
Browser Redirect - Unable to remove


This topic is locked
25 replies to this topic

#1 Vae Victis

Vae Victis

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 28 February 2010 - 09:23 AM

Good morning panelists...

I've tried to follow all of the directions posted in the "preparation guide" and would appreciate any help you might be able to offer. I'm actually trying to fix a browser redirect problem on my friend's computer and the mechanism to do so appears way beyond my skill level. I've had this same issue on my own laptop a couple of years ago and after several hours on the web and several printed pages of instruction, I was able to figure it out and remove it myself. But either times have changed and the malware's just that more insidious, or my patience for reviewing hundreds of websites in the hope of finding just that right one has waned. I suspect it's a bit of both.

So please find below and attached the information that I was able to collect as requested in the "preparation guide." The only specific knowledge I have of this particular problem is the description from my friend that when he opens a new browser window or clicks a hyperlink, at least 50% of the time the website gets redirected to a different website, usually something that's trying to sell him something. When he gave me the laptop yesterday, I opened up an IE window and got the same thing. Having seen this in the past, I tried Hijackthis, but must admit to not being smart enough to make heads or tails of the output. My friend said he tried a couple of different malware-removal tools (although the only one I see on the computer is Malwarebytes), but he said he was unable to find anything (not surprising).

I wish I had more details for you, but will certainly be happy to perform any additional data collection that you might need. I told my friend that I would likely need his laptop for several days, and he was fine with that. I do not intend to mess with the laptop unless I get some advice from this forum on what to do, so you can be sure that the laptop will stay in the state it's currently in unless this forum directs me to do something.

Thank you so much for your help. It is very much appreciated. The contents of the DDS.txt are included, below, and the files attach.txt and ark.txt are attached per the directions.

Regards.

Jay (You'll notice "Run by Chuck" in the DDS output, because I'm logged in as Chuck on Chuck's laptop, just in case you're wondering...)

----------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chuck at 16:32:21.90 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.426 [GMT -5:00]

FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chuck\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://pccreg.antivirus.com/11/PCC/110/PccReg/wcoRegister.asp?SN=AWEF-0019-3577-1042-6942&GUID=F1F3F3F4F3F2F3F6F2F5F1F0F7F2C3&VID=USP1010002&PID=CBB0
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\my.freeze.com toolbar with netassistant\NetAssistant.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar with netassistant\freeze_us.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [<NO NAME>]
mRun: [Webroot Desktop Firewall] c:\program files\webroot\webroot desktop firewall\WDF.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2409-05-09 17:53:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2409-05-09 17:53:47 204 ----a-w- C:\Plugins
2409-05-09 17:53:17 0 d-----w- c:\program files\Pando Networks
2010-02-27 17:29:35 0 ----a-w- c:\documents and settings\chuck\defogger_reenable
2010-02-27 17:04:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-06 14:44:56 0 d-----w- c:\program files\iPod
2010-02-06 14:44:36 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-01-27 11:33:08 38808920 ----a-w- C:\FileFormatConverters.exe
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-08 01:59:13 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-08 01:59:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-08 01:59:04 2395944 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2006-09-03 05:38:10 22 --sha-w- c:\windows\sminst\HPCD.SYS
2008-12-08 13:53:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120820081209\index.dat

============= FINISH: 16:33:34.35 ===============



Edited by Vae Victis, 28 February 2010 - 09:24 AM.




#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:29 AM

Posted 05 March 2010 - 02:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Vae Victis

Vae Victis
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 07 March 2010 - 11:10 AM

Bleeping Computer:

Please find attached the GMER ark_V2.txt file (V2 since it is the second version of the file). Also attached is the attach_V2.txt file. And pasted below is the text from the DDS_V2.txt file. This computer has sat unused since the original posting, so I suspect there's little change in the files, but what do I know...?

Once again, thanks so very much for your assistance. I'd rather not have to use this service at all, but when the bad guys are smarter than me, I need to turn to even smarter guys...

Regards,

Jay


______________________


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chuck at 9:32:44.88 on Sun 03/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.226 [GMT -5:00]

FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chuck\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://pccreg.antivirus.com/11/PCC/110/PccReg/wcoRegister.asp?SN=AWEF-0019-3577-1042-6942&GUID=F1F3F3F4F3F2F3F6F2F5F1F0F7F2C3&VID=USP1010002&PID=CBB0
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\my.freeze.com toolbar with netassistant\NetAssistant.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar with netassistant\freeze_us.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [<NO NAME>]
mRun: [Webroot Desktop Firewall] c:\program files\webroot\webroot desktop firewall\WDF.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2409-05-09 17:53:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2409-05-09 17:53:47 204 ----a-w- C:\Plugins
2409-05-09 17:53:17 0 d-----w- c:\program files\Pando Networks
2010-02-27 17:29:35 0 ----a-w- c:\documents and settings\chuck\defogger_reenable
2010-02-27 17:04:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-06 14:44:56 0 d-----w- c:\program files\iPod
2010-02-06 14:44:36 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-02-28 15:02:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-27 11:33:08 38808920 ----a-w- C:\FileFormatConverters.exe
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-08 01:59:13 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-08 01:59:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-08 01:59:04 2395944 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2006-09-03 05:38:10 22 --sha-w- c:\windows\sminst\HPCD.SYS
2008-12-08 13:53:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120820081209\index.dat

============= FINISH: 9:33:58.48 ===============
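
As an added example (my code, not code from the thread, from DDS's author or from BleepingComputer): a small Python script that splits a DDS log into its banner-delimited sections, diffs the file listings of two runs, and flags the rows a helper looks at first. Run on trimmed excerpts of the two logs in this thread, the Find3M diff surfaces c:\windows\system32\drivers\atapi.sys, dated 2010-02-28, which appears only in the second log, and the Created Last 30 check flags the Pando Networks row stamped 2409, a date after the scan itself. The section names, the "Run by ... on" date format and the row layout are taken from the logs as quoted; everything else here is an assumption of this example.

```python
"""Added example (not from the thread, DDS or BleepingComputer): parse two DDS
logs and diff their file listings. Inputs are trimmed excerpts of the two logs
quoted in this thread."""
import re
from datetime import date, datetime

# '============== Section Name ===============' banners split the log
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# 'Run by Chuck at 16:32:21.90 on Sat 02/27/2010' carries the scan date (MM/DD/YYYY)
RUN_RE = re.compile(r"Run by .+ on \w{3} (\d{2})/(\d{2})/(\d{4})")
# file rows: timestamp, size, attribute flags, path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")

# Trimmed from the first log in the thread (27 Feb 2010)
LOG_1 = r"""
Run by Chuck at 16:32:21.90 on Sat 02/27/2010
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
=============== Created Last 30 ================
2409-05-09 17:53:17 0 d-----w- c:\program files\Pando Networks
2010-02-27 17:04:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
==================== Find3M ====================
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
"""

# Trimmed from the second log (7 Mar 2010); note the new atapi.sys row
LOG_2 = r"""
Run by Chuck at 9:32:44.88 on Sun 03/07/2010
==================== Find3M ====================
2010-02-28 15:02:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
"""


def parse_dds(text):
    """Split a DDS log into sections keyed by banner name; pre-banner lines go to 'header'."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def scan_date(sections):
    """Date the scan ran, from the 'Run by ... on <Day> MM/DD/YYYY' header line."""
    for line in sections["header"]:
        m = RUN_RE.search(line)
        if m:
            month, day, year = (int(x) for x in m.groups())
            return date(year, month, day)
    raise ValueError("no 'Run by ... on' line in the DDS header")


def file_entries(lines):
    """Map lower-cased path -> (timestamp, size, attribute flags)."""
    entries = {}
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            entries[path.lower()] = (ts, int(size), attrs)
    return entries


def diff_file_section(old, new, section):
    """Paths added, removed or changed between two logs' copies of one file section."""
    a, b = file_entries(old.get(section, [])), file_entries(new.get(section, []))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return sorted(set(b) - set(a)), sorted(set(a) - set(b)), changed


def future_dated(sections, section="Created Last 30"):
    """Rows stamped later than the scan itself: impossible for a genuine creation time."""
    when = scan_date(sections)
    return sorted(p for p, (ts, _, _) in file_entries(sections.get(section, [])).items()
                  if datetime.strptime(ts[:10], "%Y-%m-%d").date() > when)


def flag_hjt(lines):
    """Pseudo HJT rows a helper checks first: orphaned CLSIDs and nameless Run entries."""
    return [l for l in lines if l.endswith("- No File") or "[<NO NAME>]" in l]


if __name__ == "__main__":
    first, second = parse_dds(LOG_1), parse_dds(LOG_2)
    print("scans:", scan_date(first), "->", scan_date(second))
    print("Find3M (added, removed, changed):", diff_file_section(first, second, "Find3M"))
    print("future-dated rows:", future_dated(first))
    print("HJT flags:", flag_hjt(first["Pseudo HJT Report"]))
```

A system driver changing between two scans of a machine that was not in use is exactly the sort of thing a helper asks about, and the thread's next step, TDSSKiller, targets a rootkit family that lived in patched storage drivers. The future-dated rows are worth a second look for a different reason: a creation time after the scan is not a real timestamp, whatever wrote it.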





#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:29 AM

Posted 07 March 2010 - 05:33 PM

Hi, Vae Victis-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you under the supervision of the teachers, and they will approve every post before I present it to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

Please give me some time to look over your log. I will post the reply as soon as possible.

Shannon

#5 Vae Victis

Vae Victis
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 07 March 2010 - 08:26 PM

Shannon:

Thank you for your assistance. I realize this forum is extremely busy and understand you're still in training - no problem with either. I appreciate any help you can offer.

Regards,

Jay

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:29 AM

Posted 08 March 2010 - 05:37 AM

Hi, Vae Victis

Let's start treating the computer's infection and then take a different look at the computer.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Next, we need to create an OTL Report
  • Please download OTL from here if you have not done so already -
  • Main Mirror
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    ole32.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
In your reply, please copy in the ComboFix, OTL, and Extra logs.


Shannon
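
The OTL custom-scan box above is a small directive language: a service-list keyword, file globs with an optional /s, a /md5start ... /md5stop list of driver names, and /lockedfiles globs. As an added example (my code, not OTL's and not from the post), here is a parser for that block and an MD5 check of the listed drivers against a known-good baseline, run against a constructed temporary directory in which one "driver" has been altered after the baseline was taken. How OTL itself interprets these switches is assumed from the way the post uses them, not quoted from OTL's documentation, and the driver bytes and baseline hashes are constructed for the demo.

```python
"""Added example: parse an OTL custom-scan block and run its /md5start list.
Illustration only; not OTL's code and not from the post. The directive meanings
(netsvcs, '/s' = recurse, /md5start../md5stop = hash the named files,
'/lockedfiles') are assumed from the post's usage, not OTL documentation."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Trimmed from the CODE box in the post above
CUSTOM_SCAN = r"""
netsvcs
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe /s
/md5start
atapi.sys
iaStor.sys
nvstor.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
"""


@dataclass
class CustomScan:
    services: bool = False                           # 'netsvcs' present
    file_globs: list = field(default_factory=list)   # (pattern, recursive)
    md5_files: list = field(default_factory=list)    # names between /md5start and /md5stop
    locked_globs: list = field(default_factory=list)


def parse_custom_scan(text):
    job, in_md5 = CustomScan(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "/md5start":
            in_md5 = True
        elif line.lower() == "/md5stop":
            in_md5 = False
        elif in_md5:
            job.md5_files.append(line)
        elif line.lower() == "netsvcs":
            job.services = True
        else:
            tokens, switches = line.split(), set()
            while tokens and tokens[-1].startswith("/"):   # trailing switches
                switches.add(tokens.pop().lower())
            pattern = " ".join(tokens)                      # paths may contain spaces
            if "/lockedfiles" in switches:
                job.locked_globs.append(pattern)
            else:
                job.file_globs.append((pattern, "/s" in switches))
    return job


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_md5_list(job, search_dirs, baseline):
    """Hash each listed driver and compare with a known-good baseline (keys lower-cased).
    Status per name: 'ok', 'MISMATCH', 'missing' or 'no baseline'."""
    report = {}
    for name in job.md5_files:
        found = next((os.path.join(d, name) for d in search_dirs
                      if os.path.isfile(os.path.join(d, name))), None)
        if found is None:
            report[name] = "missing"
        elif name.lower() not in baseline:
            report[name] = "no baseline"
        else:
            report[name] = "ok" if md5_of(found) == baseline[name.lower()] else "MISMATCH"
    return report


def demo():
    """Constructed sandbox: two 'drivers' on disk, one patched after the baseline was taken."""
    job = parse_custom_scan(CUSTOM_SCAN)
    good = {"atapi.sys": b"pristine atapi bytes", "iaStor.sys": b"pristine iastor bytes"}
    baseline = {n.lower(): hashlib.md5(b).hexdigest() for n, b in good.items()}
    with tempfile.TemporaryDirectory() as drivers:
        for n, b in good.items():
            with open(os.path.join(drivers, n), "wb") as f:
                f.write(b)
        with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
            f.write(b"patched atapi bytes")          # simulate an in-place patch
        return check_md5_list(job, [drivers], baseline)


if __name__ == "__main__":
    print(demo())   # atapi.sys MISMATCH, iaStor.sys ok, nvstor.sys missing
```

The names in the md5 list are kernel storage drivers (atapi.sys, iaStor.sys, nvstor.sys and the like); rootkits of that period patched such drivers in place, so a hash that differs from the vendor's is a strong lead, while a listed driver that is simply absent usually just means the machine never had that controller. In practice the baseline comes from the driver vendor or a clean install of the same service pack, not from bytes constructed in the script.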

#7 Vae Victis

Vae Victis
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 08 March 2010 - 09:45 PM

Shannon: Thanks for the help. However, having followed the directions you provided, I now find that I can't use IE anymore at all. Everything gets redirected and security alerts pop constantly. I've tried to post this response several times only to have the system kick me out over and over. Many, many other windows keep popping up as well. So rather than cut-and-pasting, I'm attaching the three files you're requesting and then shutting down the computer.

Regards,

Jay




#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:29 AM

Posted 11 March 2010 - 01:39 PM

Hi-

Sorry for the delay. Combofix was not able to delete your main infection, so we will try something else and then run Combofix again.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Now, rerun Combofix.

In your next reply, please include the TDSSKiller log and the Combofix log.


Shannon

#9 Vae Victis

Vae Victis
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 11 March 2010 - 07:34 PM

Shannon: TDSSKiller and ComboFix logs pasted here and attached for your review...

Thanks, as always.

Jay

18:21:37:187 0208 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
18:21:37:187 0208 ================================================================================
18:21:37:187 0208 SystemInfo:

18:21:37:187 0208 OS Version: 5.1.2600 ServicePack: 3.0
18:21:37:187 0208 Product type: Workstation
18:21:37:187 0208 ComputerName: HP-LAPTOP
18:21:37:187 0208 UserName: Chuck
18:21:37:187 0208 Windows directory: C:\WINDOWS
18:21:37:187 0208 Processor architecture: Intel x86
18:21:37:187 0208 Number of processors: 1
18:21:37:187 0208 Page size: 0x1000
18:21:37:187 0208 Boot type: Normal boot
18:21:37:187 0208 ================================================================================
18:21:37:218 0208 UnloadDriverW: NtUnloadDriver error 2
18:21:37:218 0208 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:21:37:281 0208 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:21:37:281 0208 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:21:37:281 0208 wfopen_ex: Trying to KLMD file open
18:21:37:281 0208 wfopen_ex: File opened ok (Flags 2)
18:21:37:281 0208 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:21:37:281 0208 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:21:37:281 0208 wfopen_ex: Trying to KLMD file open
18:21:37:281 0208 wfopen_ex: File opened ok (Flags 2)
18:21:37:281 0208 Initialize success
18:21:37:281 0208
18:21:37:281 0208 Scanning Services ...
18:21:38:046 0208 GetAdvancedServicesInfo: Raw services enum returned 349 services
18:21:38:046 0208
18:21:38:046 0208 Scanning Kernel memory ...
18:21:38:046 0208 Devices to scan: 4
18:21:38:046 0208
18:21:38:046 0208 Driver Name: Disk
18:21:38:046 0208 IRP_MJ_CREATE : F7638BB0
18:21:38:046 0208 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
18:21:38:046 0208 IRP_MJ_CLOSE : F7638BB0
18:21:38:046 0208 IRP_MJ_READ : F7632D1F
18:21:38:046 0208 IRP_MJ_WRITE : F7632D1F
18:21:38:046 0208 IRP_MJ_QUERY_INFORMATION : 804F355A
18:21:38:046 0208 IRP_MJ_SET_INFORMATION : 804F355A
18:21:38:046 0208 IRP_MJ_QUERY_EA : 804F355A
18:21:38:046 0208 IRP_MJ_SET_EA : 804F355A
18:21:38:046 0208 IRP_MJ_FLUSH_BUFFERS : F76332E2
18:21:38:046 0208 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
18:21:38:046 0208 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
18:21:38:046 0208 IRP_MJ_DIRECTORY_CONTROL : 804F355A
18:21:38:046 0208 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
18:21:38:046 0208 IRP_MJ_DEVICE_CONTROL : F76333BB
18:21:38:046 0208 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
18:21:38:046 0208 IRP_MJ_SHUTDOWN : F76332E2
18:21:38:046 0208 IRP_MJ_LOCK_CONTROL : 804F355A
18:21:38:046 0208 IRP_MJ_CLEANUP : 804F355A
18:21:38:046 0208 IRP_MJ_CREATE_MAILSLOT : 804F355A
18:21:38:046 0208 IRP_MJ_QUERY_SECURITY : 804F355A
18:21:38:046 0208 IRP_MJ_SET_SECURITY : 804F355A
18:21:38:046 0208 IRP_MJ_POWER : F7634C82
18:21:38:046 0208 IRP_MJ_SYSTEM_CONTROL : F763999E
18:21:38:046 0208 IRP_MJ_DEVICE_CHANGE : 804F355A
18:21:38:046 0208 IRP_MJ_QUERY_QUOTA : 804F355A
18:21:38:046 0208 IRP_MJ_SET_QUOTA : 804F355A
18:21:38:125 0208 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:21:38:125 0208
18:21:38:125 0208 Driver Name: Disk
18:21:38:125 0208 IRP_MJ_CREATE : F7638BB0
18:21:38:125 0208 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
18:21:38:125 0208 IRP_MJ_CLOSE : F7638BB0
18:21:38:125 0208 IRP_MJ_READ : F7632D1F
18:21:38:125 0208 IRP_MJ_WRITE : F7632D1F
18:21:38:125 0208 IRP_MJ_QUERY_INFORMATION : 804F355A
18:21:38:125 0208 IRP_MJ_SET_INFORMATION : 804F355A
18:21:38:125 0208 IRP_MJ_QUERY_EA : 804F355A
18:21:38:125 0208 IRP_MJ_SET_EA : 804F355A
18:21:38:125 0208 IRP_MJ_FLUSH_BUFFERS : F76332E2
18:21:38:125 0208 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
18:21:38:125 0208 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
18:21:38:125 0208 IRP_MJ_DIRECTORY_CONTROL : 804F355A
18:21:38:125 0208 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
18:21:38:125 0208 IRP_MJ_DEVICE_CONTROL : F76333BB
18:21:38:125 0208 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
18:21:38:125 0208 IRP_MJ_SHUTDOWN : F76332E2
18:21:38:125 0208 IRP_MJ_LOCK_CONTROL : 804F355A
18:21:38:125 0208 IRP_MJ_CLEANUP : 804F355A
18:21:38:125 0208 IRP_MJ_CREATE_MAILSLOT : 804F355A
18:21:38:125 0208 IRP_MJ_QUERY_SECURITY : 804F355A
18:21:38:125 0208 IRP_MJ_SET_SECURITY : 804F355A
18:21:38:125 0208 IRP_MJ_POWER : F7634C82
18:21:38:125 0208 IRP_MJ_SYSTEM_CONTROL : F763999E
18:21:38:125 0208 IRP_MJ_DEVICE_CHANGE : 804F355A
18:21:38:125 0208 IRP_MJ_QUERY_QUOTA : 804F355A
18:21:38:125 0208 IRP_MJ_SET_QUOTA : 804F355A
18:21:38:140 0208 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:21:38:140 0208
18:21:38:140 0208 Driver Name: Disk
18:21:38:140 0208 IRP_MJ_CREATE : F7638BB0
18:21:38:140 0208 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
18:21:38:140 0208 IRP_MJ_CLOSE : F7638BB0
18:21:38:140 0208 IRP_MJ_READ : F7632D1F
18:21:38:140 0208 IRP_MJ_WRITE : F7632D1F
18:21:38:140 0208 IRP_MJ_QUERY_INFORMATION : 804F355A
18:21:38:140 0208 IRP_MJ_SET_INFORMATION : 804F355A
18:21:38:140 0208 IRP_MJ_QUERY_EA : 804F355A
18:21:38:140 0208 IRP_MJ_SET_EA : 804F355A
18:21:38:140 0208 IRP_MJ_FLUSH_BUFFERS : F76332E2
18:21:38:140 0208 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
18:21:38:140 0208 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
18:21:38:140 0208 IRP_MJ_DIRECTORY_CONTROL : 804F355A
18:21:38:140 0208 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
18:21:38:140 0208 IRP_MJ_DEVICE_CONTROL : F76333BB
18:21:38:140 0208 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
18:21:38:140 0208 IRP_MJ_SHUTDOWN : F76332E2
18:21:38:140 0208 IRP_MJ_LOCK_CONTROL : 804F355A
18:21:38:140 0208 IRP_MJ_CLEANUP : 804F355A
18:21:38:140 0208 IRP_MJ_CREATE_MAILSLOT : 804F355A
18:21:38:140 0208 IRP_MJ_QUERY_SECURITY : 804F355A
18:21:38:140 0208 IRP_MJ_SET_SECURITY : 804F355A
18:21:38:140 0208 IRP_MJ_POWER : F7634C82
18:21:38:140 0208 IRP_MJ_SYSTEM_CONTROL : F763999E
18:21:38:140 0208 IRP_MJ_DEVICE_CHANGE : 804F355A
18:21:38:140 0208 IRP_MJ_QUERY_QUOTA : 804F355A
18:21:38:140 0208 IRP_MJ_SET_QUOTA : 804F355A
18:21:38:140 0208 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:21:38:140 0208
18:21:38:140 0208 Driver Name: atapi
18:21:38:140 0208 IRP_MJ_CREATE : 854D6A9A
18:21:38:140 0208 IRP_MJ_CREATE_NAMED_PIPE : 854D6A9A
18:21:38:140 0208 IRP_MJ_CLOSE : 854D6A9A
18:21:38:140 0208 IRP_MJ_READ : 854D6A9A
18:21:38:140 0208 IRP_MJ_WRITE : 854D6A9A
18:21:38:140 0208 IRP_MJ_QUERY_INFORMATION : 854D6A9A
18:21:38:140 0208 IRP_MJ_SET_INFORMATION : 854D6A9A
18:21:38:140 0208 IRP_MJ_QUERY_EA : 854D6A9A
18:21:38:140 0208 IRP_MJ_SET_EA : 854D6A9A
18:21:38:140 0208 IRP_MJ_FLUSH_BUFFERS : 854D6A9A
18:21:38:140 0208 IRP_MJ_QUERY_VOLUME_INFORMATION : 854D6A9A
18:21:38:140 0208 IRP_MJ_SET_VOLUME_INFORMATION : 854D6A9A
18:21:38:140 0208 IRP_MJ_DIRECTORY_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_FILE_SYSTEM_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_DEVICE_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_INTERNAL_DEVICE_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_SHUTDOWN : 854D6A9A
18:21:38:140 0208 IRP_MJ_LOCK_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_CLEANUP : 854D6A9A
18:21:38:140 0208 IRP_MJ_CREATE_MAILSLOT : 854D6A9A
18:21:38:140 0208 IRP_MJ_QUERY_SECURITY : 854D6A9A
18:21:38:140 0208 IRP_MJ_SET_SECURITY : 854D6A9A
18:21:38:140 0208 IRP_MJ_POWER : 854D6A9A
18:21:38:140 0208 IRP_MJ_SYSTEM_CONTROL : 854D6A9A
18:21:38:140 0208 IRP_MJ_DEVICE_CHANGE : 854D6A9A
18:21:38:140 0208 IRP_MJ_QUERY_QUOTA : 854D6A9A
18:21:38:140 0208 IRP_MJ_SET_QUOTA : 854D6A9A
18:21:38:140 0208 Driver "atapi" infected by TDSS rootkit!
18:21:38:140 0208 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
18:21:38:140 0208 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
18:21:38:140 0208 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:21:38:140 0208 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:21:38:453 0208 vfvi6
18:21:38:578 0208 !dsvbh1
18:21:38:640 0208 !vdf7
18:21:38:640 0208 !cbck3
18:21:38:640 0208 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
18:21:38:906 0208 vfvi6
18:21:38:906 0208 !dsvbh1
18:21:38:906 0208 !vdf7
18:21:38:906 0208 !fck2
18:21:39:078 0208 !fdfb7
18:21:39:078 0208 vfvi6
18:21:39:078 0208 !dsvbh1
18:21:39:078 0208 !vdf7
18:21:39:078 0208 Backup copy not found, trying to cure infected file..
18:21:39:078 0208 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Cure failed (0)
18:21:39:078 0208 cure failed
18:21:39:078 0208
18:21:39:078 0208 Completed
18:21:39:078 0208
18:21:39:078 0208 Results:
18:21:39:078 0208 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
18:21:39:078 0208 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:21:39:078 0208 File objects infected / cured / cured on reboot: 1 / 0 / 0
18:21:39:078 0208
18:21:39:078 0208 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:21:39:078 0208 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:21:39:093 0208 KLMD(ARK) unloaded successfully
ComboFix 10-03-08.01 - Chuck 03/11/2010 18:51:02.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.613 [GMT -5:00]
Running from: c:\documents and settings\Chuck\Desktop\ComboFix.exe
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chuck\Application Data\wiaserva.log
c:\documents and settings\Chuck\Local Settings\Application Data\{7DFDCA3B-6E55-42D0-A58E-64844CE9C1FD}
c:\documents and settings\Chuck\Local Settings\Application Data\{7DFDCA3B-6E55-42D0-A58E-64844CE9C1FD}\chrome.manifest
c:\documents and settings\Chuck\Local Settings\Application Data\{7DFDCA3B-6E55-42D0-A58E-64844CE9C1FD}\chrome\content\_cfg.js
c:\documents and settings\Chuck\Local Settings\Application Data\{7DFDCA3B-6E55-42D0-A58E-64844CE9C1FD}\chrome\content\overlay.xul
c:\documents and settings\Chuck\Local Settings\Application Data\{7DFDCA3B-6E55-42D0-A58E-64844CE9C1FD}\install.rdf
c:\documents and settings\Chuck\Local Settings\Application Data\av.exe
c:\documents and settings\Chuck\Local Settings\Temporary Internet Files\4pm8Mk3n.jpg
c:\documents and settings\Chuck\Local Settings\Temporary Internet Files\7JBYx.jpg
c:\documents and settings\Chuck\Local Settings\Temporary Internet Files\AY8m5.jpg
c:\documents and settings\Chuck\Local Settings\Temporary Internet Files\JKpyamB.jpg
c:\documents and settings\Chuck\nah_cpxa.exe
c:\windows\ekacanarigapuq.dll
c:\windows\MFChcn.dll
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP690\A0193204.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))
.

2409-05-09 17:54 . 2409-05-09 19:11 -------- d-----w- c:\documents and settings\Jenn\Local Settings\Application Data\PMB Files
2409-05-09 17:53 . 2009-05-30 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2409-05-09 17:53 . 2409-05-09 17:53 -------- d-----w- c:\program files\Pando Networks
2010-03-12 00:03 . 2008-04-14 00:12 39936 ----a-w- c:\windows\system32\proquota.exe
2010-03-09 02:39 . 2010-03-09 02:39 0 ----a-w- c:\windows\nsreg.dat
2010-03-09 02:39 . 2010-03-09 02:39 -------- d-----w- c:\documents and settings\Chuck\Local Settings\Application Data\Mozilla
2010-03-09 02:33 . 2010-03-11 23:13 120 ----a-w- c:\windows\Bquwuwamoheyeval.dat
2010-03-09 02:33 . 2010-03-11 23:13 0 ----a-w- c:\windows\Sjatahazuyos.bin
2010-02-27 21:09 . 2010-02-27 21:09 -------- d-sh--w- c:\documents and settings\Zack\IECompatCache
2010-02-27 21:07 . 2010-02-27 21:07 -------- d-sh--w- c:\documents and settings\Jenn\IECompatCache
2010-02-27 17:04 . 2010-02-27 17:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-27 17:03 . 2010-02-27 17:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 15:02 . 2004-08-04 00:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-28 14:00 . 2007-01-05 22:35 -------- d-----w- c:\program files\Yahoo!
2010-02-27 17:04 . 2007-06-21 00:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-27 16:49 . 2007-01-05 16:23 -------- d-----w- c:\program files\Trend Micro
2010-02-26 22:24 . 2007-01-05 20:28 108336 ----a-w- c:\documents and settings\Jenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 21:50 . 2007-11-27 23:39 108336 ----a-w- c:\documents and settings\Zack\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 00:21 . 2007-01-05 16:09 108336 ----a-w- c:\documents and settings\Chuck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-06 14:46 . 2010-02-06 14:44 -------- d-----w- c:\program files\iTunes
2010-02-06 14:44 . 2010-02-06 14:44 -------- d-----w- c:\program files\iPod
2010-02-06 14:44 . 2007-12-25 13:05 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 14:40 . 2009-07-12 21:22 -------- d-----w- c:\program files\QuickTime
2010-02-06 14:34 . 2010-02-06 14:34 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 14:30 . 2010-02-06 14:30 -------- d-----w- c:\program files\Safari
2010-02-06 14:27 . 2010-02-06 14:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-27 11:46 . 2010-01-27 11:46 -------- d-----w- c:\program files\MSECache
2010-01-27 11:33 . 2010-01-27 11:33 38808920 ----a-w- C:\FileFormatConverters.exe
2010-01-21 01:03 . 2009-05-30 16:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 20:29 . 2010-01-10 20:29 144160 ----a-w- c:\documents and settings\Chuck\Application Data\Move Networks\uninstall.exe
2010-01-10 20:29 . 2009-12-10 21:23 4183416 ----a-w- c:\documents and settings\Chuck\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-09-03 05:38 . 2007-01-05 15:28 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------

[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-04 05:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-04 08:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\msgsvc.dll

[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 08:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2004-08-04 08:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\$NtServicePackUninstall$\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB931261$\upnphost.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-09_01.44.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-07 13:10 . 2010-03-09 01:33 72306 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2010-03-12 00:09 72306 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2010-03-12 00:09 444596 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2010-03-09 01:33 444596 c:\windows\system32\perfh009.dat
+ 2010-02-06 14:30 . 2010-03-09 02:33 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
- 2010-02-06 14:30 . 2010-02-06 14:30 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
"56857:TCP"= 56857:TCP:Pando Media Booster
"56857:UDP"= 56857:UDP:Pando Media Booster

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/31/2008 3:19 PM 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [7/31/2008 3:19 PM 353672]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://pccreg.antivirus.com/11/PCC/110/PccReg/wcoRegister.asp?SN=AWEF-0019-3577-1042-6942&GUID=F1F3F3F4F3F2F3F6F2F5F1F0F7F2C3&VID=USP1010002&PID=CBB0
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Chuck\Application Data\Mozilla\Firefox\Profiles\it3u3o5o.default\
FF - plugin: c:\documents and settings\Chuck\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ofofilesolas - c:\windows\ekacanarigapuq.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854D6A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7647f28
\Driver\ACPI -> ACPI.sys @ 0xf74bacb8
\Driver\atapi -> atapi.sys @ 0xf7454852
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80579208
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf7360bb0
PacketIndicateHandler -> NDIS.sys @ 0xf736da21
SendHandler -> NDIS.sys @ 0xf734b87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1208)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(1268)
c:\windows\system32\WININET.dll
c:\windows\system32\wdfproc.dll

- - - - - - - > 'explorer.exe'(3224)
c:\windows\system32\WININET.dll
c:\windows\system32\wdfproc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-03-11 19:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-12 00:16

Pre-Run: 42,127,429,632 bytes free
Post-Run: 42,013,593,600 bytes free

- - End Of File - - AECDF39C429658D8BB70DF695B0CC01D

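The ComboFix section above lists each system file next to the cached copy under ServicePackFiles\i386 with its MD5, size and version, and that comparison is what exposes a patched driver such as the atapi.sys this thread is dealing with. The parser below, added here as an illustration and not ComboFix's or the thread's own code, reads lines in that format and reports live system32 copies whose hash or size differs from the cached copy; the userinit.exe lines are taken from the log, while the atapi.sys lines and their AAAA/BBBB hashes are constructed placeholders. One caveat a practitioner should keep in mind: a rootkit that hooks the disk driver can hide its changes from reads made inside the running system, so a hash comparison is only trustworthy when the files are read from a clean boot environment.

```python
"""Parse ComboFix-style file-verification lines and flag live system files
whose MD5 or size differs from the cached ServicePackFiles copy.
Added example; this is not ComboFix code."""
import re
from collections import defaultdict

# One verification line looks like (fields separated by " . "):
#   [-] 2008-04-14 . <32-hex MD5> . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
# Some lines carry an HH:MM time after the date, so that part is optional.
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# The copy under ServicePackFiles\i386 is the reference; anything under
# system32 (including system32\drivers) is a live copy that should match it.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
LIVE_PREFIX = "c:\\windows\\system32\\"


def parse_combofix_files(text):
    """Return one dict per verification line; lines that do not match
    the format (headers, blank lines) are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["md5"] = rec["md5"].upper()
        rec["size"] = int(rec["size"])
        rec["path"] = rec["path"].lower()   # Windows paths are case-insensitive
        records.append(rec)
    return records


def find_mismatches(records):
    """Group records by file name and compare every live copy against the
    ServicePackFiles copy. Directories such as $NtServicePackUninstall$ and
    $hf_mig$ hold older builds that are expected to differ, so they are
    neither reference nor live copies here."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["path"].rsplit("\\", 1)[-1]].append(rec)

    findings = []
    for name, group in sorted(by_name.items()):
        refs = [r for r in group if REFERENCE_DIR in r["path"]]
        if not refs:
            continue                      # nothing trustworthy to compare against
        ref = refs[0]
        for rec in group:
            if rec is ref or not rec["path"].startswith(LIVE_PREFIX):
                continue
            if rec["md5"] != ref["md5"] or rec["size"] != ref["size"]:
                findings.append({
                    "file": name,
                    "live_path": rec["path"],
                    "live_md5": rec["md5"],
                    "reference_md5": ref["md5"],
                    "live_size": rec["size"],
                    "reference_size": ref["size"],
                })
    return findings


# Constructed sample: the userinit.exe lines are copied from the log above;
# the atapi.sys lines and their AAAA/BBBB hashes are made-up placeholders
# standing in for a patched live driver that no longer matches the cache.
SAMPLE_LOG = r"""
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-13 . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 . BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
"""


def main():
    findings = find_mismatches(parse_combofix_files(SAMPLE_LOG))
    if not findings:
        print("all live copies match their ServicePackFiles reference")
    for f in findings:
        print(f"MISMATCH {f['live_path']}: live MD5 {f['live_md5']} "
              f"vs reference {f['reference_md5']} "
              f"(sizes {f['live_size']} / {f['reference_size']})")


if __name__ == "__main__":
    main()
```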

#10 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 13 March 2010 - 07:48 AM

Hi-

TDSSKiller identified the rootkit file but was unable to find a clean copy of it to replace it with so we will have to do that. Before we start, print these instructions.
  • Run Notepad.exe.
  • Copy the lines within the CODE block below into the Notepad window.
  • Click on File and Save As
  • Save the file to C:\kean.txt
  • Close Notepad.exe
CODE
ren c:\windows\system32\drivers\atapi.sys atapi.old
expand C:\WINDOWS\ServicePackFiles\i386\sp3.cab /F:atapi.sys c:\windows\system32\drivers

We will need to use the Recovery Console to replace the corrupted file. If you do not have the Recovery Console installed, go to Recovery Console Tutorial.
  • Once installed, reboot.
  • On the way back up, you will be given the option of bringing up Windows XP or the Recovery Console.
  • Click on Recovery Console
  • Press the Enter key.
When the Recovery Console is up-
  • Key in the following-

    Batch c:\kean.txt

  • Press the Return key
  • Reboot into Normal mode
Delete C:\kean.txt

Rerun TDSSKiller, ComboFix, and OTL.

Copy the three logs into your next reply.

Thanks,
Shannon

#11 Vae Victis

  • Topic Starter
  • Members
  • 20 posts

Posted 13 March 2010 - 04:02 PM

Shannon:

The computer is now totally dead. I followed your last instructions and now the computer will not boot at all. It tries to come up, and then wants to know if I want to perform a normal boot, last known good configuration, safe boot, safe boot with networking, or safe boot with command prompt. I choose normal boot and the Windows logo flashes for 1/10th of a second and then the whole process starts over again, back to the same prompts. No matter how many times I choose normal boot, it does the same thing.

So I tried to boot into safe mode. Safe mode starts like it normally should, and then dies after or during the loading of mup.sys. It goes right back to the normal/safe/safe with networking/safe with command prompt screen. Selecting safe with command prompt doesn't make any difference, nor do the other two.

Nothing I do gets me back into Windows. The only thing that I can do is to get into the Recovery Console.

If you don't have any other ideas, I'm pretty much screwed at this point. (I'm typing this from another laptop.)

Jay

#12 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 14 March 2010 - 06:52 AM

Hi-

The last run did not work as planned so we will do it the manual way this time.

We will need to use the Recovery Console again.
  • Reboot.
  • On the way back up, you will be given the option of bringing up Windows XP or the Recovery Console.
  • Select Recovery Console
  • Press the Enter key.
When the Recovery Console is up-
  • Key in the following-

    expand C:\WINDOWS\ServicePackFiles\i386\sp3.cab /f:atapi.sys c:\windows\system32\drivers

  • Press the Enter key
  • Reboot into Normal mode
Rerun TDSSKiller, ComboFix, and OTL.

Copy the three logs into your next reply.

Thanks,
Shannon

#13 Vae Victis

  • Topic Starter
  • Members
  • 20 posts

Posted 14 March 2010 - 10:54 AM

Shannon: That seemed to do the trick. The computer is up and running after manually typing in the expand command. I will rerun the three apps you've identified later today and will post the results.

Thanks much. Have a good Sunday.

Jay

#14 Vae Victis

  • Topic Starter
  • Members
  • 20 posts

Posted 14 March 2010 - 03:45 PM

Shannon: Here are the contents of the log files (which I've attached as well). The TDSSKiller and ComboFix logs had different names than they did before. I don't know if that's good, bad, or otherwise - but they ran without problems so I'm assuming that they are what you're looking for.

Thanks much.

Jay


TDSSKiller:
15:52:50:515 3996 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
15:52:50:515 3996 ================================================================================
15:52:50:515 3996 SystemInfo:

15:52:50:515 3996 OS Version: 5.1.2600 ServicePack: 3.0
15:52:50:515 3996 Product type: Workstation
15:52:50:515 3996 ComputerName: HP-LAPTOP
15:52:50:515 3996 UserName: Chuck
15:52:50:515 3996 Windows directory: C:\WINDOWS
15:52:50:515 3996 Processor architecture: Intel x86
15:52:50:515 3996 Number of processors: 1
15:52:50:515 3996 Page size: 0x1000
15:52:50:515 3996 Boot type: Normal boot
15:52:50:515 3996 ================================================================================
15:52:50:531 3996 UnloadDriverW: NtUnloadDriver error 2
15:52:50:531 3996 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:52:50:546 3996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:52:50:546 3996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:52:50:546 3996 wfopen_ex: Trying to KLMD file open
15:52:50:546 3996 wfopen_ex: File opened ok (Flags 2)
15:52:50:546 3996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:52:50:546 3996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:52:50:546 3996 wfopen_ex: Trying to KLMD file open
15:52:50:546 3996 wfopen_ex: File opened ok (Flags 2)
15:52:50:546 3996 Initialize success
15:52:50:546 3996
15:52:50:546 3996 Scanning Services ...
15:52:51:187 3996 GetAdvancedServicesInfo: Raw services enum returned 349 services
15:52:51:187 3996
15:52:51:187 3996 Scanning Kernel memory ...
15:52:51:187 3996 Devices to scan: 4
15:52:51:187 3996
15:52:51:187 3996 Driver Name: Disk
15:52:51:187 3996 IRP_MJ_CREATE : F7638BB0
15:52:51:187 3996 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:52:51:187 3996 IRP_MJ_CLOSE : F7638BB0
15:52:51:187 3996 IRP_MJ_READ : F7632D1F
15:52:51:187 3996 IRP_MJ_WRITE : F7632D1F
15:52:51:187 3996 IRP_MJ_QUERY_INFORMATION : 804F355A
15:52:51:187 3996 IRP_MJ_SET_INFORMATION : 804F355A
15:52:51:187 3996 IRP_MJ_QUERY_EA : 804F355A
15:52:51:187 3996 IRP_MJ_SET_EA : 804F355A
15:52:51:187 3996 IRP_MJ_FLUSH_BUFFERS : F76332E2
15:52:51:187 3996 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:52:51:187 3996 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:52:51:187 3996 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:52:51:187 3996 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:52:51:187 3996 IRP_MJ_DEVICE_CONTROL : F76333BB
15:52:51:187 3996 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
15:52:51:187 3996 IRP_MJ_SHUTDOWN : F76332E2
15:52:51:187 3996 IRP_MJ_LOCK_CONTROL : 804F355A
15:52:51:187 3996 IRP_MJ_CLEANUP : 804F355A
15:52:51:187 3996 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:52:51:187 3996 IRP_MJ_QUERY_SECURITY : 804F355A
15:52:51:187 3996 IRP_MJ_SET_SECURITY : 804F355A
15:52:51:187 3996 IRP_MJ_POWER : F7634C82
15:52:51:187 3996 IRP_MJ_SYSTEM_CONTROL : F763999E
15:52:51:187 3996 IRP_MJ_DEVICE_CHANGE : 804F355A
15:52:51:187 3996 IRP_MJ_QUERY_QUOTA : 804F355A
15:52:51:187 3996 IRP_MJ_SET_QUOTA : 804F355A
15:52:51:218 3996 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:52:51:218 3996
15:52:51:218 3996 Driver Name: Disk
15:52:51:218 3996 IRP_MJ_CREATE : F7638BB0
15:52:51:218 3996 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:52:51:218 3996 IRP_MJ_CLOSE : F7638BB0
15:52:51:218 3996 IRP_MJ_READ : F7632D1F
15:52:51:218 3996 IRP_MJ_WRITE : F7632D1F
15:52:51:218 3996 IRP_MJ_QUERY_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_SET_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_EA : 804F355A
15:52:51:218 3996 IRP_MJ_SET_EA : 804F355A
15:52:51:218 3996 IRP_MJ_FLUSH_BUFFERS : F76332E2
15:52:51:218 3996 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_DEVICE_CONTROL : F76333BB
15:52:51:218 3996 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
15:52:51:218 3996 IRP_MJ_SHUTDOWN : F76332E2
15:52:51:218 3996 IRP_MJ_LOCK_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_CLEANUP : 804F355A
15:52:51:218 3996 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_SECURITY : 804F355A
15:52:51:218 3996 IRP_MJ_SET_SECURITY : 804F355A
15:52:51:218 3996 IRP_MJ_POWER : F7634C82
15:52:51:218 3996 IRP_MJ_SYSTEM_CONTROL : F763999E
15:52:51:218 3996 IRP_MJ_DEVICE_CHANGE : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_QUOTA : 804F355A
15:52:51:218 3996 IRP_MJ_SET_QUOTA : 804F355A
15:52:51:218 3996 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:52:51:218 3996
15:52:51:218 3996 Driver Name: Disk
15:52:51:218 3996 IRP_MJ_CREATE : F7638BB0
15:52:51:218 3996 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:52:51:218 3996 IRP_MJ_CLOSE : F7638BB0
15:52:51:218 3996 IRP_MJ_READ : F7632D1F
15:52:51:218 3996 IRP_MJ_WRITE : F7632D1F
15:52:51:218 3996 IRP_MJ_QUERY_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_SET_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_EA : 804F355A
15:52:51:218 3996 IRP_MJ_SET_EA : 804F355A
15:52:51:218 3996 IRP_MJ_FLUSH_BUFFERS : F76332E2
15:52:51:218 3996 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:52:51:218 3996 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_DEVICE_CONTROL : F76333BB
15:52:51:218 3996 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7636F28
15:52:51:218 3996 IRP_MJ_SHUTDOWN : F76332E2
15:52:51:218 3996 IRP_MJ_LOCK_CONTROL : 804F355A
15:52:51:218 3996 IRP_MJ_CLEANUP : 804F355A
15:52:51:218 3996 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_SECURITY : 804F355A
15:52:51:218 3996 IRP_MJ_SET_SECURITY : 804F355A
15:52:51:218 3996 IRP_MJ_POWER : F7634C82
15:52:51:218 3996 IRP_MJ_SYSTEM_CONTROL : F763999E
15:52:51:218 3996 IRP_MJ_DEVICE_CHANGE : 804F355A
15:52:51:218 3996 IRP_MJ_QUERY_QUOTA : 804F355A
15:52:51:218 3996 IRP_MJ_SET_QUOTA : 804F355A
15:52:51:234 3996 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:52:51:234 3996
15:52:51:234 3996 Driver Name: atapi
15:52:51:281 3996 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
15:52:51:281 3996
15:52:51:281 3996 Completed
15:52:51:281 3996
15:52:51:281 3996 Results:
15:52:51:281 3996 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:52:51:281 3996 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:52:51:281 3996 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:52:51:281 3996
15:52:51:281 3996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:52:51:281 3996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:52:51:281 3996 KLMD(ARK) unloaded successfully


OTL:
OTL logfile created on: 3/14/2010 3:50:17 PM - Run 2
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\Chuck\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 455.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 65.19 Gb Total Space | 38.95 Gb Free Space | 59.74% Space Free | Partition Type: NTFS
Drive D: | 8.31 Gb Total Space | 1.10 Gb Free Space | 13.19% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP-LAPTOP
Current User Name: Chuck
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/08 22:03:01 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chuck\Desktop\OTL.exe
PRC - [2009/02/03 09:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/31 16:19:40 | 000,353,672 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
PRC - [2008/07/31 16:19:38 | 002,401,672 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 22:16:38 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2006/04/20 09:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2005/12/22 11:57:10 | 000,405,504 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2005/12/08 16:45:12 | 000,516,182 | ---- | M] () -- C:\Program Files\HPQ\shared\HpqToaster.exe
PRC - [2005/09/24 03:42:32 | 000,475,136 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2003/03/09 16:30:52 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe


========== Modules (SafeList) ==========

MOD - [2010/03/08 22:03:01 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chuck\Desktop\OTL.exe
MOD - [2008/07/31 16:19:40 | 000,173,448 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\system32\wdfproc.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/31 16:19:40 | 000,353,672 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe -- (WDFNet)
SRV - [2006/04/20 09:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2008/07/31 16:19:46 | 000,103,304 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwipf6.sys -- (pwipf6)
DRV - [2006/10/13 00:26:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/04/20 09:33:40 | 000,303,740 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2005/12/01 19:49:20 | 001,412,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/30 07:11:00 | 000,078,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/09/20 06:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/08/22 05:06:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2005/08/22 05:06:00 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/22 05:06:00 | 000,231,424 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/08/18 20:22:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2005/08/18 04:22:54 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/08/02 06:00:00 | 000,349,312 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/08/02 05:58:00 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/06/19 16:33:18 | 000,190,400 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/06/02 20:28:38 | 000,171,008 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/05/17 05:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/05/05 13:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 13:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/03/09 18:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/02/09 12:59:00 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2005/01/26 07:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-854415968-109802288-1654665219-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-854415968-109802288-1654665219-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-854415968-109802288-1654665219-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854415968-109802288-1654665219-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/08 22:39:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/08 22:38:59 | 000,000,000 | ---D | M]

[2010/03/08 22:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chuck\Application Data\Mozilla\Extensions
[2010/03/11 19:15:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chuck\Application Data\Mozilla\Firefox\Profiles\it3u3o5o.default\extensions
[2010/03/11 19:15:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Chuck\Application Data\Mozilla\Firefox\Profiles\it3u3o5o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/08 22:39:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/11 20:05:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-854415968-109802288-1654665219-1006\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe (HP)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Webroot Desktop Firewall] C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe (Webroot Software Inc (www.webroot.com))
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-854415968-109802288-1654665219-1006..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-854415968-109802288-1654665219-1006..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854415968-109802288-1654665219-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854415968-109802288-1654665219-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-854415968-109802288-1654665219-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-854415968-109802288-1654665219-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} https://www.battlefieldheroes.com/static/up...er_4.0.27.0.cab (Battlefield Heroes Updater)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Chuck\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Chuck\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/05 17:24:13 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2409/05/09 13:53:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2409/05/09 13:53:17 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/03/14 15:47:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chuck\Desktop\Output Files
[2010/03/11 20:18:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/11 20:16:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/03/11 20:07:25 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/11 20:03:11 | 000,039,936 | ---- | C] (NDigits) -- C:\WINDOWS\System32\proquota.exe
[2010/03/11 19:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chuck\My Documents\Downloads
[2010/03/10 16:53:32 | 000,181,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Chuck\Desktop\TDSSKiller.exe
[2010/03/08 22:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla
[2010/03/08 22:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chuck\Application Data\Mozilla
[2010/03/08 22:38:58 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/03/08 22:02:59 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chuck\Desktop\OTL.exe
[2010/03/08 21:23:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/08 21:21:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/08 21:21:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/08 21:21:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/08 21:21:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/08 21:21:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/08 21:20:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/27 17:35:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chuck\Desktop\gmer
[2010/02/27 13:11:02 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Chuck\Desktop\cwshredder.exe
[2010/02/27 13:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/02/27 13:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/27 12:44:53 | 097,364,760 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Chuck\Desktop\Ad-AwareInstaller.exe
[2010/02/22 19:35:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/08/03 02:19:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/12/08 09:53:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/09/04 06:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/01/05 12:32:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2007/01/05 11:04:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/01/05 11:04:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/09/24 03:49:16 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Chuck\My Documents\*.tmp files -> C:\Documents and Settings\Chuck\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2409/05/09 13:53:33 | 000,000,204 | ---- | M] () -- C:\Plugins
[2010/03/14 15:49:44 | 000,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 15:49:44 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 15:49:44 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 15:46:49 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010/03/14 15:46:48 | 000,001,389 | -HS- | M] () -- C:\hpqp.ini
[2010/03/14 15:46:41 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2010/03/14 11:53:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/14 11:53:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/14 11:53:34 | 937,676,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/13 16:32:07 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Chuck\NTUSER.DAT
[2010/03/13 16:32:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Chuck\ntuser.ini
[2010/03/13 16:22:48 | 005,320,970 | -H-- | M] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\IconCache.db
[2010/03/13 16:20:22 | 000,000,736 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/11 20:10:11 | 000,000,259 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/11 20:05:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/11 20:05:43 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/11 19:27:39 | 000,017,058 | -HS- | M] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\jAqYco
[2010/03/11 19:19:39 | 000,181,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Chuck\Desktop\TDSSKiller.exe
[2010/03/11 19:15:29 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/03/11 19:13:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Bquwuwamoheyeval.dat
[2010/03/11 19:13:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Sjatahazuyos.bin
[2010/03/08 22:39:13 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/03/08 22:39:04 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/08 22:25:04 | 000,020,992 | ---- | M] () -- C:\WINDOWS\System32\ommo.pyo
[2010/03/08 22:03:01 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chuck\Desktop\OTL.exe
[2010/03/08 21:23:49 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/08 21:19:23 | 003,882,589 | R--- | M] () -- C:\Documents and Settings\Chuck\Desktop\ComboFix.exe
[2010/02/28 11:02:59 | 000,096,512 | ---- | M] () -- C:\WINDOWS\atapi.old
[2010/02/27 21:59:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/27 13:30:15 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Chuck\Desktop\dds.scr
[2010/02/27 13:29:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Chuck\defogger_reenable
[2010/02/27 13:29:04 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Chuck\Desktop\Defogger.exe
[2010/02/27 13:06:24 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Chuck\Desktop\cwshredder.exe
[2010/02/27 13:04:25 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/27 13:04:25 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/27 12:45:01 | 097,364,760 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Chuck\Desktop\Ad-AwareInstaller.exe
[2010/02/24 20:21:25 | 000,108,336 | ---- | M] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/24 20:20:57 | 000,385,608 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/24 04:01:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/17 11:20:48 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Chuck\My Documents\New Microsoft Word Document.doc
[2010/02/13 09:26:21 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Chuck\My Documents\udm ticket receipt.doc
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Chuck\My Documents\*.tmp files -> C:\Documents and Settings\Chuck\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2409/05/09 13:53:47 | 000,000,204 | ---- | C] () -- C:\Plugins
[2010/03/08 22:39:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/08 22:39:04 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/08 22:33:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bquwuwamoheyeval.dat
[2010/03/08 22:33:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Sjatahazuyos.bin
[2010/03/08 22:25:16 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\ommo.pyo
[2010/03/08 22:25:06 | 000,017,058 | -HS- | C] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\jAqYco
[2010/03/08 21:23:48 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/08 21:23:41 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/08 21:21:41 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/08 21:21:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/08 21:21:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/08 21:21:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/08 21:21:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/08 21:19:19 | 003,882,589 | R--- | C] () -- C:\Documents and Settings\Chuck\Desktop\ComboFix.exe
[2010/02/27 13:30:14 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Chuck\Desktop\dds.scr
[2010/02/27 13:29:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chuck\defogger_reenable
[2010/02/27 13:29:04 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Chuck\Desktop\Defogger.exe
[2010/02/27 13:04:25 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/13 09:26:21 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Chuck\My Documents\udm ticket receipt.doc
[2009/12/07 21:59:25 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/06/29 17:37:13 | 000,002,992 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/01 16:44:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/01/06 20:24:36 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/05 17:24:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\VFO.INI
[2007/01/05 15:33:00 | 000,000,494 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/05 12:31:56 | 000,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2007/01/05 12:31:56 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/01/05 12:09:43 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\fusioncache.dat
[2006/04/20 09:34:38 | 000,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2006/04/20 09:34:24 | 000,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/04/11 10:24:23 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/04/11 10:20:19 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/04/11 09:59:58 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/04/11 09:45:34 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/04/11 09:38:10 | 000,003,440 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/12/20 19:24:03 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/08/07 09:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 09:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


Catchme:
File "C:\ComboFix\MT_proquota.exe.tmp" added successfully


Log:
ComboFix 10-03-08.01 - Chuck 03/14/2010 15:55:39.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.516 [GMT -4:00]
Running from: c:\documents and settings\Chuck\Desktop\ComboFix.exe
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

Infected copy of c:\windows\system32\proquota.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP690\A0193204.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-14 to 2010-03-14 )))))))))))))))))))))))))))))))
.

2409-05-09 17:54 . 2409-05-09 19:11 -------- d-----w- c:\documents and settings\Jenn\Local Settings\Application Data\PMB Files
2409-05-09 17:53 . 2009-05-30 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2409-05-09 17:53 . 2409-05-09 17:53 -------- d-----w- c:\program files\Pando Networks
2010-03-14 10:52 . 2008-04-13 13:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-12 00:07 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 00:03 . 2008-04-14 00:12 39936 ----a-w- c:\windows\system32\proquota.exe
2010-03-09 02:39 . 2010-03-09 02:39 0 ----a-w- c:\windows\nsreg.dat
2010-03-09 02:39 . 2010-03-09 02:39 -------- d-----w- c:\documents and settings\Chuck\Local Settings\Application Data\Mozilla
2010-03-09 02:33 . 2010-03-11 23:13 120 ----a-w- c:\windows\Bquwuwamoheyeval.dat
2010-03-09 02:33 . 2010-03-11 23:13 0 ----a-w- c:\windows\Sjatahazuyos.bin
2010-02-27 21:09 . 2010-02-27 21:09 -------- d-sh--w- c:\documents and settings\Zack\IECompatCache
2010-02-27 21:07 . 2010-02-27 21:07 -------- d-sh--w- c:\documents and settings\Jenn\IECompatCache
2010-02-27 17:04 . 2010-02-27 17:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-27 17:03 . 2010-02-27 17:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 14:00 . 2007-01-05 22:35 -------- d-----w- c:\program files\Yahoo!
2010-02-27 17:04 . 2007-06-21 00:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-27 16:49 . 2007-01-05 16:23 -------- d-----w- c:\program files\Trend Micro
2010-02-26 22:24 . 2007-01-05 20:28 108336 ----a-w- c:\documents and settings\Jenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 21:50 . 2007-11-27 23:39 108336 ----a-w- c:\documents and settings\Zack\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 00:21 . 2007-01-05 16:09 108336 ----a-w- c:\documents and settings\Chuck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-06 14:46 . 2010-02-06 14:44 -------- d-----w- c:\program files\iTunes
2010-02-06 14:44 . 2010-02-06 14:44 -------- d-----w- c:\program files\iPod
2010-02-06 14:44 . 2007-12-25 13:05 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 14:40 . 2009-07-12 21:22 -------- d-----w- c:\program files\QuickTime
2010-02-06 14:34 . 2010-02-06 14:34 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 14:30 . 2010-02-06 14:30 -------- d-----w- c:\program files\Safari
2010-02-06 14:27 . 2010-02-06 14:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-27 11:46 . 2010-01-27 11:46 -------- d-----w- c:\program files\MSECache
2010-01-27 11:33 . 2010-01-27 11:33 38808920 ----a-w- C:\FileFormatConverters.exe
2010-01-21 01:03 . 2009-05-30 16:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 20:29 . 2010-01-10 20:29 144160 ----a-w- c:\documents and settings\Chuck\Application Data\Move Networks\uninstall.exe
2010-01-10 20:29 . 2009-12-10 21:23 4183416 ----a-w- c:\documents and settings\Chuck\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2006-09-03 05:38 . 2007-01-05 15:28 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\asyncmac.sys

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtServicePackUninstall$\qmgr.dll

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtUninstallKB923191$\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\cryptsvc.dll

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-04 08:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lpk.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\$NtServicePackUninstall$\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\netlogon.dll

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2004-11-17 . 902CF9595F640E53F33C0F1637F464F9 . 171008 . . [5.1.2600.2567] . . c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB888402$\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-04 05:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-04 08:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\msgsvc.dll

[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 08:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2004-08-04 08:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\$NtServicePackUninstall$\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB931261$\upnphost.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-09_01.44.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-07 13:10 . 2010-03-09 01:33 72306 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2010-03-14 20:11 72306 c:\windows\system32\perfc009.dat
- 2010-01-27 11:47 . 2010-01-27 11:47 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-03-13 20:15 . 2010-03-13 20:15 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2004-08-07 13:10 . 2010-03-14 20:11 444596 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2010-03-09 01:33 444596 c:\windows\system32\perfh009.dat
+ 2010-02-06 14:30 . 2010-03-09 02:33 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
- 2010-02-06 14:30 . 2010-02-06 14:30 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-01-05 19:32 . 2010-03-13 20:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-01-05 19:32 . 2010-02-10 16:15 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-02-04 23:11 . 2010-02-04 23:11 5526528 c:\windows\Installer\97a1086.msp
+ 2010-01-27 22:53 . 2010-01-27 22:53 6820864 c:\windows\Installer\97a1070.msp
+ 2010-02-21 06:00 . 2010-02-21 06:00 8480768 c:\windows\Installer\97a105a.msp
+ 2007-01-05 18:16 . 2010-03-02 05:30 31648712 c:\windows\system32\MRT.exe
+ 2009-08-17 22:39 . 2009-08-17 22:39 15119720 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6514\XL12CNV.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
"56857:TCP"= 56857:TCP:Pando Media Booster
"56857:UDP"= 56857:UDP:Pando Media Booster

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/31/2008 4:19 PM 103304]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [7/31/2008 4:19 PM 353672]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://pccreg.antivirus.com/11/PCC/110/PccReg/wcoRegister.asp?SN=AWEF-0019-3577-1042-6942&GUID=F1F3F3F4F3F2F3F6F2F5F1F0F7F2C3&VID=USP1010002&PID=CBB0
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Chuck\Application Data\Mozilla\Firefox\Profiles\it3u3o5o.default\
FF - plugin: c:\documents and settings\Chuck\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????a?u?l?t??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(1268)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WININET.dll
c:\windows\system32\wdfproc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-03-14 16:22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-14 20:22

Pre-Run: 41,801,973,760 bytes free
Post-Run: 41,782,083,584 bytes free

- - End Of File - - 70C303F6AC03A47FFE69E56B653625B9


#15 Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:29 AM

Posted 15 March 2010 - 12:36 PM

Hi-

How are the redirects? Are they gone? How is the computer acting?

Looking at your logs, I don't see an antivirus program running on your machine, and one is needed to help prevent more infections.
  • Download and install an antivirus program, and make sure that you keep it updated.
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs, free for non-commercial home use, are Avast! and Antivir.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impair the performance of your PC.

We need to do some more cleanup and checking.

First, we need to delete some items.

We need to run an OTL Fix:
  • Please reopen on your desktop.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    [2010/03/08 22:33:31 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bquwuwamoheyeval.dat
    [2010/03/08 22:33:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Sjatahazuyos.bin
    [2010/03/08 22:25:16 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\ommo.pyo
    [2010/03/08 22:25:06 | 000,017,058 | -HS- | C] () -- C:\Documents and Settings\Chuck\Local Settings\Application Data\jAqYco
    [2010/02/28 11:02:59 | 000,096,512 | ---- | M] () -- C:\WINDOWS\atapi.old
  • Push
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click .
  • A report will open. Copy and Paste that report in your next reply.

Second, I notice you have MalwareBytes' Anti-Malware (MBAM) installed. Please run it:
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Note: If you are unable to get MBAM to run, download one of the following Rkill programs to your desktop, run it, and then try MBAM again. If you are unable to run the Rkill you downloaded, download another one, and try it.
Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down the Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

In your next reply, please copy in the OTL, MBAM and ESET logs.

Thanks

Shannon
