
Win32 rootkit and other various viruses/trojans


This topic is locked. 31 replies to this topic.

#1 Helpme64 (Members, 28 posts)

Posted 19 August 2009 - 08:45 PM

So I have a virus that started off as a rootkit, and I was finally about to figure it all out and eradicate it when about 10 new viruses seemed to come out of nowhere. Problems I experience:

Cannot run any anti-virus software.
When I search the internet, it takes me to fake search engines.
I have a background that says that my system is infected.
Every five minutes, I get pop-ups saying I'm infected.
I have about 3 fake antivirus engines that pop up all the time.

HELP PLEASE!


#2 JSntgRvr (Malware Response Team, Master Surgeon General, 11,417 posts, Puerto Rico)

Posted 19 August 2009 - 09:40 PM

Hi, Helpme64,

Welcome.

Download RootRepeal from one of the linked download locations and save it to your desktop:
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the insert button next to the uploaded file to insert the attachment into your post

No requests for help via private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Helpme64 (Topic Starter)

Posted 19 August 2009 - 09:54 PM

I downloaded and ran RootRepeal. It scanned the drivers, but when it got to the files it scanned all the way up to C:\Windows, then stopped scanning and closed the window.

#4 JSntgRvr

Posted 19 August 2009 - 09:58 PM

Download this file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.



#5 Helpme64 (Topic Starter)

Posted 19 August 2009 - 10:12 PM

Every time I attempt to go into my root folder, the window closes.

#6 JSntgRvr

Posted 19 August 2009 - 10:18 PM

> Every time I attempt to go into my root folder, the window closes.

Run that program from your desktop.



#7 JSntgRvr

Posted 19 August 2009 - 10:20 PM

Please perform this scan also:

Download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://rootrepeal.psikotick.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe
http://ad13.geekstogo.com/Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states "Finished! Press any key to exit...", you can press any key on your keyboard to close the program. On your desktop there should now be a file called Win32kDiag.txt. Post its contents in a reply.



#8 Helpme64 (Topic Starter)

Posted 20 August 2009 - 04:15 PM

I ran the first application and it closed the window when it got towards the end of the scan, and now I cannot run the application.

But here's what the second application said:

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\scecli.dll
[1] 2008-04-13 20:12:05 181248 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\scecli.dll (Microsoft Corporation)
[1] 2004-08-10 15:00:00 60928 C:\WINDOWS\system32\scecli.dll ()
[2] 2004-08-10 15:00:00 180224 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!

#9 JSntgRvr

Posted 20 August 2009 - 06:44 PM

Hi, Helpme64,
  • Download the attached file remove.txt and save it to your C:\ drive.
  • Once you have saved it, the file path should be C:\remove.txt
  • Download and unzip Avenger to your desktop.
  • Open the Avenger.
  • Select Load Script from the menu, then From File.
  • Browse to C:\remove.txt and click Open.
  • Then click the Execute button.
  • This will begin the execution of the script currently in memory.
  • The Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.
  • After your system restarts, a log file should open with the results of Avenger's actions. This log file is located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backups.zip.
Post the contents of the C:\avenger.txt file.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#10 Helpme64 (Topic Starter)

Posted 20 August 2009 - 11:29 PM

The changes are very evident! Thanks so much for all the help so far! Everything worked! Here are all the logs:

Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Error: could not open folder "C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}"
Deletion of folder "C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.




Malwarebytes:


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/20/2009 11:47:55 PM
mbam-log-2009-08-20 (23-47-55).txt

Scan type: Quick Scan
Objects scanned: 107051
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 18
Registry Data Items Infected: 14
Folders Infected: 6
Files Infected: 49

Memory Processes Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.
C:\WINDOWS\msc.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Delete on reboot.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware professional 5.0_is1 (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adware Professional (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Professional (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> Quarantined and deleted successfully.
C:\WINDOWS\sv2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\t4m0_873329704780.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_268436770761.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_423644646741.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYYQHD15\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYYQHD15\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYYQHD15\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Professional\Adware Professional .lnk (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Professional\Uninstall Adware Professional .lnk (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\PC_Antispyware2010.lnk (Rogue.PCAntispy) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.




Combo-Fix:

ComboFix 09-08-20.02 - Owner 08/21/2009 0:01.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.486 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\exyho.inf
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\moraqo._sy
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\odema.bin
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ygekisupiv.dl
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj104862.dll
c:\windows\TEMP\mta108901.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\t4m0_89606595037.bk.old
c:\windows\TEMP\x1c29943.dll
.
---- Previous Run -------
.
C:\ccwygkvw.exe
c:\documents and settings\Owner\Desktop\Windows Antivirus Pro.lnk
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\temp.cab
c:\documents and settings\Owner\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
C:\hcel.exe
C:\niawndos.exe
c:\program files\Adware Professional\noadware4_021709.na
c:\program files\Adware Professional\nutilities.dll
c:\program files\Adware Professional\unins000.dat
c:\program files\Adware Professional\UninstlDll.dll
C:\umoikchf.exe
c:\windows\Install.txt
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchast.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\certstore.dat
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\smss.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msxml71.dll
c:\windows\system32\netcard.sys
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wispex.html
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj92823.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\mta37115.dll
c:\windows\TEMP\t4m0_365656698786.bk.old
c:\windows\TEMP\x1c104091.dll
C:\yedfjdy.exe
D:\Autorun.inf




c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP177\A0014483.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ANTIPPRO2009_12
-------\Legacy_NETCARD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_AntipPro2009_12
-------\Service_netcard
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 03:37 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 03:37 . 2009-08-21 03:37 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-08-21 03:37 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 22:28 . 2009-08-20 22:28 11454 ----a-w- c:\program files\Common Files\boxuf.pif
2009-08-20 03:05 . 2009-08-20 03:05 288768 ----a-w- C:\sf2kkdiq.exe
2009-08-20 01:15 . 2009-08-20 01:15 19259 ----a-w- c:\windows\wudo.bin
2009-08-20 01:15 . 2009-08-20 01:15 18555 ----a-w- c:\program files\Common Files\mudijatic.bat
2009-08-20 01:15 . 2009-08-20 01:15 18188 ----a-w- c:\windows\welefaqomi.bat
2009-08-20 01:15 . 2009-08-20 01:15 17161 ----a-w- c:\windows\fevazodywo.dll
2009-08-20 01:15 . 2009-08-20 01:15 16097 ----a-w- c:\windows\otivi.dat
2009-08-20 01:15 . 2009-08-20 01:15 14809 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\wurerunod.com
2009-08-20 01:15 . 2009-08-20 01:15 14033 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\nyhahimyp.scr
2009-08-20 01:15 . 2009-08-20 01:15 10308 ----a-w- c:\windows\fujugez.vbs
2009-08-19 19:44 . 2004-08-10 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 22:40 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-08-17 11:47 . 2009-08-17 11:47 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-17 11:47 . 2009-08-17 11:47 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-17 11:47 . 2009-08-17 11:47 2 --shatr- c:\windows\winstart.bat
2009-08-12 15:45 . 2009-08-12 15:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2009-08-11 22:23 . 2009-08-11 22:23 -------- d-----w- c:\program files\Trend Micro
2009-08-11 00:25 . 2009-08-11 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-11 00:25 . 2009-08-11 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-09 18:02 . 2009-08-09 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-08-07 15:39 . 2009-08-07 15:39 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-08-07 14:21 . 2009-08-07 14:22 -------- d-----w- c:\windows\system32\URTTemp
2009-08-07 14:03 . 2009-08-09 18:06 -------- d-----w- c:\windows\system32\CatRoot
2009-08-07 13:47 . 2009-08-07 13:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-07 13:42 . 2009-08-07 13:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-08-07 13:42 . 2009-08-07 13:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-06 17:06 . 2009-08-06 17:38 -------- d-----w- c:\program files\Shared
2009-08-03 00:47 . 2009-08-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum
2009-08-03 00:46 . 2009-08-03 00:46 -------- d-----w- c:\windows\Escape The Museum
2009-08-03 00:46 . 2009-08-03 16:06 -------- d-----w- c:\program files\Escape The Museum
2009-07-30 16:05 . 2009-07-30 16:05 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-30 16:01 . 2009-07-30 16:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SpinTop
2009-07-29 16:49 . 2009-07-29 16:49 -------- d-----w- c:\program files\Fox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 12:40 . 2009-01-24 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-18 22:37 . 2009-01-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 21:51 . 2008-12-30 03:08 91536 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 18:28 . 2009-03-19 21:09 33 ----a-w- c:\windows\popcinfot.dat
2009-08-09 18:06 . 2009-03-19 21:09 -------- d-----w- c:\program files\PopCap Games
2009-08-07 22:01 . 2009-01-06 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-07 16:24 . 2009-01-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 16:08 . 2009-04-01 01:26 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-07 16:08 . 2008-12-15 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-07 16:08 . 2008-12-15 17:53 -------- d-----w- c:\program files\McAfee
2009-08-07 15:47 . 2008-12-15 17:38 -------- d-----w- c:\program files\Google
2009-08-07 13:34 . 2009-04-01 02:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-30 16:01 . 2008-12-27 19:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-29 16:49 . 2009-07-29 16:49 86400 ----a-w- c:\windows\~GLC0000.TMP
2009-07-28 17:21 . 2009-01-31 22:24 34 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-07-20 00:09 . 2009-07-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayTime
2009-07-19 04:01 . 2009-07-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-19 04:01 . 2009-03-30 22:12 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\program files\NortonInstaller
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-18 12:57 . 2009-03-11 23:37 -------- d-----w- c:\program files\PokerStars
2009-07-16 15:00 . 2009-07-16 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
.

------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\svchost.exe
[-] 2004-08-10 19:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
[-] 2004-08-10 19:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2004-09-29 18:27 656896 2C07195588D69A067C2AFDAA31759295 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2005-03-10 07:43 657920 C8663B488996E89A84C3D17C1D12B79E c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 02:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\ie7\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe
[-] 2004-08-10 19:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ndis.sys
[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ip6fw.sys
[-] 2004-08-10 19:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-10 19:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\services.exe
[-] 2004-08-10 19:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\services.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\lsass.exe
[-] 2004-08-10 19:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ctfmon.exe
[-] 2004-08-10 19:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2004-08-10 19:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\userinit.exe
[-] 2004-08-10 19:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\termsrv.dll
[-] 2004-08-10 19:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2004-08-10 19:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\dllcache\kernel32.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\powrprof.dll
[-] 2004-08-10 19:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\imm32.dll
[-] 2004-08-10 19:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2004-09-29 19:27 3004928 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 c:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[-] 2005-01-27 17:08 3008000 91C5ADE25BC4E3322577854FA2E7B58B c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[-] 2005-03-10 07:43 3011072 255C2CE965543ABDC3E0A25A5DA1874A c:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[-] 2005-10-05 00:51 3017728 3394299FBF1CD0B24089FC762611360B c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-07-20 02:03 3016192 A14A7A206AE22DE4FE563E44CFC7DDF5 c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-01-16 16:24 3596288 CC9D001B7370B292C35B366CA05B12B4 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2005-10-05 01:26 3015168 042AC20E084D21DD6BEE99B89CC30FB7 c:\windows\ie7\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\system32\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\system32\dllcache\mshtml.dll

[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\kbdclass.sys
[-] 2004-08-10 19:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\comres.dll
[-] 2004-08-10 19:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\system32\comres.dll

[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\lpk.dll


[-] 2004-08-10 19:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2004-08-04 06:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\Driver Cache\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\drivers\aec.sys

[-] 2004-08-10 19:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\system32\dllcache\mfc40u.dll

[-] 2005-01-14 05:07 395776 94456045BEB4545B5EBE1DCC85951AFA c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[-] 2005-04-28 19:35 396288 DA383FB39A6F1C445F3AFC94B3EB1248 c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-07-26 04:20 398336 C369DF215D352B6F3A0B8C3469AA34F8 c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\rpcss.dll
[-] 2005-07-26 04:39 397824 CE94A2BD25E3E9F4D46A7373FF455C6D c:\windows\system32\rpcss.dll

[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\msgsvc.dll
[-] 2004-08-10 19:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\system32\msgsvc.dll

[-] 2004-08-10 19:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2004-08-10 19:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\I386\ASMS\6000\MSFT\WINDOWS\COMMON\CONTROLS\COMCTL32.DLL
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\system32\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\system32\dllcache\comctl32.dll
[-] 2004-08-10 19:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-10 19:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[-] 2004-08-10 19:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\sfc.dll
[-] 2004-08-10 19:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\system32\sfc.dll

[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netlogon.dll
[-] 2004-08-10 19:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\system32\netlogon.dll

[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\qmgr.dll
[-] 2004-08-10 19:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\system32\qmgr.dll

[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll
[-] 2004-08-10 19:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\eventlog.dll

[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\asyncmac.sys
[-] 2004-08-10 19:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\system32\drivers\asyncmac.sys

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2004-08-10 19:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[-] 2004-08-10 19:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\I386\NTFS.SYS
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\dllcache\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\drivers\ntfs.sys

[-] 2004-08-10 19:00 25088 6EAA72FD9EF993EC1FA9A06DE65105DA c:\windows\system32\mspmsnsv.dll

[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\xmlprov.dll
[-] 2004-08-10 19:00 129536 EEF46DAB68229A14DA3D8E73C99E2959 c:\windows\system32\xmlprov.dll

[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\cryptsvc.dll
[-] 2004-08-10 19:00 60416 10654F9DDCEA9C46CFB77554231BE73B c:\windows\system32\cryptsvc.dll

[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\browser.dll
[-] 2004-08-10 19:00 77312 E3CFCCDDA4EDD1D0DC9168B2E18F27B8 c:\windows\system32\browser.dll

[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\system32\tapisrv.dll

[-] 2008-06-20 17:36 245248 1DFCA7713EA5A70D5D93B436AEA0317A c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 17:43 245248 FCEE5FCB99F7C724593365C706D28388 c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2004-08-10 19:00 245248 4E74AF063C3271FBEA20DD940CFD1184 c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\dllcache\mswsock.dll

[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\system32\netman.dll

[-] 2005-07-26 04:20 243200 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2008-07-07 20:06 253952 A4AB3DCA4A383F0DF4988ABDEB84F9A4 c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 253952 F17F6226BDC0CD5F0BEF0DAF84D29BEC c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2005-07-26 04:39 243200 34BBD9ACC1538818F2C878898C64E793 c:\windows\$NtUninstallKB950974$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\system32\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\system32\dllcache\es.dll

[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ssdpsrv.dll
[-] 2004-08-10 19:00 71680 4B8D61792F7175BED48859CC18CE4E38 c:\windows\system32\ssdpsrv.dll

[-] 2007-02-05 20:19 185344 36ACA6CDC19C95FF468A1426EB7F32F0 c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2004-08-10 19:00 185344 0546477BDE979E33294FE97F6B3DE84A c:\windows\$NtUninstallKB931261$\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\system32\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\system32\dllcache\upnphost.dll

[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\srsvc.dll
[-] 2004-08-10 19:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\system32\srsvc.dll

[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wscntfy.exe
[-] 2004-08-10 19:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\system32\wscntfy.exe

[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntmssvc.dll
[-] 2004-08-10 19:00 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\rasauto.dll
[-] 2004-08-10 19:00 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\system32\rasauto.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\sfcfiles.dll
[-] 2004-08-10 19:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\schedsvc.dll
[-] 2004-08-10 19:00 190976 92360854316611F6CC471612213C3D92 c:\windows\system32\schedsvc.dll

[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\regsvc.dll
[-] 2004-08-10 19:00 59904 3151427DB7D87107D1C5BE58FAC53960 c:\windows\system32\regsvc.dll

[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-10 19:00 134656 E7518DC542D3EBDCB80EDD98462C7821 c:\windows\$NtUninstallKB928255$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\system32\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\system32\dllcache\shsvcs.dll

c:\windows\system32\lpk.dll ... is missing !!
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\documents and settings\All Users\Desktop\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-03 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"HostManager"="c:\program files\Common Files\AOL\1229363331\EE\AOLHostManager.exe" [2004-11-03 125528]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"iTunesHelper"="c:\nathan\iTunesHelper.exe" [2008-11-20 290088]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2005-05-03 543232]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2009-4-25 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2008-12-15 1742384]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2008-12-16 442368]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-1-17 1073152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1229363331\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Nathan\\iTunes.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2/11/2008 11:01 PM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 3:00 PM 94208]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/17/2009 7:47 AM 32290]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8230054586.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-08-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-24 21:54]

2009-08-19 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 04:01]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 00:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Install.txt 265 bytes
c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\wiawow32.sys 36864 bytes executable
c:\windows\system32\wiwow64.exe 128512 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2348)
c:\nathan\iTunesMiniPlayer.dll
c:\nathan\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\nathan\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\TEMP\t4m0_212813142278.bk.old
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\COMMON~1\AOL\122936~1\EE\AOLServiceHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-08-21 0:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 04:18

Pre-Run: 149,821,640,704 bytes free
Post-Run: 149,930,586,112 bytes free

520 --- E O F --- 2009-04-03 03:28
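Added example (my own code, not part of the thread and not something ComboFix or catchme provide): a small Python triage script over the three parts of the log above that a responder reads first, namely the Sigcheck hash list, the "... is missing !!" notices, and catchme's hidden-files block. It compares each dllcache copy against the live file of the same basename (assumption: on Windows XP, Windows File Protection keeps %systemroot%\system32\dllcache in step with the protected file, so a differing MD5 means one side was replaced outside normal servicing; that is a lead to investigate, not proof of infection by itself), lists protected files reported missing, and pulls out hidden files that catchme marks executable. The sample log is constructed from lines posted above, plus one line invented for the example (dllcache\termsrv.dll with a DEADBEEF... hash) so the mismatch check has something to report.

```python
"""Triage helpers for a ComboFix log: Sigcheck hashes, 'is missing' notices and
the catchme 'hidden files' block. Added example, not code from the thread."""
import re
from collections import namedtuple

# Constructed sample: lines copied from the log posted above, plus ONE invented
# line (dllcache\termsrv.dll with the DEADBEEF... hash) to exercise the
# mismatch path. A raw string keeps the Windows backslashes literal.
SAMPLE_LOG = r"""
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe
[-] 2004-08-10 19:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll
[-] 2004-08-10 19:00 295424 DEADBEEFDEADBEEFDEADBEEFDEADBEEF c:\windows\system32\dllcache\termsrv.dll

c:\windows\system32\lpk.dll ... is missing !!
c:\windows\system32\drivers\beep.sys ... is missing !!

scanning hidden files ...

c:\windows\Install.txt 265 bytes
c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\wiawow32.sys 36864 bytes executable
c:\windows\system32\wiwow64.exe 128512 bytes executable

scan completed successfully
hidden files: 4
"""

SigEntry = namedtuple("SigEntry", "stamp size md5 path")

# "[x] YYYY-MM-DD HH:MM size MD5 path" as printed in the Sigcheck section.
SIG_RE = re.compile(
    r"^\[.\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(\S.*?)\s*$", re.M)
MISSING_RE = re.compile(r"^(\S.*?) \.\.\. is missing !!\s*$", re.M)
# catchme prints "path size bytes" and appends "executable" for PE files.
HIDDEN_RE = re.compile(r"^([a-z]:\\.+?) (\d+) bytes( executable)?\s*$", re.M | re.I)

DLLCACHE = "c:\\windows\\system32\\dllcache\\"
# Where the live copy of a dllcache file normally lives (assumption, ordered by likelihood).
LIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\", "c:\\windows\\")


def parse_sigcheck(text):
    """Map lower-cased path -> SigEntry for every Sigcheck line in the log."""
    entries = {}
    for m in SIG_RE.finditer(text):
        e = SigEntry(m.group(1), int(m.group(2)), m.group(3).upper(), m.group(4))
        entries[e.path.lower()] = e
    return entries


def parse_missing(text):
    """Paths ComboFix flagged as '... is missing !!'."""
    return [m.group(1) for m in MISSING_RE.finditer(text)]


def parse_hidden_files(text):
    """(path, size, is_executable) for each entry in catchme's hidden-files block."""
    return [(m.group(1), int(m.group(2)), m.group(3) is not None)
            for m in HIDDEN_RE.finditer(text)]


def dllcache_mismatches(entries):
    """Compare every dllcache copy with the live file of the same basename.

    Assumption: WFP keeps dllcache and the live copy identical, so a differing
    MD5 means one side was changed outside normal servicing. Returns
    (basename, live_md5, dllcache_md5) for each disagreement."""
    findings = []
    for path, cached in entries.items():
        if not path.startswith(DLLCACHE):
            continue
        name = path[len(DLLCACHE):]
        live = next((entries[d + name] for d in LIVE_DIRS if d + name in entries), None)
        if live is None:
            continue  # no live copy listed in the log; nothing to compare against
        if live.md5 != cached.md5:
            findings.append((name, live.md5, cached.md5))
    return findings


def hidden_count_matches(text, hidden):
    """True when catchme's own 'hidden files: N' summary agrees with what was parsed."""
    m = re.search(r"^hidden files: (\d+)", text, re.M)
    return m is not None and int(m.group(1)) == len(hidden)


def triage(text):
    """One pass over the log; returns the items worth looking at first."""
    entries = parse_sigcheck(text)
    hidden = parse_hidden_files(text)
    return {
        "missing": parse_missing(text),
        "mismatched": dllcache_mismatches(entries),
        "hidden_executables": [p for p, _, is_exe in hidden if is_exe],
        "hidden_count_ok": hidden_count_matches(text, hidden),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)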

#11 JSntgRvr

JSntgRvr
Master Surgeon General
Malware Response Team, 11,417 posts, Puerto Rico

Posted 21 August 2009 - 12:29 AM

Hi, Helpme64 :thumbup2:

Download the enclosed folder. [attachment=28517:Testing_Crypto.zip] Save and extract its contents to the desktop. Once extracted, open the folder and click on the Testing_Crypto.vbs file. Post the resulting report.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

SysRst::

File::
c:\windows\TEMP\t4m0_212813142278.bk.old
c:\windows\system32\wiawow32.sys
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe


[image]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 Helpme64 (Topic Starter)

Helpme64
Members, 28 posts

Posted 21 August 2009 - 03:08 PM

Combo-Fix


ComboFix 09-08-20.02 - Owner 08/21/2009 8:01.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.461 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe"
"c:\windows\system32\wiawow32.sys"
"c:\windows\TEMP\t4m0_212813142278.bk.old"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj57499.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\mta38720.dll
c:\windows\TEMP\t4m0_212813142278.bk.old
c:\windows\TEMP\x1c91030.dll


.
((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 03:37 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 03:37 . 2009-08-21 03:37 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-08-21 03:37 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 22:28 . 2009-08-20 22:28 11454 ----a-w- c:\program files\Common Files\boxuf.pif
2009-08-20 03:05 . 2009-08-20 03:05 288768 ----a-w- C:\sf2kkdiq.exe
2009-08-20 01:15 . 2009-08-20 01:15 19259 ----a-w- c:\windows\wudo.bin
2009-08-20 01:15 . 2009-08-20 01:15 18555 ----a-w- c:\program files\Common Files\mudijatic.bat
2009-08-20 01:15 . 2009-08-20 01:15 18188 ----a-w- c:\windows\welefaqomi.bat
2009-08-20 01:15 . 2009-08-20 01:15 17161 ----a-w- c:\windows\fevazodywo.dll
2009-08-20 01:15 . 2009-08-20 01:15 16097 ----a-w- c:\windows\otivi.dat
2009-08-20 01:15 . 2009-08-20 01:15 14809 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\wurerunod.com
2009-08-20 01:15 . 2009-08-20 01:15 14033 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\nyhahimyp.scr
2009-08-20 01:15 . 2009-08-20 01:15 10308 ----a-w- c:\windows\fujugez.vbs
2009-08-19 19:44 . 2004-08-10 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 22:40 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-08-17 11:47 . 2009-08-17 11:47 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-17 11:47 . 2009-08-17 11:47 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-17 11:47 . 2009-08-17 11:47 2 --shatr- c:\windows\winstart.bat
2009-08-12 15:45 . 2009-08-12 15:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2009-08-11 22:23 . 2009-08-11 22:23 -------- d-----w- c:\program files\Trend Micro
2009-08-11 00:25 . 2009-08-11 00:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-11 00:25 . 2009-08-11 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-09 18:02 . 2009-08-09 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-08-07 15:39 . 2009-08-07 15:39 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-08-07 14:21 . 2009-08-07 14:22 -------- d-----w- c:\windows\system32\URTTemp
2009-08-07 14:03 . 2009-08-09 18:06 -------- d-----w- c:\windows\system32\CatRoot
2009-08-07 13:47 . 2009-08-07 13:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-07 13:42 . 2009-08-07 13:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-08-07 13:42 . 2009-08-07 13:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-06 17:06 . 2009-08-06 17:38 -------- d-----w- c:\program files\Shared
2009-08-03 00:47 . 2009-08-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum
2009-08-03 00:46 . 2009-08-03 00:46 -------- d-----w- c:\windows\Escape The Museum
2009-08-03 00:46 . 2009-08-03 16:06 -------- d-----w- c:\program files\Escape The Museum
2009-07-30 16:05 . 2009-07-30 16:05 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-30 16:01 . 2009-07-30 16:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SpinTop
2009-07-29 16:49 . 2009-07-29 16:49 -------- d-----w- c:\program files\Fox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 12:40 . 2009-01-24 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-18 22:37 . 2009-01-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 21:51 . 2008-12-30 03:08 91536 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 18:28 . 2009-03-19 21:09 33 ----a-w- c:\windows\popcinfot.dat
2009-08-09 18:06 . 2009-03-19 21:09 -------- d-----w- c:\program files\PopCap Games
2009-08-07 22:01 . 2009-01-06 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-07 16:24 . 2009-01-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 16:08 . 2009-04-01 01:26 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-07 16:08 . 2008-12-15 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-07 16:08 . 2008-12-15 17:53 -------- d-----w- c:\program files\McAfee
2009-08-07 15:47 . 2008-12-15 17:38 -------- d-----w- c:\program files\Google
2009-08-07 13:34 . 2009-04-01 02:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-30 16:01 . 2008-12-27 19:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-29 16:49 . 2009-07-29 16:49 86400 ----a-w- c:\windows\~GLC0000.TMP
2009-07-28 17:21 . 2009-01-31 22:24 34 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-07-20 00:09 . 2009-07-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayTime
2009-07-19 04:01 . 2009-07-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-19 04:01 . 2009-03-30 22:12 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\program files\NortonInstaller
2009-07-19 04:00 . 2009-07-19 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-18 12:57 . 2009-03-11 23:37 -------- d-----w- c:\program files\PokerStars
2009-07-16 15:00 . 2009-07-16 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
.

------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\svchost.exe
[-] 2004-08-10 19:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
[-] 2004-08-10 19:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2004-09-29 18:27 656896 2C07195588D69A067C2AFDAA31759295 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2005-03-10 07:43 657920 C8663B488996E89A84C3D17C1D12B79E c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 02:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\ie7\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe
[-] 2004-08-10 19:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ndis.sys
[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ip6fw.sys
[-] 2004-08-10 19:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-10 19:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\services.exe
[-] 2004-08-10 19:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\system32\services.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\lsass.exe
[-] 2004-08-10 19:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ctfmon.exe
[-] 2004-08-10 19:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2004-08-10 19:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\userinit.exe
[-] 2004-08-10 19:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\termsrv.dll
[-] 2004-08-10 19:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2004-08-10 19:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\system32\dllcache\kernel32.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\powrprof.dll
[-] 2004-08-10 19:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\imm32.dll
[-] 2004-08-10 19:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2004-09-29 19:27 3004928 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 c:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[-] 2005-01-27 17:08 3008000 91C5ADE25BC4E3322577854FA2E7B58B c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[-] 2005-03-10 07:43 3011072 255C2CE965543ABDC3E0A25A5DA1874A c:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[-] 2005-10-05 00:51 3017728 3394299FBF1CD0B24089FC762611360B c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-07-20 02:03 3016192 A14A7A206AE22DE4FE563E44CFC7DDF5 c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-01-16 16:24 3596288 CC9D001B7370B292C35B366CA05B12B4 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2005-10-05 01:26 3015168 042AC20E084D21DD6BEE99B89CC30FB7 c:\windows\ie7\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\system32\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\system32\dllcache\mshtml.dll

[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\kbdclass.sys
[-] 2004-08-10 19:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\comres.dll
[-] 2004-08-10 19:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\system32\comres.dll

[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\lpk.dll


[-] 2004-08-10 19:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2004-08-04 06:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\Driver Cache\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\drivers\aec.sys

[-] 2004-08-10 19:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\system32\dllcache\mfc40u.dll

[-] 2005-01-14 05:07 395776 94456045BEB4545B5EBE1DCC85951AFA c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[-] 2005-04-28 19:35 396288 DA383FB39A6F1C445F3AFC94B3EB1248 c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-07-26 04:20 398336 C369DF215D352B6F3A0B8C3469AA34F8 c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\rpcss.dll
[-] 2005-07-26 04:39 397824 CE94A2BD25E3E9F4D46A7373FF455C6D c:\windows\system32\rpcss.dll

[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\msgsvc.dll
[-] 2004-08-10 19:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\system32\msgsvc.dll

[-] 2004-08-10 19:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2004-08-10 19:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\I386\ASMS\6000\MSFT\WINDOWS\COMMON\CONTROLS\COMCTL32.DLL
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\system32\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\system32\dllcache\comctl32.dll
[-] 2004-08-10 19:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-10 19:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[-] 2004-08-10 19:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\sfc.dll
[-] 2004-08-10 19:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\system32\sfc.dll

[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netlogon.dll
[-] 2004-08-10 19:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\system32\netlogon.dll

[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\qmgr.dll
[-] 2004-08-10 19:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\system32\qmgr.dll

[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll
[-] 2004-08-10 19:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\eventlog.dll

[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\asyncmac.sys
[-] 2004-08-10 19:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\system32\drivers\asyncmac.sys

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2004-08-10 19:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[-] 2004-08-10 19:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\I386\NTFS.SYS
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\dllcache\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\drivers\ntfs.sys

[-] 2004-08-10 19:00 25088 6EAA72FD9EF993EC1FA9A06DE65105DA c:\windows\system32\mspmsnsv.dll

[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\xmlprov.dll
[-] 2004-08-10 19:00 129536 EEF46DAB68229A14DA3D8E73C99E2959 c:\windows\system32\xmlprov.dll

[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\cryptsvc.dll
[-] 2004-08-10 19:00 60416 10654F9DDCEA9C46CFB77554231BE73B c:\windows\system32\cryptsvc.dll

[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\browser.dll
[-] 2004-08-10 19:00 77312 E3CFCCDDA4EDD1D0DC9168B2E18F27B8 c:\windows\system32\browser.dll

[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\system32\tapisrv.dll

[-] 2008-06-20 17:36 245248 1DFCA7713EA5A70D5D93B436AEA0317A c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-06-20 17:46 245248 832E4DD8964AB7ACC880B2837CB1ED20 c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 17:43 245248 FCEE5FCB99F7C724593365C706D28388 c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2004-08-10 19:00 245248 4E74AF063C3271FBEA20DD940CFD1184 c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2008-04-14 00:12 245248 B4138E99236F0F57D4CF49BAE98A0746 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\dllcache\mswsock.dll

[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\system32\netman.dll

[-] 2005-07-26 04:20 243200 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2008-07-07 20:06 253952 A4AB3DCA4A383F0DF4988ABDEB84F9A4 c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-07-07 20:26 253952 D4991D98F2DB73C60D042F1AEF79EFAE c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 253952 F17F6226BDC0CD5F0BEF0DAF84D29BEC c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2005-07-26 04:39 243200 34BBD9ACC1538818F2C878898C64E793 c:\windows\$NtUninstallKB950974$\es.dll
[-] 2008-04-14 00:11 246272 19A799805B24990867B00C120D300C3A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\system32\es.dll
[-] 2008-07-07 20:32 253952 60D1A6342238378BFB7545C81EE3606C c:\windows\system32\dllcache\es.dll

[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ssdpsrv.dll
[-] 2004-08-10 19:00 71680 4B8D61792F7175BED48859CC18CE4E38 c:\windows\system32\ssdpsrv.dll

[-] 2007-02-05 20:19 185344 36ACA6CDC19C95FF468A1426EB7F32F0 c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2004-08-10 19:00 185344 0546477BDE979E33294FE97F6B3DE84A c:\windows\$NtUninstallKB931261$\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\system32\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\system32\dllcache\upnphost.dll

[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\srsvc.dll
[-] 2004-08-10 19:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\system32\srsvc.dll

[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wscntfy.exe
[-] 2004-08-10 19:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\system32\wscntfy.exe

[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntmssvc.dll
[-] 2004-08-10 19:00 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\rasauto.dll
[-] 2004-08-10 19:00 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\system32\rasauto.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\sfcfiles.dll
[-] 2004-08-10 19:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\schedsvc.dll
[-] 2004-08-10 19:00 190976 92360854316611F6CC471612213C3D92 c:\windows\system32\schedsvc.dll

[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\regsvc.dll
[-] 2004-08-10 19:00 59904 3151427DB7D87107D1C5BE58FAC53960 c:\windows\system32\regsvc.dll

[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-10 19:00 134656 E7518DC542D3EBDCB80EDD98462C7821 c:\windows\$NtUninstallKB928255$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\system32\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\system32\dllcache\shsvcs.dll

c:\windows\system32\lpk.dll ... is missing !!
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-08-21_04.12.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 12:19 . 2009-08-21 12:19 16384 c:\windows\Temp\Perflib_Perfdata_c54.dat
+ 2009-08-21 12:18 . 2009-08-21 12:18 16384 c:\windows\Temp\Perflib_Perfdata_714.dat
+ 2004-08-10 19:00 . 2004-08-10 19:00 44032 c:\windows\system32\EvdoServer.dll
+ 2009-08-21 12:20 . 2008-12-20 23:15 1160192 c:\windows\Temp\x1c30459.dll
+ 2009-08-21 12:18 . 2008-12-20 23:15 1160192 c:\windows\Temp\mpj71778.dll
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\avenger\braviax.exe
08/20/2009 11:29 PM 10240 \RP205\A0019152.exe

c:\avenger\scecli.dll
08/10/2004 03:00 PM 60928 \RP205\A0019098.dll

c:\avenger\winhelper.dll
08/19/2009 09:01 PM 20992 \RP205\A0019153.dll

C:\ccwygkvw.exe
08/07/2009 10:01 AM 89600 \RP204\A0016952.exe

C:\cleanup.bat
08/20/2009 11:27 PM 574 \RP205\A0019101.bat

C:\cleanup.exe
08/20/2009 11:27 PM 19286 \RP205\A0019100.exe

07/29/2009 02:34 AM 3282 c:\combo-fix\Assoc.cmd
07/29/2009 02:34 AM 3282 \RP205\A0019168.cmd
07/29/2009 02:34 AM 3282 \RP205\A0019297.cmd

c:\combo-fix\Auto-RC.cmd
07/29/2009 02:46 AM 3034 \RP204\A0016941.cmd
07/29/2009 02:46 AM 3034 \RP205\A0019363.cmd

08/15/2009 01:31 PM 1340 c:\combo-fix\av.cmd
08/15/2009 01:31 PM 1340 \RP205\A0019170.cmd
08/15/2009 01:31 PM 1340 \RP205\A0019298.cmd

05/13/2009 06:09 PM 1464 c:\combo-fix\av.vbs
05/13/2009 06:09 PM 1464 \RP205\A0019171.vbs
05/13/2009 06:09 PM 1464 \RP205\A0019299.vbs

c:\combo-fix\AWF.cmd
04/29/2009 04:41 PM 629 \RP205\A0019172.cmd
04/29/2009 04:41 PM 629 \RP205\A0019411.cmd

06/14/2009 02:08 AM 1896 c:\combo-fix\Boot-Rk.cmd
06/14/2009 02:08 AM 1896 \RP205\A0019173.cmd
06/14/2009 02:08 AM 1896 \RP205\A0019300.cmd

08/12/2009 03:42 AM 7774 c:\combo-fix\Boot.bat
08/12/2009 03:42 AM 7774 \RP205\A0019174.bat
08/12/2009 03:42 AM 7774 \RP205\A0019301.bat

08/31/2000 08:00 AM 7680 c:\combo-fix\BootSect.dll
08/31/2000 08:00 AM 7680 \RP205\A0019175.dll
08/31/2000 08:00 AM 7680 \RP205\A0019302.dll

c:\combo-fix\c.bat
08/19/2009 09:25 PM 45963 \RP205\A0019176.bat
08/21/2009 08:56 AM 46039 \RP205\A0019385.bat

08/10/2009 02:22 AM 736 c:\combo-fix\Catch-sub.cmd
08/10/2009 02:22 AM 736 \RP205\A0019177.cmd
08/10/2009 02:22 AM 736 \RP205\A0019303.cmd

08/21/2009 08:18 AM 91 c:\combo-fix\CCS.bat
08/19/2009 03:33 PM 91 \RP204\A0016949.bat
08/21/2009 08:01 AM 91 \RP205\A0019383.bat

c:\combo-fix\CF-Script.cmd
08/12/2009 03:37 AM 25513 \RP204\A0016946.cmd
08/12/2009 03:37 AM 25513 \RP205\A0019368.cmd

c:\combo-fix\CF13155.exe
08/21/2009 12:00 AM 388608 \RP205\A0019304.exe

08/21/2009 08:00 AM 16 c:\combo-fix\CHCP.bat
08/20/2009 06:31 PM 16 \RP205\A0019180.bat
08/21/2009 12:00 AM 16 \RP205\A0019305.bat

08/31/2000 08:00 AM 1024 \RP205\A0019181.sys
08/31/2000 08:00 AM 1024 \RP205\A0019306.sys

c:\combo-fix\Combobatch.bat
08/12/2009 03:39 AM 7586 \RP205\A0019182.bat
08/21/2009 08:06 AM 7700 \RP205\A0019384.bat

c:\combo-fix\Create.cmd
08/14/2009 10:51 AM 6719 \RP205\A0019183.cmd
08/14/2009 10:51 AM 6719 \RP205\A0019407.cmd

08/12/2009 03:40 AM 3406 c:\combo-fix\CregC.cmd
08/12/2009 03:40 AM 3406 \RP205\A0019184.cmd
08/12/2009 03:40 AM 3406 \RP205\A0019307.cmd

05/25/2009 10:08 AM 1688 c:\combo-fix\CSet.cmd
05/25/2009 10:08 AM 1688 \RP205\A0019185.cmd
05/25/2009 10:08 AM 1688 \RP205\A0019308.cmd

07/23/2009 01:04 PM 1606 c:\combo-fix\DelClsid.bat
07/23/2009 01:04 PM 1606 \RP205\A0019186.bat
07/23/2009 01:04 PM 1606 \RP205\A0019310.bat

08/12/2009 03:53 AM 13693 c:\combo-fix\Exe.reg
08/12/2009 03:53 AM 13693 \RP205\A0019188.reg
08/12/2009 03:53 AM 13693 \RP205\A0019311.reg

c:\combo-fix\FD-SV.cmd
08/18/2009 02:01 PM 3162 \RP205\A0019189.cmd
08/20/2009 10:10 PM 3255 \RP205\A0019409.cmd

08/31/2000 08:00 AM 36201 c:\combo-fix\ffdefstr.dll
08/31/2000 08:00 AM 36201 \RP205\A0019190.dll
08/31/2000 08:00 AM 36201 \RP205\A0019312.dll

08/21/2009 08:56 AM 2210 c:\combo-fix\files.pif
08/19/2009 09:25 PM 2196 \RP205\A0019191.pif
08/21/2009 08:56 AM 2210 \RP205\A0019313.pif

08/12/2009 11:23 AM 28204 c:\combo-fix\FIND3M.bat
08/12/2009 11:23 AM 28204 \RP205\A0019192.bat
08/12/2009 11:23 AM 28204 \RP205\A0019314.bat

07/20/2009 09:21 AM 4668 c:\combo-fix\FIXLSP.bat
07/20/2009 09:21 AM 4668 \RP205\A0019193.bat
07/20/2009 09:21 AM 4668 \RP205\A0019315.bat

05/25/2009 10:05 AM 1095 c:\combo-fix\FKMGen.cmd
05/25/2009 10:05 AM 1095 \RP205\A0019194.cmd
05/25/2009 10:05 AM 1095 \RP205\A0019316.cmd

02/15/2001 03:03 PM 10240 c:\combo-fix\ForceLibrary.dll
02/15/2001 03:03 PM 10240 \RP205\A0019195.dll
02/15/2001 03:03 PM 10240 \RP205\A0019317.dll

08/12/2009 03:43 AM 5412 c:\combo-fix\GetHive.cmd
08/12/2009 03:43 AM 5412 \RP205\A0019196.cmd
08/12/2009 03:43 AM 5412 \RP205\A0019294.cmd

08/16/2005 01:54 AM 1536 c:\combo-fix\hidec.exe
08/16/2005 01:54 AM 1536 \RP205\A0019197.exe
08/16/2005 01:54 AM 1536 \RP205\A0019318.exe

08/12/2009 03:43 AM 908 c:\combo-fix\history.bat
08/12/2009 03:43 AM 908 \RP205\A0019198.bat
08/12/2009 03:43 AM 908 \RP205\A0019319.bat

04/20/2009 12:56 PM 31232 c:\combo-fix\iexplore.exe
04/20/2009 12:56 PM 31232 \RP205\A0019199.exe
04/20/2009 12:56 PM 31232 \RP205\A0019320.exe

c:\combo-fix\Install-RC.cmd
08/12/2009 03:44 AM 5645 \RP204\A0016942.cmd
08/12/2009 03:44 AM 5645 \RP205\A0019364.cmd

08/01/2009 04:17 AM 761 c:\combo-fix\katch.cmd
08/01/2009 04:17 AM 761 \RP205\A0019201.cmd
08/01/2009 04:17 AM 761 \RP205\A0019321.cmd

c:\combo-fix\Kill-All.cmd
07/13/2009 07:31 AM 1588 \RP204\A0016947.cmd
07/13/2009 07:31 AM 1588 \RP205\A0019369.cmd

08/12/2009 03:44 AM 3453 c:\combo-fix\Kollect.bat
08/12/2009 03:44 AM 3453 \RP205\A0019203.bat
08/12/2009 03:44 AM 3453 \RP205\A0019322.bat

08/21/2009 08:06 AM 192976 c:\combo-fix\Lang.bat
08/01/2009 02:09 AM 192718 \RP204\A0016979.bat
08/01/2009 02:09 AM 192718 \RP205\A0019376.bat

c:\combo-fix\List-B.bat
08/19/2009 02:00 AM 37967 \RP204\A0016950.bat
08/21/2009 08:56 AM 37982 \RP205\A0019371.bat

c:\combo-fix\List-C.bat
08/18/2009 01:03 PM 226067 \RP204\A0016976.bat
08/21/2009 07:42 AM 226087 \RP205\A0019374.bat

c:\combo-fix\List-D.bat
08/03/2009 06:28 PM 92837 \RP204\A0016944.bat
08/03/2009 06:28 PM 92837 \RP205\A0019366.bat

c:\combo-fix\List.bat
08/19/2009 08:46 AM 609209 \RP204\A0016945.bat
08/20/2009 09:00 PM 610208 \RP205\A0019367.bat

08/31/2000 08:00 AM 2428 c:\combo-fix\lnkread.vbs
08/31/2000 08:00 AM 2428 \RP205\A0019209.vbs
08/31/2000 08:00 AM 2428 \RP205\A0019324.vbs

08/21/2009 08:00 AM 5066 c:\combo-fix\md5sum.pif

C:\System Volume Inform
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\documents and settings\All Users\Desktop\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-03 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"HostManager"="c:\program files\Common Files\AOL\1229363331\EE\AOLHostManager.exe" [2004-11-03 125528]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"iTunesHelper"="c:\nathan\iTunesHelper.exe" [2008-11-20 290088]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2005-05-03 543232]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2008-12-15 1742384]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2008-12-16 442368]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2009-1-17 1073152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1229363331\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Nathan\\iTunes.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R?4 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2/11/2008 11:01 PM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 3:00 PM 94208]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/17/2009 7:47 AM 32290]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8230054586.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-08-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-24 21:54]

2009-08-19 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 04:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - (no file)
BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 08:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wiawow32.sys 36864 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1620)
c:\nathan\iTunesMiniPlayer.dll
c:\nathan\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\nathan\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\COMMON~1\AOL\122936~1\EE\AOLServiceHost.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\TEMP\t4m0_77135018245.bk.oldd
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-08-21 8:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 12:26
ComboFix2.txt 2009-08-21 04:19

Pre-Run: 149,959,110,656 bytes free
Post-Run: 149,930,049,536 bytes free

583 --- E O F --- 2009-04-03 03:28

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,417 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:19 PM

Posted 21 August 2009 - 06:29 PM

Hi, Helpme64 :thumbup2:

ComboFix has detected two files missing, and no copies are available in System Restore.

c:\windows\system32\lpk.dll ... is missing !!
c:\windows\system32\drivers\beep.sys ... is missing !!


The first one has to do with a language pack, the other is an MSDOS beep system. I don't know if needed, but if you have a Windows XP CD we may be able to extract these files.

Open a command prompt (Start -> Run, type CMD and click OK). Copy and paste each of the following at the command prompt and press Enter after each line. Post the resulting report.

DIR /a/s %windir%\Beep.sys %windir%\lpk.dll >Log.txt
Net Start >>Log.txt & START notepad Log.txt


Type Exit and press Enter to return to Windows.

Let's check for remnants.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u15-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
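The post above reads the file-integrity section of the ComboFix log for files reported missing. The `[-]` lines in that section list every copy of a system file ComboFix found, with size and MD5, so the live copy in system32 (or system32\drivers) can be compared with the protected reference copy in system32\dllcache. The following Python script is an added example, not ComboFix's code and not anything posted in this thread: it parses those two line formats and gives each file a verdict. It assumes the Windows XP layout under c:\windows and treats the dllcache copy as the trusted reference; the sample log is constructed for the example, with real entries copied from this thread plus a made-up `example.dll` pair to show what a live/dllcache mismatch looks like.

```python
"""Triage the file-integrity section of a ComboFix log.

Added example (not ComboFix code).  For each system file it inspects,
ComboFix prints one line per copy found on disk:

    [-] YYYY-MM-DD HH:MM <size> <MD5> <path>

and "<path> ... is missing !!" when no copy exists at the live location.
Windows XP keeps a protected reference copy of many system files in
system32\\dllcache, so a live copy (system32 or system32\\drivers) whose
hash differs from its dllcache copy is worth a closer look, and a file
reported missing has to be restored from install media.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(
    r"^\[-\]\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$"
)
MISSING_RE = re.compile(r"^(.+?)\s+\.\.\. is missing !!\s*$")

# Sample input, constructed for this example: the real entries are copied
# from the log in this thread; the two example.dll lines (all-zero and
# all-one hashes) are made up to show a live/dllcache mismatch.
SAMPLE_LOG = r"""
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netlogon.dll
[-] 2004-08-10 19:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\system32\netlogon.dll

[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\dllcache\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\system32\drivers\ntfs.sys

[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:41 245248 097722F235A1FB698BF9234E01B52637 c:\windows\system32\dllcache\mswsock.dll

[-] 2009-01-01 00:00 135168 00000000000000000000000000000000 c:\windows\system32\example.dll
[-] 2006-12-19 21:52 135168 11111111111111111111111111111111 c:\windows\system32\dllcache\example.dll

c:\windows\system32\lpk.dll ... is missing !!
c:\windows\system32\drivers\beep.sys ... is missing !!
"""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _role(path):
    """Classify a copy: 'reference' (dllcache), 'live' (system32 or
    system32\\drivers) or 'other' (update downloads, uninstall folders)."""
    p = path.lower()
    if p.startswith("c:\\windows\\system32\\dllcache\\"):
        return "reference"
    if p.startswith("c:\\windows\\system32\\drivers\\"):
        return "live"
    if p.startswith("c:\\windows\\system32\\") and p.count("\\") == 3:
        return "live"
    return "other"


def parse_log(log_text):
    """Return (copies, missing): copies maps basename -> [(path, md5)],
    missing is the list of paths ComboFix reported as absent."""
    copies = defaultdict(list)
    missing = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            _date, _time, _size, md5, path = m.groups()
            copies[_basename(path)].append((path, md5.upper()))
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group(1))
    return copies, missing


def triage(log_text):
    """Map each basename to MISSING, VERIFIED, MISMATCH or UNVERIFIED."""
    copies, missing = parse_log(log_text)
    verdicts = {_basename(p): "MISSING" for p in missing}
    for name, entries in copies.items():
        if name in verdicts:
            continue
        live = {md5 for path, md5 in entries if _role(path) == "live"}
        ref = {md5 for path, md5 in entries if _role(path) == "reference"}
        if not live or not ref:
            verdicts[name] = "UNVERIFIED"   # no dllcache copy to compare against
        elif live <= ref:
            verdicts[name] = "VERIFIED"     # live copy matches the dllcache copy
        else:
            verdicts[name] = "MISMATCH"     # live copy differs: inspect it
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:<10} {name}")
```

Copies under SoftwareDistribution\Download or $NtUninstall folders are deliberately ignored: they are other versions of the file, so a hash difference against them says nothing about tampering, which is why netlogon.dll above comes out UNVERIFIED rather than MISMATCH.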


#14 Helpme64

Helpme64
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:19 PM

Posted 22 August 2009 - 08:08 AM

CMD:

Volume in drive C has no label.
Volume Serial Number is 3C2C-A066

Directory of C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7

04/13/2008 08:11 PM 22,016 lpk.dll
1 File(s) 22,016 bytes

Total Files Listed:
1 File(s) 22,016 bytes
0 Dir(s) 149,787,860,992 bytes free
These Windows services are started:

AOL TopSpeed Monitor
Apple Mobile Device
Application Layer Gateway Service
Automatic Updates
Bonjour Service
COM+ Event System
COM+ System Application
Computer Browser
CryptSvc
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
EvdoServer
Event Log
Fast User Switching Compatibility
Help and Support
HTTP SSL
iPod Service
IPSEC Services
Java Quick Starter
Logical Disk Manager
McAfee Network Agent
McAfee Services
Media Center Receiver Service
Media Center Scheduler Service
Network Connections
Network Location Awareness (NLA)
NVIDIA Display Driver Service
Plug and Play
Pml Driver HPZ12
Print Spooler
PrismXL
Protected Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
sofatnet Service
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.




Kaspersky Online Scan:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 22, 2009 05:28:41
Records in database: 2674758
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 155640
Threats found: 16
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 03:09:13


File name / Threat / Threats count
C:\Documents and Settings\Owner\My Documents\Nathan\start.txt Infected: Trojan.BAT.Flood.c 1
C:\My Backup -- 08-12-15 0648AM\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3BNYQYMW\1[1].htm Infected: Packed.JS.Agent.ad 1
C:\My Backup -- 08-12-15 0648AM\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L3DHXFVY\count[1].htm Infected: Exploit.Win32.Agent.dh 1
C:\Qoobox\Quarantine\C\ccwygkvw.exe.vir Infected: Trojan.Win32.Agent.csaf 1
C:\Qoobox\Quarantine\C\hcel.exe.vir Infected: Trojan.Win32.Inject.ahft 1
C:\Qoobox\Quarantine\C\niawndos.exe.vir Infected: Trojan.Win32.Inject.ahft 1
C:\Qoobox\Quarantine\C\umoikchf.exe.vir Infected: Trojan.Win32.Small.cbh 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Trojan.Win32.FraudPack.qbx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.akcl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\netcard.sys.vir Infected: Rootkit.Win32.Tiny.gk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir Infected: Trojan-Downloader.Win32.Small.alzl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Backdoor.Win32.Bredolab.es 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir Infected: Trojan.Win32.VBimay.oq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\t4m0_212813142278.bk.old.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ys 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\t4m0_365656698786.bk.old.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ys 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\t4m0_89606595037.bk.old.vir Infected: Trojan-Downloader.Win32.DlfBfkg.yx 1
C:\Qoobox\Quarantine\C\yedfjdy.exe.vir Infected: Trojan-Spy.Win32.Zbot.aaer 1
C:\WINDOWS\Temp\t4m0_77135018245.bk.old Infected: Trojan-Downloader.Win32.DlfBfkg.ys 1
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Selected area has been scanned.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,417 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:19 PM

Posted 22 August 2009 - 11:03 AM

Hi, Helpme64 :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\Temp\t4m0_77135018245.bk.old
C:\My Backup -- 08-12-15 0648AM\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3BNYQYMW\1[1].htm
C:\My Backup -- 08-12-15 0648AM\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L3DHXFVY\count[1].htm
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
C:\Documents and Settings\Owner\My Documents\Nathan\start.txt

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Were you able to locate a Windows XP install CD? There seems to be a copy of lpk.dll in the computer but not the Beep.sys.

How is the computer doing?

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




