
Infected with hidden rootkit?


  • This topic is locked
36 replies to this topic

#1 yoori

yoori

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 21 November 2009 - 08:48 PM

Hi HJT Team,
I was directed here from the Am I Infected section. My computer has been infected since late May (I forgot what virus it was, but it came from Myspace) and had no access to the internet till late Oct. The only time I could go online was when I used my sister's laptop over the summer. I got rid of most of the viruses; the computer works fine and the internet works fine (even though I'm not using it yet), except when I scan with SUPERAntiSpyware, it restarts the computer. I'm pretty sure it's a hidden rootkit that disguises itself as userinit and svchost. I have the hardest time getting rid of it; your help will be so much appreciated. Thank you for your time :(

Edit: Okay, I was looking through the News section here and found what virus started it all: Antivirus XP Pro, because I remember the desktop and security warning.


Here are the logs:

DDS (Ver_09-10-26.01) - NTFSx86
Run by HP_Administrator at 14:05:51.15 on Sat 11/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.437 [GMT -10:00]

AV: AVG 7.5.516 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daum.net/
uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearch Bar =
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
mSearchAssistant =
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\hp_administrator\favorites\flashget\jc_all.htm
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: Download using FlashGet - c:\documents and settings\hp_administrator\favorites\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxp://help.rr.com/Foundrysdccommon/download/tgctlar.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} - hxxp://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} - hxxp://www2.stlu.com/plugins/Plugin5.0.0219//streetnoagent7.cab
DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} - hxxp://image.pullbbang.com/newTop/Pull0Control.ocx
DPF: {2FDAF918-389E-4402-9DA1-F5348615BC30} - hxxp://www.dosirak.com/Commons/Activex/MROpen.cab
DPF: {3270EED1-B285-4828-A0A7-F55913A9B724} - hxxp://listen.daum.net/52st/52street/S2MusicPlayer.dll
DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F7} - hxxp://kr.music.yahoo.com/Components/YMusicPack.cab
DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} - hxxp://www.dosirak.com/Commons/Activex/DosirakControl.ocx
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {40A217E1-BDDA-44DE-9BBC-D678C7B48603} - hxxp://www.bluemountainsoft.com/agent/EspressoAgent.ocx
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} - hxxp://imgcdn.pandora.tv/pan_img/liveupdate/SVPorsche.cab
DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} - hxxp://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143507627125
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.gomtv.com/gom/GomWeb.cab
DPF: {868AB0F0-C411-4DB5-8279-E38AE3CDA3FD} - hxxp://listen.daum.net/52st/OiMPlayer/52MPlayer.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8C165CC2-E50D-4D99-9D32-DAF6AB15AA32} - hxxp://www.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {913BF18F-672D-4676-9855-F9A192A88886} - hxxp://touch.imbc.com/ocx/Online.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
DPF: {939612C6-DB72-4788-8BD1-6ED77E3EC4A9} - hxxp://dl.sayclub.com/sayclub/sayctl/sayradio.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.diodeo.com/DioDeoPlayer.cab
DPF: {A0E7D0C1-9854-497E-8645-38C19AA00724} - hxxp://www.teenkorean.net/Penta/KoreanSecurity.cab
DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrtvset.cab
DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,3
DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} - hxxp://app.gomtv.com/gomtv/gomtvx.cab
DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} - hxxp://www.csafer.net/ActiveX/MAStreamCtrl.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - hxxp://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
DPF: {BD6F8792-B90E-4431-B0AB-08CF414E9D35} - hxxp://bgm.iple.com/Cab/SMMusicPlayerX.cab
DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - hxxp://www.diodeo.com/ActiveDiodeoPlayer.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} - hxxp://player.muz.co.kr/package/installer2007_02/p3Instal.cab
DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} - hxxp://touch.imbc.com/ocx/SetGlb.cab
DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} - hxxp://www.clubbox.co.kr/neo.fld/NowCAFE.cab
DPF: {D1160D6F-214B-4B4E-A361-977817ACC516} - hxxp://www.websafe.co.kr/websafe_player.cab
DPF: {D26A941D-7E89-4098-B583-43291FC14218} - hxxp://image.pullbbang.com/images/Pull0Control.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: dtguru.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\lxrbayv1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.daum.net/
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npAbacast.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 melvdvey;PnP ISA/EISA Bus Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-12-8 100480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
S3 win32x;win32x;\??\c:\windows\system32\drivers\win32x.sys --> c:\windows\system32\drivers\win32x.sys [?]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-8 468768]

=============== Created Last 30 ================

2009-11-21 03:54:56 0 d-----w- c:\program files\ESET
2009-11-13 12:53:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:53:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 12:53:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 02:01:13 0 d-----w- c:\program files\CDBurnerXP Pro 3
2009-11-11 10:01:04 0 d-----w- c:\documents and settings\hp_administrator\DoctorWeb

==================== Find3M ====================

2009-11-11 16:38:40 1033216 ----a-w- c:\windows\system32\dllcache\explorer.exe
2009-11-11 16:38:40 1033216 ----a-w- c:\windows\explorer.exe
2009-10-24 09:36:28 1102 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2005-06-27 01:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 08:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 10:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 23:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 10:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
2009-05-25 14:23:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052520090526\index.dat
2009-05-25 14:23:47 65536 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 14:06:50.98 ===============

Edited by yoori, 21 November 2009 - 09:45 PM.
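The DDS log above is what the helpers read line by line. As an added example that is not part of this thread and not a feature of DDS or ComboFix, here is a small Python triage script that flags the indicator lines a malware-response helper looks at first: a browser proxy pointing at localhost, restrictive policies, a populated AppInit_DLLs, svchost-hosted services with unknown names or unreadable image paths, and ComboFix Sigcheck lines marked [-]. The sample input is constructed from lines posted in this thread, and the netsvcs allowlist is an assumed, partial list for the example.

```python
"""Triage helper for DDS / ComboFix log lines (added example, not a DDS or
ComboFix feature). Flags the indicators a malware-response helper reads first."""
import re
from typing import List, Tuple

# Constructed sample: lines excerpted from the DDS and ComboFix logs posted in
# this thread, plus two clean lines (uStart Page, Notify, NPF) for contrast.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.daum.net/
uInternet Settings,ProxyServer = http=localhost:7171
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: dtguru.dll
Notify: AtiExtEvent - Ati2evxx.dll
S2 melvdvey;PnP ISA/EISA Bus Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 win32x;win32x;\??\c:\windows\system32\drivers\win32x.sys --> c:\windows\system32\drivers\win32x.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
[-] 2009-05-25 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
"""

# Assumed, deliberately partial allowlist of service names that Windows XP hosts
# in "svchost.exe -k netsvcs". Build the real list from a known-clean machine of
# the same Windows version before relying on it.
KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp",
    "dmserver", "ersvc", "eventsystem", "fastuserswitchingcompatibility",
    "helpsvc", "hidserv", "lanmanserver", "lanmanworkstation", "messenger",
    "netman", "nla", "ntmssvc", "rasauto", "rasman", "remoteaccess",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "w32time", "winmgmt",
    "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# DDS service line: "<R|S><start> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Proxy pointing back at the local machine (the "http=" prefix is optional)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(localhost|127\.0\.0\.1):(\d+)", re.I)
# Policy flags set to 1 in the user (u), machine (m) or default-user (d) hives
POLICY_RE = re.compile(r"^[umd]Policies-(\w+):\s*(\w+)\s*=\s*1\b")
# ComboFix Sigcheck line whose leading "[-]" marks a failed signature check
SIGCHECK_RE = re.compile(r"^\[-\]\s.*\s([a-z]:\\\S+)$", re.I)

Finding = Tuple[str, str]  # (offending line, reason it was flagged)


def triage(log_text: str) -> List[Finding]:
    """Return (line, reason) pairs for every line that matches an indicator rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append((line, f"browser proxy set to {m.group(1)}:{m.group(2)}; unless the "
                                   "user installed a local proxy, web traffic is being intercepted"))
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append((line, f"restrictive policy {m.group(2)} set in the {m.group(1)} "
                                   "key; rogue software sets these to hinder cleanup"))
            continue
        if line.startswith("AppInit_DLLs:") and line.partition(":")[2].strip():
            findings.append((line, "AppInit_DLLs is populated: the DLL is loaded into every "
                                   "process that loads user32.dll"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, _start, name, display, image = m.groups()
            if image.rstrip().endswith("[?]"):
                findings.append((line, f"service {name}: image file missing or unreadable"))
            elif "svchost.exe -k netsvcs" in image.lower() and name.lower() not in KNOWN_NETSVCS:
                findings.append((line, f"service {name} ({display}) runs inside netsvcs "
                                       "but is not a known Windows service"))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append((line, f"{m.group(1)}: ComboFix signature check failed; "
                                   "the system file may have been patched"))
    return findings


if __name__ == "__main__":
    for flagged, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {flagged}")
```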



#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 PM

Posted 28 November 2009 - 10:36 AM

Hello,
Do you still desire help? Please outline your current problems and inform me of what you have done since your last post.
Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 28 November 2009 - 05:39 PM

Yes please. I'm still not able to update or scan with my anti-malware and spyware programs; the virus would restart my computer if I scan from SUPERAntiSpyware, and there are times when I can update Malwarebytes and times I can't, because I'd get an error pop-up. I haven't done anything since my post except transfer pics and videos from my digital cam and from the laptop I'm using to the infected computer. Because I know there is a hidden virus in the computer, I don't use the internet and won't till I know it's out.

Thanks~
Yoori

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 PM

Posted 28 November 2009 - 07:21 PM

Hi,

Let's begin....

P2P Warning

Your log indicates that you have uTorrent & Bitcomet installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent & Bitcomet, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* Copy and paste all logs please.
* Make no changes in your computer unless I direct you to do so and have given you the "All Clear".

Kind regards,
~t

#5 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 29 November 2009 - 04:36 AM

Hi, I'm stuck on thcbytes.
When I double clicked on the icon
I got an error message: "Some installation files are corrupt. Please download a fresh copy and retry the installation".
The ComboFix loading bar won't go away and I'm not able to take off thcbytes because it'll say the program is in use.
I'm scared to do anything; what should I do?

Edited by yoori, 29 November 2009 - 05:22 AM.


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 PM

Posted 29 November 2009 - 01:33 PM

Hello,

Follow all the steps again but in Safe Mode.

Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Thanks,
~ t

#7 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 29 November 2009 - 06:08 PM

How long does it take to load/restart after putting the computer into safe mode with networking? I did the msconfig way. The screen is still black and it hasn't taken me to the login window. It's my first time doing safe mode with networking on, so I don't know if it's supposed to take this long to go to the log in screen -___-;


Edit: I just turned off the computer and turned it back on and it went straight to safe mode. I did the steps again and the same problem happens again with thcbytes... O___O

Edited by yoori, 29 November 2009 - 08:33 PM.


#8 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 29 November 2009 - 09:17 PM

Here are the logs.


exeHelper by Raktor
Build 20091122
Run at 15:25:21 on 11/29/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



ComboFix 09-11-29.03 - HP_Administrator 11/29/2009 15:46.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.633 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\thcbytes.exe
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.
ADS - explorer.exe: deleted 23178 bytes in 7 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\94332496.ini
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV.cfg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV0.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV1.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV2.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV3.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV4.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV5.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV6.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV7.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV8.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\MNETV9.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM.cfg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM0.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM1.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM2.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM3.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM4.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM5.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM6.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM7.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM8.che
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\SKBGM9.che
C:\log.udt
c:\recycler\S-1-5-21-6652421690-6804860485-926543993-7560
c:\windows\kb913800.exe
c:\windows\system32\ps2.bat
c:\windows\system32\SYSInfo.ocx
c:\windows\system32\zip32.dll
c:\windows\Tasks\wiggmoqk.job
C:\xcrashdump.dat

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WIN32X
-------\Service_win32x


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-21 03:54 . 2009-11-21 03:54 -------- d-----w- c:\program files\ESET
2009-11-13 12:53 . 2009-09-11 00:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:53 . 2009-11-13 12:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 12:53 . 2009-09-11 00:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 02:01 . 2009-11-13 02:01 69632 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\Uninstall_CDBurnerXP_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe1_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\ARPPRODUCTICON.exe
2009-11-13 02:01 . 2009-11-13 02:01 -------- d-----w- c:\program files\CDBurnerXP Pro 3
2009-11-11 10:01 . 2009-11-11 12:12 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 01:36 . 2006-12-26 05:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG7
2009-11-28 23:43 . 2008-10-25 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 23:42 . 2008-10-25 23:40 -------- d-----w- c:\program files\SpywareBlaster
2009-11-24 04:40 . 2009-08-13 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Cyberlink
2009-11-21 23:41 . 2007-02-25 05:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Kontiki
2009-11-21 23:35 . 2008-05-10 03:15 -------- d-----w- c:\program files\URLSnooper2
2009-11-21 23:30 . 2007-02-25 13:43 -------- d-----w- c:\program files\Soulseek
2009-11-21 06:31 . 2009-03-17 02:03 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-21 06:30 . 2008-03-19 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-19 07:48 . 2008-12-01 02:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-11-17 01:44 . 2008-01-07 13:17 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\gtk-2.0
2009-11-13 12:53 . 2008-03-18 12:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-11-13 12:53 . 2008-03-18 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-11 16:38 . 2004-08-10 12:00 1033216 ----a-w- c:\windows\explorer.exe
2009-10-27 21:19 . 2009-03-10 10:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-10-24 09:36 . 2006-03-09 05:15 1102 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-10-06 09:30 . 2008-01-07 13:15 -------- d-----w- c:\program files\Avidemux 2.4
2005-06-27 01:32 . 2005-06-27 01:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 08:37 . 2005-06-22 08:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 10:00 . 2004-01-25 10:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 23:16 . 2005-02-28 23:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 10:00 . 2004-01-25 10:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[-] 2009-05-25 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-25 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-21 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 579072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-11 1312080]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-8 36903]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-7 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-21 06:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fscagent.exe"=
"c:\\WINDOWS\\system32\\clubbox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141644703\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141644703\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\kdx\\KHost.exe"=
"c:\\WINDOWS\\system32\\P3MxSvr.exe"=
"c:\\WINDOWS\\system32\\p3mxvsvr.exe"=
"c:\\WINDOWS\\system32\\muzmvsvr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\WINDOWS\\system32\\BugsSvr.exe"=
"c:\\WINDOWS\\system32\\p3bvsvr.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\pandora.tv\\minilite\\MiniStream.exe"=
"c:\\WINDOWS\\system32\\mnetasvr.exe"=
"c:\\WINDOWS\\system32\\mnetvsvr.exe"=
"c:\\Program Files\\pandora.tv\\minilite\\MiniLite.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\SayRadio.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10259:TCP"= 10259:TCP:BitComet 10259 TCP
"10259:UDP"= 10259:UDP:BitComet 10259 UDP

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S2 melvdvey;PnP ISA/EISA Bus Controller;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 2:00 AM 14336]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [12/8/2005 6:47 AM 100480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [5/21/2008 1:57 PM 34576]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/8/2005 6:46 AM 468768]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
melvdvey
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 22:34]

2009-05-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 21:20]

2006-05-01 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daum.net/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\HP_Administrator\Favorites\FlashGet\jc_all.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download using FlashGet - c:\documents and settings\HP_Administrator\Favorites\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} - hxxp://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} - hxxp://www2.stlu.com/plugins/Plugin5.0.0219//streetnoagent7.cab
DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} - hxxp://image.pullbbang.com/newTop/Pull0Control.ocx
DPF: {2FDAF918-389E-4402-9DA1-F5348615BC30} - hxxp://www.dosirak.com/Commons/Activex/MROpen.cab
DPF: {40A217E1-BDDA-44DE-9BBC-D678C7B48603} - hxxp://www.bluemountainsoft.com/agent/EspressoAgent.ocx
DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} - hxxp://imgcdn.pandora.tv/pan_img/liveupdate/SVPorsche.cab
DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} - hxxp://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.gomtv.com/gom/GomWeb.cab
DPF: {868AB0F0-C411-4DB5-8279-E38AE3CDA3FD} - hxxp://listen.daum.net/52st/OiMPlayer/52MPlayer.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {8C165CC2-E50D-4D99-9D32-DAF6AB15AA32} - hxxp://www.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2.cab
DPF: {913BF18F-672D-4676-9855-F9A192A88886} - hxxp://touch.imbc.com/ocx/Online.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
DPF: {939612C6-DB72-4788-8BD1-6ED77E3EC4A9} - hxxp://dl.sayclub.com/sayclub/sayctl/sayradio.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.diodeo.com/DioDeoPlayer.cab
DPF: {A0E7D0C1-9854-497E-8645-38C19AA00724} - hxxp://www.teenkorean.net/Penta/KoreanSecurity.cab
DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrtvset.cab
DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,3
DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} - hxxp://app.gomtv.com/gomtv/gomtvx.cab
DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} - hxxp://www.csafer.net/ActiveX/MAStreamCtrl.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - hxxp://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
DPF: {BD6F8792-B90E-4431-B0AB-08CF414E9D35} - hxxp://bgm.iple.com/Cab/SMMusicPlayerX.cab
DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - hxxp://www.diodeo.com/ActiveDiodeoPlayer.cab
DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} - hxxp://player.muz.co.kr/package/installer2007_02/p3Instal.cab
DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} - hxxp://touch.imbc.com/ocx/SetGlb.cab
DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} - hxxp://www.clubbox.co.kr/neo.fld/NowCAFE.cab
DPF: {D1160D6F-214B-4B4E-A361-977817ACC516} - hxxp://www.websafe.co.kr/websafe_player.cab
DPF: {D26A941D-7E89-4098-B583-43291FC14218} - hxxp://image.pullbbang.com/images/Pull0Control.ocx
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\lxrbayv1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.daum.net/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npAbacast.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-IntelliMover Data Transfer Demo - c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe
AddRemove-internet_webplayer - c:\program files\internet_webplayer\internet_webplayer.exe
AddRemove-mIRC - c:\program files\mIRC\mirc.exe
AddRemove-pointgo - c:\program files\pointgo\uninstall.exe
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-Shop-Point - c:\program files\SPoint\bin\UnInstallTool.exe
AddRemove-ShopPoint - c:\program files\ShopPoint\ShopPoint.exe
AddRemove-Windows Driver for Cashontool - c:\program files\CashOn\bin\uninToolbar.exe
AddRemove-Windows Live Toolbar - c:\program files\Windows Live Toolbar\UnInstall.exe {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x86071500]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf783ffc3
\Driver\ACPI -> ACPI.sys @ 0xf7792cb8
\Driver\atapi -> atapi.sys @ 0xf764f7b4
\Driver\iaStor -> iaStor.sys @ 0xf7673b10
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057c745
SecurityProcedure -> ntoskrnl.exe @ 0x805b0092
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057c745
SecurityProcedure -> ntoskrnl.exe @ 0x805b0092
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0x86059bc3
PacketIndicateHandler -> NDIS.sys @ 0x86065b21
SendHandler -> NDIS.sys @ 0x86059d33
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-29 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 02:03
ComboFix2.txt 2008-11-03 02:59

Pre-Run: 6,098,075,648 bytes free
Post-Run: 6,977,052,672 bytes free

- - End Of File - - 741EA45D2762135AEB803E2317519226

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:30 PM

Posted 29 November 2009 - 09:52 PM

Good work. :(

You have a critical system file that is infected. We need to be very careful!! Do you have a Windows XP install disc? We might need it to replace the infected file. You can borrow one from a friend if needed. You will not need a Product Key. I will first see if you have a clean copy somewhere in your computer.

=========

Re-run RKill

=========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Mia::
c:\windows\system32\drivers\ndis.sys

SRPeek::
c:\windows\system32\drivers\ndis.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fscagent.exe"=-
"c:\\WINDOWS\\system32\\clubbox.exe"=-

DDS::
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Answer to question
* Combofix.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
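The helper says he will first look for a clean copy of ndis.sys on the machine; in ComboFix output the evidence for that decision is the Sigcheck section. The script below is an added example for this thread, not part of ComboFix and not something the helper posted. It parses Sigcheck lines in the format the logs use, groups the copies of each file, and labels every extra copy relative to the live driver under system32\drivers: a copy with the same hash as a flagged live file is no use as a replacement, a copy from a different service-pack build must not be dropped onto this install, and only a copy with a different hash and the right build is worth verifying further. The six Sigcheck lines are copied from this thread's two ComboFix runs; the ServicePackFiles line, its `[+]` marker, size and hash are constructed to show the positive case, and the expected build 5.1.2600.2180 is assumed here to be the XP SP2 build that the first run reports for the flagged file.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class SigcheckEntry(NamedTuple):
    flag: str               # "-" when ComboFix could not validate the file
    md5: str
    size: int
    version: Optional[str]  # None when ComboFix prints "[------]" (no readable version)
    path: str               # lower-cased full path


# One Sigcheck line: "[flag] date[ time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\S+(?:\s+\d\d:\d\d)?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

LIVE_DIR = "\\system32\\drivers\\"   # where the loaded driver lives on XP
XP_SP2_BUILD = "5.1.2600.2180"       # assumed SP2 build; the first log reports this for ndis.sys

# Lines copied from the Sigcheck sections of this thread's two ComboFix runs.
FIRST_RUN = r"""
[-] 2009-05-25 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-25 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
"""
SECOND_RUN = r"""
[-] 2009-05-25 10:44 . 1DDCD4F10C093B87A59A0FBA97E8462D . 212480 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-25 10:44 . 1DDCD4F10C093B87A59A0FBA97E8462D . 212480 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
"""
# Constructed line (not from the thread): what a usable service-pack copy would look like.
# The "[+]" marker, the size and the hash are placeholders, not real SP2 ndis.sys values.
CONSTRUCTED_SP_COPY = r"""
[+] 2004-08-04 . 00112233445566778899AABBCCDDEEFF . 182912 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ndis.sys
"""


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Parse every Sigcheck line in `text`; lines in any other format are ignored."""
    entries: List[SigcheckEntry] = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        ver = m.group("version")
        entries.append(SigcheckEntry(
            flag=m.group("flag"),
            md5=m.group("md5").upper(),
            size=int(m.group("size")),
            version=ver if VERSION_RE.fullmatch(ver) else None,
            path=m.group("path").lower(),
        ))
    return entries


def assess_copies(entries: List[SigcheckEntry], expected_build: str) -> Dict[str, Dict[str, str]]:
    """Label every copy of each file name relative to the live driver.

    LIVE / LIVE_FLAGGED  the copy under system32\\drivers (flagged when ComboFix printed [-])
    SAME_HASH_AS_LIVE    identical bytes to the live copy, so no help if that one is infected
    WRONG_BUILD          a different service-pack build; must not be copied onto this install
    CANDIDATE            different hash and the right build: worth verifying as a replacement
    """
    by_name: Dict[str, List[SigcheckEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1]].append(e)

    report: Dict[str, Dict[str, str]] = {}
    for name, copies in by_name.items():
        live = next((c for c in copies if LIVE_DIR in c.path), None)
        verdicts: Dict[str, str] = {}
        for c in copies:
            if c is live:
                verdicts[c.path] = "LIVE_FLAGGED" if c.flag == "-" else "LIVE"
            elif live is not None and c.md5 == live.md5:
                verdicts[c.path] = "SAME_HASH_AS_LIVE"
            elif c.version != expected_build:
                verdicts[c.path] = "WRONG_BUILD"
            else:
                verdicts[c.path] = "CANDIDATE"
        report[name] = verdicts
    return report


def clean_candidates(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Paths labelled CANDIDATE, sorted for stable output."""
    return sorted(p for verdicts in report.values()
                  for p, v in verdicts.items() if v == "CANDIDATE")


if __name__ == "__main__":
    runs = (("first run", FIRST_RUN), ("second run", SECOND_RUN),
            ("second run + constructed SP copy", SECOND_RUN + CONSTRUCTED_SP_COPY))
    for label, text in runs:
        report = assess_copies(parse_sigcheck(text), XP_SP2_BUILD)
        print(f"== {label}")
        for verdicts in report.values():
            for path, verdict in verdicts.items():
                print(f"  {verdict:<18} {path}")
        print("  candidates:", clean_candidates(report) or "none")
```

On the thread's own lines the script finds no candidate in either run: in the first run every copy, including the Windows File Protection cache under dllcache, carries the same hash as the flagged driver, and in the second run the only copy with a different hash is a 5.1.2600.5512 (SP3) build from a Windows Update download folder, which is the wrong build for an SP2 system. That is exactly the situation in which the helper asks for an install disc. A CANDIDATE label only means the copy is worth checking; it still has to be validated against a trusted hash or a signed catalog before it replaces anything.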

#10 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 01 December 2009 - 01:51 AM

No, I don't have a Windows XP install disc, nor do I know anybody who has one :(


Here are my logs


ComboFix 09-11-30.02 - HP_Administrator 11/30/2009 18:29.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.591 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG 7.5.516 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 04:10 . 2009-12-01 04:15 -------- d-----w- C:\e8f0c7eda214ae264a
2009-11-30 02:40 . 2009-11-30 02:40 -------- d-----w- c:\windows\ServicePackFiles
2009-11-21 03:54 . 2009-11-21 03:54 -------- d-----w- c:\program files\ESET
2009-11-13 12:53 . 2009-09-11 00:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 12:53 . 2009-11-13 12:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 12:53 . 2009-09-11 00:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 02:01 . 2009-11-13 02:01 69632 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\Uninstall_CDBurnerXP_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe1_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe_A2B8C891E8B94C26975E193A62033974.exe
2009-11-13 02:01 . 2009-11-13 02:01 135168 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\ARPPRODUCTICON.exe
2009-11-13 02:01 . 2009-11-13 02:01 -------- d-----w- c:\program files\CDBurnerXP Pro 3
2009-11-11 10:01 . 2009-11-11 12:12 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 04:08 . 2006-12-26 05:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG7
2009-12-01 04:07 . 2008-08-16 11:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-28 23:43 . 2008-10-25 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 23:42 . 2008-10-25 23:40 -------- d-----w- c:\program files\SpywareBlaster
2009-11-24 04:40 . 2009-08-13 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Cyberlink
2009-11-21 23:41 . 2007-02-25 05:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Kontiki
2009-11-21 23:35 . 2008-05-10 03:15 -------- d-----w- c:\program files\URLSnooper2
2009-11-21 23:30 . 2007-02-25 13:43 -------- d-----w- c:\program files\Soulseek
2009-11-21 06:31 . 2009-03-17 02:03 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-21 06:30 . 2008-03-19 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-19 07:48 . 2008-12-01 02:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-11-17 01:44 . 2008-01-07 13:17 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\gtk-2.0
2009-11-13 12:53 . 2008-03-18 12:07 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-11-13 12:53 . 2008-03-18 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-11 16:38 . 2004-08-10 12:00 1033216 ------w- c:\windows\explorer.exe
2009-10-27 21:19 . 2009-03-10 10:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-10-24 09:36 . 2006-03-09 05:15 1102 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-10-06 09:30 . 2008-01-07 13:15 -------- d-----w- c:\program files\Avidemux 2.4
2005-06-27 01:32 . 2005-06-27 01:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 08:37 . 2005-06-22 08:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 10:00 . 2004-01-25 10:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 23:16 . 2005-02-28 23:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 10:00 . 2004-01-25 10:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2009-05-25 10:44 . 1DDCD4F10C093B87A59A0FBA97E8462D . 212480 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-25 10:44 . 1DDCD4F10C093B87A59A0FBA97E8462D . 212480 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-30_01.57.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:41 . 2009-07-12 05:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2005-05-26 12:16 . 2009-08-07 05:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 35552 c:\windows\system32\wups.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 53472 c:\windows\system32\wuauclt.exe
+ 2005-12-08 16:31 . 2008-05-07 02:16 26488 c:\windows\system32\spupdsvc.exe
+ 2007-03-26 06:33 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-03-26 06:33 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-11-30 02:08 . 2009-08-07 05:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-30 02:08 . 2009-08-07 05:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2005-08-31 12:07 . 2009-12-01 04:18 72932 c:\windows\system32\perfc009.dat
- 2005-08-31 12:07 . 2008-04-12 03:03 72932 c:\windows\system32\perfc009.dat
+ 2004-08-10 12:00 . 2009-08-07 05:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-10 12:00 . 2009-08-07 05:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 96480 c:\windows\system32\cdm.dll
+ 2009-06-25 05:56 . 2009-06-25 05:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 10:49 . 2008-05-28 10:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 06:58 . 2007-04-14 06:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 10:49 . 2008-05-28 10:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 06:57 . 2007-04-14 06:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 10:49 . 2008-05-28 10:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 06:57 . 2007-04-14 06:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 07:30 . 2007-04-14 07:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 11:30 . 2008-05-28 11:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2004-09-30 04:11 . 2009-06-24 22:56 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\ToGac.exe
+ 2004-10-08 03:36 . 2009-06-24 22:56 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\SetRegNI.exe
+ 2004-08-04 12:12 . 2009-06-24 08:01 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
- 2004-08-04 12:12 . 2007-01-03 02:29 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2004-08-04 12:12 . 2009-06-24 08:01 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
- 2004-08-04 12:12 . 2007-01-03 02:29 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
+ 2004-08-04 12:11 . 2009-06-24 08:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
- 2004-08-04 12:11 . 2007-01-03 02:34 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
+ 2002-06-22 07:31 . 2009-06-24 08:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
- 2002-06-22 07:31 . 2002-06-22 07:31 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
+ 2009-11-30 02:40 . 2009-11-30 02:40 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-11-30 02:42 . 2009-11-30 02:42 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_45038331\System.Drawing.Design.dll
+ 2009-11-30 02:42 . 2009-11-30 02:42 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_37848b90\CustomMarshalers.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 90112 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a_ec6edb9f\System.Drawing.Design.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 61440 c:\windows\assembly\NativeImages1_v1.0.3705\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a_41f93fde\CustomMarshalers.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 81920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e299fd71b4c71854673c47f85b4cf180\Microsoft.Build.Framework.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 15360 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\662febc2f309e92a880682f527f4e426\dfsvc.ni.exe
+ 2009-12-01 04:34 . 2009-12-01 04:34 77824 c:\windows\assembly\NativeImages_v2.0.50727_32\DecklinkVideoProper#\e1c22dadeeb33355d4f141ccb23fdeee\DecklinkVideoProperties.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 69632 c:\windows\assembly\NativeImages_v2.0.50727_32\AjaVideoProperties\9d6cb03a872f4be4917b6aa251d8cc2a\AjaVideoProperties.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 27136 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\1a67452bf4558b2574698b6008e7af74\Accessibility.ni.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 90112 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 90112 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2004-07-20 08:54 . 2007-01-03 02:29 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
+ 2004-07-20 08:54 . 2009-06-29 21:57 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-12-01 04:15 . 2009-12-01 04:15 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2005-12-08 16:31 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-10 12:00 . 2009-08-07 05:23 575704 c:\windows\system32\wuapi.dll
+ 2005-08-31 12:07 . 2009-12-01 04:18 428734 c:\windows\system32\perfh009.dat
- 2005-08-31 12:07 . 2008-04-12 03:03 428734 c:\windows\system32\perfh009.dat
+ 2005-05-26 14:19 . 2009-08-07 05:23 215920 c:\windows\system32\muweb.dll
+ 2006-03-28 04:39 . 2009-08-07 05:23 274288 c:\windows\system32\mucltui.dll
+ 2004-08-10 12:00 . 2009-06-05 07:42 655872 c:\windows\system32\mstscax.dll
+ 2004-08-10 12:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-10 12:00 . 2009-08-07 05:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-10 12:00 . 2009-08-07 05:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-10 12:00 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2004-08-10 12:00 . 2009-06-05 07:42 655872 c:\windows\system32\dllcache\mstscax.dll
+ 2004-08-10 12:00 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll
+ 2009-08-08 12:35 . 2009-08-08 12:35 819016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2008-05-28 10:49 . 2008-05-28 10:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 06:58 . 2007-04-14 06:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 06:56 . 2007-04-14 06:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 10:48 . 2008-05-28 10:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 11:30 . 2008-05-28 11:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 07:30 . 2007-04-14 07:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-20 08:54 . 2004-07-20 08:54 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
+ 2004-07-20 08:54 . 2009-06-24 07:59 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorjit.dll
- 2004-08-04 12:11 . 2007-01-03 02:34 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2004-08-04 12:11 . 2009-06-24 08:12 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 429568 c:\windows\Installer\1eb022.msi
+ 2009-11-30 02:39 . 2009-11-30 02:39 248832 c:\windows\Installer\1eb019.msi
+ 2005-12-08 17:13 . 2009-11-30 02:43 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-12-08 17:13 . 2009-11-30 02:43 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-12-08 17:13 . 2009-02-11 03:02 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2004-08-10 18:11 . 2009-08-18 20:55 179712 c:\windows\ehome\ehkeyctl.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_4972f5a3\System.Drawing.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_3a7c117c\System.Drawing.Design.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_870d8f24\CustomMarshalers.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 847872 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a_9b8999f1\System.Drawing.dll
+ 2009-12-01 04:37 . 2009-12-01 04:37 237568 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6b8f2e778eba3931057217c2512b201c\System.Web.RegularExpressions.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 684032 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\4bdd3ce8337c4619dfb09de5ab3f9b62\System.Transactions.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 233472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\47d862e0dc37c830cc3397decf6c0590\System.ServiceProcess.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 733184 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\428a3be3d5be01f129e0effdc455d831\System.Security.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 294912 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\ff85d9d54701c8cde7b513ff808fd5e3\System.EnterpriseServices.Wrapper.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 659456 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\ff85d9d54701c8cde7b513ff808fd5e3\System.EnterpriseServices.ni.dll
+ 2009-12-01 04:21 . 2009-12-01 04:21 229376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\4593151ab44d4f61e4cafaf9e77a8d25\System.Drawing.Design.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 512000 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\135aa2f31c01565700d44313b925a205\System.DirectoryServices.Protocols.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 630784 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas\ed19cebcb2a948922846dfb649de98db\Sony.Vegas.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 262144 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas.NetRender\07dbfa2fe66eef0f2b804f9371d81c2f\Sony.Vegas.NetRender.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 274432 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.MediaSoftware.#\e4000b5cc3ed414b39536ca4682e50ca\Sony.MediaSoftware.ExternalVideoDevice.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 692224 c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Capture\eb7368119e3fe1508b9da3bffe81ff06\Sony.Capture.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 167936 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\ab1dd1079764acac4cbe55d6555f4ff7\Microsoft.Build.Utilities.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 876544 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\9e2334dbe9e76dd6fc2bde86c9b515b9\Microsoft.Build.Engine.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 237568 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\58ec7ce15fd463d65d3e45db4e0613cf\CustomMarshalers.ni.dll
+ 2009-12-01 04:34 . 2009-12-01 04:34 884736 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\2a66ea6b955eabdb437c6cfcac78c45e\AspNetMMCExt.ni.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 884736 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 884736 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 299008 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 299008 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 933888 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 933888 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 741376 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 741376 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 671744 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 671744 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 261120 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 261120 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 483840 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 483840 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
- 2007-03-26 06:45 . 2007-03-26 06:45 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiplay.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2007-03-26 06:45 . 2007-03-26 06:45 868352 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 868352 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2005-12-08 16:38 . 2005-12-08 16:38 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2009-07-21 10:03 . 2009-07-21 10:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2004-08-10 12:00 . 2009-08-07 05:23 1929952 c:\windows\system32\wuaueng.dll
- 2004-08-10 19:00 . 2008-08-14 09:58 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-10 19:00 . 2009-08-04 13:58 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-10 19:00 . 2009-08-04 13:13 2015744 c:\windows\system32\ntkrnlpa.exe
- 2004-08-10 19:00 . 2008-08-14 09:22 2015744 c:\windows\system32\ntkrnlpa.exe
+ 2009-07-21 10:05 . 2009-07-21 10:05 1348432 c:\windows\system32\msxml4.dll
+ 2004-08-10 12:00 . 2009-07-31 04:57 1172480 c:\windows\system32\msxml3.dll
+ 2004-08-10 12:00 . 2009-08-07 05:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2006-12-19 14:17 . 2009-08-04 14:00 2180352 c:\windows\system32\dllcache\ntoskrnl.exe
- 2006-12-19 14:17 . 2008-08-14 10:00 2180352 c:\windows\system32\dllcache\ntoskrnl.exe
- 2006-12-19 12:55 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2006-12-19 12:55 . 2009-08-04 13:13 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
- 2006-12-19 12:55 . 2008-08-14 09:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2006-12-19 12:55 . 2009-08-04 13:13 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2006-12-19 14:15 . 2009-08-04 13:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2006-12-19 14:15 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-10 12:00 . 2009-07-31 04:57 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-10 12:00 . 2009-07-10 13:42 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-08-08 12:35 . 2009-08-08 12:35 5849920 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2009-08-08 12:35 . 2009-08-08 12:35 4345856 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2008-05-28 11:35 . 2008-05-28 11:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 07:35 . 2007-04-14 07:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 07:35 . 2007-04-14 07:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 11:35 . 2008-05-28 11:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 06:57 . 2007-04-14 06:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 10:48 . 2008-05-28 10:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 10:48 . 2008-05-28 10:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 06:57 . 2007-04-14 06:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 10:43 . 2008-05-28 10:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2007-04-14 06:50 . 2007-04-14 06:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2004-07-20 08:54 . 2007-01-03 02:40 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
+ 2004-07-20 08:54 . 2009-06-29 21:58 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
- 2004-07-20 08:54 . 2007-01-03 02:28 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-07-20 08:54 . 2009-06-24 08:00 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2004-07-20 08:54 . 2009-06-24 08:00 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- 2004-07-20 08:54 . 2007-01-03 02:28 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
+ 2004-07-20 08:54 . 2009-06-29 21:58 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
- 2004-07-20 08:54 . 2007-01-03 02:21 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2009-08-10 09:32 . 2009-08-10 09:32 5288960 c:\windows\Installer\3dd1b.msp
+ 2009-09-29 19:08 . 2009-09-29 19:08 6747648 c:\windows\Installer\1eb05e.msp
+ 2009-10-22 22:28 . 2009-10-22 22:28 5521408 c:\windows\Installer\1eb034.msp
+ 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:59 . 2008-08-14 10:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-11-30 02:42 . 2009-11-30 02:42 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_b52dd0b5\System.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_8f98d55a\System.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_d5c85108\System.Xml.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_4cc25a03\System.Xml.dll
+ 2009-11-30 02:42 . 2009-11-30 02:42 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_9d05d5a9\System.Windows.Forms.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_58d2fcec\System.Windows.Forms.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_1559c15b\System.Drawing.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_9236e293\System.Design.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_8974d030\System.Design.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_fb5ef4e1\mscorlib.dll
+ 2009-11-30 02:43 . 2009-11-30 02:43 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_2365979a\mscorlib.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 1855488 c:\windows\assembly\NativeImages1_v1.0.3705\System\1.0.3300.0__b77a5c561934e089_fc508df6\System.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 2027520 c:\windows\assembly\NativeImages1_v1.0.3705\System.Xml\1.0.3300.0__b77a5c561934e089_da4d0534\System.Xml.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 2953216 c:\windows\assembly\NativeImages1_v1.0.3705\System.Windows.Forms\1.0.3300.0__b77a5c561934e089_6aa7a434\System.Windows.Forms.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 1454080 c:\windows\assembly\NativeImages1_v1.0.3705\System.Design\1.0.3300.0__b03f5f7f11d50a3a_f0f8b2c6\System.Design.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 3301376 c:\windows\assembly\NativeImages1_v1.0.3705\mscorlib\1.0.3300.0__b77a5c561934e089_51560031\mscorlib.dll
+ 2009-12-01 04:20 . 2009-12-01 04:20 8310784 c:\windows\assembly\NativeImages_v2.0.50727_32\System\ccfeb59f4a9b75909eb2d1121232a769\System.ni.dll
+ 2009-12-01 04:22 . 2009-12-01 04:22 5771264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\717cce3690d643df19d6a4117283048e\System.Xml.ni.dll
+ 2009-12-01 04:37 . 2009-12-01 04:37 1986560 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\aa319d767042e97c692041f76f123f2f\System.Web.Services.ni.dll
+ 2009-12-01 04:37 . 2009-12-01 04:37 2342912 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\b7092e8403b56e3913488855e45a35ff\System.Web.Mobile.ni.dll
+ 2009-12-01 04:21 . 2009-12-01 04:21 1667072 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\e58e83951091f2616344c5d2a6787660\System.Drawing.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 1224704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\e96695c65a4104ee4687f3e5f0581d34\System.DirectoryServices.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:36 1798144 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\f0a1895c7d475f156ed4cdd9f0bd2797\System.Deployment.ni.dll
+ 2009-12-01 04:21 . 2009-12-01 04:21 7102464 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\b39a611d2b2fc659d5472dd76b24d3b2\System.Data.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 1011712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e2de26078a8c3d29dbfcf408e23aa2b1\System.Configuration.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 1740800 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\ed0cdc51d89bb41a9ab760ca3cf52bf9\Microsoft.VisualBasic.ni.dll
+ 2009-12-01 04:35 . 2009-12-01 04:35 1695744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\b846f5c1b90e4222e79a420d92062f79\Microsoft.Build.Tasks.ni.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 3076096 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 3076096 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 2068480 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 2068480 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 5013504 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 5013504 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 5070848 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-12-01 04:16 . 2009-12-01 04:16 5070848 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 5431296 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-12-01 04:15 . 2009-12-01 04:15 5431296 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 3036160 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2008-04-12 03:03 . 2008-04-12 03:03 3036160 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-12-01 04:14 . 2009-12-01 04:14 4345856 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-11-30 02:42 . 2009-11-30 02:42 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-07-11 13:04 . 2007-07-11 13:04 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-07-11 13:04 . 2007-07-11 13:04 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-30 02:42 . 2009-11-30 02:42 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-07-11 13:02 . 2007-07-11 13:02 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-30 02:40 . 2009-11-30 02:40 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-12-01 04:08 . 2009-12-01 04:08 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
- 2007-03-26 06:45 . 2007-03-26 06:45 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\ehcm.dll
+ 2009-08-11 07:08 . 2009-08-11 07:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-11-30 02:43 . 2009-11-30 02:43 15709696 c:\windows\Installer\1eb066.msp
+ 2009-08-11 00:09 . 2009-08-11 00:09 17254912 c:\windows\Installer\1eb04c.msp
+ 2009-12-01 04:21 . 2009-12-01 04:21 13193216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\9d25b8eabd8203e4d0490363140c4526\System.Windows.Forms.ni.dll
+ 2009-12-01 04:36 . 2009-12-01 04:37 12517376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\16a34a274ee877b4cf03d1a1bb57eb82\System.Web.ni.dll
+ 2009-12-01 04:21 . 2009-12-01 04:21 10936320 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\2aab58cae4d998cf867f483302e94c27\System.Design.ni.dll
+ 2009-12-01 04:20 . 2009-12-01 04:20 11436032 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\fee8c8ba9b84a7832274adcbfc9d5ca4\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-21 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 579072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-11 1312080]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-8 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-8 36903]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-7 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-21 06:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141644703\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141644703\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\kdx\\KHost.exe"=
"c:\\WINDOWS\\system32\\P3MxSvr.exe"=
"c:\\WINDOWS\\system32\\p3mxvsvr.exe"=
"c:\\WINDOWS\\system32\\muzmvsvr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\WINDOWS\\system32\\BugsSvr.exe"=
"c:\\WINDOWS\\system32\\p3bvsvr.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\pandora.tv\\minilite\\MiniStream.exe"=
"c:\\WINDOWS\\system32\\mnetasvr.exe"=
"c:\\WINDOWS\\system32\\mnetvsvr.exe"=
"c:\\Program Files\\pandora.tv\\minilite\\MiniLite.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\SayRadio.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10259:TCP"= 10259:TCP:BitComet 10259 TCP
"10259:UDP"= 10259:UDP:BitComet 10259 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S2 melvdvey;PnP ISA/EISA Bus Controller;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 2:00 AM 14336]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [12/8/2005 6:47 AM 100480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [5/21/2008 1:57 PM 34576]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/8/2005 6:46 AM 468768]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
melvdvey
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 22:34]

2009-11-30 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 21:20]

2006-05-01 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daum.net/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www.google.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\HP_Administrator\Favorites\FlashGet\jc_all.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download using FlashGet - c:\documents and settings\HP_Administrator\Favorites\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} - hxxp://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} - hxxp://www2.stlu.com/plugins/Plugin5.0.0219//streetnoagent7.cab
DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} - hxxp://image.pullbbang.com/newTop/Pull0Control.ocx
DPF: {2FDAF918-389E-4402-9DA1-F5348615BC30} - hxxp://www.dosirak.com/Commons/Activex/MROpen.cab
DPF: {40A217E1-BDDA-44DE-9BBC-D678C7B48603} - hxxp://www.bluemountainsoft.com/agent/EspressoAgent.ocx
DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} - hxxp://imgcdn.pandora.tv/pan_img/liveupdate/SVPorsche.cab
DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} - hxxp://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.gomtv.com/gom/GomWeb.cab
DPF: {868AB0F0-C411-4DB5-8279-E38AE3CDA3FD} - hxxp://listen.daum.net/52st/OiMPlayer/52MPlayer.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {8C165CC2-E50D-4D99-9D32-DAF6AB15AA32} - hxxp://www.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2.cab
DPF: {913BF18F-672D-4676-9855-F9A192A88886} - hxxp://touch.imbc.com/ocx/Online.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
DPF: {939612C6-DB72-4788-8BD1-6ED77E3EC4A9} - hxxp://dl.sayclub.com/sayclub/sayctl/sayradio.cab
DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - hxxp://www.diodeo.com/DioDeoPlayer.cab
DPF: {A0E7D0C1-9854-497E-8645-38C19AA00724} - hxxp://www.teenkorean.net/Penta/KoreanSecurity.cab
DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrtvset.cab
DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,3
DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} - hxxp://app.gomtv.com/gomtv/gomtvx.cab
DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} - hxxp://www.csafer.net/ActiveX/MAStreamCtrl.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - hxxp://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
DPF: {BD6F8792-B90E-4431-B0AB-08CF414E9D35} - hxxp://bgm.iple.com/Cab/SMMusicPlayerX.cab
DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - hxxp://www.diodeo.com/ActiveDiodeoPlayer.cab
DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} - hxxp://player.muz.co.kr/package/installer2007_02/p3Instal.cab
DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} - hxxp://touch.imbc.com/ocx/SetGlb.cab
DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} - hxxp://www.clubbox.co.kr/neo.fld/NowCAFE.cab
DPF: {D1160D6F-214B-4B4E-A361-977817ACC516} - hxxp://www.websafe.co.kr/websafe_player.cab
DPF: {D26A941D-7E89-4098-B583-43291FC14218} - hxxp://image.pullbbang.com/images/Pull0Control.ocx
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} - hxxp://www.clubbox.co.kr/neo.fld/MultiUpload.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\lxrbayv1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.daum.net/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npAbacast.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 18:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-30 18:46
ComboFix-quarantined-files.txt 2009-12-01 04:46
ComboFix2.txt 2009-11-30 02:03
ComboFix3.txt 2008-11-03 02:59

Pre-Run: 5,170,253,824 bytes free
Post-Run: 5,061,316,608 bytes free

- - End Of File - - CC7232DC97FDCE7BE680670E1A8CE5AF



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 20:34:00
Windows 5.1.2600 Service Pack 2
Running: 5j54385i.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapob.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8604D200, 0x32BAA, 0xE0000060]
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\NDIS \Device\Ndis [86054982] NDIS.sys[.reloc]
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.15 ----
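The GMER line above flags the `.reloc` section of NDIS.sys as executable, which is the kind of section-flag anomaly a patched system driver shows. As an added example (not code from the thread, from GMER or from ComboFix), the Python below parses a PE section table and reports non-code sections that carry the execute flag; the test image it builds is constructed data, and any driver path you pass on the command line is your own.

```python
"""PE section-table checker: flag non-code sections (.reloc, .rsrc, .data, ...)
that are marked executable, the way GMER's "section is executable" finding does.
Added example; the minimal PE image built by build_test_image() is constructed
test data, not a real driver."""
import hashlib
import struct
import sys
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Sections that never hold code in a normally built Microsoft driver.
NON_CODE_SECTIONS = {".reloc", ".rsrc", ".data", ".rdata", ".idata", ".edata"}

# (name, virtual address, virtual size, characteristics)
Section = Tuple[str, int, int, int]


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt            # section headers follow the optional header
    sections: List[Section] = []
    for i in range(num_sections):
        off = table + i * 40                # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return sections


def suspicious_sections(image: bytes) -> List[str]:
    """GMER-style findings: a data/relocation section that is executable
    (and, worse, writable too) is a strong sign the image has been patched.
    The bracketed triple is [RVA, virtual size, characteristics]."""
    findings = []
    for name, vaddr, vsize, chars in parse_sections(image):
        if name in NON_CODE_SECTIONS and chars & IMAGE_SCN_MEM_EXECUTE:
            kind = "executable+writable" if chars & IMAGE_SCN_MEM_WRITE else "executable"
            findings.append(f"{name} section is {kind} [0x{vaddr:08X}, 0x{vsize:X}, 0x{chars:08X}]")
    return findings


def build_test_image(reloc_chars: int) -> bytes:
    """Construct a minimal PE32 image with a .text and a .reloc section.
    Constructed test data only; the optional header is zero-filled apart from
    its PE32 magic, which is enough for the section-table walk above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    # Machine=i386, 2 sections, no symbols, SizeOfOptionalHeader, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def hdr(name: bytes, vaddr: int, vsize: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    text = hdr(b".text", 0x1000, 0x32BAA,
               IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc = hdr(b".reloc", 0x34000, 0x2000, reloc_chars)
    return dos + b"PE\0\0" + coff + opt + text + reloc


def file_report(path: str) -> Tuple[str, List[str]]:
    """Hash a file (so copies in dllcache / SoftwareDistribution can be compared
    against the live driver) and list its suspicious sections."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.sha256(data).hexdigest(), suspicious_sections(data)


if __name__ == "__main__":
    # Usage: python pe_section_check.py c:\windows\system32\drivers\ndis.sys [more paths]
    for p in sys.argv[1:]:
        digest, findings = file_report(p)
        print(f"{p}\n  sha256: {digest}")
        for f in findings:
            print(f"  {f}")
        if not findings:
            print("  no executable non-code sections")
```

A normal `.reloc` section carries only INITIALIZED_DATA | DISCARDABLE | READ (0x42000040); the 0xE0000060 GMER saw adds CODE, EXECUTE and WRITE.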

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 PM

Posted 01 December 2009 - 07:46 PM

Here is the deal. I may not be able to help you if you can't borrow someone's Windows XP install disc. You have a critical system file that is infected and the replacements on your computer are suspicious. This might work if we're lucky!

Try this please....

Follow the directions very carefully!!!

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

1. Go to c:\windows\system32\drivers

2. Locate the file - ndis.sys

3. Drag and move the file to Desktop

4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in the c:\windows\system32\drivers folder

5a. If a fresh copy is regenerated, Reboot the machine

5b. If a fresh copy IS NOT regenerated, move the copy from Desktop back to its original location. <--- Important!! If you neglect this step you will render your computer unbootable!!

If 5a was carried out, run GMER and post back the report.

==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG 7
It's outdated!!

Additional instructions can be found here if needed.

==========

Send me a copy of a suspicious file for analysis

1. Please go to here.
2. Where it asks for the "Link to topic where this file was requested" copy and paste in
http://www.bleepingcomputer.com/forums/t/273070/infected-with-hidden-rookit/
3. Where it says "Browse to the file you want to submit", browse to
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
4. Press the Send File button.

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\Uninstall_CDBurnerXP_A2B8C891E8B94C26975E193A62033974.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe1_A2B8C891E8B94C26975E193A62033974.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\cdbxp.exe_A2B8C891E8B94C26975E193A62033974.exe
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{896D642C-7125-44F0-AC49-A23ABF82209C}\ARPPRODUCTICON.exe

Folder::
C:\e8f0c7eda214ae264a


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Install AVG free antivirus
  • Visit http://free.avg.com/download?prd=afe to download AVG Free setup file to your desktop.
  • Double click the downloaded setup file to Install AVG Free then update it.
  • On the left side click Computer scanner and select Scan whole computer.
  • When the scan has finished, under the Result Overview tab at the end of the scan result click Export overview to file
  • Select File Type: All files Name:scan.txt and save it on your desktop.
  • Under the Warnings tab press Remove all unhealed infections. Then close the application.
  • Copy/paste the content of scan.txt located on your desktop to your reply.
==========

With your next post please provide:

* Did the drag and drop regenerate the file?
* Gmer log
* Did the file upload ok?
* Combofix.txt
* MBAM log
* AVG log
* How is your computer running

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 02 December 2009 - 10:53 PM

Hi,
I got an error message on step 3 ("Drag and move the file to Desktop"):

"Error Moving File or Folder
Cannot move ndis: Access is denied.
Make sure the disk is not full or write-protected
and that the file is not currently in use."


#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 PM

Posted 02 December 2009 - 11:17 PM

Complete the rest of the steps. I think I might have a way of digging you out of this mess without an XP install disc! :(

#14 yoori

yoori
  • Topic Starter

  • Members
  • 149 posts
  • Gender:Female
  • Location:In Your Dreams
  • Local time:04:30 PM

Posted 02 December 2009 - 11:23 PM

Yay! That's good to hear :(
Okay, so which step do I continue on?

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 PM

Posted 03 December 2009 - 12:14 AM

Please take your time and follow these instructions very carefully!!!

Go ahead and hold off on the rest of my prior post.

We need to get that System File replaced. I am going to have you create a BootCD. We will boot up your computer in this alternative OS then copy the System File from there to your Windows OS.

Do this...

*** Please print these instructions ***
  • Download Hiren's BootCD Iso to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
      • The tab should now show your current boot order.
      • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
    • Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • You should now be connected to the internet. You can open up our topic and follow the instructions. If you are unable to make the connection then you can manually enter the bolded command described below.
  • Double click the Command Prompt desktop icon.
  • Copy & paste the bolded command into the box and press enter

    copy "x:\i386\system32\drivers\ndis.sys" "c:\windows\system32\drivers\ndis.sys"

  • You will get a "1 file copied" prompt.
  • Reboot into Normal Windows and I will guide you from there.
Kind regards,
~ t
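As an added example (not part of the thread, and not thcbytes' instructions), the following batch script performs the same copy step from the HBCD command prompt but first keeps the suspect driver for later analysis and then checks the result byte for byte with fc /b instead of trusting the "1 file copied" message. It assumes the same drive letters as the post (X: is the MiniWindowsXP source, C: is the sick Windows install) and a quarantine folder name of my choosing.

```batch
@echo off
REM Added example, not from the thread: replace ndis.sys from the MiniXP
REM source (X:) into the sick Windows install (C:), keep the suspect copy
REM for analysis, and verify the replacement byte for byte.
setlocal
set SRC=x:\i386\system32\drivers\ndis.sys
set DST=c:\windows\system32\drivers\ndis.sys
set QUAR=c:\quarantine

if not exist "%SRC%" (
    echo Clean source %SRC% not found - check the HBCD drive letter.
    exit /b 1
)

REM Keep the suspected driver instead of overwriting it, so it can later be
REM compared with the clean file to confirm whether it was patched.
if not exist "%QUAR%" mkdir "%QUAR%"
if exist "%DST%" (
    copy /y "%DST%" "%QUAR%\ndis.sys.suspect" >nul
    echo Old driver saved to %QUAR%\ndis.sys.suspect
    REM fc /b returns errorlevel 0 when identical, 1 when the files differ.
    fc /b "%SRC%" "%DST%" >nul
    if errorlevel 1 (echo Installed ndis.sys DIFFERS from the clean copy.) else (echo Installed ndis.sys already matches the clean copy.)
)

copy /y "%SRC%" "%DST%"
if errorlevel 1 (
    echo Copy failed - the file may be locked or the path may be wrong.
    exit /b 1
)

REM Verify the replacement rather than trusting the "1 file copied" prompt.
fc /b "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo Verification FAILED: destination does not match source.
    exit /b 1
)
echo Verified: %DST% now matches the clean copy.
endlocal
```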



