w32.netsky


  • This topic is locked
67 replies to this topic

#1 kellypmk1

kellypmk1

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 01 January 2010 - 11:14 PM

Hello, and thanks for having such a great group of informed people that are willing to help out!!

I was asked to help my computer illiterate mother with a new notebook that had gotten infected with the win32.Netsky worm. I had brought over some anti-virus software, and did some research on the internet to see what all the pop-ups were, and to try to identify the virus. Unfortunately, while looking at the different tools available, one of the links was apparently a bad one, as the next thing I knew, I had command windows popping like popcorn, and my virus software went crazy. I seem to have inherited her problem... lucky me. Anyways, her machine has been cleaned and installed, I've gotten mine almost back up to par, but I'm missing something, as every time I shut down, and start back up, something has disabled the Windows Firewall, and I get the warning for that.

I've currently got Command Anti-Virus running, as well as Spybot's TeaTimer and SUPERAntiSpyware. I've run full scans with Command, Spybot, SUPERAntiSpyware, ComboFix, SmitFraudFix and SDFix, and fixed the problems they identified as bad things. I've gotten control back of my machine, but I still think that I'm missing something.

I'm attaching a HijackThis log, as well as the DDS and RootRepeal logs your site recommends. Thanks in advance for any help that you can give me!!

Pat

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:15:35, on 12/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Common Files\AOL\1224881797\ee\AOLSoftware.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Pat Kelly\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\km92oev5.dll - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\km92oev5.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1224881797\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\mnwvr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\avp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\mnwvr.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1257080682250
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: ujhsf879fiosdfhgs98fudifmnddfdfd - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\km92oev5.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8510 bytes

DDS Text

DDS (Ver_09-12-01.01) - NTFSx86
Run by Pat Kelly at 21:03:29.23 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -6:00]

AV: Command AntiVirus for Windows *On-access scanning enabled* (Updated) {FEC5E682-ED0A-49C9-8BA8-63374386B103}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Common Files\AOL\1224881797\ee\AOLSoftware.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Documents and Settings\Pat Kelly\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\km92oev5.dll: {a5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\km92oev5.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avtray] c:\progra~1\authen~1\comman~1\avtray.exe
mRun: [untray] c:\progra~1\authen~1\comman~1\untray.exe
mRun: [dvprpt] c:\progra~1\authen~1\comman~1\dvprpt.exe
mRun: [CSAV_CheckViruses] c:\progra~1\authen~1\comman~1\vchk.exe
mRun: [HostManager] c:\program files\common files\aol\1224881797\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\mnwvr.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\avp.exe
StartupFolder: c:\docume~1\patkel~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257080682250
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\km92oev5.dll: {a5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\km92oev5.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patkel~1\applic~1\mozilla\firefox\profiles\3zee26fw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.SYS [2008-11-3 45056]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

=============== Created Last 30 ================

2009-12-27 17:27:12 38 ----a-w- C:\11.tmp
2009-12-27 17:27:09 15000 ----a-w- c:\windows\system32\km92oev5.dll
2009-12-27 17:27:06 66560 ----a-w- C:\F.tmp
2009-12-27 05:38:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-27 05:37:58 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:37:58 0 d-----w- c:\docume~1\patkel~1\applic~1\SUPERAntiSpyware.com
2009-12-27 05:21:21 38 ----a-w- C:\E.tmp
2009-12-27 05:21:18 26112 ----a-w- C:\D.tmp
2009-12-27 05:21:16 66560 ----a-w- C:\B.tmp
2009-12-26 22:36:48 38 ----a-w- C:\C.tmp
2009-12-26 22:36:43 66560 ----a-w- C:\8.tmp
2009-12-26 22:17:55 38 ----a-w- C:\A.tmp
2009-12-26 22:17:49 66560 ----a-w- C:\3.tmp
2009-12-26 22:06:34 98816 ----a-w- c:\windows\sed.exe
2009-12-26 22:06:34 77312 ----a-w- c:\windows\MBR.exe
2009-12-26 22:06:34 261632 ----a-w- c:\windows\PEV.exe
2009-12-26 22:06:34 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2009-12-30 12:13:47 305937 ----a-w- c:\windows\system32\nvModes.dat
2009-11-25 02:05:14 50688 ----a-w- C:\rtducn.exe
2009-11-25 02:05:08 199168 ----a-w- C:\ivas.exe
2009-11-25 02:05:01 31232 ----a-w- C:\qwghr.exe
2009-11-25 01:58:07 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 21:04:52.54 ===============



Thanks!!
Pat
Kellypmk1
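Added example for readers of this thread (not code from the original post, and not part of HijackThis, DDS or ComboFix): a small Python script that applies the checks a log reader does by eye to entries in the HijackThis format above. The lines in SAMPLE_LOG are constructed for the example, modelled on entries from the posted log (the F2 UserInit chain with a second program after userinit.exe, the O4 entries under HKUS\S-1-5-18 that run from C:\WINDOWS\TEMP, the O2 BHO and O22 SharedTaskScheduler entries that share one CLSID and DLL) mixed with clean ones; the O7 line mirrors the DisableRegistryTools policy that the DDS report lists under dPolicies-system. The rules are heuristics and the names `looks_random` and `triage` are the example's own: anything listed after userinit.exe in UserInit is started at every logon, autoruns under the SYSTEM hive pointing into a Temp directory are not how installers behave, a BHO whose display name is its own path was registered without a name, and one DLL registered both as a BHO and as a SharedTaskScheduler component has two load points. A hit means "examine this entry", not "this is malware", and a log taken on the running, infected system only shows what that system let the tool see.

```python
"""Triage a HijackThis-style log for hijack and persistence indicators.

Added example for this thread; not code from HijackThis, DDS, ComboFix or
the posters. SAMPLE_LOG is constructed (entries modelled on the posted log,
mixed with clean ones). Every rule is a heuristic: a hit means "examine
this entry", not "this is malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\km92oev5.dll - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\km92oev5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\mnwvr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\avp.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegistryTools=1
O22 - SharedTaskScheduler: ujhsf879fiosdfhgs98fudifmnddfdfd - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\km92oev5.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
""".strip("\n")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list[str] = field(default_factory=list)


# Names like ygua8e7yhuiesfha876yfauy8fe: long, letters+digits only, no words.
_RANDOMISH = re.compile(r"^[A-Za-z0-9]{16,}$")
_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<progs>.*)$", re.I)
_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_STS = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_POLICY = re.compile(r"^O7 - .*\\Policies\\(?:System|Explorer): (?P<setting>\w+)=(?P<value>\d+)$")
# Policies that remove the tools a user needs to inspect or undo changes.
RESTRICTIVE_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions", "NoControlPanel"}


def looks_random(name: str) -> bool:
    return (bool(_RANDOMISH.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_lines: dict[str, int] = {}          # CLSID -> line number of the O2 entry
    sts_entries: list[tuple[int, str, str]] = []

    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        reasons: list[str] = []

        if m := _USERINIT.match(line):
            # Every program listed after userinit.exe is started at each logon.
            progs = [p.strip() for p in m["progs"].split(",") if p.strip()]
            extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                reasons.append("UserInit launches extra program(s): " + ", ".join(extra))
        elif m := _RUN.match(line):
            if "\\temp\\" in m["cmd"].lower():
                reasons.append("autorun from a Temp directory")
            if m["hive"].upper().startswith("HKUS\\"):
                reasons.append(f"autorun under hive {m['hive']} rather than the logged-on user's")
            if looks_random(m["name"]):
                reasons.append("random-looking value name")
        elif m := _BHO.match(line):
            bho_lines[m["clsid"].upper()] = line_no
            if m["name"].lower() == m["path"].lower():
                reasons.append("BHO registered without a display name (HJT shows its path instead)")
        elif m := _STS.match(line):
            sts_entries.append((line_no, line, m["clsid"].upper()))
            if looks_random(m["name"]):
                reasons.append("random-looking SharedTaskScheduler name")
        elif m := _POLICY.match(line):
            if m["setting"] in RESTRICTIVE_POLICIES and m["value"] != "0":
                reasons.append(f"policy {m['setting']} is set (disables a user recovery tool)")

        if reasons:
            findings.append(Finding(line_no, line, reasons))

    # Cross-entry check: one CLSID registered both as a BHO (O2) and as a
    # SharedTaskScheduler component (O22) gives the same DLL two load points.
    for line_no, line, clsid in sts_entries:
        if clsid in bho_lines:
            hit = next((f for f in findings if f.line_no == line_no), None)
            if hit is None:
                hit = Finding(line_no, line)
                findings.append(hit)
            hit.reasons.append(f"same CLSID also loaded as BHO on line {bho_lines[clsid]}")
    findings.sort(key=lambda f: f.line_no)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it as a script to print each flagged entry with its reasons, or pass the text of a real log to triage(). It only looks at F2, O2, O4, O7 and O22 entries; the O20 Winlogon Notify, O23 service and O16 DPF lines still need reading by hand.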

#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:54 AM

Posted 04 January 2010 - 06:54 PM

Hello Pat :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to we assume it has been abandoned and it is closed.

It appears you have run ComboFix already. The log for that should be located at C:/Combofix.txt; please post that in your next reply.

Please do not post any logs as an attachment unless asked to do so.

Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 kellypmk1

kellypmk1
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 05 January 2010 - 10:14 AM

Hello TheWall, and thanks for helping.

I had run ComboFix previously, but not successfully (I couldn't keep the internet connection open, it kept shutting down, and the System Recovery Console couldn't be accessed). I tried it again and was able to run it; it gave a 'limited functionality' message, but it did run.

Here is the log (the Windows Firewall was shut off again when the machine rebooted during the ComboFix run):

ComboFix 09-12-26.01 - Pat Kelly 01/05/2010 8:54.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1508 [GMT -6:00]
Running from: c:\documents and settings\Pat Kelly\Desktop\ComboFix.exe
AV: Command AntiVirus for Windows *On-access scanning disabled* (Updated) {FEC5E682-ED0A-49C9-8BA8-63374386B103}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wsnpoem\audio.dll.cla
c:\windows\system32\wsnpoem\audio.dll . . . . failed to delete
c:\windows\system32\wsnpoem\video.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 14:10 . 2010-01-05 14:18 -------- d-----w- c:\program files\Microsoft Streets & Trips 2009
2009-12-27 17:27 . 2009-12-27 17:27 15000 ----a-w- c:\windows\system32\km92oev5.dll
2009-12-27 05:39 . 2010-01-04 21:33 52224 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-27 05:39 . 2010-01-04 21:33 117760 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-27 05:38 . 2009-12-27 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-27 05:37 . 2009-12-27 05:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:37 . 2009-12-27 05:37 -------- d-----w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 14:09 . 2008-10-24 18:22 -------- d-----w- c:\program files\MSECache
2010-01-04 21:22 . 2008-10-24 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 12:13 . 2008-10-24 19:54 305937 ----a-w- c:\windows\system32\nvModes.dat
2009-12-27 17:27 . 2008-10-24 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-27 17:27 . 2009-12-27 17:27 38 ----a-w- C:\11.tmp
2009-12-27 17:27 . 2009-12-27 17:27 66560 ----a-w- C:\F.tmp
2009-12-27 05:21 . 2009-12-27 05:21 38 ----a-w- C:\E.tmp
2009-12-27 05:21 . 2009-12-27 05:21 26112 ----a-w- C:\D.tmp
2009-12-27 05:21 . 2009-12-27 05:21 66560 ----a-w- C:\B.tmp
2009-12-27 05:04 . 2009-10-17 23:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 22:36 . 2009-12-26 22:36 38 ----a-w- C:\C.tmp
2009-12-26 22:36 . 2009-12-26 22:36 66560 ----a-w- C:\8.tmp
2009-12-26 22:17 . 2009-12-26 22:17 38 ----a-w- C:\A.tmp
2009-12-26 22:17 . 2009-12-26 22:17 66560 ----a-w- C:\3.tmp
2009-11-25 20:02 . 2009-11-25 20:02 38 ----a-w- C:\9.tmp
2009-11-25 20:02 . 2009-11-25 20:02 66560 ----a-w- C:\6.tmp
2009-11-25 19:43 . 2009-03-09 09:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 19:01 . 2009-11-25 19:01 38 ----a-w- C:\7.tmp
2009-11-25 19:01 . 2009-11-25 19:01 66560 ----a-w- C:\4.tmp
2009-11-25 02:05 . 2009-11-25 01:58 50688 ----a-w- C:\rtducn.exe
2009-11-25 02:05 . 2009-11-25 01:58 199168 ----a-w- C:\ivas.exe
2009-11-25 02:05 . 2009-11-25 02:04 38 ----a-w- C:\5.tmp
2009-11-25 02:05 . 2009-11-25 01:58 31232 ----a-w- C:\qwghr.exe
2009-11-25 01:58 . 2004-08-04 10:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 02:31 . 2008-12-01 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

------- Sigcheck -------

[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-26_22.37.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\temp\Perflib_Perfdata_194.dat
+ 2004-08-04 10:00 . 2010-01-05 14:08 58998 c:\windows\system32\perfc009.dat
+ 2005-09-23 13:28 . 2005-09-23 13:28 32768 c:\windows\system32\netfxperf.dll
+ 2005-09-23 13:28 . 2005-09-23 13:28 74240 c:\windows\system32\mscories.dll
+ 2005-09-23 13:28 . 2005-09-23 13:28 83456 c:\windows\system32\dfshim.dll
+ 2009-11-25 02:06 . 2009-12-27 17:33 49152 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-12-26 22:45 . 2009-12-26 23:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009122620091227\index.dat
+ 2008-10-22 11:58 . 2010-01-05 14:56 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-26 22:37 . 2009-12-26 23:26 10240 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{35DC18CA-F26F-11DE-9990-00038A000015}.dat
+ 2009-12-26 22:55 . 2009-12-26 22:57 11264 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B563C038-F271-11DE-9990-00038A000015}.dat
+ 2009-12-26 22:47 . 2009-12-26 22:52 20480 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AC2AE86D-F270-11DE-9990-00038A000015}.dat
+ 2009-12-26 23:15 . 2009-12-26 23:19 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9AD0C81C-F274-11DE-9990-00038A000015}.dat
+ 2009-12-26 23:07 . 2009-12-26 23:08 21504 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{631EDA05-F273-11DE-9990-00038A000015}.dat
+ 2009-12-26 22:57 . 2009-12-26 23:01 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0D153E88-F272-11DE-9990-00038A000015}.dat
+ 2009-12-26 22:56 . 2009-12-26 22:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2009-11-25 19:02 . 2009-12-26 22:37 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-11-25 19:02 . 2009-12-27 17:35 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-12-27 17:27 . 2010-01-05 14:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-22 11:58 . 2009-12-26 22:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-09-23 13:28 . 2005-09-23 13:28 28160 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2005-09-23 13:28 . 2005-09-23 13:28 71680 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2005-09-23 13:28 . 2005-09-23 13:28 86016 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2005-09-23 13:28 . 2005-09-23 13:28 47616 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2005-09-23 13:28 . 2005-09-23 13:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 3018752 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 2035712 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 5316608 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 5050368 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 5025792 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 2878976 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 4308992 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2005-09-23 13:48 . 2005-09-23 13:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2010-01-05 14:07 . 2010-01-05 14:07 13107200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad238514cddc7845a351dca218ad7c67\System.Windows.Forms.ni.dll
+ 2010-01-05 14:15 . 2010-01-05 14:15 11808768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\9db3541a77bda04da87292f63f508821\System.Web.ni.dll
+ 2010-01-05 14:08 . 2010-01-05 14:08 10723328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\d879c2503dde0248be70424f111f0ee7\System.Design.ni.dll
+ 2010-01-05 14:06 . 2010-01-05 14:06 11411456 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\207463a228694b4499be18a975f9c6ba\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-20 8491008]
"nwiz"="nwiz.exe" [2007-09-20 1626112]
"NVHotkey"="nvHotkey.dll" [2007-09-20 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-20 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avtray"="c:\progra~1\AUTHEN~1\COMMAN~1\avtray.exe" [2008-06-01 144688]
"untray"="c:\progra~1\AUTHEN~1\COMMAN~1\untray.exe" [2008-06-01 140592]
"dvprpt"="c:\progra~1\AUTHEN~1\COMMAN~1\dvprpt.exe" [2008-06-01 206128]
"CSAV_CheckViruses"="c:\progra~1\AUTHEN~1\COMMAN~1\vchk.exe" [2008-06-01 75056]
"HostManager"="c:\program files\Common Files\AOL\1224881797\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-20 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\Pat Kelly\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-24 19:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1224881797\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\123CopyDVD 2009\\123CopyDVD.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 3:15 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.SYS [11/3/2008 9:07 PM 45056]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1029456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b463be5-a4a4-11dd-98e0-00038a000015}]
\Shell\AutoRun\command - RECYCLER\autorun.exe
\Shell\open\command - RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bed7ef2e-16e1-11de-991f-00038a000015}]
\Shell\AutoRun\command - WDSetup.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pat Kelly\Application Data\Mozilla\Firefox\Profiles\3zee26fw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ygua8e7yhuiesfha876yfauy8fe - c:\windows\TEMP\mnwvr.exe
HKU-Default-Run-asg984jgkfmgasi8ug98jgkfgfb - c:\windows\TEMP\avp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 08:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ntos.exe 188928 bytes executable
c:\windows\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89DEA530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0x89d02bb0
PacketIndicateHandler -> NDIS.sys @ 0x89cf1a0d
SendHandler -> NDIS.sys @ 0x89d05b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Authentium\Command AntiVirus\avinitnt.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Authentium\Command AntiVirus\schscnt.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-01-05 09:03:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 15:02
ComboFix2.txt 2009-12-27 17:22
ComboFix3.txt 2009-12-27 05:36
ComboFix4.txt 2009-12-26 22:43

Pre-Run: 147,365,285,888 bytes free
Post-Run: 147,367,256,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 23D225DC813B5045AB78D0FB12ABDF87

Thanks!

Pat

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:54 AM

Posted 05 January 2010 - 10:23 AM

Are you running it in normal mode?
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 kellypmk1

  • Topic Starter
  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 05 January 2010 - 01:21 PM

Yes. When it launched, it said something like "today's date is 01-05-2010, this will be run in a reduced function mode". Is there some type of update/def file that needs to be downloaded? (I wasn't running it in safe mode; it was with Windows booted normally and with Command AntiVirus dynamic protection turned off.)

Pat

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:54 AM

Posted 05 January 2010 - 01:33 PM

Let's try a newer version. Delete the one you have on your Desktop, download one from below, then run it:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 kellypmk1

  • Topic Starter
  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 05 January 2010 - 04:06 PM

Here is the log.


ComboFix 10-01-04.01 - Pat Kelly 01/05/2010 14:46:57.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1713 [GMT -6:00]
Running from: c:\documents and settings\Pat Kelly\Desktop\ComboFix.exe
AV: Command AntiVirus for Windows *On-access scanning disabled* (Updated) {FEC5E682-ED0A-49C9-8BA8-63374386B103}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\km92oev5.dll
c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 14:10 . 2010-01-05 14:18 -------- d-----w- c:\program files\Microsoft Streets & Trips 2009
2009-12-27 05:39 . 2010-01-04 21:33 52224 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-27 05:39 . 2010-01-04 21:33 117760 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-27 05:38 . 2009-12-27 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-27 05:37 . 2009-12-27 05:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:37 . 2009-12-27 05:37 -------- d-----w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 15:20 . 2008-10-24 20:07 93176 ----a-w- c:\documents and settings\Pat Kelly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 14:09 . 2008-10-24 18:22 -------- d-----w- c:\program files\MSECache
2010-01-04 21:22 . 2008-10-24 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 12:13 . 2008-10-24 19:54 305937 ----a-w- c:\windows\system32\nvModes.dat
2009-12-27 17:27 . 2008-10-24 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-27 17:27 . 2009-12-27 17:27 38 ----a-w- C:\11.tmp
2009-12-27 17:27 . 2009-12-27 17:27 66560 ----a-w- C:\F.tmp
2009-12-27 05:21 . 2009-12-27 05:21 38 ----a-w- C:\E.tmp
2009-12-27 05:21 . 2009-12-27 05:21 26112 ----a-w- C:\D.tmp
2009-12-27 05:21 . 2009-12-27 05:21 66560 ----a-w- C:\B.tmp
2009-12-27 05:04 . 2009-10-17 23:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-26 22:36 . 2009-12-26 22:36 38 ----a-w- C:\C.tmp
2009-12-26 22:36 . 2009-12-26 22:36 66560 ----a-w- C:\8.tmp
2009-12-26 22:17 . 2009-12-26 22:17 38 ----a-w- C:\A.tmp
2009-12-26 22:17 . 2009-12-26 22:17 66560 ----a-w- C:\3.tmp
2009-11-25 20:02 . 2009-11-25 20:02 38 ----a-w- C:\9.tmp
2009-11-25 20:02 . 2009-11-25 20:02 66560 ----a-w- C:\6.tmp
2009-11-25 19:43 . 2009-03-09 09:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 19:01 . 2009-11-25 19:01 38 ----a-w- C:\7.tmp
2009-11-25 19:01 . 2009-11-25 19:01 66560 ----a-w- C:\4.tmp
2009-11-25 02:05 . 2009-11-25 01:58 50688 ----a-w- C:\rtducn.exe
2009-11-25 02:05 . 2009-11-25 01:58 199168 ----a-w- C:\ivas.exe
2009-11-25 02:05 . 2009-11-25 02:04 38 ----a-w- C:\5.tmp
2009-11-25 02:05 . 2009-11-25 01:58 31232 ----a-w- C:\qwghr.exe
2009-11-25 01:58 . 2004-08-04 10:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 02:31 . 2008-12-01 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

------- Sigcheck -------

[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-01-05_14.57.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-05 20:56 . 2010-01-05 20:56 16384 c:\windows\temp\Perflib_Perfdata_e28.dat
+ 2004-08-04 10:00 . 2010-01-05 20:57 58998 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-01-05 14:08 58998 c:\windows\system32\perfc009.dat
+ 2008-10-22 11:58 . 2010-01-05 20:45 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-22 11:58 . 2010-01-05 14:56 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-27 17:27 . 2010-01-05 14:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-27 17:27 . 2010-01-05 20:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 10:00 . 2010-01-05 20:57 392864 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-01-05 14:08 392864 c:\windows\system32\perfh009.dat
- 2008-10-22 11:58 . 2010-01-05 14:56 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-22 11:58 . 2010-01-05 20:45 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-20 21:46 . 2010-01-05 20:45 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-20 21:46 . 2010-01-05 14:56 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-20 8491008]
"nwiz"="nwiz.exe" [2007-09-20 1626112]
"NVHotkey"="nvHotkey.dll" [2007-09-20 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-20 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avtray"="c:\progra~1\AUTHEN~1\COMMAN~1\avtray.exe" [2008-06-01 144688]
"untray"="c:\progra~1\AUTHEN~1\COMMAN~1\untray.exe" [2008-06-01 140592]
"dvprpt"="c:\progra~1\AUTHEN~1\COMMAN~1\dvprpt.exe" [2008-06-01 206128]
"CSAV_CheckViruses"="c:\progra~1\AUTHEN~1\COMMAN~1\vchk.exe" [2008-06-01 75056]
"HostManager"="c:\program files\Common Files\AOL\1224881797\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-20 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\Pat Kelly\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-24 19:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1224881797\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\123CopyDVD 2009\\123CopyDVD.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 3:15 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.SYS [11/3/2008 9:07 PM 45056]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1029456]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pat Kelly\Application Data\Mozilla\Firefox\Profiles\3zee26fw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89D20530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0x89d82bb0
PacketIndicateHandler -> NDIS.sys @ 0x89d71a0d
SendHandler -> NDIS.sys @ 0x89d85b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Authentium\Command AntiVirus\avinitnt.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Authentium\Command AntiVirus\schscnt.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-01-05 15:00:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 21:00
ComboFix2.txt 2010-01-05 15:03
ComboFix3.txt 2009-12-27 17:22
ComboFix4.txt 2009-12-27 05:36
ComboFix5.txt 2010-01-05 20:43

Pre-Run: 147,324,338,176 bytes free
Post-Run: 147,299,573,760 bytes free

- - End Of File - - EF771F416AF3C0D4F62C25EC3CE2BD51

The Windows Firewall was turned off again when it rebooted.

Pat

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:54 AM

Posted 05 January 2010 - 05:10 PM

We'll see if this solves the firewall issue. Let me know after you run this script.

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\11.tmp
C:\F.tmp
C:\E.tmp
C:\D.tmp
C:\B.tmp
C:\C.tmp
C:\8.tmp
C:\A.tmp
C:\3.tmp
C:\9.tmp
C:\6.tmp
C:\7.tmp
C:\4.tmp
C:\rtducn.exe
C:\ivas.exe
C:\5.tmp
C:\qwghr.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
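As an added, defender-side example (not code from this thread, from ComboFix, or from its author), here is a Python triage helper that reads the "Reg Loading Points" section of a ComboFix log like the ones posted above, flags the four indicators visible in this thread (an extra executable chained into the Winlogon `Userinit` value, an `AppCertDlls` entry, `EnableFirewall` set to 0 in the standard profile, and `MountPoints2` AutoRun/open handlers on removable volumes), and drafts a CFScript body in the `File::`/`Registry::` layout used in the post above. The sample log text is copied from the log posted earlier in the thread; the function names and rule wording are this example's own. The `Registry::` part only reproduces the DWORD form the post shows; it does not attempt to rewrite the `Userinit` string, since the thread does not show the CFScript syntax for that, so the Userinit finding is reported for the helper to act on.

```python
"""Triage a ComboFix 'Reg Loading Points' dump and draft a CFScript.

Added example: not part of the BleepingComputer thread or of ComboFix.
The indicator rules are this example's own; they match what the logs in
the thread show, not any documented ComboFix format beyond File::/Registry::.
"""
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the keys the rules below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b463be5-a4a4-11dd-98e0-00038a000015}]
\Shell\AutoRun\command - RECYCLER\autorun.exe
\Shell\open\command - RECYCLER\autorun.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_sections(text):
    """Group a REGEDIT4-style dump into {key path: [raw value lines]}."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def userinit_extras(sections):
    """Executables chained after userinit.exe in the Winlogon Userinit value.

    A clean value is userinit.exe alone; anything else runs at every logon."""
    extras = []
    for key, lines in sections.items():
        if not key.lower().endswith("\\winlogon"):
            continue
        for line in lines:
            m = re.match(r'^"Userinit"="(.*)"$', line)
            if not m:
                continue
            for entry in m.group(1).split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("\\userinit.exe"):
                    extras.append(entry)
    return extras


def appcert_dlls(sections):
    """DLL paths registered under AppCertDlls (loaded into new processes)."""
    found = []
    for key, lines in sections.items():
        if key.lower().endswith("\\appcertdlls"):
            for line in lines:
                parts = line.split(None, 2)  # value name, type, path
                if len(parts) == 3:
                    found.append(parts[2])
    return found


def firewall_disabled(sections):
    """True when the standard profile's EnableFirewall value is 0."""
    for key, lines in sections.items():
        if key.lower().endswith("\\firewallpolicy\\standardprofile"):
            for line in lines:
                if re.match(r'^"EnableFirewall"=\s*0\b', line):
                    return True
    return False


def removable_autoruns(sections):
    """(volume GUID, target) pairs for MountPoints2 AutoRun/open handlers."""
    hits = []
    for key, lines in sections.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for line in lines:
            m = re.match(r"^\\Shell\\(AutoRun|open)\\command - (.+)$", line, re.IGNORECASE)
            if m:
                hits.append((key.rsplit("\\", 1)[1], m.group(2)))
    return hits


def triage(text):
    """Return (findings, cfscript_body) for one Reg Loading Points dump."""
    sections = parse_sections(text)
    findings, files, registry = [], [], []
    for exe in userinit_extras(sections):
        findings.append(f"Userinit chains an extra executable: {exe}")
        files.append(exe)
    for dll in appcert_dlls(sections):
        findings.append(f"AppCertDlls loads {dll} into new processes")
        files.append(dll)
    if firewall_disabled(sections):
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
        registry.append("[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]")
        registry.append('"EnableFirewall"= 1')
    for guid, target in removable_autoruns(sections):
        findings.append(f"MountPoints2 {guid} runs {target} when the volume is opened")
    script = []
    if files:
        script.append("File::")
        script.extend(files)
    if registry:
        script.append("Registry::")
        script.extend(registry)
    return findings, "\n".join(script)


if __name__ == "__main__":
    found, body = triage(SAMPLE_LOG)
    print("\n".join(found))
    print("\n--- draft CFScript.txt ---\n" + body)
```

The draft it prints is a starting point for the helper, not something to drop onto ComboFix.exe unread: the `File::` list only carries paths that the rules themselves derived from the log, and the MountPoints2 hits are reported but left for manual handling, since the thread shows no CFScript form for them.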

#9 kellypmk1

  • Topic Starter
  • Members
  • 32 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 05 January 2010 - 09:31 PM

Put the script in, and ComboFix ran again. It gave a message "detected rootkit activity" and said to reboot. It also gave a message "write down C:\windows\system32\ntos.exe", and then rebooted and ran.

Right before I ran it, I started getting a pop-up in the center of the screen, saying that it was from Internet Explorer "due to errors on the page, some items might not display correctly" with a "Click here for more information" button. Won't go away...

Here is the log


ComboFix 10-01-04.01 - Pat Kelly 01/05/2010 20:16:21.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1729 [GMT -6:00]
Running from: c:\documents and settings\Pat Kelly\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pat Kelly\Desktop\CFScript.txt.txt
AV: Command AntiVirus for Windows *On-access scanning disabled* (Updated) {FEC5E682-ED0A-49C9-8BA8-63374386B103}

FILE ::
"C:\11.tmp"
"C:\3.tmp"
"C:\4.tmp"
"C:\5.tmp"
"C:\6.tmp"
"C:\7.tmp"
"C:\8.tmp"
"C:\9.tmp"
"C:\A.tmp"
"C:\B.tmp"
"C:\C.tmp"
"C:\D.tmp"
"C:\E.tmp"
"C:\F.tmp"
"C:\ivas.exe"
"C:\qwghr.exe"
"C:\rtducn.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\11.tmp
C:\3.tmp
C:\4.tmp
C:\5.tmp
C:\6.tmp
C:\7.tmp
C:\8.tmp
C:\9.tmp
C:\A.tmp
C:\B.tmp
C:\C.tmp
C:\D.tmp
C:\E.tmp
C:\F.tmp
C:\ivas.exe
C:\qwghr.exe
C:\rtducn.exe
c:\windows\system32\b9e3keqf.dll
c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\temp\1317170456.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-06 01:28 . 2010-01-06 01:28 -------- d-----w- C:\Superbad Unrated
2010-01-05 14:10 . 2010-01-05 14:18 -------- d-----w- c:\program files\Microsoft Streets & Trips 2009
2009-12-27 05:39 . 2010-01-04 21:33 52224 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-27 05:39 . 2010-01-04 21:33 117760 ----a-w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-27 05:38 . 2009-12-27 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-27 05:37 . 2009-12-27 05:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:37 . 2009-12-27 05:37 -------- d-----w- c:\documents and settings\Pat Kelly\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 21:02 . 2008-10-24 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-05 21:01 . 2010-01-05 21:01 38 ----a-w- C:\13.tmp
2010-01-05 21:01 . 2010-01-05 21:01 66560 ----a-w- C:\10.tmp
2010-01-05 15:20 . 2008-10-24 20:07 93176 ----a-w- c:\documents and settings\Pat Kelly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 14:09 . 2008-10-24 18:22 -------- d-----w- c:\program files\MSECache
2010-01-04 21:22 . 2008-10-24 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 12:13 . 2008-10-24 19:54 305937 ----a-w- c:\windows\system32\nvModes.dat
2009-12-27 05:04 . 2009-10-17 23:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 19:43 . 2009-03-09 09:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 01:58 . 2004-08-04 10:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 02:31 . 2008-12-01 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

------- Sigcheck -------

[-] 2009-11-25 01:58 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-01-05_14.57.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-06 02:22 . 2010-01-06 02:22 16384 c:\windows\temp\Perflib_Perfdata_f9c.dat
+ 2004-08-04 10:00 . 2010-01-06 02:23 58998 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-01-05 14:08 58998 c:\windows\system32\perfc009.dat
- 2009-11-25 02:06 . 2009-12-27 17:33 49152 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-11-25 02:06 . 2010-01-05 21:11 49152 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2008-10-22 11:58 . 2010-01-06 01:26 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-22 11:58 . 2010-01-05 14:56 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-25 19:02 . 2010-01-05 21:11 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-11-25 19:02 . 2009-12-27 17:35 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-12-27 17:27 . 2010-01-05 14:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-05 21:01 . 2010-01-06 01:26 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-05 21:02 . 2010-01-05 21:11 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{944DFB86-FA3D-11DE-999F-00038A000015}.dat
+ 2010-01-05 21:11 . 2010-01-05 21:11 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DD2EBC3C-FA3E-11DE-999F-00038A000015}.dat
+ 2010-01-05 21:02 . 2010-01-05 21:02 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{944DFB87-FA3D-11DE-999F-00038A000015}.dat
+ 2010-01-05 21:07 . 2010-01-05 21:07 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{59B2CCE1-FA3E-11DE-999F-00038A000015}.dat
+ 2010-01-05 21:05 . 2010-01-05 21:05 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1069A46F-FA3E-11DE-999F-00038A000015}.dat
+ 2004-08-04 10:00 . 2010-01-06 02:23 392864 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-01-05 14:08 392864 c:\windows\system32\perfh009.dat
+ 2008-10-22 11:58 . 2010-01-06 01:26 262144 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-20 21:46 . 2010-01-06 01:26 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-20 21:46 . 2010-01-05 14:56 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-20 8491008]
"nwiz"="nwiz.exe" [2007-09-20 1626112]
"NVHotkey"="nvHotkey.dll" [2007-09-20 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-20 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avtray"="c:\progra~1\AUTHEN~1\COMMAN~1\avtray.exe" [2008-06-01 144688]
"untray"="c:\progra~1\AUTHEN~1\COMMAN~1\untray.exe" [2008-06-01 140592]
"dvprpt"="c:\progra~1\AUTHEN~1\COMMAN~1\dvprpt.exe" [2008-06-01 206128]
"CSAV_CheckViruses"="c:\progra~1\AUTHEN~1\COMMAN~1\vchk.exe" [2008-06-01 75056]
"HostManager"="c:\program files\Common Files\AOL\1224881797\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-20 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\Pat Kelly\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-24 19:35 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1224881797\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\123CopyDVD 2009\\123CopyDVD.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 3:15 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 CBUSB;MARX CryptoTech LP;c:\windows\system32\drivers\CBUSB.SYS [11/3/2008 9:07 PM 45056]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1029456]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pat Kelly\Application Data\Mozilla\Firefox\Profiles\3zee26fw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{A5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89DB2530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0x89d99bb0
PacketIndicateHandler -> NDIS.sys @ 0x89d88a0d
SendHandler -> NDIS.sys @ 0x89d9cb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Authentium\Command AntiVirus\avinitnt.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Authentium\Command AntiVirus\schscnt.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-01-05 20:25:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 02:25
ComboFix2.txt 2010-01-05 21:00
ComboFix3.txt 2010-01-05 15:03
ComboFix4.txt 2009-12-27 17:22
ComboFix5.txt 2010-01-06 02:11

Pre-Run: 139,198,980,096 bytes free
Post-Run: 139,196,428,288 bytes free

- - End Of File - - 186F89C66AB836661C9369950F74B5EB



The warning in the menu bar popped back up that the Windows Firewall was shut off again.

Pat
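
An added example, not part of the thread and not a BleepingComputer or ComboFix tool. The Sigcheck block in the log above lists four copies of ndis.sys: the live file at c:\windows\system32\drivers\ndis.sys is 212224 bytes with no readable version ([------]) and the unsigned marker, while the ServicePackFiles copy is 182656 bytes with version 5.1.2600.5512, and the Find3M section dates the live copy's change to 2009-11-25. Whether that is connected to the firewall being switched off is for the helper to judge, but a live system driver that no longer matches its Service Pack copy is exactly the kind of discrepancy worth flagging automatically when reading a ComboFix log. The Python below parses Sigcheck lines, groups the copies by file name, compares each live copy against the ServicePackFiles baseline, and also notes when one hash string is printed for files of different sizes (as happens for ndis.sys here), because files of different lengths cannot realistically share an MD5 and the hash column is then not something to rely on. Assumptions: the leading `[7]`/`[-]` marker is read as signature-verified/unverified, which is how I understand ComboFix's convention; the `example.sys` lines in the sample are constructed as a clean control case; the function and class names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four ndis.sys lines exactly as the ComboFix log in the post
# above prints them, plus a hypothetical clean driver (example.sys) as a control case.
SAMPLE_SIGCHECK = r"""
[-] 2009-11-25 01:58 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-25 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-14 . 0123456789ABCDEF0123456789ABCDEF . 1024 . . [5.1.2600.5512] . . c:\windows\system32\drivers\example.sys
[7] 2008-04-14 . 0123456789ABCDEF0123456789ABCDEF . 1024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\example.sys
"""

# One Sigcheck line: [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class SigEntry:
    flag: str      # "7" = signature verified, "-" = not (assumed reading of ComboFix's marker)
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.lower().rsplit("\\", 1)[-1]

    @property
    def is_baseline(self) -> bool:
        # The Service Pack install copy is the reference the live file should match.
        return "\\servicepackfiles\\i386\\" in self.path.lower()

    @property
    def is_live(self) -> bool:
        # The copy Windows actually loads: anything not in a cache or backup location.
        low = self.path.lower()
        return not (self.is_baseline or "\\dllcache\\" in low or "$ntservicepackuninstall$" in low)


def parse_sigcheck(text: str) -> List[SigEntry]:
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Return {file name: [reasons]} for every file whose live copy looks modified."""
    groups: Dict[str, List[SigEntry]] = defaultdict(list)
    for e in parse_sigcheck(text):
        groups[e.name].append(e)

    findings: Dict[str, List[str]] = {}
    for name, entries in groups.items():
        reasons = []
        baseline: Optional[SigEntry] = next((e for e in entries if e.is_baseline), None)
        for e in (x for x in entries if x.is_live):
            if e.flag != "7":
                reasons.append(f"{e.path}: signature not verified ([{e.flag}])")
            if baseline is not None and e.size != baseline.size:
                reasons.append(f"{e.path}: size {e.size} differs from ServicePackFiles copy ({baseline.size})")
            if baseline is not None and e.version != baseline.version:
                reasons.append(f"{e.path}: version [{e.version}] differs from baseline [{baseline.version}]")
        # Sanity check on the hash column: one MD5 cannot belong to files of different lengths.
        sizes_by_md5: Dict[str, set] = defaultdict(set)
        for e in entries:
            sizes_by_md5[e.md5].add(e.size)
        for md5, sizes in sizes_by_md5.items():
            if len(sizes) > 1:
                reasons.append(f"hash {md5} listed for {len(sizes)} different sizes; "
                               "hash column not trustworthy, judge by size/version")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SIGCHECK).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it against the Sigcheck section of any ComboFix log by passing the section text to `triage()`; on the sample it flags only ndis.sys (size, version, signature marker, and the inconsistent hash column) and stays silent on the control driver.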

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 January 2010 - 09:40 PM

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


#11 kellypmk1
  • Topic Starter
  • Members
  • 32 posts

Posted 06 January 2010 - 12:05 AM

OK, here is that log. I had a hard freeze after it ran; I saved the log and had to do a hard shutdown.

Pat


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-05 22:59:16
Windows 5.1.2600 Service Pack 3
Running: 82w5j3vm.exe; Driver: C:\DOCUME~1\PATKEL~1\LOCALS~1\Temp\kfrdraod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA918C10]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7FBA0B0]

Code 89834EE8 ZwDuplicateObject
Code 898351A0 ZwSetInformationFile
Code 898357A0 ZwSetSystemInformation
Code 89835308 ZwWriteFile
Code 89DB2530 pIofCallDriver
Code 89834EE7 NtDuplicateObject
Code 8983519F NtSetInformationFile
Code 89835307 NtWriteFile

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom Code 89834018
Device \Driver\NDIS \Device\Ndis [89D8C984] NDIS.sys[.reloc]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

#12 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 January 2010 - 12:17 AM

Are you getting redirected when you try to open sites?

#13 kellypmk1
  • Topic Starter
  • Members
  • 32 posts

Posted 06 January 2010 - 01:01 AM

Nope, not at the moment. Just the Windows Firewall is taken down every time I boot into Windows, and I had that pop-up keep coming up saying that Internet Explorer might be displaying some errors, "click here", when I didn't even have a browser window open.

Pat

#14 kellypmk1
  • Topic Starter
  • Members
  • 32 posts

Posted 06 January 2010 - 01:02 AM

Oh yeah, and at some point early along, it whacked my desktop picture and shuffled all of my icons.

#15 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 January 2010 - 11:11 AM

Please run the following:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.




