Trojan.Smitfraud Variant-Gen/Bensorty.SharedTaskScheduler infection


This topic is locked
50 replies to this topic

#1 mr. fang (Members, 25 posts)

Posted 21 September 2009 - 10:55 PM

I'm running Windows XP Professional (SP3) and experienced one or more malware infections today, including the Trojan.Smitfraud Variant-Gen/Bensorty.SharedTaskScheduler mentioned in the subject line. I know this was one of them because I spotted NZFIU3H78DI.DLL and deleted it. I also used the Microsoft Windows Malicious Software Removal tool to remove something else as well, but am unable to run other software such as Malwarebytes' Anti-Malware due to error messages. At this point I'm not sure if my system is still infected with the malware, but it's definitely crippled. The start button and task bar do not show up, even though I've tried starting Windows in safe mode, and tried restoring them by removing the StuckRects2 registry entry. They are not hidden at the edges of the screen. Additionally, some other basic Windows functions are not working, such as the ability to move or paste files and the ability to connect to the Internet. I also noticed that the system file svchost.exe has somehow been deleted from the System32 folder, and assume this may be contributing to my problems. I tried running the Windows System File Checker (sfc /scannow), but it did not appear to do anything. I appreciate all assistance here, and am looking forward to having a clean system again. Log files were saved to a memory stick and brought to another computer for posting here.

Here's the DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by St. Thomas at 22:13:30.51 on Mon 09/21/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uStart Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - e:\program files\yahoo!\messenger\yhexbmes0521.dll
uRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [NBJ] "e:\program files\ahead\nero backitup\NBJ.exe"
uRun: [swg] e:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "e:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] e:\windows\system32\NeroCheck.exe
mRun: [ADUserMon] e:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] e:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] e:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [CTSysVol] e:\program files\creative\sound blaster\surround mixer\CTSysVol.exe /r
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [UpdReg] e:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "e:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - e:\program files\yahoo!\messenger\yhexbmes0521.dll
LSP: e:\windows\system32\8gfwg5qqfvsk.dll
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: pBotni - {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\ste39f~1.tho\applic~1\mozilla\firefox\profiles\mz40samm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
FF - plugin: e:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: e:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: e:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: e:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-21 21:02 <DIR> --d----- e:\windows\system32\CatRoot_bak
2009-09-21 19:05 <DIR> --d----- e:\program files\Trend Micro
2009-09-21 18:37 39,424 a------- e:\windows\system32\grpconv.exe
2009-09-21 18:30 229,888 a------- e:\windows\PEV.exe
2009-09-21 18:30 161,792 a------- e:\windows\SWREG.exe
2009-09-21 18:30 98,816 a------- e:\windows\sed.exe
2009-09-21 18:30 <DIR> --d----- E:\Combo-Fix
2009-09-21 18:20 38,224 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 18:20 19,160 a------- e:\windows\system32\drivers\mbam.sys
2009-09-21 18:20 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-09-21 18:20 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 18:16 <DIR> -cd-h--- e:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 16:15 <DIR> --d----- e:\program files\TouchStoneSoftware
2009-09-21 15:59 286,720 a--shr-- e:\windows\system32\8gfwg5qqfvsk.dll
2009-09-21 15:27 67,208 a------- e:\windows\UnDeploy.exe
2009-09-21 14:54 <DIR> --d----- e:\program files\OfficeRecovery
2009-09-21 03:57 <DIR> --d----- e:\windows\MjM Free Photo Recovery Software
2009-09-21 02:20 224 a------- e:\windows\system32\9B13A86D.plf
2009-09-21 02:09 <DIR> --d----- e:\docume~1\ste39f~1.tho\applic~1\PandoraRecovery
2009-09-21 02:09 <DIR> --d----- e:\program files\Pandora Recovery
2009-09-21 01:25 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Cached Installations
2009-09-21 01:14 765 a------- e:\windows\ONFORMAT.INI
2009-09-21 01:14 341 a------- e:\windows\RECMGRUN.INI
2009-09-21 01:13 3,455 a------- e:\windows\RECVCALL.INI
2009-09-01 20:48 223,744 a------- e:\windows\system32\CNMLM97.DLL
2009-09-01 20:42 25,856 a------- e:\windows\system32\drivers\usbprint.sys

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- e:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- e:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- e:\windows\system32\wmpdxm.dll
2009-06-26 11:50 666,624 a------- e:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 -------- e:\windows\system32\ieencode.dll
2009-06-25 03:25 730,112 a------- e:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- e:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- e:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- e:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- e:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- e:\windows\system32\wdigest.dll
2005-01-31 21:45 262,144 a------- e:\documents and settings\st. thomas\psftp.exe

============= FINISH: 22:13:55.73 ===============


#2 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 08 October 2009 - 11:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 mr. fang (Topic Starter, Members, 25 posts)

Posted 08 October 2009 - 12:32 PM

DDS (Ver_09-09-29.01) - NTFSx86
Run by St. Thomas at 12:28:48.90 on Thu 10/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uStart Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - e:\program files\yahoo!\messenger\yhexbmes0521.dll
uRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [NBJ] "e:\program files\ahead\nero backitup\NBJ.exe"
uRun: [swg] e:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "e:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] e:\windows\system32\NeroCheck.exe
mRun: [ADUserMon] e:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] e:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] e:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [CTSysVol] e:\program files\creative\sound blaster\surround mixer\CTSysVol.exe /r
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [UpdReg] e:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "e:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - e:\program files\yahoo!\messenger\yhexbmes0521.dll
LSP: e:\windows\system32\8gfwg5qqfvsk.dll
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: pBotni - {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-21 21:02 <DIR> --d----- e:\windows\system32\CatRoot_bak
2009-09-21 19:05 <DIR> --d----- e:\program files\Trend Micro
2009-09-21 18:37 39,424 a------- e:\windows\system32\grpconv.exe
2009-09-21 18:30 229,888 a------- e:\windows\PEV.exe
2009-09-21 18:30 161,792 a------- e:\windows\SWREG.exe
2009-09-21 18:30 98,816 a------- e:\windows\sed.exe
2009-09-21 18:30 <DIR> --d----- E:\Combo-Fix
2009-09-21 18:20 38,224 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 18:20 19,160 a------- e:\windows\system32\drivers\mbam.sys
2009-09-21 18:20 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-09-21 18:20 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-21 18:16 <DIR> -cd-h--- e:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 16:15 <DIR> --d----- e:\program files\TouchStoneSoftware
2009-09-21 15:59 286,720 a--shr-- e:\windows\system32\8gfwg5qqfvsk.dll
2009-09-21 15:27 67,208 a------- e:\windows\UnDeploy.exe
2009-09-21 14:54 <DIR> --d----- e:\program files\OfficeRecovery
2009-09-21 03:57 <DIR> --d----- e:\windows\MjM Free Photo Recovery Software
2009-09-21 02:20 224 a------- e:\windows\system32\9B13A86D.plf
2009-09-21 02:09 <DIR> --d----- e:\docume~1\ste39f~1.tho\applic~1\PandoraRecovery
2009-09-21 02:09 <DIR> --d----- e:\program files\Pandora Recovery
2009-09-21 01:25 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Cached Installations
2009-09-21 01:14 765 a------- e:\windows\ONFORMAT.INI
2009-09-21 01:14 341 a------- e:\windows\RECMGRUN.INI
2009-09-21 01:13 3,455 a------- e:\windows\RECVCALL.INI

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- e:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- e:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- e:\windows\system32\wmpdxm.dll
2005-01-31 21:45 262,144 a------- e:\documents and settings\st. thomas\psftp.exe

============= FINISH: 12:29:15.65 ===============
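The two DDS logs in this thread (posts #1 and #3) are read by hand by the helper. As an added example, not part of the original thread and not code from the DDS tool, here is a small Python triage script that applies a few of the heuristics a malware responder uses on the "Pseudo HJT Report" and "Created Last 30" sections: a Winsock LSP DLL that is not one of the stock Windows providers, a ShellServiceObjectDelayLoad (SSODL) entry with an unrecognised name, and newly created files under system32 that carry the system+hidden attributes or have a pseudo-random name. The sample lines are copied from the logs above with a few benign neighbours as controls; the allow-lists, the random-name thresholds and the helper names (`triage`, `looks_random`, `Finding`) are assumptions made for this example, and a hit is a lead for closer inspection, not a verdict.

```python
"""Heuristic triage of DDS log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the DDS logs in this thread, with a
# few benign neighbours kept as controls.
SAMPLE_LOG = r"""
mRun: [SoundMan] SOUNDMAN.EXE
uRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
LSP: e:\windows\system32\8gfwg5qqfvsk.dll
SSODL: pBotni - {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll
2009-09-21 18:37 39,424 a------- e:\windows\system32\grpconv.exe
2009-09-21 18:30 <DIR> --d----- E:\Combo-Fix
2009-09-21 15:59 286,720 a--shr-- e:\windows\system32\8gfwg5qqfvsk.dll
2009-09-21 02:20 224 a------- e:\windows\system32\9B13A86D.plf
"""

# Assumed allow-lists for this example only. Real triage checks entries against
# a maintained database of known-good autostart entries, not a short set.
KNOWN_LSP_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}
KNOWN_SSODL_NAMES = {"webcheck", "postbootreminder", "cdburn", "systray", "uplogger"}

# "Created Last 30": date time size attributes path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attr>\S{8}) (?P<path>.+)$"
)
# "Pseudo HJT Report": key followed by the entry (uRun, mRun, LSP, SSODL, ...)
HJT_RE = re.compile(r"^(?P<key>[A-Za-z]+): (?P<rest>.+)$")
# Any exe/dll file name inside a Run command line (quoted or not)
FILE_TOKEN_RE = re.compile(r'[^\\"\s,]+\.(?:exe|dll)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Generated names tend to be long, mix digits with letters and have few
    vowels. The thresholds (10 chars, under 20% vowels) are assumptions."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 10:
        return False
    letters = [c for c in stem if c.isalpha()]
    if not letters or not any(c.isdigit() for c in stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per heuristic hit; a line may produce several."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            # 's' = system, 'h' = hidden in the DDS attribute column
            if "\\system32\\" in path.lower() and "s" in attr and "h" in attr:
                findings.append(Finding(line, "new system+hidden file under system32"))
            if looks_random(basename(path)):
                findings.append(Finding(line, "pseudo-random file name"))
            continue
        m = HJT_RE.match(line)
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if key == "LSP" and basename(rest) not in KNOWN_LSP_DLLS:
            findings.append(Finding(line, "Winsock LSP DLL outside the stock set"))
        elif key == "SSODL":
            entry = rest.split(" - ", 1)[0].strip().lower()
            if entry not in KNOWN_SSODL_NAMES:
                findings.append(Finding(line, "unrecognised ShellServiceObjectDelayLoad entry"))
        elif key in ("uRun", "mRun"):
            command = rest.split("] ", 1)[-1]
            if any(looks_random(tok) for tok in FILE_TOKEN_RE.findall(command)):
                findings.append(Finding(line, "autostart points at a pseudo-random file name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:48} {f.line}")
```

Run against the sample, the script reports the LSP entry, the SSODL entry, and the system+hidden DLL (twice, once for its attributes and once for its name), while grpconv.exe, the Combo-Fix directory and the short hex-named .plf file pass. Reading the LSP and SSODL lines back against the "Created Last 30" dates is the same cross-check the helper performs by eye: both DLLs appeared on the day of the infection.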

#4 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 09 October 2009 - 10:45 PM

Hello, mr. fang, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step 1

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 2

Download and run Win32kDiag:

Step 3

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Step 4

I see that you have used Combofix on your own. Please note that using Combofix without the supervision of a trained expert is very dangerous. Can you find the logfile from Combofix at E:\Combofix.txt?

If yes, please post back with the content of the logfile. Do not run Combofix again.

Please post back with:
  • Win32kDiag-Logfile
  • Gmer-Logfile
  • Combofix-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 mr. fang (Topic Starter, Members, 25 posts)

Posted 10 October 2009 - 04:27 PM

Regarding step 1, I still have no Start button, but I was able to use Windows Explorer to get to the Control Panel and used the Add/Remove Programs to remove Viewpoint Manager.

I downloaded Win32kDiag and GMER onto a different computer since the one we're fixing still can't connect to the Internet. I then put them on a USB memory stick. Copying and pasting files is still impossible on the crippled machine, but I made zip files of both applications and then extracted the exe files to the desktop so that I could run them. I saved copies of the log files to the memory stick.

Here are the three log files you requested. The Win32kDiag log file doesn't really have anything in it.

Log file #1 (Win32kDiag):

Running from: E:\Documents and Settings\St. Thomas\Desktop\Win32kDiag.exe
Log file at : E:\Documents and Settings\St. Thomas\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'E:\WINDOWS'...
Finished!

Log file #2 (GMER):

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-10 16:23:43
Windows 5.1.2600 Service Pack 3
Running: pzps6wp5.exe; Driver: E:\DOCUME~1\STE39F~1.THO\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT spel.sys ZwCreateKey [0xF85560E0]
SSDT spel.sys ZwEnumerateKey [0xF8574CA4]
SSDT spel.sys ZwEnumerateValueKey [0xF8575032]
SSDT spel.sys ZwOpenKey [0xF85560C0]
SSDT spel.sys ZwQueryKey [0xF857510A]
SSDT spel.sys ZwQueryValueKey [0xF8574F8A]
SSDT spel.sys ZwSetValueKey [0xF857519C]

INT 0x62 ? 833DEBF8
INT 0x82 ? 833DEBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 168 804E27C4 2 Bytes [A4, 4C] {MOVSB ; DEC ESP}
.text ntoskrnl.exe!_abnormal_termination + 16B 804E27C7 1 Byte [F8]
.text ntoskrnl.exe!_abnormal_termination + 2CC 804E2928 2 Bytes [0A, 51]
.text ntoskrnl.exe!_abnormal_termination + 2CF 804E292B 1 Byte [F8]
.text ntoskrnl.exe!_abnormal_termination + 428 804E2A84 2 Bytes [9C, 51] {PUSHF ; PUSH ECX}
.text ...
? spel.sys The system cannot find the file specified. !
.text acqhfc5o.SYS F66B9386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text acqhfc5o.SYS F66B93AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text acqhfc5o.SYS F66B93C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text acqhfc5o.SYS F66B93C9 1 Byte [30]
.text acqhfc5o.SYS F66B93C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.rsrc E:\WINDOWS\system32\winlogon.exe[692] E:\WINDOWS\system32\winlogon.exe section is executable [0x01077000, 0xB000, 0x60000060]
.rsrc E:\WINDOWS\system32\winlogon.exe[692] E:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x01081000]
.rsrc E:\WINDOWS\system32\services.exe[740] E:\WINDOWS\system32\services.exe section is executable [0x0101C000, 0x2000, 0x60000060]
.rsrc E:\WINDOWS\system32\services.exe[740] E:\WINDOWS\system32\services.exe entry point in ".rsrc" section [0x0101D000]
.text E:\Documents and Settings\St. Thomas\Desktop\pzps6wp5.exe[896] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Documents and Settings\St. Thomas\Desktop\pzps6wp5.exe[896] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.reloc E:\WINDOWS\Explorer.EXE[1520] E:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x5000, 0x62000060]
.reloc E:\WINDOWS\Explorer.EXE[1520] E:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FF000]
.text E:\WINDOWS\Explorer.EXE[1520] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\WINDOWS\Explorer.EXE[1520] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\Iomega\DriveIcons\ImgIcon.exe[1744] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\Iomega\DriveIcons\ImgIcon.exe[1744] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe[1760] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe[1760] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\D-Link AirPlus G\AirPlus.exe[1884] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text E:\Program Files\D-Link AirPlus G\AirPlus.exe[1884] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 E:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833732D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8587C4C] spel.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8587CA0] spel.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8557042] spel.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F855713E] spel.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F85570C0] spel.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8557800] spel.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F85576D6] spel.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] FFAF15E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8566E9C] spel.sys
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlInitUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!swprintf] 001CB286
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeSetEvent] C61AEB00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 001C8186
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 86C61200
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00001C83
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmFreeMappingAddress] 8E868801
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 8800001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 001CAA86
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmUnmapIoSpace] 80968B00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8900001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IofCompleteRequest] 001C9C96
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlCompareUnicodeString] C6168B00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IofCallDriver] 001CB986
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 428A0A00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] BA86880C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoConnectInterrupt] 8B00001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoDetachDevice] 24A48DFA
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInitializeEvent] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeCancelTimer] 8D3F0304
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CB033043
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlInitAnsiString] 0673C13B
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] C13B0003
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoQueueWorkItem] 8366FA72
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmMapIoSpace] 75000E7B
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0B7D80E3
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoReportDetectedDevice] 307B8D00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00AA840F
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 83660000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!PoRequestPowerIrp] C6647400
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CBB86
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 4F8B0200
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!sprintf] 968D5140
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00001C90
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ObfDereferenceObject] 2266E852
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 478B0000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 50016A40
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ZwClose] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E8510000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00002254
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A18538B
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 868D5200
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoCreateDevice] 00001C98
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 2242E850
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 4B8B0000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 51016A18
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ZwOpenKey] 1CB4968D
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlFreeUnicodeString] E8520000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoStartTimer] 00002230
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInitializeTimer] 8A05478A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoInitializeTimer] 001CBB8E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInitializeDpc] 30C48300
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInitializeSpinLock] 1CBD8688
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoInitializeIrp] 80E90000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ZwCreateKey] C6000000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CBB86
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 438B0100
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ZwSetValueKey] 8E8D5018
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeInsertQueueDpc] 00001C90
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 2202E851
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoStartPacket] 538B0000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 52016A18
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 1CAC868D
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoFreeMdl] E8500000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmUnlockPages] 000021F0
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 001CBB8E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 1CBD8688
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeSynchronizeExecution] 43EB0000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoStartNextPacket] 320C538A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeBugCheckEx] 88F93BC0
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CBB96
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeSetTimer] F6317300
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!_allmul] 74070647
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmProbeAndLockPages] 75C0841A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!_except_handler3] 05578A0B
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!PoSetPowerState] 968801B0
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00001CBD
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B60F66
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 533B6604
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!_aulldiv] 03087408
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!strstr] 72F93B3F
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!_strupr] 8A09EBDA
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeQuerySystemTime] 86880547
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 00001CBD
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!KeTickCount] 88084B8A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 001CBE8E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoDeleteDevice] 40578B00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 8D52006A
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAllocateWorkItem] 001CC086
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAllocateIrp] 81E85000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoAllocateMdl] 8B000021
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB88E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmLockPagableDataSection] BC968B00
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8900001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CC48E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!ExFreePoolWithTag] C8968900
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoFreeIrp] 8B00001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!IoFreeWorkItem] 016A4047
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!InitSafeBootMode] CCC68150
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!RtlCompareMemory] 5600001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!PoCallDriver] 002157E8
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!memmove] 18C48300
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[ntoskrnl.exe!MmHighestUserAddress] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\acqhfc5o.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 833DD1F8
Device \FileSystem\Fastfat \FatCdrom FF699500
Device \Driver\NetBT \Device\NetBT_Tcpip_{011F70E3-5CE8-444B-A2E9-4C9E0150180A} FF6FA1F8
Device \Driver\usbuhci \Device\USBPDO-0 FFAF0500
Device \Driver\PCI_PNP9948 \Device\00000044 spel.sys
Device \Driver\usbuhci \Device\USBPDO-1 FFAF0500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 833DF1F8
Device \Driver\dmio \Device\DmControl\DmConfig 833DF1F8
Device \Driver\dmio \Device\DmControl\DmPnP 833DF1F8
Device \Driver\dmio \Device\DmControl\DmInfo 833DF1F8
Device \Driver\usbuhci \Device\USBPDO-2 FFAF0500
Device \Driver\usbehci \Device\USBPDO-3 FFAD01F8
Device \Driver\sptd \Device\2161311198 spel.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 833711F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 833711F8
Device \Driver\Cdrom \Device\CdRom0 FFAE1500
Device \Driver\Cdrom \Device\CdRom1 FFAE1500
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 833DE1F8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 833DE1F8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 833DE1F8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 833DE1F8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 833DE1F8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T1L0 833DE1F8
Device \Driver\Cdrom \Device\CdRom2 FFAE1500
Device \Driver\USBSTOR \Device\00000069 FF6C0500
Device \Driver\NetBT \Device\NetBt_Wins_Export FF6FA1F8
Device \Driver\NetBT \Device\NetbiosSmb FF6FA1F8
Device \Driver\USBSTOR \Device\0000006a FF6C0500
Device \Driver\usbuhci \Device\USBFDO-0 FFAF0500
Device \Driver\usbuhci \Device\USBFDO-1 FFAF0500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FF9661F8
Device \Driver\usbuhci \Device\USBFDO-2 FFAF0500
Device \FileSystem\MRxSmb \Device\LanmanRedirector FF9661F8
Device \Driver\usbehci \Device\USBFDO-3 FFAD01F8
Device \Driver\Ftdisk \Device\FtControl 833711F8
Device \Driver\acqhfc5o \Device\Scsi\acqhfc5o1 FF9B11F8
Device \Driver\acqhfc5o \Device\Scsi\acqhfc5o1Port2Path0Target0Lun0 FF9B11F8
Device \FileSystem\Fastfat \Fat FF699500
Device \FileSystem\Cdfs \Cdfs FF6B9500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x6A 0x5D 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0xEC 0xB5 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x15 0x8F 0x63 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x6A 0x5D 0x07 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0xEC 0xB5 0x78 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x15 0x8F 0x63 ...

---- EOF - GMER 1.0.15 ----


Log file #3 (ComboFix):

ComboFix 09-09-20.04 - St. Thomas 09/21/2009 18:32.1.1 - NTFSx86
Running from: H:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\docume~1\STE39F~1.THO\LOCALS~1\Temp\winlogon.exe
e:\documents and settings\St. Thomas\Application Data\wiaserva.log
e:\windows\system32\Data
e:\windows\system32\drivers\Sonyhcp.dll
e:\windows\system32\wbem\grpconv.exe

e:\windows\system32\grpconv.exe was missing
Restored copy from - e:\system volume information\_restore{90787D6B-2521-43ED-96F6-AAF21B4200C5}\RP1003\A0190881.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 23:37 . 2008-04-14 00:12 39424 ----a-w- e:\windows\system32\grpconv.exe
2009-09-21 23:20 . 2009-09-10 19:54 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 23:20 . 2009-09-10 19:53 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-21 23:16 . 2009-09-21 23:16 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\documents and settings\St. Thomas\Local Settings\Application Data\TouchStoneSoftware
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\program files\TouchStoneSoftware
2009-09-21 20:59 . 2009-09-21 20:59 286720 --sha-r- e:\windows\system32\8gfwg5qqfvsk.dll
2009-09-21 20:59 . 2009-09-21 20:59 28160 ---h--w- e:\documents and settings\St. Thomas\lawwbyp.exe
2009-09-21 20:27 . 2009-06-19 08:20 67208 ----a-w- e:\windows\UnDeploy.exe
2009-09-21 20:20 . 2009-09-21 20:20 -------- d-----w- e:\documents and settings\All Users\Application Data\TEMP
2009-09-21 19:54 . 2009-09-21 19:54 -------- d-----w- e:\program files\OfficeRecovery
2009-09-21 08:57 . 2009-09-21 08:57 -------- d-----w- e:\windows\MjM Free Photo Recovery Software
2009-09-21 07:09 . 2009-09-21 07:09 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\PandoraRecovery
2009-09-21 07:09 . 2009-09-21 07:16 -------- d-----w- e:\program files\Pandora Recovery
2009-09-21 07:02 . 2009-09-21 07:02 -------- d-----w- e:\program files\Recuva
2009-09-21 06:25 . 2009-09-21 06:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Cached Installations
2009-09-15 03:54 . 2009-06-21 21:44 153088 -c----w- e:\windows\system32\dllcache\triedit.dll
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\documents and settings\All Users\Application Data\CanonBJ
2009-09-02 01:48 . 2007-10-22 05:00 223744 ----a-w- e:\windows\system32\CNMLM97.DLL
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\windows\system32\CanonIJ Uninstaller Information
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\program files\CanonBJ
2009-09-02 01:42 . 2008-04-13 18:47 25856 -c--a-w- e:\windows\system32\dllcache\usbprint.sys
2009-09-02 01:42 . 2008-04-13 18:47 25856 ----a-w- e:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 03:29 . 2008-07-18 23:18 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-09-17 14:46 . 2004-08-24 18:30 -------- d-----w- e:\program files\Soulseek
2009-09-16 04:20 . 2004-08-04 05:39 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\Canon
2009-09-02 01:50 . 2004-08-04 05:36 -------- d-----w- e:\program files\Canon
2009-08-05 09:01 . 2004-08-28 00:31 204800 ----a-w- e:\windows\system32\mswebdvd.dll
2009-08-04 23:54 . 2004-12-21 01:25 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\Active Disk
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- e:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- e:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-02-07 00:05 666624 ----a-w- e:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- e:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- e:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- e:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- e:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-03-31 12:00 301568 ----a-w- e:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-03-31 12:00 147456 ----a-w- e:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-03-31 12:00 136192 ----a-w- e:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2003-03-31 12:00 92928 ----a-w- e:\windows\system32\drivers\ksecdd.sys
.

------- Sigcheck -------

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . e:\windows\system32\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\browser.dll

[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . e:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . e:\windows\system32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . e:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2006-08-25 . C4E80875C1CF1222FC5EFD0314AE5C01 . 1054208 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[-] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . e:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2004-04-16 . A7B3F3FB365B8B3B29C7C7322392C765 . 921600 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
[-] 2003-03-31 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2003-03-31 . 76B90BD220F1B1CC9E183C6B1AE9FBB4 . 921600 . . [6.0] . . e:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . e:\windows\system32\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2003-03-31 . 41C70161BFCB17E7E12ED89BADD2AEF4 . 53248 . . [5.1.2600.1106] . . e:\windows\$NtUninstallQ817287$\cryptsvc.dll

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . e:\windows\system32\drivers\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\asyncmac.sys

[-] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . e:\windows\system32\dllcache\beep.sys
[-] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . e:\windows\system32\drivers\beep.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . e:\windows\system32\drivers\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . e:\windows\system32\drivers\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . e:\windows\system32\drivers\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . e:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . e:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2003-03-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . e:\windows\system32\dllcache\null.sys
[-] 2003-03-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . e:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . e:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . e:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . e:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . e:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . e:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . e:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . e:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . e:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . e:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . e:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . e:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . e:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . e:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . e:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . e:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . e:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . e:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . e:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . e:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . e:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . e:\windows\$NtUninstallKB950974$\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . e:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . e:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . e:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-04 07:56 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . e:\windows\$NtUninstallKB902400$\es.dll
[-] 2003-03-31 12:00 . C9702DDD814C39DC1254CF757C31C6E4 . 225280 . . [2001.12.4414.46] . . e:\windows\$NtUninstallKB828741$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . e:\windows\system32\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\imm32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . e:\windows\system32\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . e:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . e:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . e:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . e:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . e:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2006-07-05 . D8DB5397DE07577C1CB50BA6D23B3AD4 . 984064 . . [5.1.2600.2945] . . e:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB917422$\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . e:\windows\system32\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . e:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . e:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . e:\windows\system32\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\lpk.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . e:\windows\system32\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-07-18 . 7467941BE64DFC5F8E9F3DC1DE920806 . 3069440 . . [6.00.2900.5848] . . e:\windows\system32\mshtml.dll
[-] 2009-07-18 . 7467941BE64DFC5F8E9F3DC1DE920806 . 3069440 . . [6.00.2900.5848] . . e:\windows\system32\dllcache\mshtml.dll
[-] 2009-07-18 . F3EE47F296295D08A97CB50EF57244D9 . 3069952 . . [6.00.2900.5848] . . e:\windows\$hf_mig$\KB972260\SP3QFE\mshtml.dll
[-] 2009-04-29 . ABD8093E43E53AEA5898D2214B92E9BA . 3068928 . . [6.00.2900.5803] . . e:\windows\$NtUninstallKB972260$\mshtml.dll
[-] 2009-04-29 . 06CF679E3D24C3DF270556456A0F1EDA . 3069440 . . [6.00.2900.5803] . . e:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[-] 2009-02-20 . 2F70F2F74C40397D031016FA162981C2 . 3068416 . . [6.00.2900.5764] . . e:\windows\$NtUninstallKB969897$\mshtml.dll
[-] 2009-02-20 . 1618A4A2C5DD8164B8295190C8EA6544 . 3068416 . . [6.00.2900.5764] . . e:\windows\$hf_mig$\KB963027\SP3QFE\mshtml.dll
[-] 2008-12-12 . B6DAA74E2ED36C71B502945589A683AE . 3067904 . . [6.00.2900.5726] . . e:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . C828AA1C5469E72251F3D367005E589F . 3067904 . . [6.00.2900.5726] . . e:\windows\$NtUninstallKB963027$\mshtml.dll
[-] 2008-10-16 . CC5A2205D37AE67CE23AB7FD3E1FDACA . 3067904 . . [6.00.2900.5694] . . e:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[-] 2008-10-16 . B846C2DE341CF32B42AD297437233742 . 3067904 . . [6.00.2900.5694] . . e:\windows\$NtUninstallKB960714$\mshtml.dll
[-] 2008-08-20 . 507BDA42F7DB8209C0F0B3556A043491 . 3067904 . . [6.00.2900.5659] . . e:\windows\$NtUninstallKB958215$\mshtml.dll
[-] 2008-08-20 . BD45470B132A0F98596277323D9F2E5A . 3067904 . . [6.00.2900.5659] . . e:\windows\$hf_mig$\KB956390\SP3QFE\mshtml.dll
[-] 2008-06-25 . 04EEC0FF4DD3C7041628973CA6832C33 . 3067904 . . [6.00.2900.5626] . . e:\windows\$hf_mig$\KB953838\SP3QFE\mshtml.dll
[-] 2008-06-23 . 1FC693A4EE1D9D9CD78DDA6C87232F6F . 3067392 . . [6.00.2900.3395] . . e:\windows\$hf_mig$\KB953838\SP2QFE\mshtml.dll
[-] 2008-06-23 . 74B5A84AC8FCF52C249B74C3D2A3E7B8 . 3059712 . . [6.00.2900.3395] . . e:\windows\$NtServicePackUninstall$\mshtml.dll
[-] 2008-06-23 . F433136C23D13B120412B300D1324A7E . 3067392 . . [6.00.2900.5626] . . e:\windows\$hf_mig$\KB953838\SP3GDR\mshtml.dll
[-] 2008-06-23 . F433136C23D13B120412B300D1324A7E . 3067392 . . [6.00.2900.5626] . . e:\windows\$NtUninstallKB956390$\mshtml.dll
[-] 2008-04-21 . C75C6AD32C28BCE0D14E1CA2AB4862DC . 3059712 . . [6.00.2900.3354] . . e:\windows\$NtUninstallKB953838_0$\mshtml.dll
[-] 2008-04-21 . 083B967E6B0B2BB539CE6B08D45D631F . 3066880 . . [6.00.2900.3354] . . e:\windows\$hf_mig$\KB950759\SP2QFE\mshtml.dll
[-] 2008-04-21 . FE406DE0651C9E8201DCB0460609D739 . 3066880 . . [6.00.2900.5583] . . e:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[-] 2008-04-21 . FE406DE0651C9E8201DCB0460609D739 . 3066880 . . [6.00.2900.5583] . . e:\windows\$NtUninstallKB953838$\mshtml.dll
[-] 2008-04-21 . 46A61BA430110F00DD990D058AA3D054 . 3067392 . . [6.00.2900.5583] . . e:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . e:\windows\$NtUninstallKB950759$\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2008-02-16 . 77DBF6075405494AD6B6A99E2C732F86 . 3059712 . . [6.00.2900.3314] . . e:\windows\$NtUninstallKB950759_0$\mshtml.dll
[-] 2008-02-16 . 701A6798DDF875CAA3A5099EE75FD57F . 3066880 . . [6.00.2900.3314] . . e:\windows\$hf_mig$\KB947864\SP2QFE\mshtml.dll
[-] 2007-12-07 . DA9377A57A277170C78095C0E8BD8C85 . 3059200 . . [6.00.2900.3268] . . e:\windows\$NtUninstallKB947864$\mshtml.dll
[-] 2007-12-07 . 8A4DD074DEC1B0C063C8493ABF654CBC . 3066368 . . [6.00.2900.3268] . . e:\windows\$hf_mig$\KB944533\SP2QFE\mshtml.dll
[-] 2007-10-30 . DA077E334961230C12E3E4D62626286E . 3058688 . . [6.00.2900.3243] . . e:\windows\$NtUninstallKB944533$\mshtml.dll
[-] 2007-10-30 . 79314A0A6B0DA78AFE491FF2D8B117BA . 3065856 . . [6.00.2900.3243] . . e:\windows\$hf_mig$\KB942615\SP2QFE\mshtml.dll
[-] 2007-08-22 . 591449BD8F2C8090B9259E88C78AE61D . 3058176 . . [6.00.2900.3199] . . e:\windows\$NtUninstallKB942615$\mshtml.dll
[-] 2007-08-22 . 885E3BF99EA4B2213901EBC35B34CF12 . 3064832 . . [6.00.2900.3199] . . e:\windows\$hf_mig$\KB939653\SP2QFE\mshtml.dll
[-] 2007-06-15 . 53F3FD772C010622346C39284C4A863B . 3064320 . . [6.00.2900.3157] . . e:\windows\$hf_mig$\KB937143\SP2QFE\mshtml.dll
[-] 2007-06-14 . F049C52772FC86FD5F6C16D77A2A6204 . 3058688 . . [6.00.2900.3157] . . e:\windows\$NtUninstallKB939653$\mshtml.dll
[-] 2007-05-04 . 00ADCB32832A10ED9419493BCEA97526 . 3064320 . . [6.00.2900.3132] . . e:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-05-04 . 4D92717B5BBCE85F1254BAD23B0D357C . 3058688 . . [6.00.2900.3132] . . e:\windows\$NtUninstallKB937143$\mshtml.dll
[-] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . e:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2007-01-04 . F31274D7667D83E73C6EE16D2206B76C . 3056640 . . [6.00.2900.3059] . . e:\windows\$NtUninstallKB933566$\mshtml.dll
[-] 2006-09-14 . BE45460D1453B7342E01EAE79BFBC681 . 3054592 . . [6.00.2900.2995] . . e:\windows\$NtUninstallKB928090$\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . e:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . e:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . e:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-05-19 . 284CE76B71DD5260B42A3CCF0135AF67 . 3052544 . . [6.00.2900.2912] . . e:\windows\$NtUninstallKB918899$\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . e:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-03-23 . DEAA438EA31095E14A196FF647E38D13 . 3053568 . . [6.00.2900.2873] . . e:\windows\$NtUninstallKB916281$\mshtml.dll
[-] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . e:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[-] 2005-11-24 . D3F037F5DA702AE9DDD7663EC9D78BA7 . 3018240 . . [6.00.2900.2802] . . e:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[-] 2005-11-24 . 5E7A39950EA133BB54719A6E08C544A7 . 3015680 . . [6.00.2900.2802] . . e:\windows\$NtUninstallKB912812$\mshtml.dll
[-] 2005-10-05 . 3394299FBF1CD0B24089FC762611360B . 3017728 . . [6.00.2900.2769] . . e:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-10-04 . 042AC20E084D21DD6BEE99B89CC30FB7 . 3015168 . . [6.00.2900.2769] . . e:\windows\$NtUninstallKB905915$\mshtml.dll
[-] 2005-07-20 . A14A7A206AE22DE4FE563E44CFC7DDF5 . 3016192 . . [6.00.2900.2722] . . e:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[-] 2005-07-20 . 31E7520E58E5E4DFA93215A6D5603AF2 . 3014144 . . [6.00.2900.2722] . . e:\windows\$NtUninstallKB896688$\mshtml.dll
[-] 2005-05-02 . DCC5C79B99F02EEF8C826B074DBFC222 . 3014144 . . [6.00.2900.2668] . . e:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[-] 2005-05-02 . DCFAC5470EE0A159EC4222BC28AE3EE6 . 3012608 . . [6.00.2900.2668] . . e:\windows\$NtUninstallKB896727$\mshtml.dll
[-] 2005-03-10 . 84A1B9B0C362051E68BB131F14C6DAAD . 3010560 . . [6.00.2900.2627] . . e:\windows\$NtUninstallKB883939$\mshtml.dll
[-] 2005-03-10 . 255C2CE965543ABDC3E0A25A5DA1874A . 3011072 . . [6.00.2900.2627] . . e:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[-] 2005-01-27 . FAE3CA9B2459581C45B3A8845BE3077C . 3006976 . . [6.00.2900.2604] . . e:\windows\$NtUninstallKB890923$\mshtml.dll
[-] 2005-01-27 . 91C5ADE25BC4E3322577854FA2E7B58B . 3008000 . . [6.00.2900.2604] . . e:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[-] 2004-09-29 . D94E6405E420373161467ACD3DA65640 . 3004928 . . [6.00.2900.2523] . . e:\windows\$NtUninstallKB867282$\mshtml.dll
[-] 2004-09-29 . 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 . 3004928 . . [6.00.2900.2524] . . e:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB834707$\mshtml.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . e:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . e:\windows\system32\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . e:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . e:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . e:\windows\$NtServicePackUninstall$\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . e:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB951748_0$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . e:\windows\system32\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\netlogon.dll

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . e:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . e:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . e:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB905414$\netman.dll

[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . e:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . e:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . e:\windows\system32\dllcache\ntoskrnl.exe
[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . e:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . e:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . e:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . e:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . e:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2005-03-02 . 4D4CF2C14550A4B7718E94A6E581856E . 2179328 . . [5.1.2600.2622] . . e:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2003-03-31 . B9080D97DBD631AADF9128F7316958D2 . 2042240 . . [5.1.2600.1106] . . e:\windows\$NtUninstallQ811493$\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . e:\windows\system32\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . e:\windows\$NtServicePackUninstall$\powrprof.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . e:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . e:\windows\system32\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . e:\windows\system32\bits\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . e:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2003-03-31 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . e:\windows\$NtUninstallKB842773$\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . e:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . e:\windows\system32\dllcache\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . e:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . e:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . e:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . e:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . e:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . e:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB873333$\rpcss.dll
[-] 2003-03-31 . 493FCBED180DCACF0B5D4C8C29949CA9 . 260608 . . [5.1.2600.1106] . . e:\windows\$NtUninstallKB828741$\rpcss.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . e:\windows\system32\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\scecli.dll

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . e:\windows\system32\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\services.exe

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . e:\windows\system32\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\sfc.dll

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 45B2F63F56AA13C0DD66D070CBEBCB2D . 58880 . . [5.1.2600.5512] . . e:\windows\system32\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . e:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . e:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . e:\windows\system32\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . e:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . e:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . e:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . e:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . e:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . e:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . e:\windows\$NtUninstallKB925902$\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB890859$\user32.dll
[-] 2003-03-31 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . e:\windows\$NtUninstallKB824141$\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . e:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2009-06-26 . 70FFEA4793D7139A447B169CB0E500BC . 666624 . . [6.00.2900.5835] . . e:\windows\system32\wininet.dll
[-] 2009-06-26 . 70FFEA4793D7139A447B169CB0E500BC . 666624 . . [6.00.2900.5835] . . e:\windows\system32\dllcache\wininet.dll
[-] 2009-06-26 . 8553E6D4EC1563277323E6B2D6FBB954 . 668160 . . [6.00.2900.5835] . . e:\windows\$hf_mig$\KB972260\SP3QFE\wininet.dll
[-] 2009-04-29 . 6002073519FA478BF89977369CDFD156 . 666624 . . [6.00.2900.5803] . . e:\windows\$NtUninstallKB972260$\wininet.dll
[-] 2009-04-29 . 04BCB4F87B35502568F6CF33433543A5 . 668160 . . [6.00.2900.5803] . . e:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[-] 2009-02-20 . 5B6A3EB7BB2F338BC2CB9F2FA4AAEA9E . 666112 . . [6.00.2900.5764] . . e:\windows\$NtUninstallKB969897$\wininet.dll
[-] 2009-02-20 . 711FEABED387B29FF7ED61BC6806A06C . 667648 . . [6.00.2900.5764] . . e:\windows\$hf_mig$\KB963027\SP3QFE\wininet.dll
[-] 2008-10-16 . E8FCE58A470999350F64C591557F9E42 . 667136 . . [6.00.2900.5694] . . e:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-10-16 . 1576318BF08D28CC61D1278114AD8D5B . 666112 . . [6.00.2900.5694] . . e:\windows\$NtUninstallKB963027$\wininet.dll
[-] 2008-08-20 . 9AF5F25124FBDC36E2B510729CBA2674 . 666112 . . [6.00.2900.5659] . . e:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2008-08-20 . 94418F53D2612C26DBADC04DAFBC197C . 666624 . . [6.00.2900.5659] . . e:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[-] 2008-06-23 . 611ACE3F4201E9610AF8452F7C268995 . 667136 . . [6.00.2900.3395] . . e:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll
[-] 2008-06-23 . 9EEA04BC4C3FA521D256D89940FAB4DB . 659456 . . [6.00.2900.3395] . . e:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2008-06-23 . F12FBB673DE9CC802C5DC518FE99AA2F . 666112 . . [6.00.2900.5626] . . e:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
[-] 2008-06-23 . F12FBB673DE9CC802C5DC518FE99AA2F . 666112 . . [6.00.2900.5626] . . e:\windows\$NtUninstallKB956390$\wininet.dll
[-] 2008-06-23 . 972299B7241EC325D8C7E5638C884925 . 666624 . . [6.00.2900.5626] . . e:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[-] 2008-04-21 . 1EFB8A3EA8454AEC1BB8A240A2845598 . 659456 . . [6.00.2900.3354] . . e:\windows\$NtUninstallKB953838_0$\wininet.dll
[-] 2008-04-21 . 2E7DE1BF9418B071799EB53DE8CC22F5 . 666624 . . [6.00.2900.3354] . . e:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[-] 2008-04-21 . 2B0C24AA747A93A28987B6D65A4A74BC . 666112 . . [6.00.2900.5583] . . e:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[-] 2008-04-21 . 2B0C24AA747A93A28987B6D65A4A74BC . 666112 . . [6.00.2900.5583] . . e:\windows\$NtUninstallKB953838$\wininet.dll
[-] 2008-04-21 . 26F240C250E5B4B395CB4B178BA75437 . 666624 . . [6.00.2900.5583] . . e:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . e:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-02-16 . BB1EACD6AB47E78EBCA02EB781550D55 . 666112 . . [6.00.2900.3314] . . e:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
[-] 2008-02-16 . 0C690E77C0E924C45B4D7045B182FFF1 . 659456 . . [6.00.2900.3314] . . e:\windows\$NtUninstallKB950759_0$\wininet.dll
[-] 2007-12-07 . 57D1B5150CF6331FAC6B3E04C1FCB966 . 659456 . . [6.00.2900.3268] . . e:\windows\$NtUninstallKB947864$\wininet.dll
[-] 2007-12-07 . 085A7C37F9C6EDE1BA870B7DBEC06399 . 666112 . . [6.00.2900.3268] . . e:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2007-10-11 . 2005AD86A22AEE68E21EE59F9CCB77F2 . 659456 . . [6.00.2900.3231] . . e:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2007-10-11 . 80D660A49E0D118144423099B2A9F5DA . 666112 . . [6.00.2900.3231] . . e:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-08-22 . 1901AD51DA8BE9F8B38D5D526E5D1788 . 658944 . . [6.00.2900.3199] . . e:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-08-22 . A1BC17EB3758D73C3938B2318820F5B4 . 665600 . . [6.00.2900.3199] . . e:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[-] 2007-06-26 . E1A3DD68B5380B360A7310A64D9BB188 . 665600 . . [6.00.2900.3164] . . e:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-06-26 . 184E47C8F7B331025E6DC92740DB188F . 658944 . . [6.00.2900.3164] . . e:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-04-18 . 4261BA03AFD659DE04F0A17DFBDD454D . 665600 . . [6.00.2900.3121] . . e:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-04-18 . B7156CD97E739F3014BC4D61758F868A . 658944 . . [6.00.2900.3121] . . e:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-01-04 . 3FFA1573FC274E5AA7467D03941C45EE . 665088 . . [6.00.2900.3059] . . e:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-01-04 . 8C393DF5234CBCBFF1EE31902D6B40AE . 658944 . . [6.00.2900.3059] . . e:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2006-09-14 . 621AF3F6174A3F60677F5230E28BCC07 . 658944 . . [6.00.2900.2995] . . e:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . e:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . e:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-06-23 . 2B4DB890936430C71419037039502752 . 658944 . . [6.00.2900.2937] . . e:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . e:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-05-10 . 38AB7A56F566D9AAAD31812494944824 . 658432 . . [6.00.2900.2904] . . e:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-03-04 . C0845ECBF4F9164E618EE381B79C9032 . 663552 . . [6.00.2900.2861] . . e:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-03-04 . 1C0979C7A489BEE573CD0BF4AD94BB06 . 658432 . . [6.00.2900.2861] . . e:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2005-10-21 . E7B27B6B6E06CE34EA019FD8B858C613 . 658432 . . [6.00.2900.2781] . . e:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2005-10-21 . AF785C4947676A7FC1673FDC5C8D0B5B . 661504 . . [6.00.2900.2781] . . e:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2005-09-02 . 97A6FD7CAFD688CF2C78939EBAF0CD0C . 660480 . . [6.00.2900.2753] . . e:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-09-02 . AF61EBB1F550175EFF406D545D6AB086 . 658432 . . [6.00.2900.2753] . . e:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-07-03 . 5B5FF992C0FA762CCF8655FC290E6E52 . 658432 . . [6.00.2900.2713] . . e:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-07-03 . 6E533D155B259EB2363D3E04B5BE309F . 659456 . . [6.00.2900.2713] . . e:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2005-05-02 . E1E18136F9DD3DF1AD9C82193A5898A6 . 658944 . . [6.00.2900.2668] . . e:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-05-02 . 1A078AF3F85D10BA56444C23B3A18E74 . 657920 . . [6.00.2900.2668] . . e:\windows\$NtUninstallKB896727$\wininet.dll
[-] 2005-03-10 . 6F018D6319BE4F96426EA829B79E05D5 . 656896 . . [6.00.2900.2627] . . e:\windows\$NtUninstallKB883939$\wininet.dll
[-] 2005-03-10 . C8663B488996E89A84C3D17C1D12B79E . 657920 . . [6.00.2900.2627] . . e:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-01-27 . B5E043E440B210014E021B24CF0A72E3 . 656896 . . [6.00.2900.2577] . . e:\windows\$NtUninstallKB890923$\wininet.dll
[-] 2005-01-27 . A8EAC5330876548E9966A7D13025D196 . 657920 . . [6.00.2900.2598] . . e:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2004-09-29 . CBA65B573C66FE23F647FF96E3A10994 . 656896 . . [6.00.2900.2518] . . e:\windows\$NtUninstallKB867282$\wininet.dll
[-] 2004-09-29 . 2C07195588D69A067C2AFDAA31759295 . 656896 . . [6.00.2900.2518] . . e:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2004-08-04 . C0823FC5469663BA63E7DB88F9919D70 . 656384 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB834707$\wininet.dll

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . e:\windows\system32\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . e:\windows\system32\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-04-14 . 40E38462A91C0A92574F44D491E97EF0 . 1036288 . . [6.00.2900.5512] . . e:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . e:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . e:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . e:\windows\system32\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . e:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . e:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . e:\windows\system32\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . e:\windows\system32\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . e:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . e:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . e:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2003-03-31 . 719B05113003A1934EA25EA1FED68C85 . 159232 . . [5.1.2600.1106] . . e:\windows\$NtUninstallKB841873$\schedsvc.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . e:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . e:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . e:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . e:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . e:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\appmgmts.dll
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . e:\windows\system32\appmgmts.dll
[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\appmgmts.dll

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\agp440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . e:\windows\system32\drivers\agp440.sys
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\agp440.sys

[-] 2003-03-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . e:\windows\system32\dllcache\acpiec.sys
[-] 2003-03-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . e:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . e:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . e:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . e:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . e:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-04 05:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . e:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . e:\windows\system32\drivers\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . e:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . e:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . e:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2003-03-31 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . e:\windows\$NtUninstallKB924667$\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . e:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2003-03-31 . A81487520F11F65BF270D50EE29887B2 . 34304 . . [5.1.2600.0] . . e:\windows\$NtUninstallKB828035$\msgsvc.dll

[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . e:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . e:\windows\system32\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . e:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . e:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . e:\windows\ServicePackFiles\i386\mspmsnsv.dll

[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . e:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . e:\windows\system32\ntkrnlpa.exe
[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . e:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . e:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . e:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . e:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 515D30E2C90A3665A2739309334C9283 . 2057600 . . [5.1.2600.3093] . . e:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . e:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2005-03-02 . 81013F36B21C7F72CF784CC6731E0002 . 2056832 . . [5.1.2600.2622] . . e:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2003-03-31 . 0E8EFB15746878A9B256E75267337233 . 1947904 . . [5.1.2600.1106] . . e:\windows\$NtUninstallQ811493$\ntkrnlpa.exe

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . e:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . e:\windows\system32\ntmssvc.dll
[-] 2004-08-04 07:56 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . e:\windows\$NtServicePackUninstall$\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . e:\windows\system32\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . e:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . e:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB931261$\upnphost.dll

e:\windows\system32\svchost.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="e:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"NBJ"="e:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-27 1867776]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ADUserMon"="e:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="e:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="e:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="e:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="e:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"SoundMan"="SOUNDMAN.EXE" - e:\windows\SOUNDMAN.EXE [2003-04-24 54784]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2003-10-06 741376]
"SbUsb AudCtrl"="sbusbdll.dll" - e:\windows\system32\sbusbdll.dll [2003-03-12 64000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pBotni"= {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll [2009-03-21 32768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"e:\\Program Files\\Soulseek\\slsk.exe"=
"e:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"e:\\Program Files\\AIM\\aim.exe"=
"e:\\Program Files\\SecondLife\\SecondLife.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"e:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Program Files\\Free FTP\\FreeFTP.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=

R1 tdisp.sys;tdisp.sys;e:\windows\system32\tdisp.sys [x]
R2 gupdate1c9d3163caae506;Google Update Service (gupdate1c9d3163caae506);e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 sbusb;Sound Blaster USB Audio Driver;e:\windows\system32\DRIVERS\sbusb.sys [2003-03-25 632576]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;e:\windows\system32\DRIVERS\mrv8k51.sys [2004-01-09 256896]

.
Contents of the 'Scheduled Tasks' folder

2009-05-19 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-21 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-04 01:34]

2009-09-21 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]

2009-09-21 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: e:\windows\system32\8gfwg5qqfvsk.dll
Trusted Zone: aol.com\free
FF - ProfilePath - e:\documents and settings\St. Thomas\Application Data\Mozilla\Firefox\Profiles\mz40samm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
FF - plugin: e:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: e:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-txiimpx - e:\windows\system32\txiimpx.exe
AddRemove-DAEMON Tools Toolbar - e:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
e:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-09-21 18:44
ComboFix-quarantined-files.txt 2009-09-21 23:44

Pre-Run: 9,883,258,880 bytes free
Post-Run: 15,700,570,112 bytes free

577 --- E O F --- 2009-09-15 06:39

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 11 October 2009 - 08:55 AM

Hi,


On the non-infected system, please open Notepad, copy/paste the content of the codebox below into it, and save it as CFScript.txt on your desktop.

FCopy::
e:\windows\ServicePackFiles\i386\svchost.exe | e:\windows\system32\svchost.exe

Please put this text file onto your flash drive and place it on the desktop of the infected system.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.



Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at E:\ComboFix.txt which I will require in your next reply.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
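The Sigcheck section of the ComboFix log above lists each live system file next to its backup copies, and schrauber's FCopy line restores the missing svchost.exe from the ServicePackFiles\i386 copy. As an added example (not part of the thread and not ComboFix's own code), here is a Python parser for those Sigcheck lines that flags live files that are missing, or whose MD5 or size differs from the reference copy of the same version, and emits the matching FCopy:: block for the missing ones; the line format, the set of backup directories and the <windir>\system32 layout are assumptions inferred from the log.

```python
"""Check the live system files in a ComboFix 'Sigcheck' report against their
reference copies in ServicePackFiles\\i386. Added example, not ComboFix's own
code; the line format is inferred from the logs posted in this thread."""
import re
from collections import defaultdict

# MD5 of zero bytes: a Sigcheck line carrying it does not describe the file's
# real contents, so the comparison cannot vouch for that file at all.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# [flag] date [time] . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$")
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$")

REFERENCE_DIR = "\\servicepackfiles\\i386\\"
# Directories that hold backup or reference copies rather than the file Windows runs (assumed).
BACKUP_MARKERS = ("\\dllcache\\", "\\$nt", "\\$hf_mig$\\", "\\driver cache\\",
                  "\\registeredpackages\\", "\\servicepackfiles\\")

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE = r"""
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . e:\windows\system32\regsvc.dll
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . e:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . e:\windows\system32\drivers\aec.sys
e:\windows\system32\svchost.exe ... is missing !!
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . e:\windows\system32\lsass.exe
"""


def parse_sigcheck(text):
    """Return (entries, missing_paths); the [flag] column is kept, not interpreted."""
    entries, missing = [], []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["md5"], d["size"] = d["md5"].upper(), int(d["size"])
            entries.append(d)
        elif (m := MISSING_RE.match(line.strip())):
            missing.append(m.group("path"))
    return entries, missing


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_live(path):
    """The copy Windows actually loads: not under any backup/reference directory."""
    return not any(marker in path.lower() for marker in BACKUP_MARKERS)


def compare(text):
    """Map each file name to a verdict: ok, mismatch, missing or no-reference."""
    entries, missing = parse_sigcheck(text)
    by_name = defaultdict(list)
    for e in entries:
        by_name[basename(e["path"])].append(e)
    verdicts = {basename(p): {"verdict": "missing", "live": p} for p in missing}
    for name, group in by_name.items():
        live = next((e for e in group if is_live(e["path"])), None)
        if live is None:
            continue
        # Reference = the ServicePackFiles copy that claims the same file version.
        ref = next((e for e in group if REFERENCE_DIR in e["path"].lower()
                    and e["ver"] == live["ver"]), None)
        if ref is None:
            verdicts[name] = {"verdict": "no-reference", "live": live["path"]}
        elif live["md5"] == ref["md5"] and live["size"] == ref["size"]:
            verdicts[name] = {"verdict": "ok", "live": live["path"]}
        else:
            verdicts[name] = {"verdict": "mismatch", "live": live["path"],
                              "reference": ref["path"], "live_md5": live["md5"],
                              "ref_md5": ref["md5"],
                              "size_delta": live["size"] - ref["size"],
                              "unhashed": live["md5"] == EMPTY_MD5}
    return verdicts


def fcopy_script(verdicts):
    """Build the CFScript 'FCopy::' block restoring each missing file from its
    ServicePackFiles\\i386 copy (the repair used in this thread); assumes <windir>\\system32."""
    lines = ["FCopy::"]
    for v in sorted(verdicts.values(), key=lambda v: v["live"]):
        idx = v["live"].lower().find("\\system32\\")
        if v["verdict"] == "missing" and idx >= 0:
            ref = v["live"][:idx] + "\\ServicePackFiles\\i386\\" + v["live"].rsplit("\\", 1)[-1]
            lines.append(f"{ref} | {v['live']}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = compare(SAMPLE)
    for name, v in sorted(results.items()):
        print(f"{name:14} {v['verdict']:12} {v.get('size_delta', '')}")
    print(fcopy_script(results))
```

On the sample, lsass.exe is reported as a mismatch whose live hash is the empty-input MD5, so the check cannot vouch for that file, and the generated FCopy:: block is exactly the line schrauber posted for svchost.exe.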

#7 mr. fang

mr. fang
  • Topic Starter
  • Members
  • 25 posts

Posted 12 October 2009 - 03:04 PM

On the infected machine, no icons can be dragged, so I wasn't able to drag the script file onto ComboFix.

However, I was able to make a zip file of svchost.exe, and then I extracted a copy of it into the system32 folder.

After restarting, I now have a start button and task bar again, can now drag, copy, and paste files, and can connect to the Internet! It looks like the problems I was having were caused by svchost.exe being deleted, as theorized in my original post.

Let me know what to do next to make sure my computer is clean.

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 12 October 2009 - 04:03 PM

Hi,

sounds good :(


Please delete your copy of ComboFix from your Desktop.




Step 1

Download LSPFix and save it to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of 8gfwg5qqfvsk.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Now please reboot your system!
For instructions with screen shots, see the "Using LSP-Fix Tutorial".

Step 2

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#9 mr. fang

mr. fang
  • Topic Starter
  • Members
  • 25 posts

Posted 12 October 2009 - 05:01 PM

Followed all steps as directed.

ComboFix 09-10-11.03 - St. Thomas 10/12/2009 16:53.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.176 [GMT -5:00]
Running from: e:\documents and settings\St. Thomas\Desktop\schrauber.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-12 19:57 . 2008-04-14 00:12 14336 -c--a-w- e:\windows\system32\dllcache\svchost.exe
2009-10-12 19:57 . 2008-04-14 00:12 14336 ----a-w- e:\windows\system32\svchost.exe
2009-10-11 01:22 . 2009-10-11 03:52 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\vlc
2009-10-11 01:22 . 2009-10-11 01:22 -------- d-----w- e:\program files\VideoLAN
2009-09-22 02:02 . 2009-09-22 02:02 -------- d-----w- e:\windows\system32\CatRoot_bak
2009-09-22 00:05 . 2009-09-22 00:05 -------- d-----w- e:\program files\Trend Micro
2009-09-21 23:37 . 2008-04-14 00:12 39424 ----a-w- e:\windows\system32\grpconv.exe
2009-09-21 23:30 . 2009-09-21 23:44 -------- d-----w- E:\Combo-Fix
2009-09-21 23:20 . 2009-09-10 19:54 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 23:20 . 2009-09-10 19:53 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-21 23:16 . 2009-09-21 23:16 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\documents and settings\St. Thomas\Local Settings\Application Data\TouchStoneSoftware
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\program files\TouchStoneSoftware
2009-09-21 20:59 . 2009-09-21 20:59 286720 --sha-r- e:\windows\system32\8gfwg5qqfvsk.dll
2009-09-21 20:27 . 2009-06-19 08:20 67208 ----a-w- e:\windows\UnDeploy.exe
2009-09-21 20:20 . 2009-09-21 20:20 -------- d-----w- e:\documents and settings\All Users\Application Data\TEMP
2009-09-21 08:57 . 2009-09-21 08:57 -------- d-----w- e:\windows\MjM Free Photo Recovery Software
2009-09-21 07:09 . 2009-09-21 07:09 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\PandoraRecovery
2009-09-21 07:09 . 2009-09-21 07:16 -------- d-----w- e:\program files\Pandora Recovery
2009-09-21 07:02 . 2009-09-21 07:02 -------- d-----w- e:\program files\Recuva
2009-09-21 06:25 . 2009-09-21 06:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Cached Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 20:15 . 2004-07-29 23:43 -------- d-----w- e:\program files\Google
2009-10-12 20:00 . 2008-07-18 23:18 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-10-10 18:07 . 2005-06-28 23:52 -------- d-----w- e:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 14:46 . 2004-08-24 18:30 -------- d-----w- e:\program files\Soulseek
2009-09-16 04:20 . 2004-08-04 05:39 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\Canon
2009-09-02 01:50 . 2004-08-04 05:36 -------- d-----w- e:\program files\Canon
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\documents and settings\All Users\Application Data\CanonBJ
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\program files\CanonBJ
2009-08-05 09:01 . 2004-08-28 00:31 204800 ----a-w- e:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- e:\windows\system32\atl.dll
.

------- Sigcheck -------

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . e:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . e:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\services.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . e:\windows\system32\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . e:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . e:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB896423$\spoolsv.exe

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . e:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 1036288 . . [6.00.2900.5512] . . e:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . e:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . e:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.37.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-06 05:18 . 2009-03-24 01:27 84661 e:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-12-06 05:18 . 2009-10-12 21:45 84661 e:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2003-03-31 12:00 . 2008-04-13 18:40 36352 e:\windows\system32\drivers\disk.sys
- 2003-03-31 12:00 . 2008-04-13 18:40 36352 e:\windows\system32\drivers\disk.sys
+ 2004-07-28 07:07 . 2009-10-12 19:59 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-07-28 07:07 . 2009-09-21 22:53 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-07-28 07:07 . 2009-09-21 22:53 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-07-28 07:07 . 2009-10-12 19:59 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-22 00:00 . 2009-10-12 19:59 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-07-28 07:07 . 2009-09-21 22:53 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-12 20:15 . 2009-10-12 20:15 25214 e:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-10-12 20:15 . 2009-10-12 20:15 25214 e:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\ARPPRODUCTICON.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 e:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-10-12 20:15 . 2009-10-12 20:15 914944 e:\windows\Installer\eb91d.msi
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 e:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="e:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"NBJ"="e:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-27 1867776]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ADUserMon"="e:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="e:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="e:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="e:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="e:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"SoundMan"="SOUNDMAN.EXE" - e:\windows\SOUNDMAN.EXE [2003-04-24 54784]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2003-10-06 741376]
"SbUsb AudCtrl"="sbusbdll.dll" - e:\windows\system32\sbusbdll.dll [2003-03-12 64000]

e:\documents and settings\St. Thomas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-7-30 113664]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-7-30 113664]
D-Link AirPlus G Configuration Utility.lnk - e:\program files\D-Link AirPlus G\AirPlus.exe [2005-3-12 294912]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pBotni"= {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll [2009-03-21 32768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"e:\\Program Files\\Soulseek\\slsk.exe"=
"e:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"e:\\Program Files\\AIM\\aim.exe"=
"e:\\Program Files\\SecondLife\\SecondLife.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"e:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Program Files\\Free FTP\\FreeFTP.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=

R3 W8100PCI;D-Link AirPlus G Wireless Driver;e:\windows\system32\drivers\mrv8k51.sys [3/12/2005 4:09 PM 256896]
S1 tdisp.sys;tdisp.sys;\??\e:\windows\system32\tdisp.sys --> e:\windows\system32\tdisp.sys [?]
S2 gupdate1c9d3163caae506;Google Update Service (gupdate1c9d3163caae506);e:\program files\Google\Update\GoogleUpdate.exe [5/12/2009 10:28 AM 133104]
S3 sbusb;Sound Blaster USB Audio Driver;e:\windows\system32\drivers\sbusb.sys [2/13/2005 3:01 PM 632576]
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-12 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-04 01:34]

2009-10-12 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]

2009-10-12 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - e:\documents and settings\St. Thomas\Application Data\Mozilla\Firefox\Profiles\mz40samm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
FF - plugin: e:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 16:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1220)
e:\program files\Iomega\DriveIcons\IMGHOOK.DLL
.
Completion time: 2009-10-12 16:59
ComboFix-quarantined-files.txt 2009-10-12 21:59
ComboFix2.txt 2009-09-21 23:44

Pre-Run: 15,243,522,048 bytes free
Post-Run: 15,212,036,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

208 --- E O F --- 2009-09-15 06:39

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 October 2009 - 11:27 PM

Hi,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
e:\windows\system32\8gfwg5qqfvsk.dll
e:\documents and settings\St. Thomas\lawwbyp.exe
e:\windows\system32\tdisp.sys


FCopy::
e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe | e:\windows\system32\services.exe
e:\windows\ServicePackFiles\i386\winlogon.exe | e:\windows\system32\winlogon.exe
e:\windows\ServicePackFiles\i386\explorer.exe | e:\windows\explorer.exe
e:\windows\ServicePackFiles\i386\lsass.exe | e:\windows\system32\lsass.exe
e:\windows\ServicePackFiles\i386\spoolsv.exe | e:\windows\system32\spoolsv.exe

RegLockDel::
[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%]

Driver::
tdisp.sys

Save this as CFScript.txt, in the same location as schrauber.exe


Posted Image

Referring to the picture above, drag CFScript into schrauber.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please update your version of Malwarebytes and run a quickscan, post back with the content of the logfile.

Step 3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post back with:
  • Combofix-Logfile
  • Malwarebytes-Logfile
  • Both RSIT-Logfiles

Edited by schrauber, 13 October 2009 - 11:28 PM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
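The FCopy:: lines above follow a pattern visible in the ComboFix Sigcheck report: each live system file is flagged [-] with MD5 D41D8CD98F00B204E9800998ECF8427E (the hash of empty input) and is larger than the [7]-verified copy of the same version kept in ServicePackFiles or $hf_mig$. The script below is an added example, not ComboFix's or schrauber's code; it parses a Sigcheck section, reports the tampered live copies, and derives the donor-to-target pairs. The line-layout regex is an assumption based on the Sigcheck lines quoted in this thread, and the sample input is copied from the report posted later in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# MD5 of zero bytes. Every [-] live system file in this thread's Sigcheck report
# carried exactly this value, so it is the marker we search for.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Assumed line layout, derived from the Sigcheck lines quoted in the thread:
# [flag] date . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str      # "7" = verified by ComboFix's signature check, "-" = not verified
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def verified(self) -> bool:
        return self.flag == "7"


def parse_sigcheck(text: str) -> list:
    """Parse the Sigcheck section of a ComboFix log; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            g = m.groupdict()
            entries.append(SigEntry(g["flag"], g["date"], g["md5"].upper(),
                                    int(g["size"]), g["version"], g["path"]))
    return entries


def find_corrupted(entries: list) -> list:
    """Unverified entries hashing to the empty-input MD5: the live copies that were tampered with.
    An unverified entry with a real hash (e.g. an old $hf_mig$ backup) is not reported."""
    return [e for e in entries if not e.verified and e.md5 == EMPTY_MD5]


def plan_fcopy(entries: list) -> dict:
    """Pair each corrupted file with the first verified donor of the same name and version.
    Returns {"fcopy": [(donor, target), ...], "unresolved": [target, ...]}."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    fcopy, unresolved = [], []
    for bad in find_corrupted(entries):
        donors = [e for e in by_name[bad.name]
                  if e.verified and e.version == bad.version
                  and e.path.lower() != bad.path.lower()]
        if donors:
            fcopy.append((donors[0].path, bad.path))
        else:
            unresolved.append(bad.path)
    return {"fcopy": fcopy, "unresolved": unresolved}


def render_fcopy(plan: dict) -> str:
    """Render the FCopy:: block in the CFScript syntax used in this thread."""
    lines = ["FCopy::"]
    lines += [f"{src} | {dst}" for src, dst in plan["fcopy"]]
    return "\n".join(lines)


# Sample input copied from the Sigcheck report posted later in this thread.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . e:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . e:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\services.exe

[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 1033728 . . [6.00.2900.5512] . . e:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\system32\dllcache\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . e:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
"""

if __name__ == "__main__":
    entries = parse_sigcheck(SAMPLE_SIGCHECK)
    for bad in find_corrupted(entries):
        print(f"corrupted: {bad.path} ({bad.size} bytes, version {bad.version})")
    print(render_fcopy(plan_fcopy(entries)))
```

Run against the sample it reproduces the three matching FCopy pairs from the script above (lsass.exe and explorer.exe from ServicePackFiles, services.exe from the KB956572 $hf_mig$ copy) and leaves the old SP2QFE explorer.exe alone because its hash is real.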

#11 mr. fang

mr. fang
  • Topic Starter

  • Members
  • 25 posts

Posted 13 October 2009 - 11:49 PM

Before I do this, I need clarification about this line:

RegLockDel::
[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%]

I'm not sure my browser is displaying the proper character after \FileExts\.*<%

This character is something I don't know how to type.

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 14 October 2009 - 12:02 AM

Hi,

No need to type it, only Copy and Paste it into your notepad :(.
regards,
schrauber


#13 mr. fang

mr. fang
  • Topic Starter

  • Members
  • 25 posts

Posted 14 October 2009 - 12:49 AM

#1 (ComboFix log):

ComboFix 09-10-13.01 - St. Thomas 10/14/2009 0:13.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.231 [GMT -5:00]
Running from: e:\documents and settings\St. Thomas\Desktop\schrauber.exe
Command switches used :: e:\documents and settings\St. Thomas\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"e:\documents and settings\St. Thomas\lawwbyp.exe"
"e:\windows\system32\8gfwg5qqfvsk.dll"
"e:\windows\system32\tdisp.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\8gfwg5qqfvsk.dll

.
--------------- FCopy ---------------

e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe --> e:\windows\system32\services.exe
e:\windows\ServicePackFiles\i386\winlogon.exe --> e:\windows\system32\winlogon.exe
e:\windows\ServicePackFiles\i386\explorer.exe --> e:\windows\explorer.exe
e:\windows\ServicePackFiles\i386\lsass.exe --> e:\windows\system32\lsass.exe
e:\windows\ServicePackFiles\i386\spoolsv.exe --> e:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDISP.SYS
-------\Service_tdisp.sys


((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-14 05:01 . 2009-10-14 05:01 -------- d-----w- e:\program files\Stellar Phoenix Photo Recovery
2009-10-12 19:57 . 2008-04-14 00:12 14336 -c--a-w- e:\windows\system32\dllcache\svchost.exe
2009-10-12 19:57 . 2008-04-14 00:12 14336 ------w- e:\windows\system32\svchost.exe
2009-10-11 01:22 . 2009-10-11 03:52 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\vlc
2009-10-11 01:22 . 2009-10-11 01:22 -------- d-----w- e:\program files\VideoLAN
2009-09-22 02:02 . 2009-09-22 02:02 -------- d-----w- e:\windows\system32\CatRoot_bak
2009-09-22 00:05 . 2009-09-22 00:05 -------- d-----w- e:\program files\Trend Micro
2009-09-21 23:37 . 2008-04-14 00:12 39424 ----a-w- e:\windows\system32\grpconv.exe
2009-09-21 23:30 . 2009-09-21 23:44 -------- d-----w- E:\Combo-Fix
2009-09-21 23:20 . 2009-09-10 19:54 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-09-21 23:20 . 2009-09-21 23:20 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 23:20 . 2009-09-10 19:53 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-21 23:16 . 2009-09-21 23:16 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\documents and settings\St. Thomas\Local Settings\Application Data\TouchStoneSoftware
2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- e:\program files\TouchStoneSoftware
2009-09-21 20:27 . 2009-06-19 08:20 67208 ----a-w- e:\windows\UnDeploy.exe
2009-09-21 20:20 . 2009-10-14 05:01 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-09-21 08:57 . 2009-09-21 08:57 -------- d-----w- e:\windows\MjM Free Photo Recovery Software
2009-09-21 07:09 . 2009-09-21 07:09 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\PandoraRecovery
2009-09-21 07:09 . 2009-09-21 07:16 -------- d-----w- e:\program files\Pandora Recovery
2009-09-21 07:02 . 2009-09-21 07:02 -------- d-----w- e:\program files\Recuva
2009-09-21 06:25 . 2009-09-21 06:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Cached Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 04:59 . 2008-07-18 23:18 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-10-12 20:15 . 2004-07-29 23:43 -------- d-----w- e:\program files\Google
2009-10-10 18:07 . 2005-06-28 23:52 -------- d-----w- e:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 14:46 . 2004-08-24 18:30 -------- d-----w- e:\program files\Soulseek
2009-09-16 04:20 . 2004-08-04 05:39 -------- d-----w- e:\documents and settings\St. Thomas\Application Data\Canon
2009-09-02 01:50 . 2004-08-04 05:36 -------- d-----w- e:\program files\Canon
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\documents and settings\All Users\Application Data\CanonBJ
2009-09-02 01:48 . 2009-09-02 01:48 -------- d--h--w- e:\program files\CanonBJ
2009-08-05 09:01 . 2004-08-28 00:31 204800 ----a-w- e:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- e:\windows\system32\atl.dll
.

------- Sigcheck -------

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . e:\windows\system32\lsass.exe
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . e:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\services.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . e:\windows\system32\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . e:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . e:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . e:\windows\$NtUninstallKB896423$\spoolsv.exe

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . e:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . e:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . e:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 1033728 . . [6.00.2900.5512] . . e:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . e:\windows\system32\dllcache\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . e:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . e:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . e:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.37.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-06 05:18 . 2009-10-12 21:45 84661 e:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2007-12-06 05:18 . 2009-03-24 01:27 84661 e:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2003-03-31 12:00 . 2008-04-13 18:40 36352 e:\windows\system32\drivers\disk.sys
- 2003-03-31 12:00 . 2008-04-13 18:40 36352 e:\windows\system32\drivers\disk.sys
+ 2004-07-28 07:07 . 2009-10-12 19:59 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-07-28 07:07 . 2009-09-21 22:53 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-07-28 07:07 . 2009-10-12 19:59 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-07-28 07:07 . 2009-09-21 22:53 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-12 20:15 . 2009-10-12 20:15 25214 e:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-10-12 20:15 . 2009-10-12 20:15 25214 e:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\ARPPRODUCTICON.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 e:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-10-12 20:15 . 2009-10-12 20:15 914944 e:\windows\Installer\eb91d.msi
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 e:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="e:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"NBJ"="e:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-27 1867776]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ADUserMon"="e:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="e:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="e:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="e:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="e:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"SoundMan"="SOUNDMAN.EXE" - e:\windows\SOUNDMAN.EXE [2003-04-24 54784]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2003-10-06 741376]
"SbUsb AudCtrl"="sbusbdll.dll" - e:\windows\system32\sbusbdll.dll [2003-03-12 64000]

e:\documents and settings\St. Thomas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-7-30 113664]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-7-30 113664]
D-Link AirPlus G Configuration Utility.lnk - e:\program files\D-Link AirPlus G\AirPlus.exe [2005-3-12 294912]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pBotni"= {303D8D40-9A97-27EA-1118-5E8061B4C972} - e:\windows\system32\smba.dll [2009-03-21 32768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"e:\\Program Files\\Soulseek\\slsk.exe"=
"e:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"e:\\Program Files\\AIM\\aim.exe"=
"e:\\Program Files\\SecondLife\\SecondLife.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"e:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Program Files\\Free FTP\\FreeFTP.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=

R3 W8100PCI;D-Link AirPlus G Wireless Driver;e:\windows\system32\drivers\mrv8k51.sys [3/12/2005 4:09 PM 256896]
S2 gupdate1c9d3163caae506;Google Update Service (gupdate1c9d3163caae506);e:\program files\Google\Update\GoogleUpdate.exe [5/12/2009 10:28 AM 133104]
S3 sbusb;Sound Blaster USB Audio Driver;e:\windows\system32\drivers\sbusb.sys [2/13/2005 3:01 PM 632576]
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-14 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-04 01:34]

2009-10-14 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]

2009-10-12 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
Trusted Zone: aol.com\free
FF - ProfilePath - e:\documents and settings\St. Thomas\Application Data\Mozilla\Firefox\Profiles\mz40samm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
FF - plugin: e:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 00:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1214440339-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*^%\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3676)
e:\program files\Iomega\DriveIcons\IMGHOOK.DLL
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\rundll32.exe
e:\windows\system32\rundll32.exe
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\windows\system32\CTSVCCDA.EXE
e:\progra~1\Iomega\System32\AppServices.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\wdfmgr.exe
e:\windows\system32\MsPMSPSv.exe
e:\program files\Iomega\AutoDisk\ADService.exe
e:\program files\iPod\bin\iPodService.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-14 0:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 05:24
ComboFix2.txt 2009-10-12 21:59
ComboFix3.txt 2009-09-21 23:44

Pre-Run: 15,172,255,744 bytes free
Post-Run: 15,052,099,584 bytes free

241 --- E O F --- 2009-09-15 06:39

#2 (Malwarebytes' Anti-Malware log):

Malwarebytes' Anti-Malware 1.41
Database version: 2955
Windows 5.1.2600 Service Pack 3

10/14/2009 12:45:00 AM
mbam-log-2009-10-14 (00-44-56).txt

Scan type: Quick Scan
Objects scanned: 94097
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{303d8d40-9a97-27ea-1118-5e8061b4c972} (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pbotni (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\smba.dll (Trojan.Downloader) -> No action taken.

#3 (RSIT log.txt):
Logfile of random's system information tool 1.06 (written by random/random)
Run by St. Thomas at 2009-10-14 00:45:40
Microsoft Windows XP Professional Service Pack 3
System drive E: has 14 GB (6%) free of 238 GB
Total RAM: 511 MB (32% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:42 AM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\DAEMON Tools Lite\daemon.exe
E:\Program Files\D-Link AirPlus G\AirPlus.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\PROGRA~1\Iomega\System32\AppServices.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Iomega\AutoDisk\ADService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\St. Thomas\Desktop\RSIT.exe
E:\Program Files\Trend Micro\HijackThis\St. Thomas.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://gmail.google.com/?dest=http%3A%2F%2...gle.com%2Fgmail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] E:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] E:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] "E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: pBotni - {303D8D40-9A97-27EA-1118-5E8061B4C972} - E:\WINDOWS\system32\smba.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9d3163caae506) (gupdate1c9d3163caae506) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - E:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - E:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 7134 bytes

======Scheduled tasks folder======

E:\WINDOWS\tasks\AppleSoftwareUpdate.job
E:\WINDOWS\tasks\Google Software Updater.job
E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
E:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - E:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-13 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-04-03 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=E:\WINDOWS\SOUNDMAN.EXE [2003-04-24 54784]
"NvCplDaemon"=E:\WINDOWS\System32\NvCpl.dll [2003-10-06 5058560]
"nwiz"=nwiz.exe /install []
"NeroFilterCheck"=E:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"ADUserMon"=E:\Program Files\Iomega\AutoDisk\ADUserMon.exe [2002-09-24 147456]
"Iomega Drive Icons"=E:\Program Files\Iomega\DriveIcons\ImgIcon.exe [2002-08-13 86016]
"Deskup"=E:\Program Files\Iomega\DriveIcons\deskup.exe [2002-07-16 32768]
"CTSysVol"=E:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe [2003-02-17 53248]
"SbUsb AudCtrl"=RunDll32 sbusbdll.dll,RCMonitor []
"UpdReg"=E:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"SunJavaUpdateSched"=E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"iTunesHelper"=E:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]
"QuickTime Task"=E:\Program Files\QuickTime\QTTask.exe [2007-10-19 286720]
"CanonSolutionMenu"=E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-10-25 652624]
"CanonMyPrinter"=E:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-09-13 1603152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"=E:\WINDOWS\System32\NVMCTRAY.DLL [2003-10-06 49152]
"NBJ"=E:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-07-26 1867776]
"swg"=E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-04 68856]
"DAEMON Tools Lite"=E:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
D-Link AirPlus G Configuration Utility.lnk - E:\Program Files\D-Link AirPlus G\AirPlus.exe
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE

E:\Documents and Settings\St. Thomas\Start Menu\Programs\Startup
Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
E:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
pBotni - {303D8D40-9A97-27EA-1118-5E8061B4C972} - E:\WINDOWS\system32\smba.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Program Files\Real\RealOne Player\realplay.exe"="E:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player"
"E:\Program Files\Soulseek\slsk.exe"="E:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"E:\Program Files\QuickTime\QuickTimePlayer.exe"="E:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"E:\Program Files\Yahoo!\Messenger\YPager.exe"="E:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"E:\Program Files\Yahoo!\Messenger\YServer.exe"="E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\Program Files\AIM\aim.exe"="E:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\Program Files\BitTorrent\btdownloadgui.exe"="E:\Program Files\BitTorrent\btdownloadgui.exe:LocalSubNet:Enabled:btdownloadgui"
"E:\Program Files\SecondLife\SecondLife.exe"="E:\Program Files\SecondLife\SecondLife.exe:*:Enabled:Second Life"
"E:\Program Files\Mozilla Firefox\firefox.exe"="E:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"E:\Program Files\Common Files\AOL\Loader\aolload.exe"="E:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"E:\Program Files\DC++\DCPlusPlus.exe"="E:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\AIM6\aim6.exe"="E:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"E:\Program Files\Free FTP\FreeFTP.exe"="E:\Program Files\Free FTP\FreeFTP.exe:*:Enabled:Free FTP "
"E:\Program Files\Bonjour\mDNSResponder.exe"="E:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\Program Files\iTunes\iTunes.exe"="E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-14 00:45:40 ----D---- E:\rsit
2009-10-14 00:26:56 ----D---- E:\Documents and Settings\St. Thomas\Application Data\Malwarebytes
2009-10-14 00:25:12 ----D---- E:\WINDOWS\temp
2009-10-14 00:25:10 ----A---- E:\ComboFix.txt
2009-10-14 00:22:19 ----SHD---- E:\RECYCLER
2009-10-14 00:01:13 ----D---- E:\Program Files\Stellar Phoenix Photo Recovery
2009-10-12 16:51:38 ----A---- E:\Boot.bak
2009-10-12 16:51:31 ----RASHD---- E:\cmdcons
2009-10-12 16:50:15 ----A---- E:\WINDOWS\zip.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\SWXCACLS.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\SWSC.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\SWREG.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\sed.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\PEV.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\NIRCMD.exe
2009-10-12 16:50:15 ----A---- E:\WINDOWS\grep.exe
2009-10-12 14:57:01 ----N---- E:\WINDOWS\system32\svchost.exe
2009-10-10 20:22:58 ----D---- E:\Documents and Settings\St. Thomas\Application Data\vlc
2009-10-10 20:22:10 ----D---- E:\Program Files\VideoLAN
2009-10-10 13:15:41 ----A---- E:\WINDOWS\WORDPAD.INI
2009-09-21 22:26:16 ----A---- E:\RootRepeal report 09-21-09 (22-26-16).txt
2009-09-21 21:02:52 ----D---- E:\WINDOWS\system32\CatRoot_bak
2009-09-21 19:05:16 ----D---- E:\Program Files\Trend Micro
2009-09-21 18:37:39 ----A---- E:\WINDOWS\system32\grpconv.exe
2009-09-21 18:30:44 ----D---- E:\WINDOWS\ERDNT
2009-09-21 18:30:44 ----D---- E:\Combo-Fix
2009-09-21 18:30:23 ----D---- E:\Qoobox
2009-09-21 18:20:18 ----D---- E:\Program Files\Malwarebytes' Anti-Malware
2009-09-21 18:20:18 ----D---- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-21 18:16:43 ----HDC---- E:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 16:15:18 ----D---- E:\Program Files\TouchStoneSoftware
2009-09-21 15:27:25 ----A---- E:\WINDOWS\UnDeploy.exe
2009-09-21 15:20:42 ----AD---- E:\Documents and Settings\All Users\Application Data\TEMP
2009-09-21 03:57:08 ----D---- E:\WINDOWS\MjM Free Photo Recovery Software
2009-09-21 03:56:52 ----A---- E:\WINDOWS\MjM Free Photo Recovery Software Setup Log.txt
2009-09-21 02:09:43 ----D---- E:\Documents and Settings\St. Thomas\Application Data\PandoraRecovery
2009-09-21 02:09:39 ----D---- E:\Program Files\Pandora Recovery
2009-09-21 02:02:43 ----D---- E:\Program Files\Recuva
2009-09-21 01:25:30 ----D---- E:\Documents and Settings\All Users\Application Data\Cached Installations
2009-09-21 01:14:17 ----A---- E:\WINDOWS\RECMGRUN.INI
2009-09-21 01:14:17 ----A---- E:\WINDOWS\ONFORMAT.INI
2009-09-21 01:13:53 ----A---- E:\WINDOWS\RECVCALL.INI
2009-09-15 01:37:51 ----HDC---- E:\WINDOWS\$NtUninstallKB968816_WM9$
2009-09-15 01:37:47 ----HDC---- E:\WINDOWS\$NtUninstallKB956844$
2009-09-15 01:37:40 ----HDC---- E:\WINDOWS\$NtUninstallKB971961$

======List of files/folders modified in the last 1 months======

2009-10-14 00:42:14 ----D---- E:\Program Files\Mozilla Firefox
2009-10-14 00:27:05 ----D---- E:\WINDOWS\Prefetch
2009-10-14 00:25:13 ----D---- E:\WINDOWS\system32\drivers
2009-10-14 00:25:13 ----D---- E:\WINDOWS\system32
2009-10-14 00:25:12 ----D---- E:\WINDOWS
2009-10-14 00:22:56 ----D---- E:\WINDOWS\system32\CatRoot2
2009-10-14 00:21:30 ----SD---- E:\WINDOWS\Tasks
2009-10-14 00:21:00 ----A---- E:\WINDOWS\system.ini
2009-10-14 00:19:10 ----D---- E:\WINDOWS\system32\config
2009-10-14 00:16:04 ----D---- E:\WINDOWS\AppPatch
2009-10-14 00:16:00 ----D---- E:\Program Files\Common Files
2009-10-14 00:13:18 ----RSHDC---- E:\WINDOWS\system32\dllcache
2009-10-14 00:11:58 ----A---- E:\WINDOWS\SchedLgU.Txt
2009-10-14 00:01:13 ----RD---- E:\Program Files
2009-10-13 23:59:17 ----D---- E:\Documents and Settings\All Users\Application Data\Google Updater
2009-10-12 16:51:38 ----RASH---- E:\boot.ini
2009-10-12 15:15:25 ----SHD---- E:\WINDOWS\Installer
2009-10-12 15:15:07 ----D---- E:\Program Files\Google
2009-10-10 14:38:12 ----A---- E:\WINDOWS\NeroDigital.ini
2009-10-10 13:07:13 ----D---- E:\Documents and Settings\All Users\Application Data\Viewpoint
2009-10-06 19:20:31 ----HD---- E:\WINDOWS\inf
2009-09-21 21:01:39 ----AC---- E:\WINDOWS\ntbtlog.txt
2009-09-21 18:37:24 ----D---- E:\WINDOWS\system32\wbem
2009-09-17 09:46:37 ----D---- E:\Program Files\Soulseek
2009-09-15 23:20:03 ----D---- E:\Documents and Settings\St. Thomas\Application Data\Canon
2009-09-15 01:37:53 ----A---- E:\WINDOWS\imsins.BAK
2009-09-15 01:37:46 ----HD---- E:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; E:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; E:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R2 PfModNT;PfModNT; \??\E:\WINDOWS\system32\PfModNT.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); E:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-25 730092]
R3 Arp1394;1394 ARP Client Protocol; E:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 catchme;catchme; \??\E:\schrauber\catchme.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; E:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 NIC1394;1394 Net Driver; E:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; E:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
R3 pfc;Padus ASPI Shell; E:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 SMBios;Intel ® System Managment BIOS Service; E:\WINDOWS\System32\DRIVERS\SMBios.sys [2003-06-17 35012]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; E:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 W8100PCI;D-Link AirPlus G Wireless Driver; E:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-01-08 256896]
S3 61883;61883 Unit Device; E:\WINDOWS\System32\DRIVERS\61883.sys [2008-04-13 48128]
S3 apfo6zoz;apfo6zoz; E:\WINDOWS\system32\drivers\apfo6zoz.sys []
S3 Avc;AVC Device; E:\WINDOWS\System32\DRIVERS\avc.sys [2008-04-13 38912]
S3 CCDECODE;Closed Caption Decoder; E:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 E100B;Intel® PRO Adapter Driver; E:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
S3 HidUsb;Microsoft HID Class Driver; E:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 MSDV;Microsoft DV Camera and VCR; E:\WINDOWS\System32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; E:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; E:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; E:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 OVT511Plus;EZCam II OV6620 PC Camera; E:\WINDOWS\System32\Drivers\omcamvid.sys [2001-04-24 162969]
S3 sbusb;Sound Blaster USB Audio Driver; E:\WINDOWS\system32\DRIVERS\sbusb.sys [2003-03-25 632576]
S3 SLIP;BDA Slip De-Framer; E:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); E:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; E:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); E:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; E:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; E:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; E:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; E:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 _IOMEGA_ACTIVE_DISK_SERVICE_;Iomega Active Disk; E:\Program Files\Iomega\AutoDisk\ADService.exe [2002-09-24 151552]
R2 Apple Mobile Device;Apple Mobile Device; E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
R2 Bonjour Service;Bonjour Service; E:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; E:\WINDOWS\system32\CTsvcCDA.exe [1999-12-13 44032]
R2 Iomega App Services;Iomega App Services; E:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\System32\nvsvc32.exe [2003-10-06 81920]
R2 UMWdf;Windows User Mode Driver Framework; E:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; E:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
R3 iPod Service;iPod Service; E:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S2 gupdate1c9d3163caae506;Google Update Service (gupdate1c9d3163caae506); E:\Program Files\Google\Update\GoogleUpdate.exe [2009-05-12 133104]
S2 gusvc;Google Software Updater; E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 183280]
S3 Adobe LM Service;Adobe LM Service; E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-09-27 72704]
S3 IDriverT;InstallDriver Table Manager; E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------

#4 (RSIT info.txt):

info.txt logfile of random's system information tool 1.06 2009-10-14 00:45:45

======Uninstall list======

-->"E:\Program Files\Creative\Sound Blaster\Program\Ctzapxx.EXE" SBUSB.INI /U /S
-->E:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{1A6AAC11-0860-11D7-908C-00A0C98173F1}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{1A6AAC11-0860-11D7-908C-00A0C98173F1}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
Ableton Live v5.0.3-->E:\PROGRA~1\Ableton\LIVE50~1.3\UNWISE.EXE E:\PROGRA~1\Ableton\LIVE50~1.3\INSTALL.LOG
Active Disk-->E:\WINDOWS\unvise32.exe E:\Program Files\Iomega\AutoDisk\uninstal.log
Ad-Aware SE Personal-->E:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE E:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Audition 2.0-->msiexec /I {01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}
Adobe Bridge 1.0-->MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Encore DVD 1.0-->RunDll32 "E:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "E:\Program Files\InstallShield Installation Information\{F2CF483C-7EEE-4B64-A730-14F83CD5AFFE}\setup.exe"
Adobe Flash Player 10 Plugin-->E:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop 7.0-->E:\WINDOWS\ISUNINST.EXE -f"E:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"E:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Premiere 6.0-->E:\WINDOWS\UNINST.EXE -f"E:\Program Files\Adobe\Premiere 6.0\DeIsL1.isu" -c"E:\Program Files\Adobe\Premiere 6.0\Uninst.dll"
Advanced RealMedia Export Plug-in for Premiere 6.0-->E:\Program Files\Adobe\Premiere 6.0\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
AIM 6-->E:\Program Files\AIM6\uninst.exe
AOL Instant Messenger-->E:\Program Files\AIM\uninstll.exe -LOG= E:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
BitTorrent 4.0.1-->"E:\Program Files\BitTorrent\uninstall.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Canon Camera Support Core Library-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5662C158-CA24-4228-BF6C-596FADA08682} /l1033
Canon Camera Window DS for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7B847C9D-6758-45E6-B598-3BD8F43EAE9E}
Canon Camera Window DVC for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A70D14C6-FF2C-4B8E-A643-7E74EC607614}
Canon Camera Window for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E73534D5-CC93-4C63-9072-5A9734255C74}
Canon CanoScan Toolbox 4.1-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9
Canon EOS Kiss_N REBEL_XT 350D WIA Driver-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}
Canon iP2600 series User Registration-->E:\Program Files\Canon\IJEREG\iP2600 series\UNINST.EXE
Canon iP2600 series-->"E:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2600_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2600_series /L0x0009
Canon My Printer-->E:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon PhotoRecord-->MsiExec.exe /X{862983D7-FA08-493E-A9ED-6B7859E069D3}
Canon RAW Image Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A0F34E4E-25F0-4B68-AE8F-EF0C15CB1FED}
Canon RemoteCapture Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Digital Photo Professional 1.6-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1261B07E-88EB-42ED-B356-3D921EE91D90}
Canon Utilities Easy-PhotoPrint EX-->E:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities EOS Capture 1.3-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{16480125-0428-4097-9A2A-74464004D169}
Canon Utilities PhotoStitch 3.1-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon Utilities Solution Menu-->E:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CDex extraction audio-->"E:\Program Files\CDex_150\uninstall.exe"
Cleaner 5 EZ-->E:\WINDOWS\unvise32.exe E:\Program Files\Cleaner 5 EZ\uninstal.log
Creative MediaSource-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
CuteFTP 5.0 XP-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{18DF995F-2ACC-47E4-A33B-A703F4D39E92}\IS6.exe" -l0x9 /l0009 UNINSTALL
DC++ 0.706-->"E:\Program Files\DC++\uninstall.exe"
DiscWizard for Windows-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}\Setup.exe"
D-Link AirPlus G Wireless LAN Adapter-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{B5749E57-AD4A-4B1B-ABC5-885FDBC286C9}\Setup.exe" -l0x9
DVD Decrypter (Remove Only)-->"E:\Program Files\DVD Decrypter\uninstall.exe"
EZCam II OV6620 PC Camera-->MsiExec.exe /X{3AAE03DE-6154-4D91-93EF-F6922A79581F}
FLAC Installer 1.1.1a (remove only)-->E:\Program Files\FLAC\uninstall.exe
Free FTP-->RunDll32 syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 132 E:\WINDOWS\INF\freeftp.inf
Gallery Remote-->"E:\Program Files\Gallery Remote\UninstallerData\Uninstall gallery_remote.exe"
Google Earth Plug-in-->MsiExec.exe /X{FE24D361-A3E8-11DE-88F3-005056806466}
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Toolbar for Internet Explorer-->"E:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"E:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Google Video Uploader-->"E:\Program Files\Google Video\Uninstall.exe"
HijackThis 2.0.2-->"E:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"E:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"E:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Intel Application Accelerator-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
IomegaWare 4.0.2-->E:\WINDOWS\unvise32.exe E:\Program Files\Iomega\uninstal.log
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
J2SE Runtime Environment 5.0 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Macromedia Shockwave Player-->E:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE E:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"E:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Data Access Components KB870669-->E:\WINDOWS\muninst.exe E:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
MjM Free Photo Recovery Software-->"E:\WINDOWS\MjM Free Photo Recovery Software\uninstall.exe" "/U:E:\Program Files\MjM Free Photo Recovery Software\Uninstall\uninstall.xml"
Mozilla Firefox (3.0.14)-->E:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Native Instruments Traktor DJ Studio v3.0.2.098-->E:\PROGRA~1\NATIVE~1\TRAKTO~1\UNWISE.EXE E:\PROGRA~1\NATIVE~1\TRAKTO~1\INSTALL.LOG
Nero 6 Ultra Edition-->E:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2-->E:\WINDOWS\UNNeroVision.exe /UNINSTALL
NVIDIA Display Driver-->E:\WINDOWS\System32\nvudisp.exe Uninstall E:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
PandoraRecovery (Remove Only)-->"E:\Program Files\Pandora Recovery\Uninstall.exe"
PC Inspector smart recovery-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{C9A87D86-FDFD-418B-BF96-EF09320973B3}\Setup.exe" -l0x9
Photo-Saver-->"E:\Program Files\Photo-Saver\unins000.exe"
QuickTime-->MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RealPlayer-->E:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Recuva (remove only)-->"E:\Program Files\Recuva\uninst.exe"
SecondLife (remove only)-->"E:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Security Update for Windows Media Player (KB952069)-->"E:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"E:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"E:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"E:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"E:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"E:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"E:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"E:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"E:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"E:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"E:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"E:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"E:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"E:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"E:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"E:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"E:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"E:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"E:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"E:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"E:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"E:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"E:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"E:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"E:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"E:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"E:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"E:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"E:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"E:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"E:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"E:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"E:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"E:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"E:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"E:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"E:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"E:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"E:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"E:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"E:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"E:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"E:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"E:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"E:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"E:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"E:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"E:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"E:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"E:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"E:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"E:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"E:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"E:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"E:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"E:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"E:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"E:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"E:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"E:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"E:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"E:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"E:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"E:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"E:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Smart Media Data Recovery-->"E:\Program Files\GetData\Smart Media Data Recovery\unins000.exe"
Sonic Foundry Sound Forge 6.0a-->MsiExec.exe /I{6CDC68BB-C997-4ADC-9BA0-6293FB88521E}
Sony USB Driver-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Soulseek Client 152-->E:\WINDOWS\UnGins.exe "E:\Program Files\Soulseek\install.log"
SoulSeek Client 156c-->"E:\Program Files\Soulseek\uninstall.exe"
Sound Blaster-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{412300C0-2A03-11D7-908C-00A0C98173F1}\SETUP.EXE" -l0x9
Stellar Phoenix Photo Recovery v3.2-->"E:\Program Files\Stellar Phoenix Photo Recovery\unins000.exe"
Undelete Plus 2.98-->"E:\Program Files\TouchStoneSoftware\UndeletePlus\unins000.exe"
Update for Windows XP (KB951072-v2)-->"E:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"E:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"E:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"E:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"E:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"E:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VAIOSoft Recovery Manager-->E:\WINDOWS\IsUninst.exe -f"C:\Program Files\RecvMngr\Recuninst.isu"
VLC media player 1.0.2-->E:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"E:\Program Files\Winamp\UninstWA.exe"
Windows Media Format Runtime-->"E:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"E:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->E:\Program Files\WinRAR\uninstall.exe
Yahoo! Internet Mail-->E:\WINDOWS\system32\regsvr32 /u /s E:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger Explorer Bar-->E:\WINDOWS\system32\regsvr32 /u /s E:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
Yahoo! Messenger-->E:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE E:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======System event log======

Computer Name: FN0RD
Event Code: 1000
Message: Attempt to execute Windows Script Host while it is disabled.

Record Number: 23563
Source Name: Windows Script Host
Time Written: 20090921183055.000000-300
Event Type: audit failure
User: FN0RD\St. Thomas

Computer Name: FN0RD
Event Code: 1000
Message: Attempt to execute Windows Script Host while it is disabled.

Record Number: 23562
Source Name: Windows Script Host
Time Written: 20090921183052.000000-300
Event Type: audit failure
User: FN0RD\St. Thomas

Computer Name: FN0RD
Event Code: 1000
Message: Attempt to execute Windows Script Host while it is disabled.

Record Number: 23561
Source Name: Windows Script Host
Time Written: 20090921183043.000000-300
Event Type: audit failure
User: FN0RD\St. Thomas

Computer Name: FN0RD
Event Code: 11050
Message: The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Record Number: 23516
Source Name: dnscache
Time Written: 20090921160250.000000-300
Event Type: warning
User:

Computer Name: FN0RD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 23514
Source Name: Tcpip
Time Written: 20090921160135.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: FN0RD
Event Code: 1002
Message: Hanging application winamp.exe, version 5.0.0.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6690
Source Name: Application Hang
Time Written: 20060601235620.000000-300
Event Type: error
User:

Computer Name: FN0RD
Event Code: 1517
Message: Windows saved user FN0RD\St. Thomas registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 6668
Source Name: Userenv
Time Written: 20060521075316.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: FN0RD
Event Code: 1002
Message: Hanging application winamp.exe, version 5.0.0.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6667
Source Name: Application Hang
Time Written: 20060519021658.000000-300
Event Type: error
User:

Computer Name: FN0RD
Event Code: 1002
Message: Hanging application winamp.exe, version 5.0.0.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6666
Source Name: Application Hang
Time Written: 20060519003637.000000-300
Event Type: error
User:

Computer Name: FN0RD
Event Code: 1002
Message: Hanging application winamp.exe, version 5.0.0.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 6665
Source Name: Application Hang
Time Written: 20060519002641.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;E:\Program Files\Common Files\Adobe\AGL;E:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;E:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=E:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:24 PM

Posted 14 October 2009 - 11:41 PM

Hi,

Sorry for the delay, I am still working with your logs and will be back shortly. Sorry again :(.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:24 PM

Posted 15 October 2009 - 01:31 PM

Hi,


Please copy and paste the content of the codebox below into Notepad and save it as fmove.txt into e:\windows.

copy e:\windows\$hf_mig$\KB956572\SP3QFE\services.exe e:\windows\system32\services.exe
copy e:\windows\ServicePackFiles\i386\winlogon.exe e:\windows\system32\winlogon.exe
copy e:\windows\ServicePackFiles\i386\explorer.exe e:\windows\explorer.exe
copy e:\windows\ServicePackFiles\i386\lsass.exe e:\windows\system32\lsass.exe
copy e:\windows\ServicePackFiles\i386\spoolsv.exe e:\windows\system32\spoolsv.exe


Now please check if the file fmove.txt is correctly saved as e:\windows\fmove.txt.



Please reboot your system and at bootup, choose Recovery Console. When you get asked about the Windows installation, press 1.
Now you will be asked for your admin password; please type it in and hit Enter. If the password is blank, just hit Enter.


You will now see a command line. Please type in the following, line by line, hitting Enter after each line.

type set NoCopyPrompt = TRUE and hit enter

type set AllowRemovableMedia = TRUE and hit enter

type batch fmove.txt e:\windows\fmoveresult.txt and hit enter.

Now you can type exit and hit enter, the system will reboot.



Back in normal mode, please run Combofix one more time by double-clicking it and post back with the content of the log file. Also, please post the content of e:\windows\fmoveresult.txt.
regards,
schrauber

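An added check, not part of the thread and not schrauber's or Combofix's code: it hashes the live copy of each of the five files named in fmove.txt against its SP3 cache source (paths taken from the post above) and emits Recovery Console copy lines only for the ones that are missing or changed. The e:\windows tree it runs against is constructed in a temp folder, so it runs anywhere.

```python
# Added example, not code from the thread: compare the live files from fmove.txt
# with their SP3 cache sources and emit only the copy lines that are needed.
import hashlib
import os
import tempfile
# Source -> destination pairs exactly as in fmove.txt, relative to e:\windows.
RESTORE_PAIRS = [
    (r"$hf_mig$\KB956572\SP3QFE\services.exe", r"system32\services.exe"),
    (r"ServicePackFiles\i386\winlogon.exe", r"system32\winlogon.exe"),
    (r"ServicePackFiles\i386\explorer.exe", r"explorer.exe"),
    (r"ServicePackFiles\i386\lsass.exe", r"system32\lsass.exe"),
    (r"ServicePackFiles\i386\spoolsv.exe", r"system32\spoolsv.exe"),
]

def _path(windir, rel):  # backslash-relative Windows path -> local path
    return os.path.join(windir, *rel.split("\\"))

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def compare_pairs(windir, pairs=RESTORE_PAIRS):
    """Map each destination to 'same', 'differs', 'missing' or 'no-source'."""
    status = {}
    for src, dst in pairs:
        s, d = _path(windir, src), _path(windir, dst)
        if not os.path.exists(s):
            status[dst] = "no-source"  # nothing clean to restore from
        elif not os.path.exists(d):
            status[dst] = "missing"    # live file deleted
        else:
            status[dst] = "same" if sha256_file(s) == sha256_file(d) else "differs"
    return status

def fmove_lines(status, windir=r"e:\windows", pairs=RESTORE_PAIRS):
    """Only the copy lines actually needed, in the fmove.txt syntax."""
    return [f"copy {windir}\\{src} {windir}\\{dst}"
            for src, dst in pairs if status[dst] in ("missing", "differs")]

def build_demo_tree():
    """Constructed sample: services.exe altered, explorer.exe deleted, rest clean."""
    windir = tempfile.mkdtemp()
    for rel in [p for pair in RESTORE_PAIRS for p in pair]:
        os.makedirs(os.path.dirname(_path(windir, rel)), exist_ok=True)
        with open(_path(windir, rel), "wb") as f:
            f.write(b"clean SP3 build")
    with open(_path(windir, r"system32\services.exe"), "wb") as f:
        f.write(b"altered by malware")
    os.remove(_path(windir, "explorer.exe"))
    return windir
```

Run compare_pairs again after the Recovery Console batch has executed: every entry should then read "same", which is the check that fmoveresult.txt alone does not give you.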



