Google and Yahoo searches redirected


  • This topic is locked
31 replies to this topic

#1 jwhaile


Posted 31 January 2010 - 09:12 PM

I can do a Google search and when I click on one of the links in my results I briefly see "Toolanalytics.com" before I'm redirected to another site. Some random examples of where I've been redirected to, and nothing to do with my original search, are www.smarter.com, www.safecompare.com, hotjobs.yahoo.com, www.ononeworld.com, and www.kbb.com. Sometimes after I have clicked on a few results from my search and have been redirected, it will stop redirecting me as long as I'm still dealing with the same results of the original Google search. Thanks in advance.

Here is my hijack log - dds.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Bill at 19:33:13.10 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2224 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 100131-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.live.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241905157796
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-3 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-10 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-10 353672]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-10 138680]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-4-30 8960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-4-30 11264]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-10 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-10 352920]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-30 16640]

=============== Created Last 30 ================

2010-01-30 20:48:09 0 d-----w- c:\docume~1\bill\applic~1\Malwarebytes
2010-01-30 20:48:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 20:48:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-30 20:48:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 20:48:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 01:21:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 23:42:59 0 d-----w- C:\New Folder

==================== Find3M ====================

2010-01-23 05:46:14 19000 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-09 21:03:53 512 ----a-w- C:\drmHeader.bin
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-08 19:56:49 15880 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 19:33:26.54 ===============




Here is the Root Repeal file - ark.txt:




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/31 19:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA0350000 Size: 888832 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9A81B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9CD4000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_324.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa04316b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0528fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0525c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa0431574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0529580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053d900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053db10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0541b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0529670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0526210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa05409f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa0431a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053d280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0540f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0540f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0526070

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa043164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053f180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053ef40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa043176e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa05416f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0541150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0528be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa043172e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0529190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0526440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa04318ae

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053e200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa053e080

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x898a1948]
Process: System Address: 0xba42b93a Size: 200

==EOF==


I've attached ATTACH.TXT
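
Added example (not part of the original thread, and not code from any tool named in it): a Python sketch that triages a RootRepeal log like the one above by checking each SSDT hook owner against the driver paths registered in the DDS "SERVICES / DRIVERS" section, and by listing hidden drivers and stealth objects separately. The sample text is abridged from the two logs in this post; the `example_unlisted.sys` entry and its address are constructed.

```python
import re
from collections import defaultdict

# Abridged from the DDS "SERVICES / DRIVERS" section in post #1.
DDS_DRIVERS = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-10 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-10 353672]
"""

# Abridged from the RootRepeal log in post #1 (two drivers, two SSDT hooks kept).
ROOTREPEAL = r"""
Drivers
-------------------
Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9A81B000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa04316b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa0528fc0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x898a1948]
Process: System Address: 0xba42b93a Size: 200

==EOF==
"""

# Constructed entry with a hypothetical driver name, to show an unattributed hook.
UNLISTED_HOOK = r"""
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\example_unlisted.sys" at address 0x00000000
"""
ROOTREPEAL_PLUS = ROOTREPEAL.replace("Stealth Objects", UNLISTED_HOOK + "\nStealth Objects")

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Stealth Objects)$")
HOOK_RE = re.compile(r'Function Name:\s*(\S+).*Hooked by "([^"]+)"')


def split_sections(text):
    """Return {section title: [record, ...]}; a record is a blank-line-separated group of lines."""
    sections, current, record = defaultdict(list), None, []
    for line in text.splitlines() + [""]:
        line = line.strip()
        if SECTION_RE.match(line) or not line:
            if current and record:          # flush the record collected so far
                sections[current].append(record)
            record = []
            if line:
                current = line
        elif set(line) == {"-"} or line.startswith("=="):
            continue                        # ruler lines and the ==EOF== marker
        elif current:
            record.append(line)
    return sections


def registered_driver_paths(dds_text):
    """Lower-cased image paths from DDS lines of the form 'R1 name;display;path [date size]'."""
    paths = set()
    for line in dds_text.splitlines():
        m = re.match(r"^[RS]\d\s+[^;]+;[^;]*;(.+?)\s+\[", line.strip())
        if m:
            paths.add(m.group(1).lower())
    return paths


def triage(rootrepeal_text, dds_text):
    """Group SSDT hooks by owner and split them into registered / unregistered drivers."""
    known = registered_driver_paths(dds_text)
    sections = split_sections(rootrepeal_text)
    report = {"attributed_hooks": defaultdict(list), "unattributed_hooks": defaultdict(list),
              "hidden_drivers": [], "stealth_objects": []}
    for rec in sections["SSDT"]:
        m = HOOK_RE.search(" ".join(rec))
        if m:
            owner = m.group(2).lower()
            bucket = "attributed_hooks" if owner in known else "unattributed_hooks"
            report[bucket][owner].append(m.group(1))
    for rec in sections["Drivers"]:
        fields = dict(l.split(": ", 1) for l in rec if ": " in l)
        if "hidden" in fields.get("Status", "").lower():
            report["hidden_drivers"].append(fields.get("Name"))
    report["stealth_objects"] = [" | ".join(rec) for rec in sections["Stealth Objects"]]
    return report


if __name__ == "__main__":
    for label, log in (("log from post #1", ROOTREPEAL), ("with constructed entry", ROOTREPEAL_PLUS)):
        r = triage(log, DDS_DRIVERS)
        print(label, "->", dict(r["unattributed_hooks"]), r["hidden_drivers"], r["stealth_objects"])
```

A hook owner that matches a registered driver path is attributed, not cleared; the path check says nothing about whether the file on disk has been tampered with.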


#2 thewall


Posted 02 February 2010 - 08:05 PM


Hello jwhaile, Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I will need for you to run another rootkit scan for me:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files











Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 jwhaile


Posted 02 February 2010 - 11:54 PM

I ran the Gmer rootkit scanner. It took about 2 hours. When I tried to save the log as Gmer.txt it never finished saving it. I finally had to cancel the process. I restarted my computer and tried to run a scan again. It started like it did before and then stopped. It's not scanning everything like it did the first time. I'll try again tomorrow night. Thanks for your help.

#4 thewall


Posted 03 February 2010 - 12:18 AM

You might want to close any browsers and even disconnect from the Internet and then disable your Avast. That may help. If you can't get it to run at all then just let me know and we'll go another way.

#5 jwhaile


Posted 03 February 2010 - 12:41 AM

Will do. Thanks

#6 jwhaile


Posted 03 February 2010 - 10:59 PM

Well I disconnected the internet connection and turned off Avast and ran Gmer. Took about 2 hours and ended with a warning of a Rootkit issue. I clicked OK on the warning to close that window. Then I clicked "Save". It took about a minute for the Window to open and stabilize so I could type in Gmer.txt and try to save it. About 35 minutes later I gave up and ended the file save operation. Could I have copied the text out of the program window and just saved that?

Anyway, what do you recommend for a next step?

Edited by jwhaile, 03 February 2010 - 11:14 PM.


#7 jwhaile


Posted 03 February 2010 - 11:10 PM

I'm posting from a different computer by the way. After I ended the Save File operation, my computer now is very slow to respond to anything, or not at all. I just tried to turn it off. I click the Start button, and then Turn off Computer, but the next window doesn't come up so I can turn it off. I turned it off last night by holding down the power button. When I do click Turn off Computer, the only window that does finally come up only gives me the options of "Log off" or "Switch Users".

#8 thewall


Posted 03 February 2010 - 11:55 PM

With the new rootkits we have been seeing the last week or so I could really use the GMER scan. Any chance when you looked at the log while trying to save it that you saw a reference in there to Max++? It would have been in some of the lines of text and usually there would be several lines with that included in it. I know that's a lot to ask because of the amount of info which can be on there at times but it's worth asking.

#9 jwhaile


Posted 04 February 2010 - 12:32 AM

Yes, I'm pretty sure I did see Max++ a few times.

#10 thewall


Posted 04 February 2010 - 12:54 AM

Good that you saw it but bad that you got it so to speak. That's a new version of a rootkit which is not very nice. Do you have your Windows CD? We are going to need the Recovery Console but if you don't have it I can give you instructions on burning a CD with it on there.

#11 jwhaile


Posted 04 February 2010 - 08:37 PM

I ran Gmer again briefly and watched to see what it said. I saw this about 17 times:

\\74.117.114.86\max++.x86.dll(***hidden***) followed by more location info, but you get the gist

It's a fairly new Dell, and I have the XP Pro Service Pack 3 Reinstallation CD. Will that do?

#12 thewall


Posted 04 February 2010 - 10:06 PM

That's what I needed to know, good job. Bad infection but we'll work to get it out.

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.




#13 jwhaile


Posted 04 February 2010 - 10:50 PM

Guess I should have turned Avast off before running maxlook the second time. It set off a warning, but I checked to do nothing and it still produced the looklog.txt file.

Here it is:

Run from C:\Documents and Settings\Bill\Desktop\maxlook.exe on Thu 02/04/2010 at 21:45:06.42

C:\WINDOWS\system32\drivers\update.sys is infected!

2008-04-25 16:16:37 . 2008-04-14 12:00:00 - 384768 - 402DDC88356B1BAC0EE3DD1580C76A31 ----a-w- C:\WINDOWS\system32\drivers\update.sys

Rogue configuration file = C:\WINDOWS\system32\config\nnyymhia.sav



#14 thewall


Posted 04 February 2010 - 11:08 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    update.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt






#15 jwhaile


Posted 04 February 2010 - 11:18 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:17 on 04/02/2010 by Bill (Administrator - Elevation successful)

========== filefind ==========

Searching for "update.*"
C:\392b166edf4ec8c8a147\update\update.exe --a--- 716000 bytes [23:11 16/05/2006] [23:11 16/05/2006] 0B630C8656B1EA82C82B929D51FA351B
C:\50a31ba2eda2eae5ef\update\update.exe --a--- 716000 bytes [23:11 16/05/2006] [23:11 16/05/2006] 0B630C8656B1EA82C82B929D51FA351B
C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\update.ini --a--- 251 bytes [01:59 07/05/2009] [04:55 24/01/2010] E69D09FFEAF9D86DBD56297C49693607
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Update.log --a--- 229360 bytes [05:47 04/07/2009] [01:56 05/02/2010] 1CFC1DC8BCA595AEA3E068610DF6A91D
C:\Documents and Settings\Bill\My Documents\DVDFab\Temp\Update\Update.ini --a--- 0 bytes [03:26 16/11/2009] [03:26 16/11/2009] D41D8CD98F00B204E9800998ECF8427E
C:\e092488e05fccd88da\update\update.exe --a--- 742192 bytes [06:05 16/09/2006] [06:05 16/09/2006] B9FA27BEA6B6FB59CD79AA46E58F9176
C:\I386\UPDATE.CN_ --a--- 293 bytes [16:13 25/04/2008] [12:00 14/04/2008] E450B047BBFF9735E46770F9B34767B2
C:\I386\UPDATE.SY_ --a--- 244367 bytes [16:13 25/04/2008] [12:00 14/04/2008] 0ADDDBA5CB1A7A36DA00E46FFD133716
C:\Program Files\Alwil Software\Avast4\images\update.gif --a--- 3110 bytes [04:30 11/05/2009] [06:12 27/08/2004] EE5C3B511CA0F5ABBDF4B07F8C687F7C
C:\Program Files\Spybot - Search & Destroy\Update.exe --a--- 464728 bytes [05:53 04/07/2009] [20:31 26/01/2009] 00071AF6D95C1002E5F9B63EA00A37A3
C:\WINDOWS\$hf_mig$\KB898461\update\update.exe --a--- 718048 bytes [21:41 09/05/2009] [03:35 25/02/2005] 3B5EAAEDB8A9D3F98DEBBDB0CFD214D5
C:\WINDOWS\$hf_mig$\KB898461\update\update.ver --a--- 517 bytes [21:41 09/05/2009] [19:27 17/05/2005] 635A30BFACF80D0C6C2FA148D09E4C5C
C:\WINDOWS\$hf_mig$\KB923561\update\update.exe --a--- 755576 bytes [22:12 09/05/2009] [17:18 15/11/2008] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB923561\update\update.ver --a--- 1575 bytes [22:12 09/05/2009] [08:27 27/03/2009] 92149F575C7FF0208C8D016CF043AA75
C:\WINDOWS\$hf_mig$\KB946648\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [11:20 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB946648\update\update.ver --a--- 378 bytes [03:06 01/05/2009] [15:31 02/05/2008] 494021496FC565F2BC2F1D7F71DB1A76
C:\WINDOWS\$hf_mig$\KB950762\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [12:39 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB950762\update\update.ver --a--- 386 bytes [03:06 01/05/2009] [22:12 08/05/2008] EB91E8DDA95B6C7390D9E654FD9B67EF
C:\WINDOWS\$hf_mig$\KB950974\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [12:39 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB950974\update\update.ver --a--- 370 bytes [03:06 01/05/2009] [21:49 07/07/2008] 091CD51E747EADE3BCA96B95838DFC3B
C:\WINDOWS\$hf_mig$\KB951066\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [15:25 03/12/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB951066\update\update.ver --a--- 394 bytes [03:06 01/05/2009] [19:49 11/04/2008] 38C1D8D18ADCD33940D60C692500C53B
C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [11:18 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.ver --a--- 390 bytes [03:06 01/05/2009] [20:19 16/06/2008] A21825A9CF8D3AF972A1AF5AD24DAC99
C:\WINDOWS\$hf_mig$\KB951618-v2\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [11:18 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB951618-v2\update\update.ver --a--- 2147 bytes [03:06 01/05/2009] [04:03 23/07/2008] 16504759849C57205129A1AC3BCD9504
C:\WINDOWS\$hf_mig$\KB951698\update\update.exe --a--- 755576 bytes [03:06 01/05/2009] [11:18 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB951698\update\update.ver --a--- 390 bytes [03:06 01/05/2009] [06:59 07/05/2008] F201CD29D4E67C9E516D73F5E1CC55F2
C:\WINDOWS\$hf_mig$\KB951748\update\update.exe --a--- 755576 bytes [22:08 09/05/2009] [12:39 30/11/2007] 0FF4E4E0DD01E7872D9C2013560FD4A7
C:\WINDOWS\$hf_mig$\KB951748\update\update.ver --a--- 2032 bytes [22:08 09/05/2009] [11:00 21/06/2008] 4B8E7C0A80ACC061CD23555AEA03C009

-=End Of File=-



