
System almost useless after Security Tool / Red X Dot attack


  • This topic is locked
14 replies to this topic

#1 lstatner

lstatner

  • Members
  • 8 posts
  • Local time:01:58 AM

Posted 26 November 2009 - 12:46 AM

About 30 days ago system was attacked by "Security Tool" malware. Was running AVG Free at the time. Various forums said to use Malwarebytes to remove. Nasty malware disabled things and would not let me load Malwarebytes on to my system. With some difficulty and many iterations Security Tool was removed. But for following weeks browser was constantly redirected to various commerce sites. Ran AVG and Malwarebytes scans/updates daily--constantly found trojans, etc. Around the 22nd the system came on with another malware program that looked like Security Tool (different name). This thing even ran in Safe Mode and then there was the red dot/white X in the panel. Ran AVG scans, Malwarebytes scans--no good. Used HJT and Safe Mode AVG command line scan to identify files. Removed with HJT. More stuff came up. Malwarebytes' update yesterday got rid of that. Switched to Avast! today. Did complete scan--it found 6 different trojans, etc.

My system is almost useless unless in Safe Mode. In normal boot, it is so slow--completely unresponsive. I don't know if the registry's been damaged or if a system file's been removed, or what--that's why I'm asking for HELP!

DDS (Ver_09-11-24.02) - NTFSx86 NETWORK
Run by Administrator at 20:17:22.45 on Wed 11/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.473 [GMT -8:00]

AV: System Defender *On-access scanning enabled* (Updated) {B187DB82-9459-4EAD-B165-1F4BCFE78B51}
AV: avast! antivirus 4.8.1367 [VPS 091125-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: System Defender *enabled* {C9469744-F927-4EC4-AB3E-4111A5139219}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WRCFUTU1\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/go/hjt/error/?function%3DmodMain%5FFixUNIXHostsFile%26params%3D%26errorno%3D75%26errortxtPath%2FFile+access+error%26winver%3DWindows+NT+5%2E01%2E2600%26iever%3D7%2E0%2E5730%2E11%26hjtver%3D2%2E0%2E2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [<NO NAME>]
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172629451045
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172630233671
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.34/ttinst.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
LSA: Notification Packages = scecli nodedeje.dll MFMFC70.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 192.168.1.104 HP000D9D23CE6E
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
S2 bhesdytg;bhesdytg;c:\windows\system32\drivers\tznlwuij.sys [2009-11-24 71424]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

=============== Created Last 30 ================

2009-11-26 04:06:24 0 d-----w- c:\windows\pss
2009-11-26 03:43:43 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-11-25 08:34:55 0 d-sh--w- C:\found.000
2009-11-25 08:03:45 237600 ------w- c:\windows\system32\drivers\str.sys
2009-11-25 01:39:39 712704 ----a-w- c:\documents and settings\administrator\s-1-5-21-1202660629-790525478-839522115-500.rrr
2009-11-25 01:37:07 0 d-----w- c:\docume~1\admini~1\applic~1\Registry Mechanic
2009-11-25 00:00:57 23040 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-24 14:53:55 0 ----a-w- c:\windows\system32\12316.exe
2009-11-24 14:48:22 71424 ----a-w- c:\windows\system32\drivers\tznlwuij.sys
2009-11-24 14:33:54 0 ----a-w- c:\windows\system32\778.exe
2009-11-24 14:13:54 0 ----a-w- c:\windows\system32\27529.exe
2009-11-24 13:53:53 0 ----a-w- c:\windows\system32\9741.exe
2009-11-24 13:33:53 0 ----a-w- c:\windows\system32\8723.exe
2009-11-24 13:13:52 0 ----a-w- c:\windows\system32\12859.exe
2009-11-24 12:53:52 0 ----a-w- c:\windows\system32\20037.exe
2009-11-24 12:33:51 0 ----a-w- c:\windows\system32\32757.exe
2009-11-24 12:13:51 0 ----a-w- c:\windows\system32\32662.exe
2009-11-24 11:53:51 0 ----a-w- c:\windows\system32\27644.exe
2009-11-24 11:33:50 0 ----a-w- c:\windows\system32\25547.exe
2009-11-24 11:13:50 0 ----a-w- c:\windows\system32\6868.exe
2009-11-24 10:53:49 0 ----a-w- c:\windows\system32\28253.exe
2009-11-24 10:33:49 0 ----a-w- c:\windows\system32\7711.exe
2009-11-24 10:13:48 0 ----a-w- c:\windows\system32\15141.exe
2009-11-24 09:53:48 0 ----a-w- c:\windows\system32\4664.exe
2009-11-24 09:33:47 0 ----a-w- c:\windows\system32\17673.exe
2009-11-24 09:13:47 0 ----a-w- c:\windows\system32\30333.exe
2009-11-24 08:53:47 0 ----a-w- c:\windows\system32\31322.exe
2009-11-24 08:33:46 0 ----a-w- c:\windows\system32\23811.exe
2009-11-24 08:13:46 0 ----a-w- c:\windows\system32\28703.exe
2009-11-24 07:53:45 0 ----a-w- c:\windows\system32\9894.exe
2009-11-24 07:33:45 0 ----a-w- c:\windows\system32\17035.exe
2009-11-24 07:13:44 0 ----a-w- c:\windows\system32\26299.exe
2009-11-24 06:53:44 0 ----a-w- c:\windows\system32\25667.exe
2009-11-24 06:33:43 0 ----a-w- c:\windows\system32\19912.exe
2009-11-24 06:13:43 0 ----a-w- c:\windows\system32\1869.exe
2009-11-24 05:53:43 0 ----a-w- c:\windows\system32\11538.exe
2009-11-24 05:33:42 0 ----a-w- c:\windows\system32\14771.exe
2009-11-24 05:13:42 0 ----a-w- c:\windows\system32\21726.exe
2009-11-24 04:53:41 0 ----a-w- c:\windows\system32\5447.exe
2009-11-24 04:33:41 0 ----a-w- c:\windows\system32\19895.exe
2009-11-24 04:13:40 0 ----a-w- c:\windows\system32\19718.exe
2009-11-24 03:53:40 0 ----a-w- c:\windows\system32\18716.exe
2009-11-24 03:33:39 0 ----a-w- c:\windows\system32\17421.exe
2009-11-24 03:13:39 0 ----a-w- c:\windows\system32\12382.exe
2009-11-24 02:53:38 0 ----a-w- c:\windows\system32\292.exe
2009-11-24 02:33:38 0 ----a-w- c:\windows\system32\153.exe
2009-11-24 02:13:38 0 ----a-w- c:\windows\system32\3902.exe
2009-11-24 01:53:37 0 ----a-w- c:\windows\system32\14604.exe
2009-11-24 01:33:36 0 ----a-w- c:\windows\system32\32391.exe
2009-11-24 01:13:36 0 ----a-w- c:\windows\system32\5436.exe
2009-11-24 00:53:35 0 ----a-w- c:\windows\system32\4827.exe
2009-11-24 00:33:35 0 ----a-w- c:\windows\system32\11942.exe
2009-11-24 00:13:34 0 ----a-w- c:\windows\system32\2995.exe
2009-11-23 23:53:34 0 ----a-w- c:\windows\system32\491.exe
2009-11-23 23:33:33 0 ----a-w- c:\windows\system32\9961.exe
2009-11-23 23:13:33 0 ----a-w- c:\windows\system32\16827.exe
2009-11-23 22:53:23 0 ----a-w- c:\windows\system32\23281.exe
2009-11-23 22:33:22 0 ----a-w- c:\windows\system32\28145.exe
2009-11-23 22:13:19 0 ----a-w- c:\windows\system32\5705.exe
2009-11-23 21:53:18 0 ----a-w- c:\windows\system32\24464.exe
2009-11-23 21:33:17 0 ----a-w- c:\windows\system32\26962.exe
2009-11-23 21:13:16 0 ----a-w- c:\windows\system32\29358.exe
2009-11-23 20:53:16 0 ----a-w- c:\windows\system32\11478.exe
2009-11-23 20:33:15 0 ----a-w- c:\windows\system32\15724.exe
2009-11-23 20:13:15 0 ----a-w- c:\windows\system32\19169.exe
2009-11-23 19:53:14 0 ----a-w- c:\windows\system32\26500.exe
2009-11-23 19:33:14 0 ----a-w- c:\windows\system32\6334.exe
2009-11-23 19:13:13 0 ----a-w- c:\windows\system32\18467.exe
2009-11-18 21:22:19 0 d-----w- c:\docume~1\alluse~1\applic~1\2e035
2009-11-18 21:21:23 0 d-sh--w- c:\documents and settings\all users\809ae2c
2009-11-09 18:08:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-09 18:08:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 01:11:42 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-05 05:56:31 0 ----a-w- c:\windows\ViewNX.INI
2009-11-04 21:30:39 0 d-----w- c:\program files\common files\Nikon
2009-11-04 21:30:36 0 d-----w- c:\program files\Nikon
2009-11-04 21:30:11 0 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-11-03 06:24:32 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2009-10-15 05:50:19 37624 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-20 16:39:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 07:36:15 131928 ----a-w- c:\windows\fonts\WOODBADG.TTF
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 20:19:20.25 =============== :(
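The DDS log above carries the indicators a helper looks at first: two IFEO entries (brastk.exe and svchost.exe redirected), HOSTS lines that pin payment and security-software domain names to a public address, policy keys that lock the user out of Task Manager, regedit and Folder Options, LSA notification packages beyond the stock scecli, and a run of zero-byte numbered .exe files dropped into system32 every 20 minutes. The Python script below is an added example for this editorial pass; it is not part of the thread and not code from DDS, GMER or BleepingComputer. It runs those checks over a constructed subset of lines copied from the log above. The LOCKOUT_POLICIES and STOCK_LSA_PACKAGES sets, the "public address" rule for HOSTS lines and the three-file threshold are assumptions chosen for illustration, not DDS behaviour.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the 'Pseudo HJT Report' lines from the log above.
SAMPLE_HJT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
LSA: Notification Packages = scecli nodedeje.dll MFMFC70.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 192.168.1.104 HP000D9D23CE6E
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
"""

# Constructed subset of the 'Created Last 30' lines from the log above.
SAMPLE_CREATED = r"""
2009-11-26 03:43:43 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-11-24 14:53:55 0 ----a-w- c:\windows\system32\12316.exe
2009-11-24 14:33:54 0 ----a-w- c:\windows\system32\778.exe
2009-11-24 14:13:54 0 ----a-w- c:\windows\system32\27529.exe
2009-11-24 13:53:53 0 ----a-w- c:\windows\system32\9741.exe
2009-11-04 21:30:36 0 d-----w- c:\program files\Nikon
"""

# Assumption: a home XP box never sets these itself; rogue AV sets them to
# keep the user out of Task Manager, regedit and Folder Options.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
# Assumption: 'scecli' is the only LSA notification package expected by default.
STOCK_LSA_PACKAGES = {"scecli"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^dPolicies-\w+:\s+(\w+)\s*=\s*(\d+)")
IFEO_RE = re.compile(r"^IFEO:\s+(.+?)\s+-\s+(\S+)")
LSA_RE = re.compile(r"^LSA:\s+Notification Packages\s*=\s*(.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+\S+\s+(.+)$")


@dataclass
class Finding:
    category: str  # hosts / policy / ifeo / lsa
    detail: str


def triage_hjt(text: str) -> list:
    """Return one Finding per suspicious Pseudo-HJT line in the DDS text."""
    findings = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            addr = ipaddress.ip_address(ip)
            # A LAN printer pinned to a private address is normal; a vendor
            # or payment domain pinned to a public address is a redirect.
            if not (addr.is_loopback or addr.is_private):
                findings.append(Finding("hosts", f"{name} pinned to public address {ip}"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(Finding("policy", f"{m.group(1)} = {m.group(2)}"))
            continue
        m = IFEO_RE.match(line)
        if m:
            # DDS prints only non-default IFEO entries; a Debugger value makes
            # Windows start the named target instead of the real program.
            findings.append(Finding("ifeo", f"{m.group(1)} redirected to {m.group(2)}"))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() not in STOCK_LSA_PACKAGES:
                    findings.append(Finding("lsa", f"non-stock notification package {pkg}"))
    return findings


def zero_byte_numeric_exes(text: str, min_count: int = 3) -> dict:
    """Map directory -> number of zero-byte, purely numeric .exe files created
    there, keeping only directories at or above min_count (assumed threshold)."""
    per_dir = Counter()
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, path = int(m.group(1)), m.group(2)
        directory, _, name = path.rpartition("\\")
        if size == 0 and re.fullmatch(r"\d+\.exe", name, re.IGNORECASE):
            per_dir[directory.lower()] += 1
    return {d: n for d, n in per_dir.items() if n >= min_count}


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.category}] {f.detail}")
    for d, n in zero_byte_numeric_exes(SAMPLE_CREATED).items():
        print(f"[created] {n} zero-byte numeric .exe files in {d}")
```

On the sample above the script reports nine Pseudo-HJT findings (two HOSTS redirects, three lockout policies, two IFEO entries, two non-stock LSA packages) and four zero-byte numeric executables in system32; the printer's private-address HOSTS line and the Nikon directory are correctly left alone.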


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:58 AM

Posted 27 November 2009 - 09:53 AM

Hi lstatner,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Download and run Win32kDiag:
  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Also post a fresh DDS.txt log. No need for Attach.txt unless you have installed new software.


#3 lstatner

lstatner
  • Topic Starter

  • Members
  • 8 posts
  • Local time:01:58 AM

Posted 28 November 2009 - 01:47 AM

Farbar--

Thank you so much for your response.

I'm attaching the requested files, plus a new zipped attach file since I may have added something in the day that went by before I got your response.


DDS (Ver_09-11-24.02) - NTFSx86 NETWORK
Run by Administrator at 22:25:58.68 on Fri 11/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.584 [GMT -8:00]

AV: avast! antivirus 4.8.1367 [VPS 091125-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.trendmicro.com/go/hjt/error/?function%3DmodMain%5FFixUNIXHostsFile%26params%3D%26errorno%3D75%26errortxtPath%2FFile+access+error%26winver%3DWindows+NT+5%2E01%2E2600%26iever%3D7%2E0%2E5730%2E11%26hjtver%3D2%2E0%2E2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [<NO NAME>]
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172629451045
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172630233671
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.34/ttinst.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
LSA: Notification Packages = scecli nodedeje.dll MFMFC70.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 192.168.1.104 HP000D9D23CE6E

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
S2 bhesdytg;bhesdytg;\??\c:\windows\system32\drivers\tznlwuij.sys --> c:\windows\system32\drivers\tznlwuij.sys [?]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

=============== Created Last 30 ================

2009-11-26 09:51:19 24064 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-26 09:29:07 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-11-26 08:15:21 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 08:15:21 0 d-----w- c:\documents and settings\administrator\log
2009-11-26 04:06:24 0 d-----w- c:\windows\pss
2009-11-25 08:34:55 0 d-sh--w- C:\found.000
2009-11-25 08:03:45 237600 ------w- c:\windows\system32\drivers\str.sys
2009-11-25 01:39:39 712704 ----a-w- c:\documents and settings\administrator\s-1-5-21-1202660629-790525478-839522115-500.rrr
2009-11-25 01:37:07 0 d-----w- c:\docume~1\admini~1\applic~1\Registry Mechanic
2009-11-24 14:53:55 0 ----a-w- c:\windows\system32\12316.exe
2009-11-24 14:33:54 0 ----a-w- c:\windows\system32\778.exe
2009-11-24 14:13:54 0 ----a-w- c:\windows\system32\27529.exe
2009-11-24 13:53:53 0 ----a-w- c:\windows\system32\9741.exe
2009-11-24 13:33:53 0 ----a-w- c:\windows\system32\8723.exe
2009-11-24 13:13:52 0 ----a-w- c:\windows\system32\12859.exe
2009-11-24 12:53:52 0 ----a-w- c:\windows\system32\20037.exe
2009-11-24 12:33:51 0 ----a-w- c:\windows\system32\32757.exe
2009-11-24 12:13:51 0 ----a-w- c:\windows\system32\32662.exe
2009-11-24 11:53:51 0 ----a-w- c:\windows\system32\27644.exe
2009-11-24 11:33:50 0 ----a-w- c:\windows\system32\25547.exe
2009-11-24 11:13:50 0 ----a-w- c:\windows\system32\6868.exe
2009-11-24 10:53:49 0 ----a-w- c:\windows\system32\28253.exe
2009-11-24 10:33:49 0 ----a-w- c:\windows\system32\7711.exe
2009-11-24 10:13:48 0 ----a-w- c:\windows\system32\15141.exe
2009-11-24 09:53:48 0 ----a-w- c:\windows\system32\4664.exe
2009-11-24 09:33:47 0 ----a-w- c:\windows\system32\17673.exe
2009-11-24 09:13:47 0 ----a-w- c:\windows\system32\30333.exe
2009-11-24 08:53:47 0 ----a-w- c:\windows\system32\31322.exe
2009-11-24 08:33:46 0 ----a-w- c:\windows\system32\23811.exe
2009-11-24 08:13:46 0 ----a-w- c:\windows\system32\28703.exe
2009-11-24 07:53:45 0 ----a-w- c:\windows\system32\9894.exe
2009-11-24 07:33:45 0 ----a-w- c:\windows\system32\17035.exe
2009-11-24 07:13:44 0 ----a-w- c:\windows\system32\26299.exe
2009-11-24 06:53:44 0 ----a-w- c:\windows\system32\25667.exe
2009-11-24 06:33:43 0 ----a-w- c:\windows\system32\19912.exe
2009-11-24 06:13:43 0 ----a-w- c:\windows\system32\1869.exe
2009-11-24 05:53:43 0 ----a-w- c:\windows\system32\11538.exe
2009-11-24 05:33:42 0 ----a-w- c:\windows\system32\14771.exe
2009-11-24 05:13:42 0 ----a-w- c:\windows\system32\21726.exe
2009-11-24 04:53:41 0 ----a-w- c:\windows\system32\5447.exe
2009-11-24 04:33:41 0 ----a-w- c:\windows\system32\19895.exe
2009-11-24 04:13:40 0 ----a-w- c:\windows\system32\19718.exe
2009-11-24 03:53:40 0 ----a-w- c:\windows\system32\18716.exe
2009-11-24 03:33:39 0 ----a-w- c:\windows\system32\17421.exe
2009-11-24 03:13:39 0 ----a-w- c:\windows\system32\12382.exe
2009-11-24 02:53:38 0 ----a-w- c:\windows\system32\292.exe
2009-11-24 02:33:38 0 ----a-w- c:\windows\system32\153.exe
2009-11-24 02:13:38 0 ----a-w- c:\windows\system32\3902.exe
2009-11-24 01:53:37 0 ----a-w- c:\windows\system32\14604.exe
2009-11-24 01:33:36 0 ----a-w- c:\windows\system32\32391.exe
2009-11-24 01:13:36 0 ----a-w- c:\windows\system32\5436.exe
2009-11-24 00:53:35 0 ----a-w- c:\windows\system32\4827.exe
2009-11-24 00:33:35 0 ----a-w- c:\windows\system32\11942.exe
2009-11-24 00:13:34 0 ----a-w- c:\windows\system32\2995.exe
2009-11-23 23:53:34 0 ----a-w- c:\windows\system32\491.exe
2009-11-23 23:33:33 0 ----a-w- c:\windows\system32\9961.exe
2009-11-23 23:13:33 0 ----a-w- c:\windows\system32\16827.exe
2009-11-23 22:53:23 0 ----a-w- c:\windows\system32\23281.exe
2009-11-23 22:33:22 0 ----a-w- c:\windows\system32\28145.exe
2009-11-23 22:13:19 0 ----a-w- c:\windows\system32\5705.exe
2009-11-23 21:53:18 0 ----a-w- c:\windows\system32\24464.exe
2009-11-23 21:33:17 0 ----a-w- c:\windows\system32\26962.exe
2009-11-23 21:13:16 0 ----a-w- c:\windows\system32\29358.exe
2009-11-23 20:53:16 0 ----a-w- c:\windows\system32\11478.exe
2009-11-23 20:33:15 0 ----a-w- c:\windows\system32\15724.exe
2009-11-23 20:13:15 0 ----a-w- c:\windows\system32\19169.exe
2009-11-23 19:53:14 0 ----a-w- c:\windows\system32\26500.exe
2009-11-23 19:33:14 0 ----a-w- c:\windows\system32\6334.exe
2009-11-23 19:13:13 0 ----a-w- c:\windows\system32\18467.exe
2009-11-18 21:22:19 0 d-----w- c:\docume~1\alluse~1\applic~1\2e035
2009-11-18 21:21:23 0 d-sh--w- c:\documents and settings\all users\809ae2c
2009-11-09 18:08:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-09 18:08:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 01:11:42 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-05 05:56:31 0 ----a-w- c:\windows\ViewNX.INI
2009-11-04 21:30:39 0 d-----w- c:\program files\common files\Nikon
2009-11-04 21:30:36 0 d-----w- c:\program files\Nikon
2009-11-04 21:30:11 0 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-11-03 06:24:32 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2009-10-15 05:50:19 37624 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-20 16:39:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 07:36:15 131928 ----a-w- c:\windows\fonts\WOODBADG.TTF

============= FINISH: 22:27:47.73 ===============

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 17:32:25
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwryyuog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F75BBB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll

[1] 2005-07-25 20:20:23 225792 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrv.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:42 225792 C:\WINDOWS\$NtServicePackUninstall$\catsrv.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:08 215040 C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll ()

[1] 2004-08-03 23:56:41 229888 C:\WINDOWS\$NtUninstallKB902400$\catsrv.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 225280 C:\WINDOWS\$xpsp1hfm$\KB828741\catsrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 226304 C:\WINDOWS\ServicePackFiles\i386\catsrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 226304 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\catsrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 226304 C:\WINDOWS\system32\catsrv.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll

[1] 2005-07-25 20:20:23 625152 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrvut.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 625152 C:\WINDOWS\$NtServicePackUninstall$\catsrvut.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:08 583168 C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll ()

[1] 2004-08-03 23:56:41 628224 C:\WINDOWS\$NtUninstallKB902400$\catsrvut.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 594944 C:\WINDOWS\$xpsp1hfm$\KB828741\catsrvut.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 625664 C:\WINDOWS\ServicePackFiles\i386\catsrvut.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 625664 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\catsrvut.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 625664 C:\WINDOWS\system32\catsrvut.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll

[1] 2005-07-25 20:20:23 110080 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 110080 C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:30 100864 C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll ()

[1] 2004-08-03 23:56:41 110080 C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 110080 C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatex.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 110592 C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 110592 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatex.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 110592 C:\WINDOWS\system32\clbcatex.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll

[1] 2005-07-25 20:20:24 498688 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 498688 C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:30 468480 C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll ()

[1] 2004-08-03 23:56:41 501248 C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 499712 C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatq.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 498688 C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 498688 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatq.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 498688 C:\WINDOWS\system32\clbcatq.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\colbact.dll

[1] 2005-07-25 20:20:24 60416 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\colbact.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:24 60416 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\colbact.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:43 60416 C:\WINDOWS\$NtServicePackUninstall$\colbact.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:41 56832 C:\WINDOWS\$NtUninstallKB828741$\colbact.dll ()

[1] 2004-08-03 23:56:41 62464 C:\WINDOWS\$NtUninstallKB902400$\colbact.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 64512 C:\WINDOWS\$xpsp1hfm$\KB828741\colbact.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 60416 C:\WINDOWS\ServicePackFiles\i386\colbact.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 60416 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\colbact.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 60416 C:\WINDOWS\system32\colbact.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll

[1] 2005-07-25 20:20:24 195072 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comadmin.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:44 195072 C:\WINDOWS\$NtServicePackUninstall$\comadmin.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:42 186880 C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll ()

[1] 2004-08-03 23:56:41 195584 C:\WINDOWS\$NtUninstallKB902400$\comadmin.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 187904 C:\WINDOWS\$xpsp1hfm$\KB828741\comadmin.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 195072 C:\WINDOWS\ServicePackFiles\i386\comadmin.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 195072 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comadmin.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 195072 C:\WINDOWS\system32\Com\comadmin.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe

[1] 2004-08-03 23:56:48 9728 C:\WINDOWS\$NtServicePackUninstall$\comrepl.exe (Microsoft Corporation)

[1] 2002-06-25 11:02:55 8192 C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe ()

[1] 2004-02-17 10:49:58 8192 C:\WINDOWS\$xpsp1hfm$\KB828741\comrepl.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:15 9728 C:\WINDOWS\ServicePackFiles\i386\comrepl.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:15 9728 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comrepl.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:15 9728 C:\WINDOWS\system32\Com\comrepl.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll

[1] 2005-07-25 20:20:27 1267200 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comsvcs.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:44 1267200 C:\WINDOWS\$NtServicePackUninstall$\comsvcs.dll (Microsoft Corporation)

[1] 2002-06-25 11:02:56 1139200 C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll ()

[1] 2004-08-03 23:56:41 1251840 C:\WINDOWS\$NtUninstallKB902400$\comsvcs.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 1194496 C:\WINDOWS\$xpsp1hfm$\KB828741\comsvcs.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 1267200 C:\WINDOWS\ServicePackFiles\i386\comsvcs.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 1267200 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comsvcs.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 1267200 C:\WINDOWS\system32\comsvcs.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\comuid.dll

[1] 2005-07-25 20:20:28 540160 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comuid.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:45 540160 C:\WINDOWS\$NtServicePackUninstall$\comuid.dll (Microsoft Corporation)

[1] 2002-06-25 11:02:57 495616 C:\WINDOWS\$NtUninstallKB828741$\comuid.dll ()

[1] 2004-08-03 23:56:41 540160 C:\WINDOWS\$NtUninstallKB902400$\comuid.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 499200 C:\WINDOWS\$xpsp1hfm$\KB828741\comuid.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 539648 C:\WINDOWS\ServicePackFiles\i386\comuid.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 539648 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comuid.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 539648 C:\WINDOWS\system32\comuid.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\es.dll

[1] 2005-07-25 20:20:28 243200 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:06:43 253952 C:\WINDOWS\$hf_mig$\KB950974\SP2QFE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:26:58 253952 C:\WINDOWS\$hf_mig$\KB950974\SP3GDR\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:23:18 253952 C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:32:22 253952 C:\WINDOWS\$NtServicePackUninstall$\es.dll (Microsoft Corporation)

[1] 2002-06-25 11:05:47 224768 C:\WINDOWS\$NtUninstallKB828741$\es.dll ()

[1] 2004-08-03 23:56:42 243200 C:\WINDOWS\$NtUninstallKB902400$\es.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 246272 C:\WINDOWS\$NtUninstallKB950974$\es.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:45 243200 C:\WINDOWS\$NtUninstallKB950974_0$\es.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 226816 C:\WINDOWS\$xpsp1hfm$\KB828741\es.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 246272 C:\WINDOWS\ServicePackFiles\i386\es.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 246272 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:26:58 253952 C:\WINDOWS\system32\dllcache\es.dll (Microsoft Corporation)

[1] 2008-07-07 12:26:58 253952 C:\WINDOWS\system32\es.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe

[1] 2005-07-25 15:42:35 8704 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe (Microsoft Corporation)

[1] 2004-08-03 23:56:51 7680 C:\WINDOWS\$NtServicePackUninstall$\migregdb.exe (Microsoft Corporation)

[1] 2002-06-25 11:13:46 6656 C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe ()

[1] 2004-02-17 10:50:10 6656 C:\WINDOWS\$xpsp1hfm$\KB828741\migregdb.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:25 7680 C:\WINDOWS\ServicePackFiles\i386\migregdb.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:25 7680 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\migregdb.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll

[1] 2005-07-25 20:20:29 425472 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 426496 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:12 428032 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 428032 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 428032 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 428032 C:\WINDOWS\$NtServicePackUninstall$\msdtcprx.dll (Microsoft Corporation)

[1] 2002-06-25 11:15:34 360960 C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll ()

[1] 2004-08-03 23:56:43 425472 C:\WINDOWS\$NtUninstallKB902400$\msdtcprx.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:46 425472 C:\WINDOWS\$NtUninstallKB913580$\msdtcprx.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 427008 C:\WINDOWS\$NtUninstallKB952004$\msdtcprx.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 426496 C:\WINDOWS\$NtUninstallKB952004_0$\msdtcprx.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 367616 C:\WINDOWS\$xpsp1hfm$\KB828741\msdtcprx.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 427008 C:\WINDOWS\ServicePackFiles\i386\msdtcprx.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 427008 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 428032 C:\WINDOWS\system32\dllcache\msdtcprx.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 428032 C:\WINDOWS\system32\msdtcprx.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll

[1] 2005-07-25 20:20:31 945152 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 956416 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 956928 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 956928 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 956928 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 956928 C:\WINDOWS\$NtServicePackUninstall$\msdtctm.dll (Microsoft Corporation)

[1] 2002-06-25 11:15:35 869376 C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll ()

[1] 2004-08-03 23:56:43 949248 C:\WINDOWS\$NtUninstallKB902400$\msdtctm.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 945152 C:\WINDOWS\$NtUninstallKB913580$\msdtctm.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 956928 C:\WINDOWS\$NtUninstallKB952004$\msdtctm.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 956416 C:\WINDOWS\$NtUninstallKB952004_0$\msdtctm.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 977920 C:\WINDOWS\$xpsp1hfm$\KB828741\msdtctm.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 956928 C:\WINDOWS\ServicePackFiles\i386\msdtctm.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 956928 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 956928 C:\WINDOWS\system32\dllcache\msdtctm.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 956928 C:\WINDOWS\system32\msdtctm.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll

[1] 2005-07-25 20:20:31 161280 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 161280 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 161792 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 161792 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 161792 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 161792 C:\WINDOWS\$NtServicePackUninstall$\msdtcuiu.dll (Microsoft Corporation)

[1] 2002-06-25 11:15:36 151040 C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll ()

[1] 2004-08-03 23:56:43 161280 C:\WINDOWS\$NtUninstallKB902400$\msdtcuiu.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 161280 C:\WINDOWS\$NtUninstallKB913580$\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 161792 C:\WINDOWS\$NtUninstallKB952004$\msdtcuiu.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 161280 C:\WINDOWS\$NtUninstallKB952004_0$\msdtcuiu.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 150528 C:\WINDOWS\$xpsp1hfm$\KB828741\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 161792 C:\WINDOWS\ServicePackFiles\i386\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 161792 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 161792 C:\WINDOWS\system32\dllcache\msdtcuiu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 161792 C:\WINDOWS\system32\msdtcuiu.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll

[1] 2005-07-25 20:20:39 66560 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 66560 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 66560 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 66560 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 66560 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 66560 C:\WINDOWS\$NtServicePackUninstall$\mtxclu.dll (Microsoft Corporation)

[1] 2002-06-25 11:17:12 61440 C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll ()

[1] 2004-08-03 23:56:44 66560 C:\WINDOWS\$NtUninstallKB902400$\mtxclu.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 66560 C:\WINDOWS\$NtUninstallKB913580$\mtxclu.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 66560 C:\WINDOWS\$NtUninstallKB952004$\mtxclu.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 66560 C:\WINDOWS\$NtUninstallKB952004_0$\mtxclu.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 64512 C:\WINDOWS\$xpsp1hfm$\KB828741\mtxclu.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 66560 C:\WINDOWS\ServicePackFiles\i386\mtxclu.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 66560 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 66560 C:\WINDOWS\system32\dllcache\mtxclu.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 66560 C:\WINDOWS\system32\mtxclu.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll

[1] 2005-07-25 20:20:40 91136 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2006-03-01 11:34:20 91136 C:\WINDOWS\$hf_mig$\KB913580\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 05:47:13 91648 C:\WINDOWS\$hf_mig$\KB952004\SP2QFE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 91648 C:\WINDOWS\$hf_mig$\KB952004\SP3GDR\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:09:35 91648 C:\WINDOWS\$hf_mig$\KB952004\SP3QFE\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:16:46 91648 C:\WINDOWS\$NtServicePackUninstall$\mtxoci.dll (Microsoft Corporation)

[1] 2002-06-25 11:17:13 83968 C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll ()

[1] 2004-08-03 23:56:44 90112 C:\WINDOWS\$NtUninstallKB902400$\mtxoci.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:47 91136 C:\WINDOWS\$NtUninstallKB913580$\mtxoci.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 91648 C:\WINDOWS\$NtUninstallKB952004$\mtxoci.dll (Microsoft Corporation)

[1] 2006-03-01 11:42:42 91136 C:\WINDOWS\$NtUninstallKB952004_0$\mtxoci.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 82432 C:\WINDOWS\$xpsp1hfm$\KB828741\mtxoci.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 91648 C:\WINDOWS\ServicePackFiles\i386\mtxoci.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 91648 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 91648 C:\WINDOWS\system32\dllcache\mtxoci.dll (Microsoft Corporation)

[1] 2008-06-12 06:23:32 91648 C:\WINDOWS\system32\mtxoci.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\ole32.dll

[1] 2005-04-28 11:35:02 1286144 C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\ole32.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:40 1285632 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\ole32.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:48 1285120 C:\WINDOWS\$NtServicePackUninstall$\ole32.dll (Microsoft Corporation)

[1] 2002-06-25 11:20:30 1141248 C:\WINDOWS\$NtUninstallKB828741$\ole32.dll ()

[1] 2004-08-03 23:56:44 1281536 C:\WINDOWS\$NtUninstallKB894391$\ole32.dll (Microsoft Corporation)

[1] 2005-04-28 11:31:11 1285120 C:\WINDOWS\$NtUninstallKB902400$\ole32.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 1183744 C:\WINDOWS\$xpsp1hfm$\KB828741\ole32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 1287168 C:\WINDOWS\ServicePackFiles\i386\ole32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 1287168 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ole32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 1287168 C:\WINDOWS\system32\ole32.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll

[1] 2009-04-15 07:24:20 585216 C:\WINDOWS\$hf_mig$\KB970238\SP3QFE\rpcrt4.dll (Microsoft Corporation)

[1] 2007-07-09 05:16:16 582656 C:\WINDOWS\$NtServicePackUninstall$\rpcrt4.dll (Microsoft Corporation)

[1] 2002-06-25 11:23:35 463872 C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll ()

[1] 2004-08-03 23:56:44 581120 C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 584704 C:\WINDOWS\$NtUninstallKB970238$\rpcrt4.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 535552 C:\WINDOWS\$xpsp1hfm$\KB828741\rpcrt4.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 584704 C:\WINDOWS\ServicePackFiles\i386\rpcrt4.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 584704 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\rpcrt4.dll (Microsoft Corporation)

[1] 2009-04-15 06:51:25 585216 C:\WINDOWS\system32\dllcache\rpcrt4.dll (Microsoft Corporation)

[1] 2009-04-15 06:51:25 585216 C:\WINDOWS\system32\rpcrt4.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll

[1] 2005-04-28 11:35:01 396288 C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2005-07-25 20:20:40 398336 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:01:53 401408 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:48 401408 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:56:36 401408 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 02:20:34 399360 C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll (Microsoft Corporation)

[1] 2002-06-25 11:23:36 259072 C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll ()

[1] 2004-08-03 23:56:44 395776 C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll (Microsoft Corporation)

[1] 2005-04-28 11:31:11 395776 C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 399360 C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:49 397824 C:\WINDOWS\$NtUninstallKB956572_0$\rpcss.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:11 263680 C:\WINDOWS\$xpsp1hfm$\KB828741\rpcss.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 399360 C:\WINDOWS\ServicePackFiles\i386\rpcss.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:04 399360 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:48 401408 C:\WINDOWS\system32\dllcache\rpcss.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:48 401408 C:\WINDOWS\system32\rpcss.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB828741$\txflog.dll

[1] 2005-07-25 20:20:40 101376 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\txflog.dll (Microsoft Corporation)

[1] 2005-07-25 20:39:49 101376 C:\WINDOWS\$NtServicePackUninstall$\txflog.dll (Microsoft Corporation)

[1] 2002-06-25 11:29:43 90624 C:\WINDOWS\$NtUninstallKB828741$\txflog.dll ()

[1] 2004-08-03 23:56:46 101376 C:\WINDOWS\$NtUninstallKB902400$\txflog.dll (Microsoft Corporation)

[1] 2004-03-05 18:16:10 97280 C:\WINDOWS\$xpsp1hfm$\KB828741\txflog.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:07 101376 C:\WINDOWS\ServicePackFiles\i386\txflog.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:07 101376 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\txflog.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:07 101376 C:\WINDOWS\system32\txflog.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\browser.dll

[1] 2004-08-03 23:56:41 77312 C:\WINDOWS\$NtServicePackUninstall$\browser.dll (Microsoft Corporation)

[1] 2002-06-25 10:59:56 49152 C:\WINDOWS\$NtUninstallKB835732$\browser.dll ()

[1] 2008-04-13 16:11:50 77824 C:\WINDOWS\ServicePackFiles\i386\browser.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 77824 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\browser.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 77824 C:\WINDOWS\system32\browser.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\callcont.dll

[1] 2004-08-03 23:56:41 385024 C:\WINDOWS\$NtServicePackUninstall$\callcont.dll (Microsoft Corporation)

[1] 2002-06-25 11:00:05 360448 C:\WINDOWS\$NtUninstallKB835732$\callcont.dll ()

[1] 2004-03-29 17:48:36 364544 C:\WINDOWS\$xpsp1hfm$\KB835732\callcont.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 385024 C:\WINDOWS\ServicePackFiles\i386\callcont.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:50 385024 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\callcont.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll

[1] 2004-08-03 23:56:42 45568 C:\WINDOWS\$NtServicePackUninstall$\cmdevtgprov.dll (Microsoft Corporation)

[1] 2002-06-25 11:05:56 34304 C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll ()

[1] 2008-04-13 16:11:53 45056 C:\WINDOWS\system32\wbem\cmdevtgprov.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll

[2] 2004-08-03 23:56:42 45568 C:\WINDOWS\$NtServicePackUninstall$\cmdevtgprov.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 45568 C:\WINDOWS\$NtServicePackUninstall$\evtgprov.dll (Microsoft Corporation)

[1] 2002-06-25 11:05:56 34304 C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll ()

[1] 2004-03-29 17:48:36 40960 C:\WINDOWS\$xpsp1hfm$\KB835732\evtgprov.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 45056 C:\WINDOWS\ServicePackFiles\i386\evtgprov.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 45056 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\evtgprov.dll (Microsoft Corporation)

[2] 2008-04-13 16:11:53 45056 C:\WINDOWS\system32\wbem\cmdevtgprov.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll

[1] 2005-10-05 19:18:28 280064 C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2005-12-28 19:04:05 280064 C:\WINDOWS\$hf_mig$\KB912919\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2007-03-08 07:48:36 282112 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2007-06-19 05:37:21 282112 C:\WINDOWS\$hf_mig$\KB938829\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-02-19 22:52:43 282624 C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:51:04 284160 C:\WINDOWS\$hf_mig$\KB956802\SP2QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:36:14 286720 C:\WINDOWS\$hf_mig$\KB956802\SP3GDR\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:43:42 286720 C:\WINDOWS\$hf_mig$\KB956802\SP3QFE\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 05:01:36 283648 C:\WINDOWS\$NtServicePackUninstall$\gdi32.dll (Microsoft Corporation)

[1] 2002-06-25 11:06:44 250880 C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll ()

[1] 2004-08-03 23:56:42 278016 C:\WINDOWS\$NtUninstallKB896424$\gdi32.dll (Microsoft Corporation)

[1] 2005-10-05 19:09:36 280064 C:\WINDOWS\$NtUninstallKB912919$\gdi32.dll (Microsoft Corporation)

[1] 2005-12-28 18:54:35 280064 C:\WINDOWS\$NtUninstallKB925902$\gdi32.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 281600 C:\WINDOWS\$NtUninstallKB938829$\gdi32.dll (Microsoft Corporation)

[1] 2007-06-19 05:31:19 282112 C:\WINDOWS\$NtUninstallKB948590$\gdi32.dll (Microsoft Corporation)

[1] 2008-02-19 22:51:05 282624 C:\WINDOWS\$NtUninstallKB956802$\gdi32.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 257536 C:\WINDOWS\$xpsp1hfm$\KB835732\gdi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 285184 C:\WINDOWS\ServicePackFiles\i386\gdi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 285184 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:36:14 286720 C:\WINDOWS\system32\dllcache\gdi32.dll (Microsoft Corporation)

[1] 2008-10-23 04:36:14 286720 C:\WINDOWS\system32\gdi32.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323.tsp

[1] 2004-08-03 23:56:57 265728 C:\WINDOWS\$NtServicePackUninstall$\h323.tsp ()

[1] 2002-06-25 11:07:05 252928 C:\WINDOWS\$NtUninstallKB835732$\h323.tsp ()

[1] 2004-03-29 17:48:36 253440 C:\WINDOWS\$xpsp1hfm$\KB835732\h323.tsp ()

[1] 2008-04-13 16:12:45 265728 C:\WINDOWS\ServicePackFiles\i386\h323.tsp ()

[1] 2008-04-13 16:12:45 265728 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\h323.tsp ()

[1] 2008-04-13 16:12:45 265728 C:\WINDOWS\system32\h323.tsp ()



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll

[1] 2004-08-03 23:56:42 614912 C:\WINDOWS\$NtServicePackUninstall$\h323msp.dll (Microsoft Corporation)

[1] 2002-06-25 11:07:05 592896 C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll ()

[1] 2004-03-29 17:48:36 593408 C:\WINDOWS\$xpsp1hfm$\KB835732\h323msp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 614912 C:\WINDOWS\ServicePackFiles\i386\h323msp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 614912 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\h323msp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 614912 C:\WINDOWS\system32\h323msp.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe

[1] 2004-08-03 23:56:49 768512 C:\WINDOWS\$NtServicePackUninstall$\helpctr.exe (Microsoft Corporation)

[1] 2002-06-25 11:07:16 692224 C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe ()

[1] 2004-03-29 17:34:15 741376 C:\WINDOWS\$xpsp1hfm$\KB835732\helpctr.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 769024 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 769024 C:\WINDOWS\ServicePackFiles\i386\helpctr.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 769024 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpctr.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll

[1] 2004-08-03 23:56:42 331264 C:\WINDOWS\$NtServicePackUninstall$\ipnathlp.dll (Microsoft Corporation)

[1] 2002-06-25 11:08:50 453632 C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll ()

[1] 2004-03-29 17:48:36 439808 C:\WINDOWS\$xpsp1hfm$\KB835732\ipnathlp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 331264 C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 331264 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ipnathlp.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 331264 C:\WINDOWS\system32\ipnathlp.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll

[1] 2004-10-27 17:28:18 721920 C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2006-08-17 04:37:49 726528 C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2007-11-07 01:50:47 727040 C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:01:53 728576 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:49 729088 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:56:36 729088 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-26 01:41:12 730112 C:\WINDOWS\$hf_mig$\KB968389\SP3QFE\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 02:20:34 723456 C:\WINDOWS\$NtServicePackUninstall$\lsasrv.dll (Microsoft Corporation)

[1] 2002-06-25 11:12:15 669696 C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll ()

[1] 2004-08-03 23:56:42 721920 C:\WINDOWS\$NtUninstallKB885835$\lsasrv.dll (Microsoft Corporation)

[1] 2004-10-27 17:21:01 721920 C:\WINDOWS\$NtUninstallKB924270$\lsasrv.dll (Microsoft Corporation)

[1] 2006-08-17 04:28:27 721920 C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 728064 C:\WINDOWS\$NtUninstallKB956572$\lsasrv.dll (Microsoft Corporation)

[1] 2007-11-07 01:26:56 721920 C:\WINDOWS\$NtUninstallKB956572_0$\lsasrv.dll (Microsoft Corporation)

[1] 2009-02-09 04:10:49 729088 C:\WINDOWS\$NtUninstallKB968389$\lsasrv.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 667648 C:\WINDOWS\$xpsp1hfm$\KB835732\lsasrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 728064 C:\WINDOWS\ServicePackFiles\i386\lsasrv.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 728064 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 730112 C:\WINDOWS\system32\dllcache\lsasrv.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 730112 C:\WINDOWS\system32\lsasrv.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll

[1] 2007-03-08 07:48:36 40960 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\mf3216.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 40960 C:\WINDOWS\$NtServicePackUninstall$\mf3216.dll (Microsoft Corporation)

[1] 2002-06-25 11:13:33 35328 C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll ()

[1] 2004-08-03 23:56:42 39936 C:\WINDOWS\$NtUninstallKB925902$\mf3216.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 36864 C:\WINDOWS\$xpsp1hfm$\KB835732\mf3216.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 40960 C:\WINDOWS\ServicePackFiles\i386\mf3216.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 40960 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mf3216.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:56 40960 C:\WINDOWS\system32\mf3216.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll

[1] 2009-09-04 12:57:48 58880 C:\WINDOWS\$hf_mig$\KB974571\SP3QFE\msasn1.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 57344 C:\WINDOWS\$NtServicePackUninstall$\msasn1.dll (Microsoft Corporation)

[1] 2002-06-25 11:15:19 51200 C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll ()

[1] 2008-04-13 16:11:58 57344 C:\WINDOWS\$NtUninstallKB974571$\msasn1.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 51712 C:\WINDOWS\$xpsp1hfm$\KB835732\msasn1.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:58 57344 C:\WINDOWS\ServicePackFiles\i386\msasn1.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:58 57344 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 13:03:36 58880 C:\WINDOWS\system32\dllcache\msasn1.dll (Microsoft Corporation)

[1] 2009-09-04 13:03:36 58880 C:\WINDOWS\system32\msasn1.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\msgina.dll

[1] 2004-08-03 23:56:43 994304 C:\WINDOWS\$NtServicePackUninstall$\msgina.dll (Microsoft Corporation)

[1] 2002-06-25 11:15:49 967680 C:\WINDOWS\$NtUninstallKB835732$\msgina.dll ()

[1] 2004-03-29 17:48:36 971264 C:\WINDOWS\$xpsp1hfm$\KB835732\msgina.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 997376 C:\WINDOWS\ServicePackFiles\i386\msgina.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 997376 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msgina.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:59 997376 C:\WINDOWS\system32\msgina.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\mst120.dll

[1] 2004-08-03 23:56:43 274432 C:\WINDOWS\$NtServicePackUninstall$\mst120.dll (Microsoft Corporation)

[1] 2002-06-25 11:16:51 249856 C:\WINDOWS\$NtUninstallKB835732$\mst120.dll ()

[1] 2004-03-29 17:48:36 253952 C:\WINDOWS\$xpsp1hfm$\KB835732\mst120.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:00 274432 C:\WINDOWS\ServicePackFiles\i386\mst120.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:00 274432 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mst120.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll

[1] 2006-08-17 04:37:49 337408 C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:53:28 339456 C:\WINDOWS\$hf_mig$\KB958644\SP2QFE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:34:24 337408 C:\WINDOWS\$hf_mig$\KB958644\SP3GDR\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:25:53 339456 C:\WINDOWS\$hf_mig$\KB958644\SP3QFE\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:57:55 332800 C:\WINDOWS\$NtServicePackUninstall$\netapi32.dll (Microsoft Corporation)

[1] 2002-06-25 11:17:44 309760 C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll ()

[1] 2004-08-03 23:56:44 332288 C:\WINDOWS\$NtUninstallKB924270$\netapi32.dll (Microsoft Corporation)

[1] 2006-08-17 04:28:27 332288 C:\WINDOWS\$NtUninstallKB958644$\netapi32.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 306176 C:\WINDOWS\$xpsp1hfm$\KB835732\netapi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 337408 C:\WINDOWS\ServicePackFiles\i386\netapi32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:01 337408 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:34:24 337408 C:\WINDOWS\system32\dllcache\netapi32.dll (Microsoft Corporation)

[1] 2008-10-15 08:34:24 337408 C:\WINDOWS\system32\netapi32.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll

[1] 2004-08-03 23:56:44 77824 C:\WINDOWS\$NtServicePackUninstall$\nmcom.dll (Microsoft Corporation)

[1] 2002-06-25 11:19:03 69632 C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll ()

[1] 2004-03-29 17:48:36 73728 C:\WINDOWS\$xpsp1hfm$\KB835732\nmcom.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 77824 C:\WINDOWS\ServicePackFiles\i386\nmcom.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:02 77824 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\nmcom.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll

[1] 2002-06-25 11:23:48 550400 C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll ()

[1] 2004-03-29 17:48:36 548352 C:\WINDOWS\$xpsp1hfm$\KB835732\rtcdll.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:50 991232 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asms\52\msft\windows\net\rtcdll\rtcdll.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:50 991232 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\$NtUninstallKB835732$\schannel.dll

[1] 2007-04-25 12:32:22 144896 C:\WINDOWS\$hf_mig$\KB935840\SP2QFE\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:41:26 144896 C:\WINDOWS\$hf_mig$\KB960225\SP2QFE\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:54:55 144896 C:\WINDOWS\$hf_mig$\KB960225\SP3GDR\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:58:08 144896 C:\WINDOWS\$hf_mig$\KB960225\SP3QFE\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:41:11 147456 C:\WINDOWS\$hf_mig$\KB968389\SP3QFE\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 23:12:45 144896 C:\WINDOWS\$NtServicePackUninstall$\schannel.dll (Microsoft Corporation)

[1] 2002-06-25 11:24:13 133632 C:\WINDOWS\$NtUninstallKB835732$\schannel.dll ()

[1] 2004-08-03 23:56:44 144896 C:\WINDOWS\$NtUninstallKB935840$\schannel.dll (Microsoft Corporation)

[1] 2007-04-25 06:21:15 144896 C:\WINDOWS\$NtUninstallKB960225$\schannel.dll (Microsoft Corporation)

[1] 2008-12-04 22:54:55 144896 C:\WINDOWS\$NtUninstallKB968389$\schannel.dll (Microsoft Corporation)

[1] 2004-03-29 17:48:36 136704 C:\WINDOWS\$xpsp1hfm$\KB835732\schannel.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:05 144384 C:\WINDOWS\ServicePackFiles\i386\schannel.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:05 144384 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 147456 C:\WINDOWS\system32\dllcache\schannel.dll (Microsoft Corporation)

[1] 2009-06-25 00:25:26 147456 C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\hpzjrd01.dll

[1] 2007-05-30 08:04:22 139264 C:\WINDOWS\system32\hpzjrd01.dll ()





Finished!




#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:58 AM

Posted 28 November 2009 - 07:19 AM

Hi again lstatner,

Note 1: I see from the log you have been using a registry cleaner. It is even scheduled to run at startup. Here at BC we do not recommend using registry cleaners as it might irreversibly damage your computer. I don't see Registry Mechanic on the Programs list. But the entries are still there. Tell me if they are just leftovers.

Note 2: I see you are running DDS in Safe Mode with Networking. Please bear in mind that in Safe Mode with Networking you are more vulnerable because you can connect to the internet but have no antivirus protection. Tell me the reason you are not in normal mode. We prefer to run the tools in normal mode if we can.

Note 3: The key to running Malwarebytes is to update it and let it reboot into normal mode if needed. You may run Malwarebytes in any mode but if it needs a reboot you should reboot to normal mode. Combofix should be run in normal mode and rebooted to normal mode.
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 lstatner

lstatner
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 29 November 2009 - 04:02 AM

Thanks again for your help. Here's my response:

Note 1: That is a remnant left from an uninstalled program that I used in desperation at one point.

Note 2: The reason I was running in Safe Mode is that the system was unusable in normal mode.

Note 3: MBAM was updated religiously and run daily for weeks. It routinely found the same infected files which just kept coming back within minutes. Then the number of infected files found grew significantly, MBAM deleted them, but the 2 kept coming back.

I did as you asked with MBAM and Combo-fix. Combo-fix appears to have done some good--I can run the system in normal mode now.

Malwarebytes' Anti-Malware 1.41
Database version: 3250
Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/28/2009 7:57:09 PM
mbam-log-2009-11-28 (19-57-04).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 408577
Time elapsed: 2 hour(s), 26 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\tdlcmd.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.


(NOTE: MBAM quarantined and deleted all of the above infected files)

ComboFix 09-11-28.03 - Layne 11/29/2009 0:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.428 [GMT -8:00]
Running from: c:\documents and settings\Layne\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1367 [VPS 091128-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\4ff345dfbh521
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12316.exe
c:\windows\system32\12382.exe
c:\windows\system32\12859.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\20037.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\778.exe
c:\windows\system32\8723.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tdlclk.dll
c:\windows\system32\tdlcmd.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERCTL
-------\Legacy_BROWSERCTLDRV
-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-26 08:15 . 2009-11-26 08:15 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 08:15 . 2009-11-26 08:15 -------- d-----w- c:\documents and settings\Administrator\log
2009-11-25 19:08 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-25 19:08 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-25 19:08 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-25 19:08 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-25 19:08 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-25 19:08 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-25 19:08 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-25 19:08 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-25 19:08 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-25 19:08 . 2009-11-25 19:08 -------- d-----w- c:\program files\Alwil Software
2009-11-25 08:34 . 2009-11-25 08:34 -------- d-----w- C:\found.000
2009-11-25 01:37 . 2009-11-25 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Registry Mechanic
2009-11-18 21:22 . 2009-11-18 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\2e035
2009-11-18 21:22 . 2009-11-18 21:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\Application Data\System Defender
2009-11-18 21:21 . 2009-11-20 18:02 -------- d-sh--w- c:\documents and settings\All Users\809ae2c
2009-11-18 18:04 . 2009-11-18 18:04 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2009-11-17 15:36 . 2009-11-17 15:36 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-09 18:08 . 2009-11-09 18:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-09 18:07 . 2009-11-09 18:07 152576 ----a-w- c:\documents and settings\Layne\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-08 01:11 . 2009-11-08 01:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-04 21:33 . 2009-11-04 21:33 -------- d-----w- c:\documents and settings\Layne\Application Data\Nikon
2009-11-04 21:32 . 2009-11-04 21:32 335872 ----a-r- c:\documents and settings\Layne\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2009-11-04 21:30 . 2009-11-08 00:48 -------- d-----w- c:\program files\Common Files\Nikon
2009-11-04 21:30 . 2009-11-04 21:30 -------- d-----w- c:\program files\Nikon
2009-11-04 21:30 . 2009-11-04 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultima_T15
2009-11-04 21:30 . 2009-11-04 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\EnterNHelp
2009-11-03 06:24 . 2009-11-03 06:24 -------- d-----w- c:\program files\iPod
2009-11-03 06:14 . 2009-11-03 06:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-03 06:11 . 2009-11-17 15:40 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 03:59 . 2008-07-09 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 08:29 . 2008-03-22 20:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-25 08:29 . 2008-10-19 17:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-25 08:24 . 2008-09-08 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-20 04:44 . 2009-11-20 04:43 -------- d-----w- c:\documents and settings\Missy\Application Data\Apple Computer
2009-11-20 04:43 . 2009-11-20 04:43 40352 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-20 04:41 . 2009-11-20 04:41 -------- d-----w- c:\documents and settings\Missy\Application Data\Malwarebytes
2009-11-18 18:55 . 2007-02-28 07:50 -------- d-----w- c:\program files\Quicken
2009-11-18 18:02 . 2009-05-08 07:14 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-11-09 18:55 . 2009-10-12 18:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-09 18:53 . 2009-10-12 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-09 18:07 . 2008-06-10 15:46 -------- d-----w- c:\program files\Java
2009-11-08 00:47 . 2009-11-04 21:30 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-11-03 06:25 . 2008-01-19 15:33 -------- d-----w- c:\program files\iTunes
2009-11-03 06:24 . 2007-12-06 03:37 -------- d-----w- c:\program files\Common Files\Apple
2009-10-30 01:48 . 2009-10-30 01:48 -------- d-----w- c:\documents and settings\killer\Application Data\Malwarebytes
2009-10-26 05:21 . 2007-02-28 06:03 563712 ----a-w- c:\windows\java\gotomypc_370.exe
2009-10-21 15:02 . 2009-10-21 15:02 -------- d-----w- c:\documents and settings\kenedy\Application Data\Malwarebytes
2009-10-20 02:41 . 2007-02-28 17:52 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 16:26 . 2009-10-19 16:26 -------- d-----w- c:\documents and settings\Lisa\Application Data\Malwarebytes
2009-10-17 21:21 . 2009-10-17 21:21 -------- d-----w- c:\documents and settings\kenedy\Application Data\SPORE
2009-10-17 21:21 . 2009-10-17 21:21 -------- d--h--r- c:\documents and settings\kenedy\Application Data\SecuROM
2009-10-17 18:23 . 2009-10-17 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 05:50 . 2009-02-26 03:34 37624 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-15 02:38 . 2009-10-15 02:38 40352 ----a-w- c:\documents and settings\killer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 07:23 . 2009-06-15 18:27 -------- d-----w- c:\program files\AudioLabel
2009-10-12 05:39 . 2009-10-12 05:39 -------- d-----w- c:\documents and settings\Layne\Application Data\Malwarebytes
2009-10-12 05:39 . 2009-10-12 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-12 02:15 . 2007-08-14 06:29 -------- d-----w- c:\program files\PDF Password Remover v3.0
2009-10-12 00:16 . 2009-10-10 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-11 23:50 . 2009-10-11 23:50 -------- d-----w- c:\program files\Trend Micro
2009-10-09 23:41 . 2009-10-09 23:41 -------- d-----w- c:\documents and settings\kenedy\Application Data\HotSync
2009-10-01 07:54 . 2007-06-05 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-10-01 07:54 . 2007-06-05 06:52 59 ----a-w- c:\windows\wpd99.drv
2009-09-20 16:39 . 2009-09-20 16:39 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18 . 2002-06-25 19:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-10-17 18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-17 18:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2002-06-25 19:15 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 17:34 . 2007-02-28 03:00 40352 ----a-w- c:\documents and settings\Layne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 16:20 . 2007-10-11 03:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 05:16 . 2008-01-12 05:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2008-02-03 18:29 . 2008-04-01 15:28 1146 c:\program files\Citrix\GoToMyPC\bak\g2ldr.log
2008-04-23 20:05 . 2009-11-29 08:34 496 c:\program files\Citrix\GoToMyPC\g2ldr.log

2007-06-25 19:24 . 2007-01-13 00:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-23 20:05 . 2007-06-20 18:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2008-01-31 05:44 . 2008-04-09 16:14 764 c:\program files\Citrix\GoToMyPC\bak\g2svc.log
2008-04-23 20:05 . 2009-11-29 08:33 1380 c:\program files\Citrix\GoToMyPC\g2svc.log

2007-03-01 17:37 . 2007-03-01 17:37 2321600 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
2007-03-01 17:37 . 2009-10-28 05:00 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

2007-03-19 18:10 . 2007-03-19 18:10 156584 c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\bak\BBPrint.exe

2005-02-17 06:11 . 2005-02-17 06:11 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2007-05-09 00:24 . 2007-05-09 00:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2007-03-09 23:42 . 2007-02-22 23:50 1698304 c:\program files\iNet Protector\bak\iprotect.exe

2008-01-15 11:22 . 2008-01-15 11:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-10-29 04:21 . 2009-10-29 04:21 141600 c:\program files\iTunes\iTunesHelper.exe

2006-07-07 23:15 . 2006-07-07 23:15 600896 c:\program files\Microsoft IntelliPoint\bak\ipoint.exe

2006-07-07 23:14 . 2006-07-07 23:14 576320 c:\program files\Microsoft IntelliType Pro\bak\itype.exe

2008-01-10 23:27 . 2008-01-10 23:27 385024 c:\program files\QuickTime\bak\bak\qttask.exe
2009-09-05 08:54 . 2009-09-05 08:54 417792 c:\program files\QuickTime\QTTask.exe

2008-01-10 23:27 . 2008-01-10 23:27 385024 c:\program files\QuickTime\bak\bak\qttask.exe

2002-06-25 19:03 . 2004-08-04 07:56 15360 c:\windows\system32\bak\ctfmon.exe
2002-06-25 19:03 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-02-06 16:29 . 2004-02-06 16:29 0 f:\program files\321Studios\Platinum\bak\makedir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 18:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Palm\\Hotsync.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/25/2009 11:08 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/25/2009 11:08 AM 20560]
S2 bhesdytg;bhesdytg;\??\c:\windows\system32\drivers\tznlwuij.sys --> c:\windows\system32\drivers\tznlwuij.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-09 00:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-MVApplication1 - c:\windows\mvuninst\App1\mvuninst.exe Memorex exPressit Label Design Studio
AddRemove-Pdf995 - c:\pdf995\setup.exe uninstall



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 00:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-790525478-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:3f,42,f8,f4,d8,da,ba,f7,d1,b2,64,b1,46,43,de,27,8d,6a,58,56,0d,
a3,ae,2e,7a,28,d0,52,91,fc,ff,7b,2f,a2,5f,17,d1,16,a9,b5,7d,be,d7,5b,d0,e3,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-29 00:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 08:43

Pre-Run: 80,088,649,728 bytes free
Post-Run: 80,008,802,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C8D61F598D7ED9E01C384D3FD8A42A8C

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:58 AM

Posted 29 November 2009 - 01:13 PM

Well done. :(

ComboFix took care of what MBAM found but not removed. For future use:

C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> No action taken.

When MBAM finds something, it should be selected for removal. No action taken means just scanning but no deletion.
  • Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    sc delete bhesdytg

    A window flashes, it is normal.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    c:\windows\java\gotomypc_370.exe

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

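The point made above about "No action taken" is easy to miss when reading a long MBAM log by eye, and the `sc delete bhesdytg` step comes from the ComboFix service line whose driver file could not be found. As an added example (not code from this thread or from either tool), here is a small Python triage script that parses both: it reports MBAM findings that were only scanned and not removed, and ComboFix R/S service entries whose binary is missing. The embedded logs are constructed excerpts modelled on the ones posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the MBAM log posted in this thread.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3250

Files Infected: 3

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\tdlcmd.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Constructed excerpt modelled on the ComboFix "R1/R2/S2" service lines in this thread.
COMBOFIX_SERVICES = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/25/2009 11:08 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/25/2009 11:08 AM 20560]
S2 bhesdytg;bhesdytg;\??\c:\windows\system32\drivers\tznlwuij.sys --> c:\windows\system32\drivers\tznlwuij.sys [?]
"""

# "Files Infected: 3" style summary counters at the top of the log.
SUMMARY = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<path> (<detection>) -> <action>." lines inside a section.
ITEM = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# ComboFix service line: "<R|S><n> <name>;<display>;<image>[ --> <resolved>] [<info>]".
SERVICE = re.compile(
    r"^(?P<kind>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


@dataclass
class Finding:
    section: str     # e.g. "Files Infected"
    path: str        # file or registry path reported by MBAM
    detection: str   # e.g. "Rootkit.TDSS"
    action: str      # e.g. "No action taken"


def parse_mbam_log(text):
    """Return (summary counters, list of Finding) for an MBAM scan log."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        if line.endswith("Infected:"):        # start of a detail section
            section = line[:-1]
            continue
        m = ITEM.match(line)
        if m and section:
            findings.append(Finding(section, m.group("path"),
                                    m.group("detection"), m.group("action")))
    return summary, findings


def unresolved_findings(findings):
    """Findings that were only scanned: the file is still on disk."""
    return [f for f in findings if f.action == "No action taken"]


def missing_binary_services(text):
    """Names of ComboFix service entries whose binary ComboFix could not find ([?])."""
    missing = []
    for raw in text.splitlines():
        m = SERVICE.match(raw.strip())
        # "[?]" in place of date/size means the image path does not exist;
        # a registered service with no file behind it is a leftover to review.
        if m and m.group("info") == "?":
            missing.append(m.group("name"))
    return missing


if __name__ == "__main__":
    counts, items = parse_mbam_log(MBAM_LOG)
    print("MBAM summary:", counts)
    for f in unresolved_findings(items):
        print("NOT REMOVED:", f.path, f.detection)
    for name in missing_binary_services(COMBOFIX_SERVICES):
        print("service with missing binary:", name)
```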

#7 lstatner

lstatner
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 30 November 2009 - 01:40 AM

The MBAM log I sent you did say no action taken--but MBAM did quarantine and remove those files, just as it had done many times before. I saved the scan results to that file before I authorized the removal action--then I just deleted the other scan results window thinking it was duplicative.

Here's the results from the previous instructions you sent:

File gotomypc_370.exe received on 2009.11.30 06:30:15 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/41 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.30 -
AhnLab-V3 5.0.0.2 2009.11.28 -
AntiVir 7.9.1.79 2009.11.29 -
Antiy-AVL 2.0.3.7 2009.11.30 -
Authentium 5.2.0.5 2009.11.29 -
Avast 4.8.1351.0 2009.11.29 -
AVG 8.5.0.426 2009.11.29 -
BitDefender 7.2 2009.11.30 -
CAT-QuickHeal 10.00 2009.11.30 -
ClamAV 0.94.1 2009.11.30 -
Comodo 3085 2009.11.30 -
DrWeb 5.0.0.12182 2009.11.30 -
eSafe 7.0.17.0 2009.11.29 -
eTrust-Vet 35.1.7146 2009.11.27 -
F-Prot 4.5.1.85 2009.11.29 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.11.29 -
GData 19 2009.11.30 -
Ikarus T3.1.1.74.0 2009.11.30 -
Jiangmin 11.0.800 2009.11.29 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.30 -
McAfee 5817 2009.11.29 -
McAfee+Artemis 5817 2009.11.29 -
McAfee-GW-Edition 6.8.5 2009.11.30 -
Microsoft 1.5302 2009.11.29 -
NOD32 4647 2009.11.29 -
Norman 6.03.02 2009.11.27 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.11.29 -
PCTools 7.0.3.5 2009.11.30 -
Prevx 3.0 2009.11.30 -
Rising 22.24.00.03 2009.11.30 -
Sophos 4.48.0 2009.11.30 -
Sunbelt 3.2.1858.2 2009.11.29 -
Symantec 1.4.4.12 2009.11.30 -
TheHacker 6.5.0.2.081 2009.11.28 -
TrendMicro 9.100.0.1001 2009.11.30 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.11.30.2061 2009.11.30 -
VirusBuster 5.0.21.0 2009.11.29 -
Additional information
File size: 563712 bytes
MD5...: 8c9a59e57f3bab09b41c298d917dc029
SHA1..: 024a9821fead1cdcd1dabbf53e5b636c7413d8c9
SHA256: dbbc757075c36df6527cb08d3142f84ee9011c20fdb8edfe8cc9c015a7307061
ssdeep: 12288:3w6/myDsP4G/aVTZ5DlaeIgdEbF/IsMpprl3SfFuSRtdWWMqbZZ9:33umU4GilDgbYvlCfISFuqbZZ

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x139b20
timedatestamp.....: 0x48c95d8d (Thu Sep 11 18:03:57 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xb1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xb2000 0x88000 0x87e00 7.95 88f1327d988c138abadc34572f4e1113
.rsrc 0x13a000 0x2000 0x1800 4.92 4731555e98c6e51c59b2b52eb13ab7fe

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> USER32.dll: wsprintfA

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (33.8%)
Win32 EXE Yoda's Crypter (29.4%)
Windows Screen Saver (14.5%)
Win32 Executable Generic (9.4%)
Win32 Dynamic Link Library (generic) (8.3%)
sigcheck:
publisher....: Citrix Online
copyright....: Copyright © 1997-2004 Citrix Online LLC
product......: GoToMyPC
description..: GoLoader
original name: gotomypc.exe
internal name: GoLoader
file version.: 5.0 Build 370a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

packers (Kaspersky): UPX
packers (F-Prot): UPX

System running well and clean so far.
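The VirusTotal block above is worth a second look beyond the 0/41 score: the section table shows UPX0 with 0xb1000 bytes reserved but no raw data (its MD5 is the MD5 of empty input), UPX1 at entropy 7.95 with the entry point inside it, and an import table of four functions including LoadLibraryA/GetProcAddress, which is the classic shape of a UPX-packed binary. The sigcheck block says "Citrix Online" but also "verified: Unsigned", so the publisher string is just version-info text and proves nothing. The following is an added example (not code from the thread, from VirusTotal or from Citrix) that parses the posted PEInfo text and lists the packer indicators; the entropy threshold and the import-count cut-off are assumptions.

```python
"""Packer triage over a VirusTotal-style PEInfo summary (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the section table, entry point and imports copied from
# the gotomypc_370.exe result posted in this thread.
PEINFO_TEXT = """
entrypointaddress.: 0x139b20
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xb1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xb2000 0x88000 0x87e00 7.95 88f1327d988c138abadc34572f4e1113
.rsrc 0x13a000 0x2000 0x1800 4.92 4731555e98c6e51c59b2b52eb13ab7fe
( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> USER32.dll: wsprintfA
"""

SECTION_RE = re.compile(
    r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)\s+[0-9a-f]{32}$", re.I)
IMPORT_RE = re.compile(r"^>\s*([^:]+):\s*(.+)$")
EP_RE = re.compile(r"entrypointaddress\.*:\s*(0x[0-9a-f]+)", re.I)


@dataclass
class Section:
    name: str
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float

    def contains(self, rva: int) -> bool:
        return self.virt_addr <= rva < self.virt_addr + self.virt_size


def parse_peinfo(text):
    """Return (entry point RVA, [Section], {dll: [function, ...]})."""
    sections, imports, entry = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            name, va, vs, rs, ent = m.groups()
            sections.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent)))
            continue
        m = IMPORT_RE.match(line)
        if m:
            imports[m.group(1).strip().lower()] = [f.strip() for f in m.group(2).split(",")]
            continue
        m = EP_RE.search(line)
        if m:
            entry = int(m.group(1), 16)
    return entry, sections, imports


def packer_indicators(entry, sections, imports):
    """Return the reasons the binary looks packed (empty list = no indicator)."""
    reasons = []
    for s in sections:
        if s.entropy >= 7.0:  # assumed threshold; compressed data sits near 8.0
            reasons.append(f"high entropy ({s.entropy}) in section {s.name}")
        if s.raw_size == 0 and s.virt_size > 0:
            # d41d8cd9... is MD5("") - nothing on disk, space reserved for the unpacked image
            reasons.append(f"section {s.name} has no raw data but {s.virt_size:#x} bytes reserved")
        if s.name.upper().startswith("UPX"):
            reasons.append(f"section name {s.name} is a UPX marker")
    ep_sec = next((s for s in sections if entry is not None and s.contains(entry)), None)
    if ep_sec is not None and ep_sec is not sections[0]:
        reasons.append(f"entry point {entry:#x} lies in {ep_sec.name}, not in the first section")
    k32 = {f.lower() for f in imports.get("kernel32.dll", [])}
    total = sum(len(v) for v in imports.values())
    if {"loadlibrarya", "getprocaddress"} <= k32 and total <= 8:  # assumed cut-off
        reasons.append(f"tiny import table ({total} functions) with LoadLibraryA/GetProcAddress")
    return reasons


def triage(text):
    entry, sections, imports = parse_peinfo(text)
    return packer_indicators(entry, sections, imports)


if __name__ == "__main__":
    for reason in triage(PEINFO_TEXT):
        print("-", reason)
```

Packing alone is not a verdict: GoToMyPC's loader being UPX-packed is consistent with a legitimate product, and the forum reply treats it as clean. The indicators say only that a static string scan tells you little here and that the decision should rest on the hashes matching a copy obtained from the vendor, not on the version-info publisher field.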

#8 Farbar (Security Developer, The Netherlands)

Posted 30 November 2009 - 01:46 AM

We have removed all the active baddies and those that were on the logs. Let's have a full system scan at last.
  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • If an ActiveX warning box appears, click on Install.
      Note: If you get the message "Could not load the Online Scanner! Click here for other possible fixes", it means Internet Explorer has blocked the ActiveX control from being installed. Just above the page, under the Internet Explorer toolbar, you will see this message:
      "This website wants to install the following add-on: "Bitdefender OnlineScanner v8' from 'BITDEFENDER LLC'. If you trust the website and the add-on and want to install it, click here..."
      Click on that and select: Install ActiveX.
    • Now click on Start Scan. Please wait, as it might take some time.
    • If it finds anything, when it has finished click Click here to export the scan report
    • Give the report a name and save it. The file will be a .HTML file.
    • Please attach the file to your reply.
    • To attach the file press ADD REPLY; under the reply window press Browse... and show the path to the file on your computer.
    • Highlight the file and click Open, then press the green UPLOAD button.
  • Please post a fresh DDS.txt log. No need for Attach.txt. Also tell me how your computer is running.


#9 lstatner (Topic Starter)


Posted 01 December 2009 - 01:15 AM

Here's the info you requested:


DDS (Ver_09-11-29.01) - NTFSx86
Run by Layne at 22:09:18.60 on Mon 11/30/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.416 [GMT -8:00]

AV: avast! antivirus 4.8.1367 [VPS 091130-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Layne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172629451045
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172630233671
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.34/ttinst.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-25 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-25 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-25 352920]

=============== Created Last 30 ================

2009-11-29 08:15:08 0 d-sha-r- C:\cmdcons
2009-11-29 08:12:58 98816 ----a-w- c:\windows\sed.exe
2009-11-29 08:12:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-29 08:12:58 260608 ----a-w- c:\windows\PEV.exe
2009-11-29 08:12:58 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 08:15:21 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 04:06:24 0 d-----w- c:\windows\pss
2009-11-25 08:34:55 0 d-----w- C:\found.000
2009-11-25 01:39:40 5238784 ----a-w- c:\documents and settings\layne\s-1-5-21-1202660629-790525478-839522115-1003.rrr
2009-11-18 21:22:19 0 d-----w- c:\docume~1\alluse~1\applic~1\2e035
2009-11-18 21:21:23 0 d-sh--w- c:\documents and settings\all users\809ae2c
2009-11-09 18:08:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-09 18:08:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 05:56:31 0 ----a-w- c:\windows\ViewNX.INI
2009-11-04 21:30:39 0 d-----w- c:\program files\common files\Nikon
2009-11-04 21:30:36 0 d-----w- c:\program files\Nikon
2009-11-04 21:30:11 0 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-11-03 06:24:32 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2009-10-15 05:50:19 37624 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-20 16:39:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 02:21:05 40352 ----a-w- c:\docume~1\layne\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:09:46.39 ===============


The system is running very well--best it's been in a long time!
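What makes the DDS log above readable at a glance is the "Created Last 30" section: two folders with short hex-looking names under the All Users profile (2e035 and 809ae2c, the second created with hidden+system attributes) sit next to the artifacts of the clean-up tools themselves (C:\cmdcons and the helper binaries in c:\windows dropped on 2009-11-29). The following is an added example, not code from the thread or from DDS, that parses those lines and separates the two; the sample lines are copied from the posted log, while the heuristics and the allowlist of known tool artifacts are assumptions.

```python
"""Triage of a DDS "Created Last 30" listing (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread.
DDS_CREATED = r"""
2009-11-29 08:15:08 0 d-sha-r- C:\cmdcons
2009-11-29 08:12:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 08:15:21 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-25 08:34:55 0 d-----w- C:\found.000
2009-11-18 21:22:19 0 d-----w- c:\docume~1\alluse~1\applic~1\2e035
2009-11-18 21:21:23 0 d-sh--w- c:\documents and settings\all users\809ae2c
2009-11-09 18:08:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-04 21:30:36 0 d-----w- c:\program files\Nikon
"""

# "<date> <time> <size> <attrs> <path>"; attrs is an 8-char flag string such
# as d-sha-r- where position 0 = directory, 2 = system, 3 = hidden.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([d-][-a-z]{7})\s+(.+)$")

# Assumed allowlist: ComboFix installs the Recovery Console in C:\cmdcons and
# drops helper binaries in c:\windows (both visible in the posted log);
# chkdsk writes recovered fragments to found.NNN.
KNOWN_TOOL_PATHS = {
    r"c:\cmdcons", r"c:\windows\mbr.exe", r"c:\windows\pev.exe",
    r"c:\windows\sed.exe", r"c:\windows\swreg.exe",
}
FOUND_DIR_RE = re.compile(r"^c:\\found\.\d{3}$")
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{4,12}$")      # hex-looking names like 2e035
ALL_USERS_RE = re.compile(r"(all users|alluse~1)", re.I)


@dataclass
class Entry:
    created: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_created(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def suspicious(entries):
    """Return {path: [reasons]} for entries that deserve a second look."""
    hits = {}
    for e in entries:
        p = e.path.lower()
        if p in KNOWN_TOOL_PATHS or FOUND_DIR_RE.match(p):
            continue  # known clean-up tool artifact, not a finding
        reasons = []
        leaf = p.rsplit("\\", 1)[-1]
        if e.is_dir and RANDOM_NAME_RE.match(leaf) and ALL_USERS_RE.search(p):
            reasons.append("hex-named folder under the All Users profile (rogue AV drop location)")
        if e.is_dir and e.hidden and e.system:
            reasons.append("directory created with hidden+system attributes")
        if p.endswith(".sys") and "\\drivers\\" in p:
            reasons.append("new kernel driver: verify publisher and signature")
        if reasons:
            hits[e.path] = reasons
    return hits


if __name__ == "__main__":
    for path, why in suspicious(parse_created(DDS_CREATED)).items():
        print(path)
        for r in why:
            print("   -", r)
```

Without the allowlist C:\cmdcons would be flagged too (it is a hidden, system, read-only directory), which is why a triage script needs to know what the responder's own tools leave behind; the same applies to the .vir files in C:\Qoobox that the antivirus products alert on later in this thread.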


#10 lstatner


Posted 01 December 2009 - 10:29 AM

Hi there--also, Avast! and Malwarebytes both found and alarmed me about these two files, which appear to be in quarantine from ComboFix.

Malwarebytes' Anti-Malware 1.41
Database version: 3266
Windows 5.1.2600 Service Pack 3

12/1/2009 7:17:56 AM
mbam-log-2009-12-01 (07-17-56).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 414281
Time elapsed: 2 hour(s), 47 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlclk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlcmd.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

#11 Farbar


Posted 01 December 2009 - 03:02 PM

Yes, Avast and MBAM found malware files that had already been removed and quarantined by ComboFix (the C:\Qoobox\Quarantine folder); nothing to worry about. We always remove the folder at the end.

Everything looks good. :)

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Also remove any other tool we used.

****

Optional Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension for both Internet Explorer and Firefox. When you search for a site it gives you an indication of how safe the site is.

  • Install Javacools' SpywareBlaster
    SpywareBlaster adds a large list of programs and sites to your Internet Explorer and Firefox settings, which protects you from running and downloading known malicious programs. All you need to do is update it once every 2-3 weeks and enable the protection. You can find more information and a download link.
    After each update click on Protection Status in the left pane. Then click on Enable All Protection (bottom left of the right pane).

  • The rule of thumb: one antivirus with real-time protection, one firewall (other than Windows Firewall) and one antispyware program with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware programs, but they should not be running at the same time and should be set not to start with Windows.
Happy Surfing!

#12 lstatner


Posted 02 December 2009 - 01:41 AM

Hi there Farbar

The ComboFix uninstall command did not work. Windows came back with the error "can't find ComboFix". I may have inadvertently disposed of it from my desktop after I used it along with most of the other diagnostic tools that were sitting on my desktop. One copy is still sitting on my desktop under my admin account in safe mode, but it responds the same way. Any advice?

Also, any recommendations for the additional firewall you mentioned?

Thanks again--system runs great.

#13 Farbar


Posted 02 December 2009 - 05:42 AM

It is important to uninstall ComboFix. Download a fresh copy of ComboFix to your desktop in normal mode and apply the command. You might need to temporarily disable your antivirus and then apply the command.

If you are not behind a router I recommend the following firewall (you may use the free version of it).

http://www.sunbeltsoftware.com/home-home-o...sonal-firewall/
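Because the first uninstall attempt failed with "can't find ComboFix", it is worth confirming afterwards that the tool's artifacts are actually gone rather than trusting the exit of the command. The following is an added example, not code from the thread or from ComboFix: it checks a drive root for the artifacts this thread itself names (the C:\Qoobox quarantine folder from the reply above, plus C:\cmdcons and the helper binaries in c:\windows that appear in the posted DDS log) and runs that check against a constructed scratch tree. Treating this list as complete is an assumption.

```python
"""Verify that ComboFix's artifacts are gone after `ComboFix /Uninstall` (added example)."""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed artifact list, relative to the system drive root, built only from
# paths that appear in this thread (the DDS log and the reply about C:\Qoobox).
COMBOFIX_ARTIFACTS = [
    "Qoobox",                          # quarantine folder (C:\Qoobox\Quarantine)
    "cmdcons",                         # Recovery Console installed by ComboFix
    os.path.join("WINDOWS", "sed.exe"),
    os.path.join("WINDOWS", "MBR.exe"),
    os.path.join("WINDOWS", "PEV.exe"),
    os.path.join("WINDOWS", "SWREG.exe"),
]


def leftover_artifacts(root):
    """Return the artifact paths under `root` that still exist (empty list = clean)."""
    root = Path(root)
    left = []
    for rel in COMBOFIX_ARTIFACTS:
        if (root / rel).exists():
            left.append(rel)
    return left


def remove_artifacts(root):
    """Delete the artifacts under `root`: what a working /Uninstall is expected to do.
    Only meant for the scratch tree built below, never for a live drive."""
    for rel in COMBOFIX_ARTIFACTS:
        p = Path(root) / rel
        if p.is_dir():
            shutil.rmtree(p)
        elif p.exists():
            p.unlink()


def make_scratch_system(root):
    """Constructed stand-in for the XP drive after the ComboFix run in this thread."""
    root = Path(root)
    quarantine = root / "Qoobox" / "Quarantine" / "C" / "WINDOWS" / "system32"
    quarantine.mkdir(parents=True)
    for name in ("tdlclk.dll.vir", "tdlcmd.dll.vir"):   # the two files MBAM alerted on
        (quarantine / name).write_bytes(b"MZ")
    (root / "cmdcons").mkdir()
    (root / "WINDOWS").mkdir()
    for exe in ("sed.exe", "MBR.exe", "PEV.exe", "SWREG.exe"):
        (root / "WINDOWS" / exe).write_bytes(b"MZ")


def demo():
    """Build the scratch tree, run the check before and after removal; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_scratch_system(tmp)
        before = leftover_artifacts(tmp)
        remove_artifacts(tmp)
        after = leftover_artifacts(tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before uninstall:", before)
    print("after uninstall: ", after)
```

On a real machine you would call leftover_artifacts on the system drive root after the uninstall; anything it returns, in particular a surviving C:\Qoobox, means the quarantined rootkit components are still on disk and will keep tripping the resident antivirus.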

#14 lstatner


Posted 02 December 2009 - 11:51 AM

Farbar--

Thanks--that took care of it!

Amazing job getting this thing disinfected! :)

#15 Farbar


Posted 02 December 2009 - 04:46 PM

You are very welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



