Infected with Trojan Horse Vundo.KA


This topic is locked
10 replies to this topic

#1 aminah

  • Members
  • 5 posts

Posted 11 February 2010 - 12:51 AM

I have been experiencing some problems with my computer. My internet browser is constantly being redirected to another site. I also receive pop-up ads from different sites occasionally. I ran a full system scan with AVG Internet Security and it said that I have 12 infections of the Trojan Horse Vundo.KA virus. Here's my DDS log and HijackThis log. I tried to run a scan with gmer.exe but the scan won't complete!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:24 AM, on 2/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\AOL\1162476339\ee\AOLSoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vongo\Tray.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\common files\aol\1162476339\ee\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rdr.wildtangent.com/wire/moregames....Name=familyfeud
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162476339\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Aminah Harris\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Aminah Harris\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238543152437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,38
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

DDS Log

DDS (Ver_09-12-01.01) - NTFSx86
Run by Aminah Harris at 0:04:02.03 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.74 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\AOL\1162476339\ee\AOLSoftware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\common files\aol\1162476339\ee\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Documents and Settings\Aminah Harris\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://rdr.wildtangent.com/wire/moregames.aspx?dp=hplaptop&itemName=familyfeud
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
BHO: AutorunsDisabled - No File
BHO: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [HostManager] c:\program files\common files\aol\1162476339\ee\AOLSoftware.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\aminah harris\application data\antivirus plus\AntiVirus Plus.70367201.dll", start 70367201
dRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
StartupFolder: c:\docume~1\aminah~1\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238543152437
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} - hxxp://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,38
Filter: AutorunsDisabled\text/html - {6f0fb0b6-ccca-4778-916b-4876d8a8cf52} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli mpirev40.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aminah~1\applic~1\mozilla\firefox\profiles\4de2xpn3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search Powered by Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2384137&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\aminah harris\application data\mozilla\firefox\profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\aminah harris\application data\mozilla\firefox\profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\aminah harris\application data\mozilla\firefox\profiles\4de2xpn3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {55FF60DB-41C7-4184-9D9A-BCED53D4B0AE} - c:\documents and settings\aminah harris\local settings\application data\{55FF60DB-41C7-4184-9D9A-BCED53D4B0AE}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-20 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-20 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-20 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-20 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-20 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-20 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-11-20 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-11-20 5832712]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-5 311568]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-20 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-20 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-20 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-20 25736]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe --> c:\progra~1\avg\avg8\avgfws8.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-20 30104]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [2009-11-6 2560]

=============== Created Last 30 ================

2010-02-10 04:39:37 0 d-----w- c:\program files\Cobian Backup 8
2010-02-09 03:06:42 0 d-----w- c:\program files\Conduit
2010-02-09 03:06:16 0 d-----w- c:\program files\IObitCom
2010-02-09 03:05:27 0 d-----w- c:\docume~1\aminah~1\applic~1\IObit
2010-02-05 23:22:50 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-02-05 23:22:19 0 d-----w- c:\program files\IObit
2010-01-22 03:07:03 0 d-----w- C:\0309dd8448527c488b076de6

==================== Find3M ====================

2010-02-04 04:02:41 4078 ----a-w- c:\docume~1\aminah~1\applic~1\wklnhst.dat
2009-12-11 05:59:14 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-12-11 05:58:24 88 --sh--r- c:\docume~1\alluse~1\applic~1\E6F444FD5C.sys
2009-11-21 03:22:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-21 03:21:18 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-21 02:51:47 70548 ----a-w- C:\regbak.reg
2009-08-07 15:42:13 16384 --sha-w- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat
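The entries a helper reads first in logs like the two above can be checked mechanically. What follows is an added example, not part of aminah's post and not a BleepingComputer, HijackThis or DDS tool: a small Python triage script that parses HijackThis O4 (autorun) and O23 (service) lines and flags patterns that deserve a second look: a loader such as rundll32.exe started with a DLL that lives in a user's Application Data, an autorun or service whose binary sits in a user profile, a service whose file is missing, and a service path that contains a second drive letter. The sample lines are copied from the HijackThis log above; the finding names, the loader list and the profile-directory markers are the example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 (autorun) and O23 (service) lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Aminah Harris\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Aminah Harris\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""

# "O4 - <hive>\..\Run: [<name>] <command>"  and  "O23 - Service: <name> - <owner> - <path>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")          # trailing "(User 'SYSTEM')"
# A Windows path (drive letter or %VAR%) up to a binary-looking extension; tolerates spaces.
PATH_RE = re.compile(r'(?i)(?:[a-z]:\\|%[a-z]+%\\)[^"<>|]*?\.(?:exe|dll|scr|bat|cmd|com|sys)\b')

# Hosts that run whatever file they are handed; the handed file is what matters (example's choice).
LOADERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
PROFILE_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    """True when the file lives under a user profile's data directories."""
    p = path.lower()
    return any(m in p for m in PROFILE_MARKERS) and any(m in p for m in PROFILE_DATA_MARKERS)


def check_o4(line_no: int, m: re.Match) -> list[Finding]:
    cmd = USER_SUFFIX_RE.sub("", m["cmd"])
    paths = PATH_RE.findall(cmd)
    out: list[Finding] = []
    if not paths:
        return out
    host = basename(paths[0])
    if host in LOADERS and any(in_user_profile(p) for p in paths[1:]):
        out.append(Finding(line_no, "loader_runs_profile_payload", f"[{m['name']}] {host} loads {paths[1]}"))
    elif in_user_profile(paths[0]):
        out.append(Finding(line_no, "autorun_in_profile", f"[{m['name']}] {paths[0]}"))
    return out


def check_o23(line_no: int, m: re.Match) -> list[Finding]:
    path = m["path"]
    out: list[Finding] = []
    if "(file missing)" in path:
        out.append(Finding(line_no, "service_file_missing", f"{m['name']}: {path}"))
    # A drive letter in the middle of a path is not something an installer writes.
    if re.search(r"\\[A-Za-z]:\\", path):
        out.append(Finding(line_no, "service_path_malformed", f"{m['name']}: {path}"))
    exe = PATH_RE.search(path)
    if exe and in_user_profile(exe.group(0)):
        out.append(Finding(line_no, "service_in_profile", f"{m['name']}: {exe.group(0)}"))
    return out


def triage(text: str) -> list[Finding]:
    """Run the O4/O23 checks over a HijackThis log; lines of other types are skipped."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := O4_RE.match(line):
            findings.extend(check_o4(n, m))
        elif m := O23_RE.match(line):
            findings.extend(check_o23(n, m))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

A flag is a reading aid, not a verdict: the AVG8 service entries with a missing file are consistent with an uninstalled older AVG version, and the wscsvc path is merely malformed. The script narrows what a reviewer has to read; the two "AntiVirus Plus" autoruns it raises are the ones where rundll32.exe loads a DLL out of Application Data, which is the pattern a helper would check by hand first.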

#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 February 2010 - 08:37 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 aminah
  • Topic Starter

  • Members
  • 5 posts

Posted 11 February 2010 - 03:25 PM

Here is my Combofix Log.


ComboFix 10-02-11.02 - Aminah Harris 02/11/2010 14:05:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.74 [GMT -5:00]
Running from: c:\documents and settings\Aminah Harris\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\97644996.ini
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\Aminah Harris\Application Data\iniasd.txt
C:\p2hhr.bat
c:\program files\driver
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\twain_32.dll
c:\windows\xobglu16.dll
D:\Autorun.inf

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ISASDK


((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-11 19:47 . 2010-02-11 19:47 -------- d-----w- c:\windows\LastGood
2010-02-11 19:06 . 2010-02-11 19:06 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-02-11 00:08 . 2010-02-11 00:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IObitCom
2010-02-11 00:01 . 2010-02-11 00:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IObitCom
2010-02-10 04:39 . 2010-02-10 04:40 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-09 03:06 . 2010-02-09 03:06 -------- d-----w- c:\documents and settings\Aminah Harris\Local Settings\Application Data\Conduit
2010-02-09 03:06 . 2010-02-09 03:06 -------- d-----w- c:\program files\Conduit
2010-02-09 03:06 . 2010-02-10 00:10 -------- d-----w- c:\documents and settings\Aminah Harris\Local Settings\Application Data\IObitCom
2010-02-09 03:06 . 2010-02-09 03:06 -------- d-----w- c:\program files\IObitCom
2010-02-09 03:06 . 2009-12-20 03:34 101376 ----a-w- c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\RadioWMPCore.dll
2010-02-09 03:06 . 2009-12-20 03:34 52224 ----a-w- c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
2010-02-09 03:05 . 2010-02-09 03:38 -------- d-----w- c:\documents and settings\Aminah Harris\Application Data\IObit
2010-02-09 03:05 . 2009-11-04 21:49 635664 ----a-w- c:\documents and settings\Aminah Harris\Application Data\IObit\Common\TB_Helper.exe
2010-02-05 23:22 . 2010-02-05 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-02-05 23:22 . 2010-02-09 03:05 -------- d-----w- c:\program files\IObit
2010-01-27 21:41 . 2010-01-15 03:00 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-27 21:41 . 2010-01-15 03:00 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-22 03:07 . 2010-01-22 07:30 -------- d-----w- C:\0309dd8448527c488b076de6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 05:45 . 2009-09-02 04:00 0 ----a-w- c:\documents and settings\Aminah Harris\Local Settings\Application Data\prvlcl.dat
2010-02-11 05:11 . 2007-01-02 01:48 4078 ----a-w- c:\documents and settings\Aminah Harris\Application Data\wklnhst.dat
2010-02-10 23:56 . 2009-11-20 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 07:12 . 2006-09-12 08:05 103840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 03:30 . 2008-04-28 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-29 01:06 . 2007-09-15 17:28 -------- d-----w- c:\program files\iTunes
2009-12-29 01:06 . 2007-09-15 17:26 -------- d-----w- c:\program files\Common Files\Apple
2009-12-29 01:00 . 2006-09-12 06:59 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-29 01:00 . 2006-09-12 06:59 -------- d-----w- c:\program files\Sonic
2009-12-29 00:56 . 2009-12-29 00:56 -------- d-----w- c:\documents and settings\Aminah Harris\Application Data\Sonic
2009-12-29 00:56 . 2009-12-29 00:56 -------- d-----w- c:\documents and settings\Aminah Harris\Application Data\Leadertech
2009-12-27 23:27 . 2007-02-11 01:40 -------- d-----w- c:\program files\Rhapsody
2009-12-27 22:49 . 2007-09-15 17:28 -------- d-----w- c:\documents and settings\Aminah Harris\Application Data\Apple Computer
2009-12-26 02:35 . 2007-09-15 17:27 -------- d-----w- c:\program files\QuickTime
2009-12-25 16:46 . 2009-12-25 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 16:42 . 2007-06-28 12:16 -------- d-----w- c:\program files\Bonjour
2009-12-25 16:37 . 2009-12-25 16:37 -------- d-----w- c:\program files\Apple Software Update
2009-12-16 02:15 . 2009-11-22 01:43 -------- d-----w- c:\documents and settings\Aminah Harris\Application Data\GetRightToGo
2009-12-11 05:59 . 2009-11-23 04:31 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-11 05:59 . 2009-11-23 04:31 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-11 05:58 . 2009-11-23 04:31 88 --sh--r- c:\documents and settings\All Users\Application Data\E6F444FD5C.sys
2009-12-11 05:58 . 2009-11-23 04:31 88 --sh--r- c:\documents and settings\All Users\Application Data\E6F444FD5C.sys
2009-11-21 03:22 . 2009-11-21 03:22 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-11-21 03:22 . 2009-11-21 03:22 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-21 03:22 . 2009-11-21 03:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-21 03:22 . 2009-11-21 03:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-21 03:22 . 2009-11-21 03:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 03:22 . 2009-11-21 03:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-21 03:21 . 2009-11-21 03:21 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-21 03:21 . 2009-11-21 03:21 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-21 02:51 . 2009-11-21 02:51 70548 ----a-w- C:\regbak.reg
2009-11-20 23:30 . 2009-10-02 05:13 120 ----a-w- c:\windows\Wbogum.dat
2009-11-20 21:30 . 2009-10-02 05:13 0 ----a-w- c:\windows\Omifegubel.bin
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asyncmac.sys
[-] 2006-03-16 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys


[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2006-01-10 . AA898F84D2B59129FB92E143A2C73434 . 182528 . . [5.1.2600.2824] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\system32\drivers\ntfs.sys

[-] 2006-03-16 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-14 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-05-26 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\browser.dll
[-] 2006-03-16 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
[-] 2006-03-16 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2006-03-16 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-29 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-11 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2006-03-16 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\cryptsvc.dll
[-] 2006-03-16 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[-] 2006-03-16 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lpk.dll
[-] 2006-03-16 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll

[-] 2009-07-19 . 5A32B43A48D6DCA339BF24105D9A028F . 5937152 . . [8.00.6001.18812] . . c:\windows\system32\mshtml.dll
[-] 2009-07-19 . 5A32B43A48D6DCA339BF24105D9A028F . 5937152 . . [8.00.6001.18812] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-07-19 . F25D866DD486AD30E05E5596CB363C3E . 5938176 . . [8.00.6001.22902] . . c:\windows\$hf_mig$\KB972260-IE8\SP3QFE\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB972260-IE8\mshtml.dll
[-] 2009-02-21 . 1BB754AB47B327DE8DBF2FA18C36357C . 3596800 . . [7.00.6000.21015] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[-] 2009-02-20 . C7C3E41CC2F6EB4A629FE2184136C098 . 3595264 . . [7.00.6000.16825] . . c:\windows\ie8\mshtml.dll
[-] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2008-04-24 . 8976CAB317105F7431B08EA32AB73C65 . 3591680 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-04-23 . 4D612FF5D3B7EEF200595AE6F95D5E68 . 3593728 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mshtml.dll
[-] 2008-03-01 . AB2C88167D78D71D93558ACECB24CC7A . 3591680 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\mshtml.dll
[-] 2008-03-01 . 4EE273E2B09317C1217EF0DB91F93534 . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[-] 2007-12-08 . A097C36412455F0C7E42377FAF8809B7 . 3592192 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[-] 2007-12-07 . 976C46ED4A75FC66D9C596778898CE1E . 3593216 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\mshtml.dll
[-] 2007-10-30 . 54D8B404F17AA74C666F7F3AEF2AE459 . 3593216 . . [7.00.6000.20710] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[-] 2007-10-30 . 8AB7ECF59D6EBBE986277B65ED4A40A1 . 3590656 . . [7.00.6000.16587] . . c:\windows\ie7updates\KB944533-IE7\mshtml.dll
[-] 2007-08-20 . E267EE248CDA7667C19001C069DE867B . 3584512 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\mshtml.dll
[-] 2007-08-20 . AA8A4BD78D24FCDB96DDAEE3756AA372 . 3592192 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll
[-] 2007-07-19 . BD609A26B683332A0E0E1445C5724851 . 3583488 . . [7.00.6000.16525] . . c:\windows\ie7updates\KB939653-IE7\mshtml.dll
[-] 2007-07-18 . 7CE243CFD47AD0DC431586CB8C542A11 . 3584000 . . [7.00.6000.20641] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\mshtml.dll
[-] 2007-05-08 . 1D4E3B86C601A2497C99790CC4D7DF26 . 3584000 . . [7.00.6000.20591] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\mshtml.dll
[-] 2007-05-08 . 5D90A7200F72DACE663EE78DE234FCC7 . 3583488 . . [7.00.6000.16481] . . c:\windows\ie7updates\KB937143-IE7\mshtml.dll
[-] 2007-03-07 . 190E1AE9B973049B12A67BAD478C770C . 3581952 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\mshtml.dll
[-] 2007-03-07 . DA297A862E5F093A07D37C05F608C686 . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2007-01-12 . 5D45318804A30CE9D6EA83066E84B4A7 . 3580416 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\mshtml.dll
[-] 2006-11-08 . CBF04597F9CF7739E572276A2698FDD3 . 3577856 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\ie7\mshtml.dll
[-] 2006-02-21 . C6E663C066E3BEA5B0BB70D87D0701E9 . 3052032 . . [6.00.2900.2853] . . c:\windows\$hf_mig$\KB911164\SP2QFE\mshtml.dll
[-] 2005-07-20 . A14A7A206AE22DE4FE563E44CFC7DDF5 . 3016192 . . [6.00.2900.2722] . . c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll

[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asms\70\msft\windows\mswincrt\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msvcrt.dll
[-] 2006-03-16 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[-] 2006-03-16 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll

[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2006-03-16 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[-] 2006-03-16 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfc.dll
[-] 2006-03-16 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2006-03-16 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\dllcache\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2006-03-16 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2009-07-03 . 7E8A47A2E6561274B83E257CE74803FD . 915456 . . [8.00.6001.18806] . . c:\windows\system32\wininet.dll
[-] 2009-07-03 . 7E8A47A2E6561274B83E257CE74803FD . 915456 . . [8.00.6001.18806] . . c:\windows\system32\dllcache\wininet.dll
[-] 2009-07-03 . 38114DAB42FB2EB84D1726C42B8D80C5 . 915456 . . [8.00.6001.22896] . . c:\windows\$hf_mig$\KB972260-IE8\SP3QFE\wininet.dll
[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB972260-IE8\wininet.dll
[-] 2009-03-03 . 28775945CCD53DEE280EF58DEA1A94C4 . 826368 . . [7.00.6000.16827] . . c:\windows\ie8\wininet.dll
[-] 2009-03-03 . C8667854873938CA13C986F16B0CD183 . 828416 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2008-04-23 . F6589BE784647CFDBC22EA51CCB1A57A . 826368 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-04-23 . 41546B396A526918DA7995A02EA04E51 . 827392 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
[-] 2008-03-01 . AD21461AEF8244EDEC2EF18E55E1DCF3 . 826368 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\wininet.dll
[-] 2008-03-01 . 6316C2F0C61271C8ABDFF7429174879E . 827392 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[-] 2007-12-07 . 806D274C9A6C3AAEA5EAE8E4AF841E04 . 824832 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\wininet.dll
[-] 2007-12-07 . B5B411BB229AE6EAD7652A32ED47BFB9 . 825344 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[-] 2007-10-10 . 30C1E0F34AD2972C72A01DB5C74AB065 . 824832 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\wininet.dll
[-] 2007-10-10 . 0E5D918F87EFA7D2424D66B499C7EB04 . 825344 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2007-08-20 . 774435E499D8E9643EC961A6103C361F . 824832 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2007-08-20 . 357D54BF94FE9D6D8505A96B5C2A3BCA . 825344 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[-] 2007-06-27 . D6ED5E042C5207553E7F5E842918137F . 824320 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[-] 2007-06-27 . 8068CBB58FE60CC95AEB2CFF70178208 . 823808 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\wininet.dll
[-] 2007-04-25 . 431DEFBB4A3D7B0DC062C1B064623A2F . 823808 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[-] 2007-04-25 . 0586A7F0B2FDB94D624F399D4728E7C8 . 822784 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\wininet.dll
[-] 2007-03-07 . 5B35DAE6E4886F64D1DA58C4E3E01EB9 . 822784 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\wininet.dll
[-] 2007-03-07 . B8F4DB39CA7353752F245379D285C80E . 823296 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[-] 2007-01-12 . BE43D00D802C92F01C8CC952C6F483F8 . 822784 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\wininet.dll
[-] 2006-11-08 . 92995334F993E6E49C25C6D02EC04401 . 818688 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\ie7\wininet.dll
[-] 2005-07-03 . 6E533D155B259EB2363D3E04B5BE309F . 659456 . . [6.00.2900.2713] . . c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[-] 2006-03-16 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\srsvc.dll
[-] 2006-03-16 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
[-] 2006-03-16 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprov.dll
[-] 2006-03-16 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[-] 2006-03-16 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2006-03-16 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2006-03-16 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\regsvc.dll
[-] 2006-03-16 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\schedsvc.dll
[-] 2006-03-16 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ssdpsrv.dll
[-] 2006-03-16 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2005-03-10 . C29A5286E64D97385178452D5F307B98 . 295424 . . [5.1.2600.2627] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\appmgmts.dll
[-] 2006-03-16 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll

[-] 2006-03-16 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2006-03-16 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msgsvc.dll
[-] 2006-03-16 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll

[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-03-16 04:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[-] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntmssvc.dll
[-] 2006-03-16 04:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\dllcache\upnphost.dll

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
2009-11-09 23:38 2331672 ----a-w- c:\program files\IObitCom\tbIObi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-14 1015808]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HostManager"="c:\program files\Common Files\AOL\1162476339\ee\AOLSoftware.exe" [2006-09-26 50736]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-02 26112]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-01-06 2335952]

c:\documents and settings\Aminah Harris\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-10-5 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-21 03:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2006-06-02 15:02 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-09-06 03:34 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-09-06 03:34 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2009-06-25 18:36 177152 ----a-w- c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-09-06 03:34 94208 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162476339\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162476339\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11959:TCP"= 11959:TCP:PORT_11959
"53:UDP"= 53:UDP:Promo

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [11/20/2009 10:22 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/20/2009 10:22 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/20/2009 10:22 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/20/2009 10:22 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/20/2009 10:21 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [11/20/2009 10:21 PM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [11/20/2009 10:21 PM 5832712]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [2/5/2010 6:22 PM 311568]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [11/20/2009 10:21 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [11/20/2009 10:21 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [11/20/2009 10:21 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [11/20/2009 10:21 PM 25736]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe --> c:\progra~1\AVG\AVG8\avgfws8.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [11/20/2009 10:21 PM 30104]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [11/6/2009 6:55 AM 2560]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://rdr.wildtangent.com/wire/moregames.aspx?dp=hplaptop&itemName=familyfeud
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Filter: AutorunsDisabled\text/html - {6f0fb0b6-ccca-4778-916b-4876d8a8cf52} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search Powered by Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2384137&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\RadioWMPCore.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Aminah Harris\Application Data\Mozilla\Firefox\Profiles\4de2xpn3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {55FF60DB-41C7-4184-9D9A-BCED53D4B0AE} - c:\documents and settings\Aminah Harris\Local Settings\Application Data\{55FF60DB-41C7-4184-9D9A-BCED53D4B0AE}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-AntiVirus Plus - c:\documents and settings\Aminah Harris\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll
Notify-AutorunsDisabled - (no file)
MSConfigStartUp-33cdf7b1 - c:\windows\system32\wspjmhre.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 14:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???h???????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82AA9856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8547fc3
\Driver\ACPI -> ACPI.sys @ 0xf83bacb8
\Driver\atapi -> atapi.sys @ 0xf832e7b4
\Driver\iaStor -> iaStor.sys @ 0xf8264b58
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf8164b30
PacketIndicateHandler -> NDIS.sys @ 0xf8153a0d
SendHandler -> NDIS.sys @ 0xf8167ac0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,e1,c9,7f,17,fe,7f,41,ac,06,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,e1,c9,7f,17,fe,7f,41,ac,06,f4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(11728)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Vongo\VongoService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\IObit\IObit Security 360\is360.exe
c:\program files\Java\jre1.5.0_06\bin\jucheck.exe
c:\program files\common files\aol\1162476339\ee\anotify.exe
.
**************************************************************************
.
Completion time: 2010-02-11 15:18:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-11 20:18

Pre-Run: 55,977,811,968 bytes free
Post-Run: 56,178,188,288 bytes free



#4 Buckeye_Sam (Malware Expert)

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 February 2010 - 05:17 PM

Yikes!


We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your desktop; please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond to the person who is giving up their own time to help you is not only insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
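The `-l TDSSKiller.txt -v` run requested above produces a verbose log in which every device object of a driver gets its own dump of the IRP dispatch table, so the same driver appears several times. As an added example, not part of the original post and not a Kaspersky tool, here is a parser that collapses that log to one record per DRIVER_OBJECT, keeps the file verdicts, and groups the handler addresses into 16 MB regions so you can see how many distinct modules the dispatch table points into. The sample log is a constructed excerpt in the same line format: the \Driver\Disk lines mirror the log the topic starter posts in reply, while the \Driver\atapi block with a non-Clean verdict and a handler at 82AA9856 is invented for illustration (the address is borrowed from the Gmer output earlier in the thread), and the "Infected" verdict string is an assumption, since only "Clean" appears in the posted log.

```python
import re

# Constructed excerpt in the TDSSKiller 2.2.x log line format (time, pid, message).
# The \Driver\Disk lines mirror the log posted in this thread; the \Driver\atapi
# block is invented to show how a non-Clean verdict and an extra address region
# surface in the summary. "Infected" is an assumed verdict string.
SAMPLE = r"""
23:28:57:785 4368 OS Version: 5.1.2600 ServicePack: 2.0
23:28:57:957 4368 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82BE4208
23:28:57:957 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:28:57:957 4368 DetectCureTDL3: IrpHandler (0) addr: F851BC30
23:28:57:957 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (2) addr: F851BC30
23:28:57:957 4368 DetectCureTDL3: IrpHandler (3) addr: F8515D9B
23:28:57:989 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:28:57:989 4368 DetectCureTDL3: IrpHandler (0) addr: F851BC30
23:28:57:989 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:989 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:28:58:100 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:28:58:100 4368 DetectCureTDL3: IrpHandler (0) addr: F832E7B4
23:28:58:100 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:58:100 4368 DetectCureTDL3: IrpHandler (3) addr: 82AA9856
23:28:58:100 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3}) (\d+) (.*)$")
DRIVER_RE = re.compile(r"^DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)$")
IRP_RE = re.compile(r"^DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^TDL3_FileDetect: (.+?) - Verdict: (\S+)$")
REGION = 1 << 24  # 16 MB buckets: coarse, but enough to separate kernel image, driver image and pool


def parse_log(text):
    """One record per DRIVER_OBJECT name: IRP handler table, file verdicts, scan count."""
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        m = DRIVER_RE.match(msg)
        if m:
            current = drivers.setdefault(
                m.group(1), {"driver": m.group(2), "handlers": {}, "verdicts": {}, "scans": 0})
            current["scans"] += 1          # same driver dumped once per device object
            continue
        if current is None:
            continue
        m = IRP_RE.match(msg)
        if m:
            current["handlers"][int(m.group(1))] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.match(msg)
        if m:
            current["verdicts"][m.group(1)] = m.group(2)
    return drivers


def address_regions(addrs):
    """Distinct 16 MB regions the handler addresses fall into, sorted."""
    return sorted({a & ~(REGION - 1) for a in addrs})


def summarize(drivers):
    rows = []
    for name, rec in drivers.items():
        regions = address_regions(rec["handlers"].values())
        notes = []
        bad = [f for f, v in rec["verdicts"].items() if v != "Clean"]
        if bad:
            notes.append("non-clean verdict for " + ", ".join(bad))
        if len(regions) > 2:
            # Kernel default handler + the driver (or its class driver) image is the
            # usual two; a third region is a prompt to resolve the address, not a verdict.
            notes.append(f"dispatch table points into {len(regions)} address regions")
        rows.append({"object": name, "driver": rec["driver"], "scans": rec["scans"],
                     "handlers": len(rec["handlers"]),
                     "regions": [f"{r:08X}" for r in regions], "notes": notes})
    return rows


def run_sample():
    return summarize(parse_log(SAMPLE))


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Two regions (the kernel's default handler plus the driver or its class driver image) is the normal picture for a class driver such as Disk; a third region means the table points somewhere else and is worth resolving against the loaded-module list, which this log format does not carry, so the note is a prompt to look rather than a verdict.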


========================================================

#5 aminah (Topic Starter)

  • Members
  • 5 posts

Posted 11 February 2010 - 11:30 PM

23:28:57:785 4368 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
23:28:57:785 4368 ================================================================================
23:28:57:785 4368 SystemInfo:

23:28:57:785 4368 OS Version: 5.1.2600 ServicePack: 2.0
23:28:57:785 4368 Product type: Workstation
23:28:57:785 4368 ComputerName: AMINAH
23:28:57:785 4368 UserName: Aminah Harris
23:28:57:785 4368 Windows directory: C:\WINDOWS
23:28:57:785 4368 Processor architecture: Intel x86
23:28:57:785 4368 Number of processors: 1
23:28:57:785 4368 Page size: 0x1000
23:28:57:785 4368 Boot type: Normal boot
23:28:57:785 4368 ================================================================================
23:28:57:785 4368 UnloadDriverW: NtUnloadDriver error 2
23:28:57:785 4368 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:28:57:785 4368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:28:57:832 4368 UtilityInit: KLMD drop and load success
23:28:57:832 4368 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
23:28:57:832 4368 UtilityInit: KLMD open success
23:28:57:832 4368 UtilityInit: Initialize success
23:28:57:832 4368
23:28:57:832 4368 Scanning Services ...
23:28:57:832 4368 CreateRegParser: Registry parser init started
23:28:57:848 4368 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
23:28:57:848 4368 CreateRegParser: DisableWow64Redirection error
23:28:57:848 4368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:28:57:848 4368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
23:28:57:848 4368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:28:57:848 4368 wfopen_ex: Trying to KLMD file open
23:28:57:848 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
23:28:57:848 4368 wfopen_ex: File opened ok (Flags 2)
23:28:57:848 4368 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 334958
23:28:57:848 4368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:28:57:848 4368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
23:28:57:848 4368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:28:57:848 4368 wfopen_ex: Trying to KLMD file open
23:28:57:848 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
23:28:57:848 4368 wfopen_ex: File opened ok (Flags 2)
23:28:57:848 4368 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 334A00
23:28:57:848 4368 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
23:28:57:848 4368 CreateRegParser: EnableWow64Redirection error
23:28:57:848 4368 CreateRegParser: RegParser init completed
23:28:57:942 4368 GetAdvancedServicesInfo: Raw services enum returned 365 services
23:28:57:942 4368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:28:57:942 4368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:28:57:957 4368
23:28:57:957 4368 Scanning Kernel memory ...
23:28:57:957 4368 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:28:57:957 4368 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82BE4208
23:28:57:957 4368 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
23:28:57:957 4368
23:28:57:957 4368 DetectCureTDL3: DEVICE_OBJECT: 82B3C030
23:28:57:957 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B3C030
23:28:57:957 4368 KLMD_ReadMem: Trying to ReadMemory 0x82B3C030[0x38]
23:28:57:957 4368 DetectCureTDL3: DRIVER_OBJECT: 82BE4208
23:28:57:957 4368 KLMD_ReadMem: Trying to ReadMemory 0x82BE4208[0xA8]
23:28:57:957 4368 KLMD_ReadMem: Trying to ReadMemory 0xE184FFE0[0x18]
23:28:57:957 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:28:57:957 4368 DetectCureTDL3: IrpHandler (0) addr: F851BC30
23:28:57:957 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (2) addr: F851BC30
23:28:57:957 4368 DetectCureTDL3: IrpHandler (3) addr: F8515D9B
23:28:57:957 4368 DetectCureTDL3: IrpHandler (4) addr: F8515D9B
23:28:57:957 4368 DetectCureTDL3: IrpHandler (5) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (6) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (7) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (8) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (9) addr: F8516366
23:28:57:957 4368 DetectCureTDL3: IrpHandler (10) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (11) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (12) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (13) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (14) addr: F851644D
23:28:57:957 4368 DetectCureTDL3: IrpHandler (15) addr: F8519FC3
23:28:57:957 4368 DetectCureTDL3: IrpHandler (16) addr: F8516366
23:28:57:957 4368 DetectCureTDL3: IrpHandler (17) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (18) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (19) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (20) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (21) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (22) addr: F8517EF3
23:28:57:957 4368 DetectCureTDL3: IrpHandler (23) addr: F851CA24
23:28:57:957 4368 DetectCureTDL3: IrpHandler (24) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (25) addr: 804F3538
23:28:57:957 4368 DetectCureTDL3: IrpHandler (26) addr: 804F3538
23:28:57:957 4368 TDL3_FileDetect: Processing driver: Disk
23:28:57:957 4368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:957 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:989 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:28:57:989 4368
23:28:57:989 4368 DetectCureTDL3: DEVICE_OBJECT: 82B3D8A0
23:28:57:989 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B3D8A0
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82B3D8A0[0x38]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT: 82BE4208
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82BE4208[0xA8]
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0xE184FFE0[0x18]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:28:57:989 4368 DetectCureTDL3: IrpHandler (0) addr: F851BC30
23:28:57:989 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (2) addr: F851BC30
23:28:57:989 4368 DetectCureTDL3: IrpHandler (3) addr: F8515D9B
23:28:57:989 4368 DetectCureTDL3: IrpHandler (4) addr: F8515D9B
23:28:57:989 4368 DetectCureTDL3: IrpHandler (5) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (6) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (7) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (8) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (9) addr: F8516366
23:28:57:989 4368 DetectCureTDL3: IrpHandler (10) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (11) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (12) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (13) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (14) addr: F851644D
23:28:57:989 4368 DetectCureTDL3: IrpHandler (15) addr: F8519FC3
23:28:57:989 4368 DetectCureTDL3: IrpHandler (16) addr: F8516366
23:28:57:989 4368 DetectCureTDL3: IrpHandler (17) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (18) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (19) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (20) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (21) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (22) addr: F8517EF3
23:28:57:989 4368 DetectCureTDL3: IrpHandler (23) addr: F851CA24
23:28:57:989 4368 DetectCureTDL3: IrpHandler (24) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (25) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (26) addr: 804F3538
23:28:57:989 4368 TDL3_FileDetect: Processing driver: Disk
23:28:57:989 4368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:989 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:989 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:28:57:989 4368
23:28:57:989 4368 DetectCureTDL3: DEVICE_OBJECT: 82B3DC68
23:28:57:989 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B3DC68
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82B3DC68[0x38]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT: 82BE4208
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82BE4208[0xA8]
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0xE184FFE0[0x18]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:28:57:989 4368 DetectCureTDL3: IrpHandler (0) addr: F851BC30
23:28:57:989 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (2) addr: F851BC30
23:28:57:989 4368 DetectCureTDL3: IrpHandler (3) addr: F8515D9B
23:28:57:989 4368 DetectCureTDL3: IrpHandler (4) addr: F8515D9B
23:28:57:989 4368 DetectCureTDL3: IrpHandler (5) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (6) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (7) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (8) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (9) addr: F8516366
23:28:57:989 4368 DetectCureTDL3: IrpHandler (10) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (11) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (12) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (13) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (14) addr: F851644D
23:28:57:989 4368 DetectCureTDL3: IrpHandler (15) addr: F8519FC3
23:28:57:989 4368 DetectCureTDL3: IrpHandler (16) addr: F8516366
23:28:57:989 4368 DetectCureTDL3: IrpHandler (17) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (18) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (19) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (20) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (21) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (22) addr: F8517EF3
23:28:57:989 4368 DetectCureTDL3: IrpHandler (23) addr: F851CA24
23:28:57:989 4368 DetectCureTDL3: IrpHandler (24) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (25) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (26) addr: 804F3538
23:28:57:989 4368 TDL3_FileDetect: Processing driver: Disk
23:28:57:989 4368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:989 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:28:57:989 4368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:28:57:989 4368
23:28:57:989 4368 DetectCureTDL3: DEVICE_OBJECT: 82BE2030
23:28:57:989 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BE2030
23:28:57:989 4368 DetectCureTDL3: DEVICE_OBJECT: 82BD9898
23:28:57:989 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BD9898
23:28:57:989 4368 DetectCureTDL3: DEVICE_OBJECT: 82BE3030
23:28:57:989 4368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BE3030
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82BE3030[0x38]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT: 82BDF218
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0x82BDF218[0xA8]
23:28:57:989 4368 KLMD_ReadMem: Trying to ReadMemory 0xE1851240[0x1C]
23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
23:28:57:989 4368 DetectCureTDL3: IrpHandler (0) addr: F8233186
23:28:57:989 4368 DetectCureTDL3: IrpHandler (1) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (2) addr: F8233186
23:28:57:989 4368 DetectCureTDL3: IrpHandler (3) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (4) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (5) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (6) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (7) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (8) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (9) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (10) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (11) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (12) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (13) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (14) addr: F8236896
23:28:57:989 4368 DetectCureTDL3: IrpHandler (15) addr: F8236B58
23:28:57:989 4368 DetectCureTDL3: IrpHandler (16) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (17) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (18) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (19) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (20) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (21) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (22) addr: F823BE66
23:28:57:989 4368 DetectCureTDL3: IrpHandler (23) addr: F823BFC6
23:28:57:989 4368 DetectCureTDL3: IrpHandler (24) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (25) addr: 804F3538
23:28:57:989 4368 DetectCureTDL3: IrpHandler (26) addr: 804F3538
23:28:57:989 4368 TDL3_FileDetect: Processing driver: iaStor
23:28:57:989 4368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
23:28:57:989 4368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iaStor.sys
23:28:58:098 4368 TDL3_FileDetect: C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: Clean
23:28:58:098 4368
23:28:58:098 4368 Completed
23:28:58:098 4368
23:28:58:098 4368 Results:
23:28:58:098 4368 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:28:58:098 4368 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:28:58:098 4368 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:28:58:098 4368
23:28:58:098 4368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:28:58:098 4368 UtilityDeinit: KLMD(ARK) unloaded successfully

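The tail of that TDSSKiller log shows what its DetectCureTDL3 pass actually does: starting from the disk device object it walks down the device stack (KLMD_GetLowerDeviceObject) to the storage miniport (iaStor), reads each DRIVER_OBJECT, dumps entries 0 to 26 of its MajorFunction dispatch table ("IrpHandler (n) addr"), and finally checks the driver file on disk (TDL3_FileDetect, "Verdict: Clean"). The added example below, which is not TDSSKiller's own logic and not part of the original post, is a reader for that dump: it parses the IrpHandler lines and flags any dispatch entry that does not sit near the rest of its driver's handlers. Two assumptions are made and marked in the code: the address 804F3538 that both drivers share is taken to be the kernel's stub for unsupported requests (the log does not say so), and the third table in the sample is a constructed, hypothetical hooked copy of iaStor in which index 15 (IRP_MJ_INTERNAL_DEVICE_CONTROL, the SCSI request path a disk-level rootkit of the TDL3 family redirects) points into pool memory instead of the driver image. The Disk and iaStor addresses are copied from the log above.

```python
"""Reader for the 'DetectCureTDL3: IrpHandler (n) addr: X' lines TDSSKiller logs.

A clean driver's dispatch entries either point into that driver's own image or
to one shared kernel stub; a rootkit that hooks the storage miniport leaves an
entry pointing somewhere else.  Added example, not the tool's own detection code.
"""
import re
import statistics
from collections import defaultdict

# Major-function indices as the tool numbers them (IRP_MJ_* in wdm.h); only the
# ones that matter for reading a storage stack are named here.
IRP_MJ = {
    0: "CREATE", 2: "CLOSE", 3: "READ", 4: "WRITE", 9: "FLUSH_BUFFERS",
    14: "DEVICE_CONTROL", 15: "INTERNAL_DEVICE_CONTROL (SCSI)", 16: "SHUTDOWN",
    22: "POWER", 23: "SYSTEM_CONTROL",
}

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\\Driver\\\S+?), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})")


def parse_irp_tables(log_text):
    """Return {driver_name: {index: address}} from DetectCureTDL3 lines."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables[current] = {}  # the tool re-dumps a driver once per device object
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return dict(tables)


def find_outliers(tables, default_handler=0x804F3538, max_distance=2 * 1024 * 1024):
    """Flag dispatch entries that do not cluster with the rest of their driver's table.

    default_handler: the address every driver in the dump shares (804F3538 in
    the log above).  ASSUMPTION: it is the kernel's stub for unsupported
    requests; the log itself does not identify it.
    max_distance: how far from the driver's median handler an entry may lie
    before it is reported; 2 MiB comfortably exceeds a storage driver image.
    """
    findings = []
    for driver, table in tables.items():
        own = {i: a for i, a in table.items() if a != default_handler}
        if len(own) < 2:
            continue
        median = statistics.median(own.values())
        for idx, addr in sorted(own.items()):
            if abs(addr - median) > max_distance:
                findings.append((driver, idx, IRP_MJ.get(idx, f"MJ_{idx}"), f"{addr:08X}"))
    return findings


def _dump(driver, handlers):
    """Render a table in the tool's line format (sample builder, constructed)."""
    lines = [f"23:28:57:989 4368 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{driver}, Driver Name: {driver}"]
    for i in range(27):
        lines.append(f"23:28:57:989 4368 DetectCureTDL3: IrpHandler ({i}) addr: {handlers.get(i, 0x804F3538):08X}")
    return "\n".join(lines)


# Disk and iaStor addresses are copied from the log above.  The third table is a
# CONSTRUCTED, hypothetical hooked variant of iaStor: index 15 points into pool
# memory (81F0A2C0) rather than into the F823xxxx range of the driver image.
SAMPLE_LOG = "\n".join([
    _dump("Disk", {0: 0xF851BC30, 2: 0xF851BC30, 3: 0xF8515D9B, 4: 0xF8515D9B, 9: 0xF8516366,
                   14: 0xF851644D, 15: 0xF8519FC3, 16: 0xF8516366, 22: 0xF8517EF3, 23: 0xF851CA24}),
    _dump("iaStor", {0: 0xF8233186, 2: 0xF8233186, 14: 0xF8236896, 15: 0xF8236B58,
                     22: 0xF823BE66, 23: 0xF823BFC6}),
    _dump("iaStor_hooked_example", {0: 0xF8233186, 2: 0xF8233186, 14: 0xF8236896, 15: 0x81F0A2C0,
                                    22: 0xF823BE66, 23: 0xF823BFC6}),
])

if __name__ == "__main__":
    for driver, idx, name, addr in find_outliers(parse_irp_tables(SAMPLE_LOG)):
        print(f"{driver}: IrpHandler ({idx}) {name} -> {addr} lies outside the driver's handler cluster")
```

Run against the real log the check stays quiet for both Disk and iaStor, which matches the tool's own "Verdict: Clean" for their files; only the constructed table trips it. The distance heuristic is deliberately coarse: it cannot tell a hook that lands inside the driver image (an inline patch) from legitimate code, which is why the tool also verifies the driver file itself.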
#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 February 2010 - 08:12 AM


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Please post the contents of the log from DrWeb in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 aminah

aminah
  • Topic Starter

  • Members
  • 5 posts

Posted 12 February 2010 - 10:05 PM

DrWeb Log



AP1FF195B1.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP1FF195B1.dll;Trojan.Packed.375;;
AP1FF195B1.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP2621A9D2.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP2621A9D2.dll;Probably Trojan.Packed.151;;
AP2621A9D2.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP2B16EE7F.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP2B16EE7F.dll;Probably Trojan.Packed.375;;
AP2B16EE7F.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP2E44D1E4.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP2E44D1E4.dll;Probably Trojan.Packed.375;;
AP2E44D1E4.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP2ECA887F.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP2ECA887F.dll;Trojan.Virtumod.650;;
AP2ECA887F.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP3A53F73C.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP3A53F73C.dll;Probably Trojan.Packed.150;;
AP3A53F73C.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP3CEFBAD1.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP3CEFBAD1.dll;Probably Trojan.Packed.375;;
AP3CEFBAD1.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP4D5FAE32.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4D5FAE32.dll;Probably Trojan.Packed.302;;
AP4D5FAE32.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP602E8101.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP602E8101.dll;Probably Trojan.Packed.151;;
AP602E8101.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APA37128AF.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APA37128AF.dll;Probably Trojan.Packed.151;;
APA37128AF.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APB0494D69.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APB0494D69.dll;Probably Trojan.Packed.375;;
APB0494D69.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APB138EBDD.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APB138EBDD.dll;Trojan.Virtumod.based.18;;
APB138EBDD.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APB34B6320.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APB34B6320.dll;Probably Trojan.Packed.151;;
APB34B6320.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APD0E70C31.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APD0E70C31.dll;Probably Trojan.Packed.375;;
APD0E70C31.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APE0C4F44F.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APE0C4F44F.dll;Probably Trojan.Packed.151;;
APE0C4F44F.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APE419ADCC.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APE419ADCC.exe;Trojan.Starter.561;;
APE419ADCC.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APEC1C65BA.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APEC1C65BA.dll;Probably Trojan.Packed.375;;
APEC1C65BA.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APFC5C8DC8.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APFC5C8DC8.dll;Probably Trojan.Packed.375;;
APFC5C8DC8.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Deleted.;
ppctl.dll;C:\Program Files\Common Files\AOL\1162476339\EE\services\antiSpyware\ver2_4_6_1\resources;Probably DLOADER.Trojan;Incurable.Deleted.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Deleted.;
ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Deleted.;
brandit.exe;C:\SWSetup\BrandIt\Disk1;Probably STPAGE.Trojan;Incurable.Deleted.;
A0029700.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Probably DLOADER.Trojan;Incurable.Deleted.;
A0030702.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030702.dll;Trojan.Packed.375;;
A0030702.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030703.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030703.dll;Probably Trojan.Packed.151;;
A0030703.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030704.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030704.dll;Probably Trojan.Packed.375;;
A0030704.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030705.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030705.dll;Probably Trojan.Packed.375;;
A0030705.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030706.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030706.dll;Trojan.Virtumod.650;;
A0030706.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030707.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030707.dll;Probably Trojan.Packed.150;;
A0030707.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030708.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030708.dll;Probably Trojan.Packed.375;;
A0030708.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030709.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030709.dll;Probably Trojan.Packed.302;;
A0030709.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030710.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030710.dll;Probably Trojan.Packed.151;;
A0030710.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030711.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030711.dll;Probably Trojan.Packed.151;;
A0030711.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030712.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030712.dll;Probably Trojan.Packed.375;;
A0030712.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030713.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030713.dll;Trojan.Virtumod.based.18;;
A0030713.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030714.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030714.dll;Probably Trojan.Packed.151;;
A0030714.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030715.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030715.dll;Probably Trojan.Packed.375;;
A0030715.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030716.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030716.dll;Probably Trojan.Packed.151;;
A0030716.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030717.exe\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030717.exe;Trojan.Starter.561;;
A0030717.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030718.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030718.dll;Probably Trojan.Packed.375;;
A0030718.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030719.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030719.dll;Probably Trojan.Packed.375;;
A0030719.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030720.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Trojan.Click.2093;Deleted.;

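The DrWeb.csv report above is semicolon-separated (object;directory;verdict;action;) and uses two row shapes: a nested row such as `AP1FF195B1.dll\data001;...\AP1FF195B1.dll;Trojan.Packed.375;;` carries the verdict for an object inside a container, and the following `...;Container contains infected objects;Moved.;` row carries the action taken on the container. Nearly all of the hits sit in two places that do not run: Symantec's SRTSP quarantine store (already neutralised copies) and the System Restore snapshot under `_restore{...}\RP78`, which is exactly why the final advice in this thread tells the user to purge restore points. The added example below, which is not part of the original post and not Dr.Web's own code, parses a constructed excerpt in that format, attributes each nested verdict to its container's action, and splits the detections by where they live so the handful of objects on the live file system stand out. It treats Dr.Web's "Probably" prefix as marking a heuristic verdict; the location rules (restore-point and quarantine path markers) are the example's own assumptions.

```python
"""Reader for the DrWeb.csv report Dr.Web CureIt writes (object;directory;verdict;action;).

Added example, not Dr.Web's own tooling.  Row shapes handled:
  name\\data001;<path to container>;<verdict>;;                  object nested in a container
  name;<directory>;Container contains infected objects;Moved.;   the container itself
"""
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "name directory verdict action location heuristic")

CONTAINER_VERDICT = "Container contains infected objects"
# ASSUMPTION: path markers used to decide whether a hit can affect the running system.
RESTORE_MARK = "\\System Volume Information\\_restore"   # System Restore snapshot
QUARANTINE_MARK = "\\Quarantine"                          # another scanner's quarantine store


def classify(directory):
    """Where the object lives decides how much it matters for the running system."""
    d = directory.lower()
    if RESTORE_MARK.lower() in d:
        return "restore_point"   # only revived by a System Restore rollback
    if QUARANTINE_MARK.lower() in d:
        return "av_quarantine"   # already neutralised by another product
    return "live"


def parse_drweb_csv(text):
    """Return one Detection per infected object, with the container's action folded in."""
    rows = []
    for raw in text.splitlines():
        if raw.strip():
            fields = raw.split(";")
            fields += [""] * (4 - len(fields))
            rows.append(fields[:4])
    container_action = {(name, directory): action
                        for name, directory, verdict, action in rows
                        if verdict == CONTAINER_VERDICT}
    dets = []
    for name, directory, verdict, action in rows:
        if verdict == CONTAINER_VERDICT:
            continue                      # wrapper row; the nested row carries the verdict
        container, _, nested = name.partition("\\")
        if nested:                        # "file\data001": directory is the container's full path
            directory = directory.rpartition("\\")[0]
            name = container
            action = container_action.get((name, directory), action)
        dets.append(Detection(name, directory, verdict, action,
                              classify(directory), verdict.startswith("Probably ")))
    return dets


def summarize(dets):
    """Counts by location plus the live-file-system hits, heuristic ones listed separately."""
    live = [d for d in dets if d.location == "live"]
    return {
        "by_location": Counter(d.location for d in dets),
        "verdicts": Counter(d.verdict for d in dets),
        "live": live,
        "heuristic_live": [d for d in live if d.heuristic],
    }


# CONSTRUCTED excerpt in the report's format, modelled on rows in the post above.
SAMPLE_CSV = r"""
AP1FF195B1.dll\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP1FF195B1.dll;Trojan.Packed.375;;
AP1FF195B1.dll;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Deleted.;
A0030706.dll\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78\A0030706.dll;Trojan.Virtumod.650;;
A0030706.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Container contains infected objects;Moved.;
A0030720.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP78;Trojan.Click.2093;Deleted.;
"""

if __name__ == "__main__":
    s = summarize(parse_drweb_csv(SAMPLE_CSV))
    print("by location:", dict(s["by_location"]))
    for d in s["live"]:
        flag = " (heuristic)" if d.heuristic else ""
        print(f"LIVE {d.directory}\\{d.name}: {d.verdict} -> {d.action}{flag}")
```

Point it at a real DrWeb.csv with `parse_drweb_csv(open(path, encoding="cp1252").read())`. The split matters for triage: quarantine and restore-point hits explain the volume of the report but not the browser redirects, so the live entries are the ones to correlate with the running-process list and the user's symptoms, and the heuristic "Probably" verdicts on vendor installers are the ones worth a second look before trusting the deletion.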

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 February 2010 - 08:24 AM

How is your computer behaving now?
Are you still being redirected?




========================================================

#9 aminah

aminah
  • Topic Starter

  • Members
  • 5 posts

Posted 14 February 2010 - 02:54 PM

My computer is okay now. When I use the internet, my browser is no longer being redirected. Thank you for your help!

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 February 2010 - 02:02 AM

Sounds good! If you're not having any other issues, here are some final steps and recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click Start -> Run
  • Now type Combofix /uninstall in the runbox and click OK


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files left in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.








========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 February 2010 - 08:26 AM

Now that your malware problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the Malware Response Team and we will reopen it for you.
Include the address of this topic in your request.






========================================================



