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2008/06/12 14:45:28 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/07/09 00:05:15 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/10 11:01:13 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/10 11:01:13 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/10 11:01:13 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/10 11:01:13 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/10 11:01:13 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/10 11:01:13 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/10 11:01:13 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-854245398-2139871995-725345543-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 1
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-854245398-2139871995-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} http://update.microsoft.com/windowsupdate/...b?1247327908609 (WUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.41.153.2 203.248.252.2
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/09 19:56:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/05 16:06:14 | 00,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/08/19 22:49:11 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Yoda\Desktop\OTL.exe
[2009/08/17 23:42:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/07/26 21:07:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/07/26 20:56:54 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/07/26 15:37:18 | 00,000,217 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/07/26 15:28:36 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/07/26 14:36:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/07/26 14:23:34 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/07/26 14:23:34 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/07/26 14:23:33 | 01,985,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/07/26 14:23:16 | 11,064,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/07/26 14:21:30 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/07/26 14:21:30 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/07/26 14:21:29 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/07/26 14:21:29 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/07/26 14:21:28 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/07/26 14:21:28 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/07/26 14:21:27 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/07/26 14:21:26 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/07/26 14:21:25 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/07/26 14:21:23 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/07/26 14:21:17 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009/07/26 14:21:11 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/07/26 14:20:30 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/07/26 14:20:29 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/07/26 14:20:28 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/07/26 14:18:46 | 00,333,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2009/07/26 14:16:37 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/07/26 14:16:05 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2009/07/26 14:15:55 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2009/07/26 14:15:46 | 00,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2009/07/26 14:14:47 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2009/07/26 14:13:33 | 00,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2009/07/26 14:13:13 | 00,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2009/07/26 14:12:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/07/26 14:10:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2009/07/26 14:10:42 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2009/07/26 14:08:06 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2009/07/26 14:08:06 | 00,031,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2009/07/26 14:08:05 | 00,018,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll.mui
[2009/07/26 14:08:03 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl.mui
[2009/07/26 14:08:01 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2009/07/23 01:28:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/07/23 01:27:59 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/07/23 01:27:54 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/07/14 01:28:17 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/07/14 01:07:37 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/04/22 17:57:26 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/03/09 20:48:05 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2008/05/17 06:01:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/17 06:01:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/17 06:01:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/17 06:01:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/17 06:01:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/03/31 21:00:00 | 00,182,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2003/03/31 21:00:00 | 00,000,562 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/31 21:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/08/19 22:49:14 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yoda\Desktop\OTL.exe
[2009/08/19 21:28:39 | 00,000,104 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/08/19 21:28:36 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/19 21:26:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/19 21:26:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/18 01:05:13 | 07,449,774 | -H-- | M] () -- C:\Documents and Settings\Yoda\Local Settings\Application Data\IconCache.db
[2009/08/16 23:25:17 | 00,070,328 | ---- | M] () -- C:\Documents and Settings\Yoda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/08 00:26:45 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/26 21:04:54 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/26 16:58:44 | 00,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/26 15:37:18 | 00,000,217 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/07/26 15:34:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/26 15:31:42 | 00,492,248 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/07/26 15:31:42 | 00,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/07/26 15:31:42 | 00,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/07/23 01:28:03 | 00,000,281 | RHS- | M] () -- C:\boot.ini
< End of report >
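The O7 and O32 lines near the top of that log are what decide whether an inserted CD, USB stick or mapped drive can launch an autorun.inf on this machine, which matters on a box that just ran a trojanised installer. Added example, not part of snoopdrew's post and not OTL's own code: a Python script that decodes the two autorun masks per user hive and reports what can still autorun. It assumes the documented Win32 drive-type bit layout for NoDriveTypeAutoRun (a set bit disables autorun for that type), treats a hive with no value as 0x91 (the value the S-1-5-19/20 hives carry in this log), and the sample lines are copied from the log above.

```python
import re

# NoDriveTypeAutoRun is a bitmask over drive *types*; a SET bit disables
# autorun for that type.  Bit values follow the Win32 GetDriveType() constants
# (assumption: standard Microsoft documentation, not something OTL reports).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
ALL_TYPES = 0xFF    # 255: autorun disabled for every drive type (hardened)
XP_DEFAULT = 0x91   # 145: the value the fresh S-1-5-19/20 hives carry in this log

O7_RE = re.compile(
    r"^O7 - (?P<hive>HKU\\[^\\]+)\\.*\\policies\\Explorer: "
    r"(?P<name>NoDriveTypeAutoRun|NoDriveAutoRun|NoDrives) = (?P<val>\d+)$"
)
O32_RE = re.compile(r"^O32 - HKLM CDRom: AutoRun - (?P<val>\d+)$")


def drive_types_still_autorunning(mask):
    """Drive types NOT blocked by a NoDriveTypeAutoRun value, sorted by name."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)


def undefined_bits(mask):
    """Bits outside the documented 0x01..0x80 range (the 323 in this log sets 0x100)."""
    return mask & ~ALL_TYPES


def drive_letters(mask):
    """NoDriveAutoRun / NoDrives are per-letter masks: bit 0 = A:, ..., bit 25 = Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]


def parse_autorun_policies(otl_text):
    """Collect autorun policy values per HKU hive (O7) and the HKLM CD-ROM flag (O32)."""
    hives, cdrom_autorun = {}, None
    for raw in otl_text.splitlines():
        line = raw.strip()
        m = O7_RE.match(line)
        if m:
            hives.setdefault(m["hive"], {})[m["name"]] = int(m["val"])
            continue
        m = O32_RE.match(line)
        if m:
            cdrom_autorun = int(m["val"])
    return hives, cdrom_autorun


def assess(otl_text):
    """One verdict per hive: what can still autorun once both masks are applied."""
    hives, cdrom_autorun = parse_autorun_policies(otl_text)
    verdicts = {}
    for hive, pol in hives.items():
        # assumption: a hive with no NoDriveTypeAutoRun value behaves like XP_DEFAULT
        type_mask = pol.get("NoDriveTypeAutoRun", XP_DEFAULT)
        letter_mask = pol.get("NoDriveAutoRun", 0)
        if len(drive_letters(letter_mask)) == 26:
            verdicts[hive] = "blocked: NoDriveAutoRun covers all 26 drive letters"
            continue
        open_types = drive_types_still_autorunning(type_mask)
        if not open_types:
            verdicts[hive] = "blocked: NoDriveTypeAutoRun=0xFF"
        else:
            verdicts[hive] = "open for " + ", ".join(open_types)
            if undefined_bits(type_mask):
                verdicts[hive] += f" (undefined bits 0x{undefined_bits(type_mask):X} set)"
    if cdrom_autorun == 1:
        verdicts["HKLM\\CDRom"] = "AutoRun=1: CD-ROM autorun enabled machine-wide"
    return verdicts


# Constructed sample: four lines copied from the OTL log above.
SAMPLE_OTL = r"""
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O32 - HKLM CDRom: AutoRun - 1
"""

if __name__ == "__main__":
    for hive, verdict in assess(SAMPLE_OTL).items():
        print(f"{hive}: {verdict}")
```

Read against the log: the SYSTEM hive and the logged-on user's hive (...-1003) carry NoDriveAutoRun = 67108863 (0x3FFFFFF, every letter A to Z), so autorun is off for the interactive user regardless of the odd 323 type mask, which sets an undefined 0x100 bit and leaves CD-ROM, removable, fixed and network drives unblocked on its own. The two service-account hives sit at the XP default 145 (0x91), which still lets CD-ROM and removable media autorun; those accounts have no interactive shell, but setting NoDriveTypeAutoRun to 255 (0xFF) everywhere is the usual hardening.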

#4 snoopdrew

Posted 19 August 2009 - 08:59 AM

There was also an Extras.Txt file from the OTL scan.


OTL Extras logfile created on: 8/19/2009 10:49:31 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Yoda\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.54 Mb Total Physical Memory | 661.65 Mb Available Physical Memory | 64.71% Memory free
2.40 Gb Paging File | 2.18 Gb Available in Paging File | 90.69% Paging File free
Paging file location(s): E:\pagefile.sys 1533 1533 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 49.49 Gb Free Space | 44.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 279.47 Gb Total Space | 154.98 Gb Free Space | 55.46% Space Free | Partition Type: NTFS
Drive F: | 279.46 Gb Total Space | 77.44 Gb Free Space | 27.71% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTPC
Current User Name: Yoda
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-854245398-2139871995-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\NewsBin\nbpro.exe" = C:\Program Files\NewsBin\nbpro.exe:*:Enabled:NewsBin Pro -- (CMCEI)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{ade91a13-434d-4229-00bc-182bad607303}" = Need for Speed™ Most Wanted
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avira antivir desktop" = Avira AntiVir Personal - Free Antivirus
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"daemon tools toolbar" = DAEMON Tools Toolbar
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ie8" = Windows Internet Explorer 8
"Magic ISO Maker v5.5 (build 0273)" = Magic ISO Maker v5.5 (build 0273)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"NewsBin5" = NewsBin Pro
"NVIDIA Drivers" = NVIDIA Drivers
"Photodex Presenter" = Photodex Presenter
"ProShow Gold" = ProShow Gold
"The KMPlayer" = The KMPlayer (remove only)
"VLC media player" = VLC media player 0.9.8a
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/10/2009 2:31:57 AM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application ihaupd32.exe, version 0.0.0.0, faulting module
ihaupd32.exe, version 0.0.0.0, fault address 0x000018cc.

Error - 7/10/2009 3:17:28 AM | Computer Name = HTPC | Source = Application Error | ID = 1005
Description = Windows cannot access the file F:\newsbin\malwarebytes\cjx0331a\setup\mbam-setup.exe
for one of the following reasons: there is a problem with the network connection,
the disk that the file is stored on, or the storage drivers installed on this computer;
or the disk is missing. Windows closed the program mbam-setup.exe because of this
error. Program: mbam-setup.exe File: F:\newsbin\malwarebytes\cjx0331a\setup\mbam-setup.exe

The error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C0000185 Disk
type: 3

Error - 7/10/2009 3:17:38 AM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application mbam-setup.exe, version 1.38.0.0, faulting module
mbam-setup.exe, version 1.38.0.0, fault address 0x0036c419.

Error - 7/10/2009 3:31:27 AM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application ihaupd32.exe, version 0.0.0.0, faulting module
ihaupd32.exe, version 0.0.0.0, fault address 0x000018cc.

Error - 7/10/2009 12:10:09 PM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application acrobat.exe, version 9.0.0.332, faulting module
acrobat.dll, version 9.0.0.332, fault address 0x00696110.

Error - 7/11/2009 2:31:13 PM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5512, faulting
module services.exe, version 5.1.2600.5512, fault address 0x00009654.

Error - 7/12/2009 12:51:24 PM | Computer Name = HTPC | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5512, faulting
module services.exe, version 5.1.2600.5512, fault address 0x00009654.

Error - 7/14/2009 1:49:21 PM | Computer Name = HTPC | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 run.exe, P2 1.0.0.0, P3 4a4d13bf, P4 system,
P5 2.0.0.0, P6 4333ae87, P7 221f, P8 c4, P9 system.net.webexception, P10 NIL.

Error - 7/18/2009 2:34:48 PM | Computer Name = HTPC | Source = Application Hang | ID = 1002
Description = Hanging application WinRAR.exe, version 3.80.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2009 2:34:49 PM | Computer Name = HTPC | Source = Application Hang | ID = 1002
Description = Hanging application WinRAR.exe, version 3.80.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 7/11/2009 10:15:19 AM | Computer Name = HTPC | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 7/11/2009 10:15:19 AM | Computer Name = HTPC | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 7/11/2009 10:15:19 AM | Computer Name = HTPC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 7/11/2009 10:15:19 AM | Computer Name = HTPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 7/11/2009 10:16:45 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 7/11/2009 10:16:54 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/11/2009 10:18:12 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 7/11/2009 10:34:52 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 7/11/2009 10:35:10 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 7/11/2009 10:35:17 AM | Computer Name = HTPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
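Two things in that Extras log that a helper would want to check before anything else: both firewall profiles carry a GloballyOpenPorts entry for 3389:TCP with scope "*", meaning Remote Desktop accepts connections from any address rather than LocalSubNet like the 139/445 file-sharing ports in the Standard profile, and Security Center has AntiVirusOverride = 1. Added example, not from the original post and not OldTimer's own code: a Python parser for that part of an Extras.txt that lists the world-reachable port and program exceptions per profile and flags the override. It assumes the port:protocol:scope:state:name field order OTL shows above; the sample text is constructed from lines of the log.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
PORT_RE = re.compile(
    r'^"[^"]+" = (?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):'
    r'(?P<state>Enabled|Disabled):(?P<desc>.*)$'
)
# "C:\path\app.exe" = C:\path\app.exe:*:Enabled:Name -- (Vendor)
APP_RE = re.compile(r'^"(?P<path>[^"]+)" = (?P<rest>.*)$')
KV_RE = re.compile(r'^"(?P<key>[^"]+)" = (?P<val>-?\d+)$')


def _profile(section):
    for name in ("DomainProfile", "StandardProfile"):
        if name in section:
            return name
    return None


def parse_extras(text):
    """Walk the Extras log once; return (firewall rules, Security Center values)."""
    rules, seccenter, section = [], {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["key"]          # remember which registry key we are under
            continue
        if section.endswith(r"\Security Center"):
            m = KV_RE.match(line)
            if m:
                seccenter[m["key"]] = int(m["val"])
        elif section.endswith(r"\GloballyOpenPorts\List"):
            m = PORT_RE.match(line)
            if m:
                rules.append({"kind": "port", "profile": _profile(section),
                              "port": int(m["port"]), "proto": m["proto"],
                              "scope": m["scope"], "enabled": m["state"] == "Enabled",
                              "desc": m["desc"]})
        elif section.endswith(r"\AuthorizedApplications\List"):
            m = APP_RE.match(line)
            # the path repeats after " = " and may itself contain ':', so strip it by length
            if m and m["rest"].startswith(m["path"] + ":"):
                scope, state, desc = m["rest"][len(m["path"]) + 1:].split(":", 2)
                rules.append({"kind": "app", "profile": _profile(section),
                              "path": m["path"], "scope": scope,
                              "enabled": state == "Enabled", "desc": desc})
    return rules, seccenter


def exposed_ports(text, profile="StandardProfile"):
    """Enabled port exceptions whose scope is '*', i.e. reachable from any address."""
    rules, _ = parse_extras(text)
    return sorted((r["port"], r["proto"]) for r in rules
                  if r["kind"] == "port" and r["profile"] == profile
                  and r["enabled"] and r["scope"] == "*")


def triage(text, profile="StandardProfile"):
    """Findings to act on: world-reachable ports and programs, Security Center override."""
    rules, sc = parse_extras(text)
    findings = [f"{profile}: {port}/{proto} open to any remote address"
                for port, proto in exposed_ports(text, profile)]
    for r in rules:
        if (r["kind"] == "app" and r["profile"] == profile
                and r["enabled"] and r["scope"] == "*"):
            findings.append(f"{profile}: program exception {r['path']} reachable from any address")
    if sc.get("AntiVirusOverride") == 1:
        findings.append("Security Center: AntiVirusOverride=1, AV status monitoring is overridden")
    return findings


# Constructed sample: lines copied from the Extras log above.
SAMPLE_EXTRAS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NewsBin\nbpro.exe" = C:\Program Files\NewsBin\nbpro.exe:*:Enabled:NewsBin Pro -- (CMCEI)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXTRAS):
        print(finding)
```

On a home machine the Standard profile is the active one (the Domain profile only applies when the PC is joined to a domain), so the line that matters is 3389/TCP open to "*": an XP box with a weak local password and RDP reachable from the Internet is a foothold on its own, independent of the iexplore.exe problem. AntiVirusOverride = 1 is sometimes set on purpose when a third-party AV is installed, but it is also a value malware flips to keep Security Center quiet, so it is worth confirming with the user.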

#5 snoopdrew

Posted 19 August 2009 - 09:30 AM

Here are the results of the GMER scan:



GMER 1.0.15.15077 [bctmb4j2.exe] - http://www.gmer.net
Rootkit scan 2009-08-19 23:28:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT F7F83E96 ZwCreateKey
SSDT F7F83E8C ZwCreateThread
SSDT F7F83E9B ZwDeleteKey
SSDT F7F83EA5 ZwDeleteValueKey
SSDT sppc.sys ZwEnumerateKey [0xF7760CA4]
SSDT sppc.sys ZwEnumerateValueKey [0xF7761032]
SSDT F7F83EAA ZwLoadKey
SSDT sppc.sys ZwOpenKey [0xF77420C0]
SSDT F7F83E78 ZwOpenProcess
SSDT F7F83E7D ZwOpenThread
SSDT sppc.sys ZwQueryKey [0xF776110A]
SSDT sppc.sys ZwQueryValueKey [0xF7760F8A]
SSDT F7F83EB4 ZwReplaceKey
SSDT F7F83EAF ZwRestoreKey
SSDT F7F83EA0 ZwSetValueKey
SSDT F7F83E87 ZwTerminateProcess

INT 0x73 ? 86754BF8
INT 0x73 ? 86754BF8
INT 0x73 ? 86754BF8
INT 0x73 ? 86754BF8
INT 0x73 ? 864D1BF8
INT 0x73 ? 86754BF8
INT 0x83 ? 864D1BF8
INT 0x83 ? 864D1BF8
INT 0xA4 ? 864D1BF8
INT 0xB4 ? 864D1BF8

Code 866B6500 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? sppc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F65658AC 5 Bytes JMP 864D11D8
.text ag62k4ps.SYS EE781386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ag62k4ps.SYS EE7813AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ag62k4ps.SYS EE7813C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ag62k4ps.SYS EE7813C9 1 Byte [30]
.text ag62k4ps.SYS EE7813C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 867572D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7773C4C] sppc.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7773CA0] sppc.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7743042] sppc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F774313E] sppc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F77430C0] sppc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7743800] sppc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F77436D6] sppc.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 864D12D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7752E9C] sppc.sys
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlInitUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!swprintf] 001CB286
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeSetEvent] C61AEB00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 001C8186
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 86C61200
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00001C83
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmFreeMappingAddress] 8E868801
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 8800001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 001CAA86
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmUnmapIoSpace] 80968B00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8900001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IofCompleteRequest] 001C9C96
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlCompareUnicodeString] C6168B00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IofCallDriver] 001CB986
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 428A0A00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] BA86880C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoConnectInterrupt] 8B00001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoDetachDevice] 24A48DFA
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInitializeEvent] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeCancelTimer] 8D3F0304
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CB033043
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlInitAnsiString] 0673C13B
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] C13B0003
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoQueueWorkItem] 8366FA72
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmMapIoSpace] 75000E7B
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0B7D80E3
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoReportDetectedDevice] 307B8D00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00AA840F
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 83660000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!PoRequestPowerIrp] C6647400
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CBB86
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 4F8B0200
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!sprintf] 968D5140
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00001C90
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ObfDereferenceObject] 2266E852
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 478B0000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 50016A40
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ZwClose] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E8510000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00002254
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A18538B
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 868D5200
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoCreateDevice] 00001C98
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 2242E850
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 4B8B0000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 51016A18
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ZwOpenKey] 1CB4968D
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlFreeUnicodeString] E8520000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoStartTimer] 00002230
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInitializeTimer] 8A05478A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoInitializeTimer] 001CBB8E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInitializeDpc] 30C48300
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInitializeSpinLock] 1CBD8688
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoInitializeIrp] 80E90000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ZwCreateKey] C6000000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CBB86
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 438B0100
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ZwSetValueKey] 8E8D5018
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeInsertQueueDpc] 00001C90
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 2202E851
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoStartPacket] 538B0000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 52016A18
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 1CAC868D
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoFreeMdl] E8500000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmUnlockPages] 000021F0
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 001CBB8E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 1CBD8688
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeSynchronizeExecution] 43EB0000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoStartNextPacket] 320C538A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeBugCheckEx] 88F93BC0
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CBB96
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeSetTimer] F6317300
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!_allmul] 74070647
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmProbeAndLockPages] 75C0841A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!_except_handler3] 05578A0B
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!PoSetPowerState] 968801B0
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00001CBD
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B60F66
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 533B6604
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!_aulldiv] 03087408
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!strstr] 72F93B3F
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!_strupr] 8A09EBDA
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeQuerySystemTime] 86880547
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 00001CBD
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!KeTickCount] 88084B8A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 001CBE8E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoDeleteDevice] 40578B00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 8D52006A
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAllocateWorkItem] 001CC086
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAllocateIrp] 81E85000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoAllocateMdl] 8B000021
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB88E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmLockPagableDataSection] BC968B00
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8900001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CC48E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!ExFreePoolWithTag] C8968900
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoFreeIrp] 8B00001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!IoFreeWorkItem] 016A4047
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!InitSafeBootMode] CCC68150
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!RtlCompareMemory] 5600001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!PoCallDriver] 002157E8
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!memmove] 18C48300
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[ntoskrnl.exe!MmHighestUserAddress] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ag62k4ps.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867531F8
Device \Driver\NDIS \Device\Ndis [8662B984] NDIS.sys[.reloc]
Device \Driver\usbuhci \Device\USBPDO-0 864D01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 867D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 867D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 867D81F8
Device \Driver\usbuhci \Device\USBPDO-1 864D01F8
Device \Driver\usbuhci \Device\USBPDO-2 864D01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9CDE496F-1A66-4ED7-B975-28313046E590} 864ED1F8
Device \Driver\usbuhci \Device\USBPDO-3 864D01F8
Device \Driver\usbehci \Device\USBPDO-4 864A31F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 867551F8
Device \Driver\PCI_PNP4020 \Device\00000071 sppc.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 867551F8
Device \Driver\Cdrom \Device\CdRom0 864911F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 867551F8
Device \Driver\Cdrom \Device\CdRom1 864911F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 864ED1F8
Device \Driver\NetBT \Device\NetbiosSmb 864ED1F8
Device \Driver\usbstor \Device\0000006b 861881F8
Device \Driver\usbuhci \Device\USBFDO-0 864D01F8
Device \Driver\usbstor \Device\0000006c 861881F8
Device \Driver\sptd \Device\2520659020 sppc.sys
Device \Driver\usbstor \Device\0000006d 861881F8
Device \Driver\usbuhci \Device\USBFDO-1 864D01F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8618A1F8
Device \Driver\usbstor \Device\0000006e 861881F8
Device \Driver\usbuhci \Device\USBFDO-2 864D01F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8618A1F8
Device \Driver\usbstor \Device\0000006f 861881F8
Device \Driver\usbuhci \Device\USBFDO-3 864D01F8
Device \Driver\usbehci \Device\USBFDO-4 864A31F8
Device \Driver\Ftdisk \Device\FtControl 867551F8
Device \Driver\ag62k4ps \Device\Scsi\ag62k4ps1Port4Path0Target0Lun0 86404500
Device \Driver\ag62k4ps \Device\Scsi\ag62k4ps1 86404500
Device \FileSystem\Cdfs \Cdfs 86360500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0x61 0x68 0xFE 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0xFE 0x70 0xDE 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x04 0xA3 0x5B 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0x61 0x68 0xFE 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0xFE 0x70 0xDE 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x04 0xA3 0x5B 0x6D ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 167552/182656 bytes executable
File E:\$ntservicepackuninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----
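The GMER report above is the kind of output a helper reads by hand, section by section. As an added example, not part of this thread and not GMER's own code, here is a small Python triage script that parses a GMER 1.0.15 report and pulls out the entries worth a second look: SSDT hooks (split into those GMER could attribute to a module and those where it printed only an address), inline code patches, modules GMER could not open on disk, device objects served by a named driver, and files with a size mismatch. The embedded sample log is constructed from a handful of lines in the same format as the report above and trimmed to keep the script short; the Finding class and the category names are my own, not GMER terminology.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines in the GMER 1.0.15 report format,
# trimmed from a much longer scan, so the script runs offline.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15077 - http://www.gmer.net
Rootkit scan 2009-08-19 23:28:10

---- System - GMER 1.0.15 ----

SSDT F7F83E96 ZwCreateKey
SSDT sppc.sys ZwEnumerateKey [0xF7760CA4]
SSDT F7F83E78 ZwOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

? sppc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F65658AC 5 Bytes JMP 864D11D8
.text ag62k4ps.SYS EE7813C9 1 Byte [30]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867531F8
Device \Driver\PCI_PNP4020 \Device\00000071 sppc.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable

---- EOF - GMER 1.0.15 ----
"""

# Line shapes taken from the GMER report format.
SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)(?: \[(0x[0-9A-Fa-f]+)\])?")
INLINE_RE = re.compile(r"^\.text (\S+) ([0-9A-Fa-f]+) (\d+) Bytes? (.*)$")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the file specified")
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) (.+)$")
FILE_RE = re.compile(r"^File (.+?) \(size mismatch\) (\d+)/(\d+) bytes")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # a bare 32-bit address, no module name


@dataclass(frozen=True)
class Finding:
    section: str   # GMER section the line came from
    kind: str      # category assigned by this script (my naming)
    subject: str   # hooked function, symbol, device or file path
    detail: str


def triage_gmer(log_text: str) -> List[Finding]:
    """Walk a GMER report line by line and collect the entries worth reviewing."""
    findings: List[Finding] = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SSDT_RE.match(line)
        if m:
            owner, func, addr = m.groups()
            if ADDR_RE.match(owner):
                # GMER printed only an address: the handler is outside any
                # module it could name, which deserves the first look.
                findings.append(Finding(section, "ssdt_hook_unattributed", func,
                                        f"handler at 0x{owner} not mapped to a loaded module"))
            else:
                findings.append(Finding(section, "ssdt_hook", func,
                                        f"redirected into {owner} at {addr}"))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(section, "module_not_on_disk", m.group(1),
                                    "code is loaded but GMER cannot open the file"))
            continue
        m = INLINE_RE.match(line)
        if m:
            symbol, addr, nbytes, patch = m.groups()
            # A JMP/CALL written over a function prologue is a classic inline hook;
            # other byte patches are recorded separately for review.
            kind = "inline_hook" if patch.startswith(("JMP", "CALL")) else "code_section_modified"
            findings.append(Finding(section, kind, symbol, f"{nbytes} bytes at {addr}: {patch}"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            driver, device, owner = m.groups()
            if owner.lower().endswith(".sys"):
                findings.append(Finding(section, "device_attached_driver", device,
                                        f"{driver} device object served by {owner}"))
            continue
        m = FILE_RE.match(line)
        if m:
            path, size_a, size_b = m.groups()
            findings.append(Finding(section, "file_size_mismatch", path,
                                    f"two size readings disagree: {size_a} vs {size_b} bytes"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick overview before reading details."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f.section}] {f.kind:<24} {f.subject}  ({f.detail})")
    print(summarize(results))
```

Run it as a script to print the grouped findings for the embedded sample, or pass the full text of a saved GMER log to triage_gmer. A hit is a lead, not a verdict: the same driver that hooks the SSDT in the report above (sppc.sys) is also listed beside the sptd service keys that the Registry section ties to DAEMON Tools Lite, so each entry has to be read against what is actually installed on the machine, which is why the helper asked for the log rather than a summary.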

#6 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 19 August 2009 - 12:06 PM

What steps have you taken since posting your first log?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 snoopdrew (Topic Starter, Members, 26 posts)

Posted 20 August 2009 - 10:53 PM

I haven't taken any steps since posting my first log, as far as trying to remove it. I just use my computer normally without anything requiring logins, passwords, or account numbers as a precaution. Every couple of minutes, I'll check task manager and sometimes iexplore.exe is there with one to four separate processes and sometimes it isn't. I'll kill them all, and sometimes it comes back right away and sometimes they don't come back after 10-15 minutes. I have always used and continue to use firefox.

Also, I don't know if this is related, but I have a bunch of svchost.exe processes and one is usually hogging up almost 100% CPU usage. I notice that if I kill the svchost.exe process with 100% usage, almost immediately and always, the same process returns hogging up the CPU again, AND I'll trigger maybe one or two of those pesky iexplore.exe processes as well.

#8 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 21 August 2009 - 11:30 AM

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 snoopdrew (Topic Starter, Members, 26 posts)

Posted 22 August 2009 - 01:22 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/22/2009 at 03:04 PM

Application Version : 4.27.1002

Core Rules Database Version : 4067
Trace Rules Database Version: 2007

Scan type : Complete Scan
Total Scan Time : 01:06:36

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 4972
Registry threats detected : 2
File items scanned : 20638
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\Yoda\Cookies\yoda@questionmarket[2].txt
C:\Documents and Settings\Yoda\Cookies\yoda@ad.yieldmanager[2].txt
C:\Documents and Settings\Yoda\Cookies\yoda@ad-indicator[1].txt
C:\Documents and Settings\Yoda\Cookies\yoda@atdmt[2].txt
C:\Documents and Settings\Yoda\Cookies\yoda@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Yoda\Cookies\yoda@fastclick[1].txt
C:\Documents and Settings\Yoda\Cookies\yoda@msnportal.112.2o7[1].txt
C:\Documents and Settings\Yoda\Cookies\yoda@doubleclick[2].txt
C:\Documents and Settings\Yoda\Cookies\yoda@interclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@c7.zedo[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[2].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

#10 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 22 August 2009 - 11:48 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#11 snoopdrew (Topic Starter, Members, 26 posts)

Posted 22 August 2009 - 11:02 PM

Just so you know, I know it's too early to say, but I've not had the iexplore processes come back again after the SUPERAntiSpyware scan.

ComboFix 09-08-22.06 - Yoda 08/23/2009 12:39.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.676 [GMT 9:00]
Running from: c:\documents and settings\Yoda\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctfmon .exe


.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 03:36 . 2009-08-23 03:36 3182166 ----a-w- c:\temp\ComboFix(2).exe
2009-08-22 04:35 . 2009-08-23 03:32 117760 ----a-w- c:\documents and settings\Yoda\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-22 04:35 . 2009-08-22 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\documents and settings\Yoda\Application Data\SUPERAntiSpyware.com
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 04:31 . 2009-08-22 04:32 6881824 ----a-w- c:\temp\SUPERAntiSpyware.exe
2009-08-19 13:48 . 2009-08-19 13:48 514048 ----a-w- c:\temp\OTL.exe
2009-08-17 14:42 . 2009-08-17 14:46 -------- d-----w- c:\windows\system32\NtmsData
2009-08-16 16:29 . 2009-08-16 16:29 44295 ----a-w- c:\temp\hj-join.zip
2009-08-16 14:29 . 2009-08-16 14:29 359932 ----a-w- c:\temp\dds.scr
2009-07-26 05:36 . 2009-07-26 05:36 -------- d-----w- c:\windows\ie8updates
2009-07-26 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-26 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-26 05:23 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-26 05:23 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-26 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-26 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-26 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-26 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-26 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-26 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-26 05:21 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-26 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-26 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-26 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-26 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-26 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-26 05:20 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-26 05:20 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-26 05:18 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-26 05:16 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-26 05:16 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-26 05:15 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-26 05:15 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-26 05:14 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-26 05:13 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-26 05:13 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-26 05:10 . 2009-07-26 06:37 -------- d--h--w- c:\windows\$hf_mig$
2009-07-26 05:08 . 2008-10-16 05:09 43544 ----a-w- c:\windows\system32\wups2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 14:25 . 2009-03-09 11:15 70328 ----a-w- c:\documents and settings\Yoda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 14:03 . 2009-07-10 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 11:22 . 2009-07-18 16:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-07 15:26 . 2009-04-22 08:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 04:36 . 2009-07-10 07:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 04:36 . 2009-07-10 07:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:24 . 2009-07-13 16:07 -------- d-----w- c:\documents and settings\Yoda\Application Data\DAEMON Tools Lite
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-13 16:07 . 2009-07-13 16:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-12 17:51 . 2009-07-12 17:51 -------- d-----w- c:\program files\Avira
2009-07-12 17:51 . 2009-07-12 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-10 16:09 . 2009-04-22 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 07:18 . 2009-07-10 07:18 -------- d-----w- c:\documents and settings\Yoda\Application Data\Malwarebytes
2009-07-10 07:18 . 2009-07-10 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 06:21 . 2009-07-10 06:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 05:14 . 2003-03-31 12:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-08 18:47 . 2009-04-22 09:32 -------- d-----w- c:\program files\MSBuild
2009-07-08 18:40 . 2009-07-08 18:40 -------- d-----w- c:\program files\Reference Assemblies
2009-07-08 18:32 . 2009-05-02 07:51 -------- d-----w- c:\documents and settings\Yoda\Application Data\Apple Computer
2009-07-08 17:47 . 2009-07-08 17:46 -------- d-----w- c:\program files\MagicISO
2009-07-08 17:08 . 2009-03-09 12:10 -------- d-----w- c:\documents and settings\Yoda\Application Data\dvdcss
2009-07-08 16:16 . 2009-04-22 08:57 -------- d-----w- c:\program files\Quicken
2009-07-08 16:14 . 2009-07-08 16:14 2904064 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2009-07-08 16:13 . 2009-04-22 08:59 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-07-08 15:09 . 2009-07-08 15:08 -------- d-----w- c:\program files\iTunes
2009-07-08 15:08 . 2009-07-08 15:08 -------- d-----w- c:\program files\iPod
2009-07-08 15:08 . 2009-05-02 07:50 -------- d-----w- c:\program files\Common Files\Apple
2009-07-08 15:05 . 2009-07-08 15:04 -------- d-----w- c:\program files\QuickTime
2009-07-08 15:00 . 2009-05-02 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-01 08:37 . 2009-03-09 11:54 8 ----a-w- c:\windows\system32\nvModes.dat
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 04:57 . 2009-06-05 04:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 02:42 . 2009-05-02 07:50 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 02:42 . 2009-05-02 07:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2003-03-31 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[-] 2003-03-31 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 13:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 13:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2003-03-31 12:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 13:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 13:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2003-03-31 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 13:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 13:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2003-03-31 12:00 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 13:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 13:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2003-03-31 12:00 167552 3B350E5A2A5E951453F3993275A4523A c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-14 08:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-07-10 05:14 212224 58357C46BEB236D8D1566F3530DDFBF2 c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 08:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-14 08:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2003-03-31 12:00 1920512 71FF7EC0EEEA4896DD219C661C90DB29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-07 10:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-14 08:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-04-14 08:01 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 10:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2009-02-07 10:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2003-03-31 12:00 1891840 25A90EB7D1EEE12AB198DC9421BFA353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-14 08:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-04-14 08:54 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 13:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2003-03-31 12:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 13:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2003-03-31 12:00 11776 B2B6BA905D0E3F8A32A0EB3B4051807B c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 13:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 13:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2003-03-31 12:00 13312 414DE7CF9D3F19C3EA902F1BB38EC116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 13:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 13:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe

[-] 2003-03-31 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 13:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 13:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2003-03-31 12:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 13:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 13:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2003-03-31 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 13:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 13:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2003-03-31 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 13:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 13:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2003-03-31 12:00 103936 C9F9E3E6B59C6D6CBCE7F14494A4518A c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 13:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 13:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2003-03-31 12:00 23424 1E7F78C2FC393356CD884C6FDE7966F9 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-14 08:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-14 08:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

[-] 2003-03-31 12:00 792064 1F51839ECCF908FD86558198909262E4 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 13:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 13:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll

[-] 2003-03-31 12:00 18944 55990CA08692E2739A8DDCE0B04352AC c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 13:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 13:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll

[-] 2003-03-31 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
[-] 2003-03-31 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2003-03-31 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys
[-] 2003-03-31 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\dllcache\aec.sys
[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

[-] 2003-03-31 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2008-04-14 13:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 13:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll

[-] 2003-03-31 12:00 34304 A81487520F11F65BF270D50EE29887B2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 13:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 13:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll

[-] 2003-03-31 12:00 557056 0B5D337119929505EE72D4E4A41ED1FD c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 13:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 13:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2003-03-31 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2003-03-31 12:00 921600 76B90BD220F1B1CC9E183C6B1AE9FBB4 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
[-] 2008-04-14 13:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2003-03-31 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2003-03-31 12:00 4096 52BB2A508CB3EB8AAA5F6F142F5B73D6 c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 13:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 13:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll

[-] 2003-03-31 12:00 399360 3ADD563ED7A1C66E6F5E0F7A661AA96D c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 13:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 13:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll

[-] 2003-03-31 12:00 221696 6A1CF14D0E7D0B2241F552223769C8A7 c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll

[-] 2003-03-31 12:00 174592 97418A5C642A5C748A28BD7CF6860B57 c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 13:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 13:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll

[-] 2003-03-31 12:00 49152 BF3C8CF53C77B48206B39910B6D6CBCC c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 13:41 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 13:41 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[-] 2003-03-31 12:00 13568 03F403B07A884FC2AA54A0916C410931 c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-14 08:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-14 08:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys

[-] 2003-03-31 12:00 561920 E3AE9C79498210A5F39FE5A9AD62BC55 c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2008-04-14 08:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-14 08:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys

[-] 2008-04-14 13:42 52224 C7E39EA41233E9F5B86C8DA3A9F1E4A8 c:\windows\system32\mspmsnsv.dll
[-] 2008-04-14 13:42 52224 C7E39EA41233E9F5B86C8DA3A9F1E4A8 c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2008-04-14 13:42 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 13:42 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\xmlprov.dll

[-] 2003-03-31 12:00 53248 41C70161BFCB17E7E12ED89BADD2AEF4 c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 13:41 62464 3D4E199942E29207970E04315D02AD3B c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 13:41 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\cryptsvc.dll

[-] 2003-03-31 12:00 49152 3671D928554E124A8AC326A1769F2FFB c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 13:41 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 13:41 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\browser.dll

[-] 2003-03-31 12:00 233984 9B3A213B6591A79EBABBFB4E4EA0A23E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2008-04-14 13:42 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 13:42 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\tapisrv.dll

[-] 2003-03-31 12:00 154112 E7FF9267BBEB1386975278A27378526F c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2008-04-14 13:42 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 13:42 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\netman.dll

[-] 2003-03-31 12:00 43008 75B5821307B2F4491F9ED06732366872 c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 13:42 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 13:42 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\ssdpsrv.dll

[-] 2003-03-31 12:00 164864 848CE0601B58410FF2DFB6BC8449AFE7 c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2008-04-14 13:42 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 13:42 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\upnphost.dll

[-] 2003-03-31 12:00 158720 38E9CFAC7881435764051FD7B1F010FB c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 13:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 13:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll

[-] 2008-04-14 13:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 13:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe

[-] 2003-03-31 12:00 392704 AAC49EF5C84A2EBD7409A51A1B65C542 c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 13:42 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 13:42 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\ntmssvc.dll

[-] 2003-03-31 12:00 82944 442ED09256E1D55D128219CF1AB27554 c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 13:42 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 13:42 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\rasauto.dll

[-] 2003-03-31 12:00 1157632 2564949DBE5F643F50913BBE45D346E2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 13:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 13:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2003-03-31 12:00 159232 719B05113003A1934EA25EA1FED68C85 c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 13:42 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 13:42 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\schedsvc.dll

[-] 2003-03-31 12:00 51712 9DF4527D53613601D3F79946EAA1DCB1 c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 13:42 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 13:42 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll

[-] 2003-03-31 12:00 116224 61684089A54936E40F65DA02D47A28AE c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2008-04-14 13:42 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 13:42 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll

c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-07-26_12.04.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 15:22 . 2009-08-22 04:42 81920 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2009-07-11 15:22 . 2009-07-26 11:32 81920 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-08-07 15:11 . 2009-08-22 04:42 98304 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-19 15:49 . 2009-08-19 15:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082020090821\index.dat
+ 2009-08-19 14:41 . 2009-08-19 14:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009081920090820\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009081720090818\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009080320090810\index.dat
+ 2009-08-07 15:56 . 2009-08-07 15:57 36864 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D79B2CEE-836A-11DE-8AF7-000EA61EC9D6}.dat
+ 2009-08-19 14:41 . 2009-08-19 14:54 35840 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6928C608-8CCE-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-19 14:55 . 2009-08-19 14:56 22016 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6627ADFA-8CD0-11DE-8AFD-000EA61EC9D6}.dat
- 2009-07-11 15:43 . 2009-07-26 11:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-07-11 15:43 . 2009-08-22 04:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-03-09 10:57 . 2009-07-26 11:32 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-09 10:57 . 2009-08-22 04:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-22 04:33 . 2009-08-22 04:33 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-22 04:33 . 2009-08-22 04:33 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-08-19 14:31 . 2009-08-19 14:41 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FEF0A2BA-8CCC-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-17 15:31 . 2009-08-17 15:31 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FB062A66-8B42-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-17 15:30 . 2009-08-17 15:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F1AA0F14-8B42-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-12 10:28 . 2009-08-12 10:28 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F02BBFD2-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:13 . 2009-08-16 14:13 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EE47128F-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-19 15:49 . 2009-08-19 15:49 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E9ABE04E-8CD7-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-16 14:12 . 2009-08-16 14:12 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E2A79BCF-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-17 15:30 . 2009-08-17 15:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DD8C37B4-8B42-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-12 10:28 . 2009-08-12 10:28 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DAC01F39-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:12 . 2009-08-16 14:12 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D91E33CF-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-19 15:49 . 2009-08-19 15:49 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D8CBBB46-8CD7-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-07 15:56 . 2009-08-07 15:56 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D79B2CED-836A-11DE-8AF7-000EA61EC9D6}.dat
+ 2009-08-17 15:08 . 2009-08-17 15:08 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D47AE862-8B3F-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-17 14:39 . 2009-08-17 14:45 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D43FB0F2-8B3B-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-19 15:49 . 2009-08-19 15:49 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D43453F4-8CD7-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-12 10:28 . 2009-08-12 10:28 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D233707D-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:12 . 2009-08-16 14:12 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D0512595-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-19 15:48 . 2009-08-19 15:49 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CA84C654-8CD7-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-12 10:27 . 2009-08-12 10:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C8CB696A-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:12 . 2009-08-16 14:12 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C7546853-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-17 15:08 . 2009-08-17 15:08 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C70A8714-8B3F-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-16 14:26 . 2009-08-16 14:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C6F1450F-8A70-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-17 15:07 . 2009-08-17 15:07 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BFD06644-8B3F-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-12 10:27 . 2009-08-12 10:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BF55143A-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:26 . 2009-08-16 14:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BDD7EB95-8A70-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-16 14:11 . 2009-08-16 14:11 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BC950E9F-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-22 04:31 . 2009-08-22 04:32 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BA8D2CE1-8ED4-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-16 14:11 . 2009-08-16 14:11 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B3AB642D-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-22 04:17 . 2009-08-22 04:17 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AFBC2338-8ED2-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-12 10:27 . 2009-08-12 10:27 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AEA962EE-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-17 14:45 . 2009-08-17 14:45 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A9406788-8B3C-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-22 04:31 . 2009-08-22 04:31 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A8BE9CB2-8ED4-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-16 14:11 . 2009-08-16 14:11 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A6553CBD-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-12 10:26 . 2009-08-12 10:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A1474FBC-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-16 14:10 . 2009-08-16 14:10 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9CFDE61F-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-22 04:31 . 2009-08-22 04:31 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9BE6D1E4-8ED4-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-17 15:06 . 2009-08-17 15:07 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{95AE57CC-8B3F-11DE-8AFC-000EA61EC9D6}.dat
+ 2009-08-12 10:26 . 2009-08-12 10:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{957CEEA8-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-22 04:30 . 2009-08-22 04:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8FDE73AC-8ED4-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-19 15:54 . 2009-08-19 15:54 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8F93C30A-8CD8-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-12 10:26 . 2009-08-12 10:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{88DE5C4A-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-19 15:54 . 2009-08-19 15:54 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8249875C-8CD8-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-22 04:30 . 2009-08-22 04:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7FBD0AC4-8ED4-11DE-8AFE-000EA61EC9D6}.dat
+ 2009-08-19 14:56 . 2009-08-19 14:57 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7F26D596-8CD0-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-16 14:09 . 2009-08-16 14:10 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7AB8185E-8A6E-11DE-8AFA-000EA61EC9D6}.dat
+ 2009-08-19 14:56 . 2009-08-19 14:56 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{77862FA8-8CD0-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-19 14:56 . 2009-08-19 14:56 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{73F9CFB6-8CD0-11DE-8AFD-000EA61EC9D6}.dat
+ 2009-08-12 10:25 . 2009-08-12 10:25 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7086194E-872A-11DE-8AF9-000EA61EC9D6}.dat
+ 2009-08-17 15:19 . 2009-08-17 15:20 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6CE96028-8B41-11DE-8AFC-000EA61EC9D6}.dat
- 2009-03-09 10:57 . 2009-07-26 11:32 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-09 10:57 . 2009-08-22 04:42 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-11 15:19 . 2009-07-26 11:16 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-11 15:19 . 2009-08-17 15:32 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-22 04:33 . 2009-08-22 04:33 1516544 c:\windows\Installer\be77f.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\c:^documents and settings^yoda^start menu^programs^startup^ihaupd32.exe]
path=c:\documents and settings\Yoda\Start Menu\Programs\Startup\ihaupd32.exe
backup=c:\windows\pss\ihaupd32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 2:51 AM 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2009 4:18 PM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2009 4:18 PM 19096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S1 2ad4abee;2ad4abee;c:\windows\system32\drivers\2ad4abee.sys --> c:\windows\system32\drivers\2ad4abee.sys [?]
S1 7c6d2b0a;7c6d2b0a;c:\windows\system32\drivers\7c6d2b0a.sys --> c:\windows\system32\drivers\7c6d2b0a.sys [?]
S1 9f099bc0;9f099bc0;c:\windows\system32\drivers\9f099bc0.sys --> c:\windows\system32\drivers\9f099bc0.sys [?]
S2 bufw;bufw;c:\windows\system32\drivers\ltujn.sys --> c:\windows\system32\drivers\ltujn.sys [?]
S2 pokvbfk;pokvbfk;c:\windows\system32\drivers\gfhscwqv.sys --> c:\windows\system32\drivers\gfhscwqv.sys [?]
S2 slqxvzn;slqxvzn;c:\windows\system32\drivers\basbuizt.sys --> c:\windows\system32\drivers\basbuizt.sys [?]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [11/12/2003 12:34 AM 22891]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60b49e34-c7cc-11d0-8953-00a0c90347ff}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yoda\Application Data\Mozilla\Firefox\Profiles\da5r8v5r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Yoda\Application Data\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c6,54,38,4d,06,5f,50,41,94,98,06,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c6,54,38,4d,06,5f,50,41,94,98,06,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-23 12:48
ComboFix-quarantined-files.txt 2009-08-23 03:48
ComboFix2.txt 2009-07-26 12:07
ComboFix3.txt 2009-07-22 16:34
ComboFix4.txt 2009-07-19 15:18

Pre-Run: 53,183,176,704 bytes free
Post-Run: 53,206,433,792 bytes free


#12 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 August 2009 - 08:51 AM

Sounds promising.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
2ad4abee
7c6d2b0a
9f099bc0
bufw
pokvbfk
slqxvzn

File::
c:\windows\system32\drivers\2ad4abee.sys
c:\windows\system32\drivers\7c6d2b0a.sys
c:\windows\system32\drivers\9f099bc0.sys
c:\windows\system32\drivers\ltujn.sys
c:\windows\system32\drivers\gfhscwqv.sys
c:\windows\system32\drivers\basbuizt.sys

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


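The log-reading step behind the CFScript above, as an added example that is not part of this thread or of ComboFix itself: it parses the service lines of a ComboFix log, picks out the entries ComboFix could not resolve to a file on disk (the `--> path [?]` lines), explains why each looks suspicious, and drafts the Driver:: and File:: sections in the same form the helper wrote by hand. The line format it assumes is inferred from the log posted earlier in this thread, not from any ComboFix documentation, and the sample lines are copied from that log.

```python
"""Added example (not from the thread): find orphaned driver services in a
ComboFix log and draft the Driver::/File:: sections of a CFScript for them.

Assumed line shapes (inferred from the log above, not documented by ComboFix):
  <R|S><n> <service>;<display name>;<image path> [<date> <size>]
  <R|S><n> <service>;<display name>;<image path> --> <image path> [?]
The second form is what ComboFix prints when the image file is not on disk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+)$")


@dataclass
class ServiceEntry:
    start: str          # R = running, S = stopped
    kind: int           # 1 = kernel driver, 2/3 = service/other
    name: str
    display: str
    path: str
    unresolved: bool    # ComboFix printed "--> path [?]": image not found on disk
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The helper acted only on entries whose image file was missing; the
        # other reasons are context, not grounds for removal on their own.
        return self.unresolved


def _reasons(e: ServiceEntry) -> List[str]:
    reasons = []
    if e.unresolved:
        reasons.append("image file not found on disk")
    if re.fullmatch(r"[0-9a-f]{8}", e.name):
        reasons.append("service name is 8 random-looking hex digits")
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.lower() != e.name.lower():
        reasons.append(f"image file '{stem}' does not match service name")
    return reasons


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, kind, name, display, rest = m.groups()
    if " --> " in rest:
        path = rest.split(" --> ", 1)[0].strip()
        unresolved = rest.rstrip().endswith("[?]")
    else:
        path = rest.rsplit(" [", 1)[0].strip()   # drop the trailing [date size]
        unresolved = False
    entry = ServiceEntry(start, int(kind), name.strip(), display.strip(), path, unresolved)
    entry.reasons = _reasons(entry)
    return entry


def find_suspicious_services(log_text: str) -> List[ServiceEntry]:
    entries = (parse_service_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.suspicious]


def draft_cfscript(entries: List[ServiceEntry]) -> str:
    """Emit Driver:: and File:: sections in the layout used in this thread."""
    if not entries:
        return ""
    lines = ["Driver::"] + [e.name for e in entries]
    lines += ["", "File::"] + [e.path for e in entries]
    return "\n".join(lines) + "\n"


# Service lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = "\n".join([
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]",
    r"R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2009 4:18 PM 232720]",
    r"R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2009 4:18 PM 19096]",
    r"S1 2ad4abee;2ad4abee;c:\windows\system32\drivers\2ad4abee.sys --> c:\windows\system32\drivers\2ad4abee.sys [?]",
    r"S1 7c6d2b0a;7c6d2b0a;c:\windows\system32\drivers\7c6d2b0a.sys --> c:\windows\system32\drivers\7c6d2b0a.sys [?]",
    r"S1 9f099bc0;9f099bc0;c:\windows\system32\drivers\9f099bc0.sys --> c:\windows\system32\drivers\9f099bc0.sys [?]",
    r"S2 bufw;bufw;c:\windows\system32\drivers\ltujn.sys --> c:\windows\system32\drivers\ltujn.sys [?]",
    r"S2 pokvbfk;pokvbfk;c:\windows\system32\drivers\gfhscwqv.sys --> c:\windows\system32\drivers\gfhscwqv.sys [?]",
    r"S2 slqxvzn;slqxvzn;c:\windows\system32\drivers\basbuizt.sys --> c:\windows\system32\drivers\basbuizt.sys [?]",
    r"S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [11/12/2003 12:34 AM 22891]",
])

if __name__ == "__main__":
    flagged = find_suspicious_services(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.start}{e.kind} {e.name}: " + "; ".join(e.reasons))
    print()
    print(draft_cfscript(flagged), end="")
```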
========================================================

#13 snoopdrew
  • Topic Starter
  • Members
  • 26 posts

Posted 23 August 2009 - 11:43 AM

ComboFix 09-08-22.06 - Yoda 08/24/2009 1:17.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.677 [GMT 9:00]
Running from: c:\documents and settings\Yoda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yoda\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\2ad4abee.sys"
"c:\windows\system32\drivers\7c6d2b0a.sys"
"c:\windows\system32\drivers\9f099bc0.sys"
"c:\windows\system32\drivers\basbuizt.sys"
"c:\windows\system32\drivers\gfhscwqv.sys"
"c:\windows\system32\drivers\ltujn.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BUFW
-------\Legacy_POKVBFK
-------\Legacy_SLQXVZN
-------\Service_2ad4abee
-------\Service_7c6d2b0a
-------\Service_9f099bc0
-------\Service_bufw
-------\Service_pokvbfk
-------\Service_slqxvzn


((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 03:36 . 2009-08-23 03:36 3182166 ----a-w- c:\temp\ComboFix(2).exe
2009-08-22 04:35 . 2009-08-23 16:32 117760 ----a-w- c:\documents and settings\Yoda\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-22 04:35 . 2009-08-22 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\documents and settings\Yoda\Application Data\SUPERAntiSpyware.com
2009-08-22 04:33 . 2009-08-22 04:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 04:31 . 2009-08-22 04:32 6881824 ----a-w- c:\temp\SUPERAntiSpyware.exe
2009-08-19 13:48 . 2009-08-19 13:48 514048 ----a-w- c:\temp\OTL.exe
2009-08-17 14:42 . 2009-08-17 14:46 -------- d-----w- c:\windows\system32\NtmsData
2009-08-16 16:29 . 2009-08-16 16:29 44295 ----a-w- c:\temp\hj-join.zip
2009-08-16 14:29 . 2009-08-16 14:29 359932 ----a-w- c:\temp\dds.scr
2009-07-26 05:36 . 2009-07-26 05:36 -------- d-----w- c:\windows\ie8updates
2009-07-26 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-26 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-26 05:23 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-26 05:23 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-26 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-26 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-26 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-26 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-26 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-26 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-26 05:21 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-26 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-26 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-26 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-26 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-26 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-26 05:20 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-26 05:20 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-26 05:18 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-26 05:16 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-26 05:16 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-26 05:15 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-26 05:15 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-26 05:14 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-26 05:13 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-26 05:13 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-26 05:10 . 2009-07-26 06:37 -------- d--h--w- c:\windows\$hf_mig$
2009-07-26 05:08 . 2008-10-16 05:09 43544 ----a-w- c:\windows\system32\wups2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 14:25 . 2009-03-09 11:15 70328 ----a-w- c:\documents and settings\Yoda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 14:03 . 2009-07-10 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 11:22 . 2009-07-18 16:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-07 15:26 . 2009-04-22 08:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 04:36 . 2009-07-10 07:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 04:36 . 2009-07-10 07:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:24 . 2009-07-13 16:07 -------- d-----w- c:\documents and settings\Yoda\Application Data\DAEMON Tools Lite
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-13 16:13 . 2009-07-13 16:13 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-13 16:07 . 2009-07-13 16:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-12 17:51 . 2009-07-12 17:51 -------- d-----w- c:\program files\Avira
2009-07-12 17:51 . 2009-07-12 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-10 16:09 . 2009-04-22 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 07:18 . 2009-07-10 07:18 -------- d-----w- c:\documents and settings\Yoda\Application Data\Malwarebytes
2009-07-10 07:18 . 2009-07-10 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 06:21 . 2009-07-10 06:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 05:14 . 2003-03-31 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-08 18:47 . 2009-04-22 09:32 -------- d-----w- c:\program files\MSBuild
2009-07-08 18:40 . 2009-07-08 18:40 -------- d-----w- c:\program files\Reference Assemblies
2009-07-08 18:32 . 2009-05-02 07:51 -------- d-----w- c:\documents and settings\Yoda\Application Data\Apple Computer
2009-07-08 17:47 . 2009-07-08 17:46 -------- d-----w- c:\program files\MagicISO
2009-07-08 17:08 . 2009-03-09 12:10 -------- d-----w- c:\documents and settings\Yoda\Application Data\dvdcss
2009-07-08 16:16 . 2009-04-22 08:57 -------- d-----w- c:\program files\Quicken
2009-07-08 16:14 . 2009-07-08 16:14 2904064 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2009-07-08 16:13 . 2009-04-22 08:59 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-07-08 15:09 . 2009-07-08 15:08 -------- d-----w- c:\program files\iTunes
2009-07-08 15:08 . 2009-07-08 15:08 -------- d-----w- c:\program files\iPod
2009-07-08 15:08 . 2009-05-02 07:50 -------- d-----w- c:\program files\Common Files\Apple
2009-07-08 15:05 . 2009-07-08 15:04 -------- d-----w- c:\program files\QuickTime
2009-07-08 15:00 . 2009-05-02 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-01 08:37 . 2009-03-09 11:54 8 ----a-w- c:\windows\system32\nvModes.dat
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 04:57 . 2009-06-05 04:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 02:42 . 2009-05-02 07:50 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 02:42 . 2009-05-02 07:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2003-03-31 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[-] 2003-03-31 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 13:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 13:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2003-03-31 12:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 13:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 13:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2003-03-31 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 13:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 13:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2003-03-31 12:00 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 13:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 13:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2003-03-31 12:00 182656 1DF7F42665C94B825322FAE71721130D c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-14 08:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-07-10 05:14 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 08:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-14 08:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2003-03-31 12:00 1920512 71FF7EC0EEEA4896DD219C661C90DB29 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-07 10:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-14 08:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-04-14 08:01 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 10:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2009-02-07 10:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2003-03-31 12:00 1891840 25A90EB7D1EEE12AB198DC9421BFA353 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-14 08:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-04-14 08:54 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 13:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2003-03-31 12:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 13:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2003-03-31 12:00 11776 B2B6BA905D0E3F8A32A0EB3B4051807B c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 13:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 13:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2003-03-31 12:00 13312 414DE7CF9D3F19C3EA902F1BB38EC116 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 13:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 13:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe

[-] 2003-03-31 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 13:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 13:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2003-03-31 12:00 22016 E931E0A2B8BF0019DB902E98D03662CB c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 13:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 13:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2003-03-31 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 13:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 13:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2003-03-31 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 13:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 13:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2003-03-31 12:00 103936 C9F9E3E6B59C6D6CBCE7F14494A4518A c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 13:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 13:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2003-03-31 12:00 23424 1E7F78C2FC393356CD884C6FDE7966F9 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-14 08:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-14 08:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

[-] 2003-03-31 12:00 792064 1F51839ECCF908FD86558198909262E4 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 13:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 13:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll

[-] 2003-03-31 12:00 18944 55990CA08692E2739A8DDCE0B04352AC c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 13:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 13:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll

[-] 2003-03-31 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
[-] 2003-03-31 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2003-03-31 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys
[-] 2003-03-31 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\dllcache\aec.sys
[-] 2008-04-14 06:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

[-] 2003-03-31 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2008-04-14 13:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 13:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll

[-] 2003-03-31 12:00 34304 A81487520F11F65BF270D50EE29887B2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 13:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 13:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll

[-] 2003-03-31 12:00 557056 0B5D337119929505EE72D4E4A41ED1FD c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 13:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 13:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2003-03-31 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2003-03-31 12:00 921600 76B90BD220F1B1CC9E183C6B1AE9FBB4 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
[-] 2008-04-14 13:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2003-03-31 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2003-03-31 12:00 4096 52BB2A508CB3EB8AAA5F6F142F5B73D6 c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 13:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 13:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll

[-] 2003-03-31 12:00 399360 3ADD563ED7A1C66E6F5E0F7A661AA96D c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 13:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 13:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll

[-] 2003-03-31 12:00 221696 6A1CF14D0E7D0B2241F552223769C8A7 c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
[-] 2008-04-14 13:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll

[-] 2003-03-31 12:00 174592 97418A5C642A5C748A28BD7CF6860B57 c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 13:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 13:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll

[-] 2003-03-31 12:00 49152 BF3C8CF53C77B48206B39910B6D6CBCC c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 13:41 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 13:41 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[-] 2003-03-31 12:00 13568 03F403B07A884FC2AA54A0916C410931 c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-14 08:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-14 08:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys

[-] 2003-03-31 12:00 561920 E3AE9C79498210A5F39FE5A9AD62BC55 c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2008-04-14 08:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-14 08:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys

[-] 2008-04-14 13:42 52224 C7E39EA41233E9F5B86C8DA3A9F1E4A8 c:\windows\system32\mspmsnsv.dll
[-] 2008-04-14 13:42 52224 C7E39EA41233E9F5B86C8DA3A9F1E4A8 c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2008-04-14 13:42 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 13:42 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\xmlprov.dll

[-] 2003-03-31 12:00 53248 41C70161BFCB17E7E12ED89BADD2AEF4 c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 13:41 62464 3D4E199942E29207970E04315D02AD3B c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 13:41 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\cryptsvc.dll

[-] 2003-03-31 12:00 49152 3671D928554E124A8AC326A1769F2FFB c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 13:41 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 13:41 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\browser.dll

[-] 2003-03-31 12:00 233984 9B3A213B6591A79EBABBFB4E4EA0A23E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2008-04-14 13:42 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 13:42 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\tapisrv.dll

[-] 2003-03-31 12:00 154112 E7FF9267BBEB1386975278A27378526F c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2008-04-14 13:42 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 13:42 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\netman.dll

[-] 2003-03-31 12:00 43008 75B5821307B2F4491F9ED06732366872 c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 13:42 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 13:42 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\ssdpsrv.dll

[-] 2003-03-31 12:00 164864 848CE0601B58410FF2DFB6BC8449AFE7 c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2008-04-14 13:42 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 13:42 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\upnphost.dll

[-] 2003-03-31 12:00 158720 38E9CFAC7881435764051FD7B1F010FB c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 13:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 13:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll

[-] 2008-04-14 13:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 13:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe

[-] 2003-03-31 12:00 392704 AAC49EF5C84A2EBD7409A51A1B65C542 c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 13:42 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 13:42 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\ntmssvc.dll

[-] 2003-03-31 12:00 82944 442ED09256E1D55D128219CF1AB27554 c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 13:42 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 13:42 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\rasauto.dll

[-] 2003-03-31 12:00 1157632 2564949DBE5F643F50913BBE45D346E2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 13:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 13:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[-] 2003-03-31 12:00 159232 719B05113003A1934EA25EA1FED68C85 c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 13:42 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 13:42 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\schedsvc.dll

[-] 2003-03-31 12:00 51712 9DF4527D53613601D3F79946EAA1DCB1 c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 13:42 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 13:42 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll

[-] 2003-03-31 12:00 116224 61684089A54936E40F65DA02D47A28AE c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2008-04-14 13:42 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 13:42 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll

c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-08-23_03.45.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-11 15:22 . 2009-08-22 04:42 81920 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-07-11 15:22 . 2009-08-23 15:55 81920 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2009-08-07 15:11 . 2009-08-22 04:42 98304 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-07 15:11 . 2009-08-23 15:55 98304 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-11 15:43 . 2009-08-22 04:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-07-11 15:43 . 2009-08-23 15:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-03-09 10:57 . 2009-08-23 15:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-09 10:57 . 2009-08-22 04:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-23 15:55 . 2009-08-23 15:59 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{658F7C7A-8FFD-11DE-8B02-000EA61EC9D6}.dat
+ 2009-08-23 15:55 . 2009-08-23 15:55 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{658F7C7B-8FFD-11DE-8B02-000EA61EC9D6}.dat
+ 2009-03-09 10:57 . 2009-08-23 15:55 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-09 10:57 . 2009-08-22 04:42 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-09 11:04 . 2003-03-31 12:00 182656 c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\c:^documents and settings^yoda^start menu^programs^startup^ihaupd32.exe]
path=c:\documents and settings\Yoda\Start Menu\Programs\Startup\ihaupd32.exe
backup=c:\windows\pss\ihaupd32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 2:51 AM 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2009 4:18 PM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2009 4:18 PM 19096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [11/12/2003 12:34 AM 22891]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60b49e34-c7cc-11d0-8953-00a0c90347ff}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yoda\Application Data\Mozilla\Firefox\Profiles\da5r8v5r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Yoda\Application Data\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 01:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5668)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-23 1:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 16:36
ComboFix2.txt 2009-08-23 03:48
ComboFix3.txt 2009-07-26 12:07
ComboFix4.txt 2009-07-22 16:34
ComboFix5.txt 2009-08-23 16:16

Pre-Run: 53,203,103,744 bytes free
Post-Run: 53,171,396,608 bytes free


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:03 AM

Posted 23 August 2009 - 03:25 PM

Looks pretty good to me. How are things on your end?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 snoopdrew

snoopdrew
  • Topic Starter

  • Members
  • 26 posts
  • Local time:06:03 PM

Posted 24 August 2009 - 10:31 AM

All looks great! Thanks Sam! You are _the_ man! :)

No more iexplore tasks and the svchost thing hogging up CPU as well. Phew! What a nightmare... learned my lesson. :)

:thumbup2:



