searches and windows update redirected


This topic is locked
35 replies to this topic

#1 bweb

Members, 24 posts

Posted 27 March 2010 - 01:25 PM

Hi,

After removing several viruses from a friend's computer, search results still redirect to random pages and the Windows Update link redirects to 'cannot display web page/diagnose connection'. XP SP3 installation from auto updates also fails.

Viruses were the result of Norton's trial expiring and not automatically or manually installing MS updates. Installed AVG Free and Spybot S&D. To clean we ran many removers repeatedly, including in safe mode: SAS, MBAM, MS MSRT, ClamWin, CureIt and Anti-Rootkits by Sophos and BlackLight.

No proxy settings visible in LAN settings, or if there were we removed them at some point.

Some of the pages searches redirect to include:
hxxp://www.apartmentfinder.com/search.aspx?ecid=PS|ADM|21189S114209140

hxxp://www.informationgetter.com/search-results.aspx?keywords=Combof

hxxp://dc1e.89e1ra2.com/click.php?s=1&k=859121287&pub=28

Those are from clicking the following search result 3 times:
hxxp://rds.yahoo.com/_ylt=A0geu.OMT61LiU8BqyBXNyoA;_ylu=X3oDMTEzYTBoZ2s3BHNlYwNzcgRwb3MDMQRjb2xvA2FjMgR2dGlkA1IyMDZfMTMy/SIG=12g9q00pn/EXP=1269735692/**http%3a//www.bleepingcomputer.com/combofix/how-to-use-combofix

(After reading, did nothing with ComboFix yet)

Thanks for being there!

--- DDS GMER and SOPHOS logs ---

DDS (Ver_10-03-17.01) - NTFSx86
Run by remi batchelor at 21:22:36.21 on Fri 03/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.265 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\remi batchelor\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = about:blank
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://as.weatherstudio.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDsHkhWqtO3esR/2Yc7mDQs7FQlzqjTVcECLIJMXxcG4eWlYXfFYFvz9wvqIb4d/sBdJoN0O5aoauhUf8Pk7ZoRibFjZfDaDHRSCe51JeZQarHv9t03V5+N3yV1TA7K66ARpiVf86mRFmk2sUDhAIPLGhiqDqG037u
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {849CC480-5983-4D30-A12C-774E8E8D8291} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - No File
TB: {C6139A57-16FB-4FA4-8045-A847FBFFD695} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {08FCF7E3-5F7D-444E-8554-76A516EB3C6C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\remiba~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli SRSCINL.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\remiba~1\applic~1\mozilla\firefox\profiles\o6xc36ln.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - HiddenExtension: XUL Cache: {00CC4C79-B44F-4A8D-970E-B75CADCCDCC7} - c:\documents and settings\remi batchelor\local settings\application data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-15 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-15 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-15 242696]
R1 SASDIFSV;SASDIFSV;c:\docume~1\remiba~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-3-5 9968]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2010-3-26 65664]
S1 SASKUTIL;SASKUTIL; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\remiba~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\remiba~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-03-26 23:03:16 65664 ----a-w- c:\windows\system32\drivers\s3legacy.sys
2010-03-26 23:02:48 66048 ----a-w- c:\windows\system32\s3legacy.dll
2010-03-24 01:53:08 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 01:53:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-24 01:42:38 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2010-03-18 14:46:16 5760 ------w- c:\windows\system32\B1.tmp
2010-03-17 23:37:11 0 d-----w- c:\docume~1\remiba~1\applic~1\Malwarebytes
2010-03-17 23:36:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 23:36:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 23:36:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 23:36:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 01:30:36 0 d-----w- c:\windows\EHome
2010-03-16 13:37:19 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-16 13:29:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-16 12:37:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-16 12:37:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 01:52:23 3248 ----a-w- c:\windows\system32\wbem\Outlook_01cac4ab52286a34.mof
2010-03-16 01:37:13 0 d--h--w- C:\$AVG
2010-03-16 00:38:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 00:38:19 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 00:38:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-16 00:37:55 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-16 00:37:33 0 d-----w- c:\program files\AVG
2010-03-16 00:37:31 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-14 21:48:51 0 d-----w- c:\program files\Support Tools
2010-03-12 22:30:45 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-09 09:03:29 444 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-09 05:27:50 0 d-----w- c:\docume~1\remiba~1\applic~1\SUPERAntiSpyware.com
2010-03-09 05:27:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-09 05:26:03 5760 ------w- c:\windows\system32\1.tmp

==================== Find3M ====================

2010-03-24 23:45:11 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-26 21:21:52 69612 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-05-05 10:34:57 0 --sha-w- c:\windows\system32\_itmp_744.exe
2009-04-25 19:54:56 2464 --sha-w- c:\windows\system32\_itmp_791.exe

============= FINISH: 21:24:04.20 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-27 13:20:32
Windows 5.1.2600 Service Pack 2
Running: m8s80iv1.exe; Driver: C:\DOCUME~1\REMIBA~1\LOCALS~1\Temp\kxloapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF849F394]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF88CB760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF4E05F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[944] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\wuauclt.exe[944] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\wuauclt.exe[944] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1312] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C
.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0214000A
.text C:\WINDOWS\System32\svchost.exe[1312] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0201000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 822EFB4C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



-----
Sophos Anti-Rootkit results after other cleaners

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\464E4D028170628CB86B09C4B91FD260\viyjbutj
Removable: No
Notes: (type 1, length 335944) "G B o [ O L W ? O ] k O U T K a P @ s n @ N v K J O s ` = V ^ K A F n Z " ... "A ! ! "

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-1864049697-355751861-2860070815-1006\Software\BitComet\BitComet\IEHtmlText
Removable: No
Notes: (type 3, length 61708) "< H E A D > < T I T L E > D e v i l T u b e - F r e e P o r n " ... "O D Y > "


Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-1864049697-355751861-2860070815-1006\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\UserFile
Removable: No
Notes: (type 3, length 79044) "\x01 \xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8cz \xc0O\xc2\x97\xeb\x01 \xa6\xbf\xeb\x14\x12i\xceB\xbe\x16c\x0c\xfd!J\xd1 $ S m a r t S c r e e n " ... "\x85\xc9\x91\xe9\xecc\xd7\x98"


---

Searching in Regedit I cannot find any portion of the text strings from the Sophos results directly above.

Thanks again!
bweb

Edited by Orange Blossom, 27 March 2010 - 07:38 PM.
Deactivate links. ~ OB
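Two of the checks whose output appears in this thread can be reproduced on a copy of any PE file: GMER's ".rsrc ... entry point in '.rsrc' section" line for atapi.sys (a driver's entry point should sit in a code section such as .text or INIT, never in the resource section), and the ComboFix Sigcheck block further down, which compares the MD5 of the live driver against other copies. The Python below is an added example written for this page, not GMER's or ComboFix's own code; the three PE images it analyses are constructed in-memory stubs (a pristine copy, a copy whose entry point was moved into .rsrc, and a driver with DriverEntry in INIT), not real Windows drivers, and the function and constant names are this example's own. One caveat a practitioner should keep in mind: a hash computed through the normal file API only sees what that I/O path returns, which is how a live atapi.sys can hash identically to the dllcache copy while a rootkit scanner that goes around the disk stack still reports a modification.

```python
# Added example for this thread, not GMER's or ComboFix's code.
# All PE images below are constructed stubs, not real drivers.
import hashlib
import struct
from dataclasses import dataclass

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) for a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections, off = [], opt + size_opt       # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, _p, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, chars))
        off += 40
    return entry_rva, sections


def entry_point_verdict(image: bytes):
    """GMER-style check: which section holds the entry point, and should it?"""
    entry_rva, sections = parse_sections(image)
    home = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if home is None:
        return "suspicious", "entry point 0x%X lies outside every section" % entry_rva
    executable = home.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    detail = 'entry point in "%s" section' % home.name
    # A resource section never legitimately holds DriverEntry, even when an
    # infector has flipped its execute bit. INIT is normal for a driver.
    if home.name == ".rsrc" or not executable:
        return "suspicious", detail
    return "ok", detail


def hash_compare(live: bytes, reference: bytes) -> dict:
    """Sigcheck-style check: MD5 of the live file against a reference copy."""
    live_md5 = hashlib.md5(live).hexdigest().upper()
    ref_md5 = hashlib.md5(reference).hexdigest().upper()
    return {"live_md5": live_md5, "reference_md5": ref_md5, "match": live_md5 == ref_md5}


def build_pe(sections_spec, entry_rva: int) -> bytes:
    """Build a minimal PE32 image; sections_spec is [(name, rva, size, characteristics)]."""
    opt_size, file_align = 0xE0, 0x200
    num = len(sections_spec)
    headers_end = (0x40 + 4 + 20 + opt_size + 40 * num + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000)                 # ImageBase
    table, body, raw_ptr = b"", b"", headers_end
    for name, rva, size, chars in sections_spec:
        raw_size = (size + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, rva, raw_size,
                             raw_ptr, 0, 0, 0, 0, chars)
        body += bytes(raw_size)
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_end, b"\0")
    return headers + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed samples: a pristine copy, a patched copy whose entry point was moved
# into .rsrc (execute bit set to mimic an infector), and a driver entering via INIT.
CLEAN_IMAGE = build_pe([(".text", 0x1000, 0x400, CODE), (".rsrc", 0x2000, 0x200, DATA)], 0x1010)
PATCHED_IMAGE = build_pe([(".text", 0x1000, 0x400, CODE),
                          (".rsrc", 0x2000, 0x200, DATA | IMAGE_SCN_MEM_EXECUTE)], 0x2020)
DRIVER_IMAGE = build_pe([(".text", 0x1000, 0x400, CODE), ("INIT", 0x3000, 0x200, CODE)], 0x3000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE), ("driver", DRIVER_IMAGE)):
        print(label, *entry_point_verdict(img))
    print("live vs reference:", hash_compare(PATCHED_IMAGE, CLEAN_IMAGE))
```

To use it on a real file, read the live driver and the dllcache or service-pack copy as bytes and pass them to `entry_point_verdict` and `hash_compare`; the name check on `.rsrc` is deliberate, because an infector that relocates the entry point can also set the section's execute flag, so characteristics alone are not enough.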


#2 km2357

Malware Response Team, 1,784 posts, California

Posted 31 March 2010 - 01:16 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post two fresh DDS logs (DDS.txt and Attach.txt) and a fresh GMER log.

MalWare Removal University Master

Member of ASAP


#3 km2357

Malware Response Team, 1,784 posts, California

Posted 03 April 2010 - 11:48 AM

bweb? Do you still need help?



#4 bweb (Topic Starter)

Members, 24 posts

Posted 03 April 2010 - 10:12 PM

Yes! Also sorry for delay... checked daily until just before your reply.
That computer has been off since the logs were posted.
Are fresh scans still needed if the computer has been off?
I can access the computer Sunday and post fresh scans if needed.
Thanks!

#5 km2357

Malware Response Team, 1,784 posts, California

Posted 04 April 2010 - 12:13 PM

Since the computer hasn't been on since you first started the thread, there's no need for fresh logs. We'll continue on with the fix.



IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Vuze

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident


Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


If you have downloaded ComboFix in the past please delete ComboFix.exe from the computer, then follow the step below:

Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.



#6 bweb (Topic Starter)

Members, 24 posts

Posted 05 April 2010 - 08:42 AM

Thanks for your support!
Vuze uninstalled (not my machine, but all such judgements permitted).
Still redirecting searches and MS Update.
Might be faster, but S&D TeaTimer is still off.

ComboFix 10-04-04.01 - remi batchelor 04/05/2010 8:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.215 [GMT -4:00]
Running from: c:\documents and settings\remi batchelor\Desktop\bwebcf.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk
c:\program files\License_Manager
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\1.tmp

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 12:30 . 2010-04-05 12:30 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-05 12:30 . 2010-04-05 12:30 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-26 23:03 . 2001-08-17 17:57 65664 ----a-w- c:\windows\system32\drivers\s3legacy.sys
2010-03-26 23:02 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\s3legacy.dll
2010-03-25 02:13 . 2010-03-25 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-03-18 01:18 . 2010-03-18 01:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-18 01:16 . 2010-03-18 01:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-17 23:37 . 2010-03-17 23:37 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\Malwarebytes
2010-03-17 23:36 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 23:36 . 2010-03-17 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 23:36 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 23:36 . 2010-03-17 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 01:30 . 2010-03-18 19:30 -------- d-----w- c:\windows\EHome
2010-03-16 21:09 . 2010-03-16 21:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-16 13:37 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-16 13:29 . 2010-03-16 13:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-16 12:37 . 2010-03-16 12:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 12:21 . 2010-03-16 12:21 152576 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-16 12:19 . 2010-03-16 12:19 79488 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-16 01:37 . 2010-03-16 01:37 -------- d-----w- C:\$AVG
2010-03-16 00:42 . 2010-03-24 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-16 00:38 . 2010-03-16 00:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 00:38 . 2010-03-16 00:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 00:38 . 2010-03-16 00:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-16 00:38 . 2010-03-16 00:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 00:37 . 2010-04-05 12:28 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-16 00:37 . 2010-03-16 00:37 -------- d-----w- c:\program files\AVG
2010-03-16 00:37 . 2010-03-16 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-14 21:48 . 2010-03-14 21:48 -------- d-----w- c:\program files\Support Tools
2010-03-12 22:30 . 2004-08-04 04:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-09 09:03 . 2010-03-27 04:26 1208 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-09 05:27 . 2010-03-09 05:27 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\SUPERAntiSpyware.com
2010-03-09 05:27 . 2010-03-09 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 12:33 . 2010-03-24 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-26 22:43 . 2004-11-09 17:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 23:45 . 1980-01-01 06:00 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-24 23:45 . 2010-03-24 01:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 13:14 . 2010-01-26 21:49 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\Azureus
2010-03-24 01:44 . 2010-03-24 01:42 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2010-03-18 02:49 . 2010-03-18 02:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-18 01:25 . 2010-03-18 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-16 12:32 . 2005-03-03 13:36 -------- d-----w- c:\program files\Java
2010-03-14 21:21 . 2009-08-10 04:56 -------- d-----w- c:\program files\PopCap Games
2010-03-14 21:18 . 2010-01-26 21:53 -------- d-----w- c:\program files\Microsoft
2010-03-14 21:04 . 2009-02-26 16:23 -------- d-----w- c:\program files\Google
2010-02-26 07:28 . 2010-02-26 07:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-02-16 18:10 . 2010-02-16 18:10 10686001 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\azump\mplayer.exe
2010-02-13 08:30 . 2005-03-08 01:47 85184 ----a-w- c:\documents and settings\remi batchelor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 05:03 . 2010-02-12 05:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-11 08:54 . 2010-01-26 21:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-10 08:02 . 2010-02-10 08:02 -------- d-----w- c:\program files\Microsoft.NET
2010-02-10 04:54 . 2010-02-10 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-10 04:51 . 2010-02-10 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-26 21:58 . 2010-01-26 21:58 4141117 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-01-26 21:58 . 2010-01-26 21:58 6516755 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-01-26 21:21 . 2010-01-26 21:21 69612 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-03 21:09 . 2007-04-06 22:43 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-03 21:09 . 2007-04-06 22:43 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-03 21:09 . 2007-04-06 22:43 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-03 21:09 . 2007-04-06 22:43 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-03 21:09 . 2007-04-06 22:43 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-05 10:34 . 2009-05-05 10:34 0 --sha-w- c:\windows\SYSTEM32\_itmp_744.exe
2009-04-25 19:54 . 2009-04-25 19:54 2464 --sha-w- c:\windows\SYSTEM32\_itmp_791.exe
.

------- Sigcheck -------

[-] 2010-03-24 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\ASYNCMAC.SYS

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\BEEP.SYS

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\KBDCLASS.SYS

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\NDIS.SYS

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\SYSTEM32\DLLCACHE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\SYSTEM32\DRIVERS\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\NULL.SYS

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\BROWSER.DLL

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\LSASS.EXE

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\SYSTEM32\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\SYSTEM32\QMGR.DLL

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\SYSTEM32\rpcss.dll
[-] 2009-02-09 . 01095FEBF33BEEA00C2A0730B9B3EC28 . 399360 . . [5.1.2600.3520] . . c:\windows\SYSTEM32\DLLCACHE\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll

[-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\SYSTEM32\services.exe
[-] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\SYSTEM32\DLLCACHE\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\SYSTEM32\spoolsv.exe
[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\WINLOGON.EXE

[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\SYSTEM32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\SYSTEM32\DLLCACHE\comctl32.dll
[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtUninstallKB923191$\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\CRYPTSVC.DLL

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\SYSTEM32\es.dll
[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\SYSTEM32\DLLCACHE\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-04 11:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\IMM32.DLL

[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\SYSTEM32\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2006-07-05 . D8DB5397DE07577C1CB50BA6D23B3AD4 . 984064 . . [5.1.2600.2945] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917422$\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\SYSTEM32\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\LPK.DLL

[-] 2010-02-25 . 7054F6ADC9B670887659F1561603B0D0 . 5944832 . . [8.00.6001.18904] . . c:\windows\SoftwareDistribution\Download\4de233d8d67cd9916ac28a2d43724f55\SP3GDR\mshtml.dll
[-] 2010-02-25 . 974772C74DA7C7A8E7C813A9908A845F . 5946880 . . [8.00.6001.22995] . . c:\windows\SoftwareDistribution\Download\4de233d8d67cd9916ac28a2d43724f55\SP3QFE\mshtml.dll
[-] 2009-12-21 . BE6EEBEF636773A8E7A82214E81C563A . 5942784 . . [8.00.6001.18876] . . c:\windows\SYSTEM32\mshtml.dll
[-] 2009-12-21 . BE6EEBEF636773A8E7A82214E81C563A . 5942784 . . [8.00.6001.18876] . . c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
[-] 2009-12-21 . E6B64C6C729BBC38AB7CC92CE33F97A5 . 5945856 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll
[-] 2009-10-29 . C0F9AC6FAB2C788FFEE3E69585A0E93F . 5944320 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
[-] 2009-10-29 . CBB1EF54B86EDB78649909DD1699E5CA . 5940736 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\mshtml.dll
[-] 2009-08-29 . E52A845DCE011D56B12B8F3F4606F956 . 3598336 . . [7.00.6000.16915] . . c:\windows\ie8\mshtml.dll
[-] 2009-08-29 . EDAD55105DDD067AE3906011F297267C . 3600384 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\mshtml.dll
[-] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\ie7updates\KB974455-IE7\mshtml.dll
[-] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[-] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[-] 2009-04-29 . C6FD770D518FB024245A0EE217D72BC1 . 3598336 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\mshtml.dll
[-] 2009-02-21 . 1BB754AB47B327DE8DBF2FA18C36357C . 3596800 . . [7.00.6000.21015] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[-] 2009-02-20 . C7C3E41CC2F6EB4A629FE2184136C098 . 3595264 . . [7.00.6000.16825] . . c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2GDR\mshtml.dll
[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2QFE\mshtml.dll
[-] 2008-12-12 . C8169B4320AC0CB8D1ED20454322E839 . 3060224 . . [6.00.2900.3492] . . c:\windows\ie7\mshtml.dll
[-] 2008-12-12 . 6D1D493622EA050DBAABD0C4C1DFADB5 . 3067392 . . [6.00.2900.3492] . . c:\windows\$hf_mig$\KB960714\SP2QFE\mshtml.dll
[-] 2008-12-12 . B6DAA74E2ED36C71B502945589A683AE . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . C828AA1C5469E72251F3D367005E589F . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
[-] 2008-10-16 . CC5A2205D37AE67CE23AB7FD3E1FDACA . 3067904 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[-] 2008-10-16 . C99D8B48FC245D98E1A2BAB6594458C9 . 3067392 . . [6.00.2900.3462] . . c:\windows\$hf_mig$\KB958215\SP2QFE\mshtml.dll
[-] 2008-10-16 . B846C2DE341CF32B42AD297437233742 . 3067904 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
[-] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\mshtml.dll
[-] 2008-04-21 . C75C6AD32C28BCE0D14E1CA2AB4862DC . 3059712 . . [6.00.2900.3354] . . c:\windows\$NtUninstallKB960714$\mshtml.dll
[-] 2008-04-21 . 083B967E6B0B2BB539CE6B08D45D631F . 3066880 . . [6.00.2900.3354] . . c:\windows\$hf_mig$\KB950759\SP2QFE\mshtml.dll
[-] 2008-04-21 . FE406DE0651C9E8201DCB0460609D739 . 3066880 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[-] 2008-04-21 . 46A61BA430110F00DD990D058AA3D054 . 3067392 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[-] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2007-06-15 . 53F3FD772C010622346C39284C4A863B . 3064320 . . [6.00.2900.3157] . . c:\windows\$hf_mig$\KB937143\SP2QFE\mshtml.dll
[-] 2007-06-14 . F049C52772FC86FD5F6C16D77A2A6204 . 3058688 . . [6.00.2900.3157] . . c:\windows\$NtUninstallKB950759$\mshtml.dll
[-] 2007-05-04 . 00ADCB32832A10ED9419493BCEA97526 . 3064320 . . [6.00.2900.3132] . . c:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-05-04 . 4D92717B5BBCE85F1254BAD23B0D357C . 3058688 . . [6.00.2900.3132] . . c:\windows\$NtUninstallKB937143$\mshtml.dll
[-] 2007-02-20 . 6B9D083C0D4C4555FE011B01A98872DA . 3056640 . . [6.00.2900.3086] . . c:\windows\$NtUninstallKB933566$\mshtml.dll
[-] 2007-02-20 . 2991727809C7AC3A33E4178CC73244D8 . 3063296 . . [6.00.2900.3086] . . c:\windows\$hf_mig$\KB931768\SP2QFE\mshtml.dll
[-] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2007-01-04 . F31274D7667D83E73C6EE16D2206B76C . 3056640 . . [6.00.2900.3059] . . c:\windows\$NtUninstallKB931768$\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2006-10-23 . 5FC7DE1195C8E9B5360FD65DBE95E5B0 . 3055104 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB928090$\mshtml.dll
[-] 2006-09-14 . BE45460D1453B7342E01EAE79BFBC681 . 3054592 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454$\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-05-19 . 284CE76B71DD5260B42A3CCF0135AF67 . 3052544 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB918899$\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-03-23 . DEAA438EA31095E14A196FF647E38D13 . 3053568 . . [6.00.2900.2873] . . c:\windows\$NtUninstallKB916281$\mshtml.dll
[-] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[-] 2005-11-24 . D3F037F5DA702AE9DDD7663EC9D78BA7 . 3018240 . . [6.00.2900.2802] . . c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[-] 2005-11-24 . 5E7A39950EA133BB54719A6E08C544A7 . 3015680 . . [6.00.2900.2802] . . c:\windows\$NtUninstallKB912812$\mshtml.dll
[-] 2005-05-02 . DCC5C79B99F02EEF8C826B074DBFC222 . 3014144 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[-] 2005-05-02 . DCFAC5470EE0A159EC4222BC28AE3EE6 . 3012608 . . [6.00.2900.2668] . . c:\windows\$NtUninstallKB905915$\mshtml.dll
[-] 2005-03-10 . 84A1B9B0C362051E68BB131F14C6DAAD . 3010560 . . [6.00.2900.2627] . . c:\windows\$NtUninstallKB883939$\mshtml.dll
[-] 2005-03-10 . 255C2CE965543ABDC3E0A25A5DA1874A . 3011072 . . [6.00.2900.2627] . . c:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[-] 2005-01-27 . FAE3CA9B2459581C45B3A8845BE3077C . 3006976 . . [6.00.2900.2604] . . c:\windows\$NtUninstallKB890923$\mshtml.dll
[-] 2005-01-27 . 91C5ADE25BC4E3322577854FA2E7B58B . 3008000 . . [6.00.2900.2604] . . c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[-] 2004-09-29 . D94E6405E420373161467ACD3DA65640 . 3004928 . . [6.00.2900.2523] . . c:\windows\$NtUninstallKB867282$\mshtml.dll
[-] 2004-09-29 . 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 . 3004928 . . [6.00.2900.2524] . . c:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB834707$\mshtml.dll

[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\asms\70\msft\windows\mswincrt\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\SYSTEM32\MSVCRT.DLL

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\SYSTEM32\DLLCACHE\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2009-02-06 . 6C476D33D82F1054849790181E8F7772 . 408064 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[-] 2009-02-06 . 6C476D33D82F1054849790181E8F7772 . 408064 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\NETLOGON.DLL

[-] 2009-12-09 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe
[-] 2009-12-08 . 78EC47F9B9A3A1D539262D8834C896CE . 2189184 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3GDR\ntoskrnl.exe
[-] 2009-12-08 . 5648297DBF1C631164F779863DF9D5BF . 2180352 . . [5.1.2600.3654] . . c:\windows\Driver Cache\I386\ntoskrnl.exe
[-] 2009-12-08 . 5648297DBF1C631164F779863DF9D5BF . 2180352 . . [5.1.2600.3654] . . c:\windows\SYSTEM32\ntoskrnl.exe
[-] 2009-12-08 . 5648297DBF1C631164F779863DF9D5BF . 2180352 . . [5.1.2600.3654] . . c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
[-] 2009-12-08 . 128D88B3176E70B2E3088ECEB842B673 . 2185984 . . [5.1.2600.3654] . . c:\windows\$hf_mig$\KB977165\SP2QFE\ntoskrnl.exe
[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntoskrnl.exe
[-] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\$NtUninstallKB977165$\ntoskrnl.exe
[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[-] 2009-08-04 . 8DF112C341425F29DB4566B8D2A96A7F . 2185984 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntoskrnl.exe
[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . FACEBB0CA3154F77009CDFEE78A00BBB . 2180480 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 . 21C91DA9CB53AA8A37041BA9684A8458 . 2180352 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2006-12-19 . CEF243F6DEFD20BE4ADDE26C7ECACB54 . 2182016 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 . 8F0DEAB1F81FB83F9C5995853CE48B9F . 2180352 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2005-03-02 . 4D4CF2C14550A4B7718E94A6E581856E . 2179328 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\SYSTEM32\POWRPROF.DLL

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SCECLI.DLL

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SFC.DLL

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SVCHOST.EXE

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\SYSTEM32\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\SYSTEM32\DLLCACHE\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\USERINIT.EXE

[-] 2010-02-25 . 7A42CFED96CDA7F2FB1A26D1F9F65775 . 916480 . . [8.00.6001.18904] . . c:\windows\SoftwareDistribution\Download\4de233d8d67cd9916ac28a2d43724f55\SP3GDR\wininet.dll
[-] 2010-02-25 . 4458D59F2B0369F4D3B137541D284041 . 919040 . . [8.00.6001.22995] . . c:\windows\SoftwareDistribution\Download\4de233d8d67cd9916ac28a2d43724f55\SP3QFE\wininet.dll
[-] 2009-12-21 . FF4241C74E0C0A5AFFFE05F584213ECB . 916480 . . [8.00.6001.18876] . . c:\windows\SYSTEM32\wininet.dll
[-] 2009-12-21 . FF4241C74E0C0A5AFFFE05F584213ECB . 916480 . . [8.00.6001.18876] . . c:\windows\SYSTEM32\DLLCACHE\wininet.dll
[-] 2009-12-21 . 5E1F666B8955FD77E65D65C4C4D882A3 . 916480 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll
[-] 2009-10-29 . 6AF52998B90F72FF2325D84D90EDA1CC . 916480 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll
[-] 2009-10-29 . 75240F6EDBCE7B85DF66874407D38A4F . 916480 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\wininet.dll
[-] 2009-08-29 . DB111200015F08DDDB8857E11C6A80E3 . 832512 . . [7.00.6000.16915] . . c:\windows\ie8\wininet.dll
[-] 2009-08-29 . A5885AF9BFBD942B828E6020AD326517 . 840704 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\wininet.dll
[-] 2009-06-29 . 4C6B4138165A4C53FE8A5B1D809526C3 . 828928 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[-] 2009-06-29 . A39B7BA7AB9B1CC2A0009F59772DB83C . 827392 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\wininet.dll
[-] 2009-04-29 . 8E2D471157B0DF329D8D0EA5D83B0DDB . 827392 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\wininet.dll
[-] 2009-04-29 . 62CCA075F44015147B8971DAFFBCFF76 . 828928 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB976325-IE8\wininet.dll
[-] 2009-03-03 . 28775945CCD53DEE280EF58DEA1A94C4 . 826368 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2009-03-03 . C8667854873938CA13C986F16B0CD183 . 828416 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2QFE\wininet.dll
[-] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2GDR\wininet.dll
[-] 2008-10-16 . 6F1E4BFD78C4E0D05FF3725D59B72925 . 659456 . . [6.00.2900.3462] . . c:\windows\ie7\wininet.dll
[-] 2008-10-16 . 93C9D0A216498EE14EB9B26119BB95EE . 667648 . . [6.00.2900.3462] . . c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
[-] 2008-10-16 . E8FCE58A470999350F64C591557F9E42 . 667136 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-10-16 . 1576318BF08D28CC61D1278114AD8D5B . 666112 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[-] 2008-04-21 . 1EFB8A3EA8454AEC1BB8A240A2845598 . 659456 . . [6.00.2900.3354] . . c:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2008-04-21 . 2E7DE1BF9418B071799EB53DE8CC22F5 . 666624 . . [6.00.2900.3354] . . c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[-] 2008-04-21 . 2B0C24AA747A93A28987B6D65A4A74BC . 666112 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[-] 2008-04-21 . 26F240C250E5B4B395CB4B178BA75437 . 666624 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wininet.dll
[-] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2007-06-26 . E1A3DD68B5380B360A7310A64D9BB188 . 665600 . . [6.00.2900.3164] . . c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-06-26 . 184E47C8F7B331025E6DC92740DB188F . 658944 . . [6.00.2900.3164] . . c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2007-04-18 . 4261BA03AFD659DE04F0A17DFBDD454D . 665600 . . [6.00.2900.3121] . . c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-04-18 . B7156CD97E739F3014BC4D61758F868A . 658944 . . [6.00.2900.3121] . . c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-02-20 . B258C922D22DEEC880B60720531D7627 . 665600 . . [6.00.2900.3086] . . c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[-] 2007-02-20 . 30D1C47E40EFBB792FF8D3C3B51CE507 . 658944 . . [6.00.2900.3086] . . c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-01-04 . 3FFA1573FC274E5AA7467D03941C45EE . 665088 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-01-04 . 8C393DF5234CBCBFF1EE31902D6B40AE . 658944 . . [6.00.2900.3059] . . c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2006-10-23 . 6B2735ADFF5A5D3B9130CA4A794722F0 . 658944 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2006-09-14 . 621AF3F6174A3F60677F5230E28BCC07 . 658944 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-06-23 . 2B4DB890936430C71419037039502752 . 658944 . . [6.00.2900.2937] . . c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-05-10 . 38AB7A56F566D9AAAD31812494944824 . 658432 . . [6.00.2900.2904] . . c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-03-04 . C0845ECBF4F9164E618EE381B79C9032 . 663552 . . [6.00.2900.2861] . . c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-03-04 . 1C0979C7A489BEE573CD0BF4AD94BB06 . 658432 . . [6.00.2900.2861] . . c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2005-10-21 . E7B27B6B6E06CE34EA019FD8B858C613 . 658432 . . [6.00.2900.2781] . . c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2005-10-21 . AF785C4947676A7FC1673FDC5C8D0B5B . 661504 . . [6.00.2900.2781] . . c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2005-05-02 . E1E18136F9DD3DF1AD9C82193A5898A6 . 658944 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-05-02 . 1A078AF3F85D10BA56444C23B3A18E74 . 657920 . . [6.00.2900.2668] . . c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-03-10 . 6F018D6319BE4F96426EA829B79E05D5 . 656896 . . [6.00.2900.2627] . . c:\windows\$NtUninstallKB883939$\wininet.dll
[-] 2005-03-10 . C8663B488996E89A84C3D17C1D12B79E . 657920 . . [6.00.2900.2627] . . c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-01-27 . B5E043E440B210014E021B24CF0A72E3 . 656896 . . [6.00.2900.2577] . . c:\windows\$NtUninstallKB890923$\wininet.dll
[-] 2005-01-27 . A8EAC5330876548E9966A7D13025D196 . 657920 . . [6.00.2900.2598] . . c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2004-09-29 . CBA65B573C66FE23F647FF96E3A10994 . 656896 . . [6.00.2900.2518] . . c:\windows\$NtUninstallKB867282$\wininet.dll
[-] 2004-09-29 . 2C07195588D69A067C2AFDAA31759295 . 656896 . . [6.00.2900.2518] . . c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2004-08-04 . C0823FC5469663BA63E7DB88F9919D70 . 656384 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB834707$\wininet.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\WS2_32.DLL

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SYSTEM32\DLLCACHE\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SRSVC.DLL

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\WSCNTFY.EXE

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\XMLPROV.DLL

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\EVENTLOG.DLL

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SFCFILES.DLL

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\CTFMON.EXE

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\SYSTEM32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\SYSTEM32\DLLCACHE\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\REGSVC.DLL

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SCHEDSVC.DLL

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\SSDPSRV.DLL

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\TERMSRV.DLL

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\ACPIEC.SYS

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\Driver Cache\I386\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\SYSTEM32\DLLCACHE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\SYSTEM32\DRIVERS\aec.sys
[-] 2004-08-04 04:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\AGP440.SYS

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\SYSTEM32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\SYSTEM32\DLLCACHE\mfc40u.dll
[-] 2004-08-04 11:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\MSGSVC.DLL

[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\SYSTEM32\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\SYSTEM32\DLLCACHE\mspmsnsv.dll
[-] 2004-08-04 11:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2009-12-09 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe
[-] 2009-12-08 . A6683E23468776F75EB2D8C6A02AAD3B . 2066048 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3GDR\ntkrnlpa.exe
[-] 2009-12-08 . 384B15FBDCE2A54089A922886DED4EA0 . 2057728 . . [5.1.2600.3654] . . c:\windows\Driver Cache\I386\ntkrnlpa.exe
[-] 2009-12-08 . 384B15FBDCE2A54089A922886DED4EA0 . 2057728 . . [5.1.2600.3654] . . c:\windows\SYSTEM32\ntkrnlpa.exe
[-] 2009-12-08 . 384B15FBDCE2A54089A922886DED4EA0 . 2057728 . . [5.1.2600.3654] . . c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
[-] 2009-12-08 . BC123D9238A0C9BB3D853E407EE77254 . 2063104 . . [5.1.2600.3654] . . c:\windows\$hf_mig$\KB977165\SP2QFE\ntkrnlpa.exe
[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe
[-] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\$NtUninstallKB977165$\ntkrnlpa.exe
[-] 2009-08-04 . 97E912E94CCED4064F5DEEE5C25A9278 . 2062976 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntkrnlpa.exe
[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 3006410E24772CC6953F0B5C01BEB35F . 2057728 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 . BA002228743B6824D87F0551DBC86D45 . 2057728 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
[-] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 515D30E2C90A3665A2739309334C9283 . 2057600 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2006-12-19 . BA4B97C00A437C1CC3DA365D93EE1E9D . 2059392 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 . 1D659BFB788ED2BA45075624B748D249 . 2057600 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2005-03-02 . 81013F36B21C7F72CF784CC6731E0002 . 2056832 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntmssvc.dll
[-] 2004-08-04 11:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\SYSTEM32\NTMSSVC.DLL

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\SYSTEM32\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\SYSTEM32\DLLCACHE\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB931261$\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-16 149280]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\remi batchelor\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-25 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 00:38 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-18 03:31 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9378:TCP"= 9378:TCP:BitComet 9378 TCP
"9378:UDP"= 9378:UDP:BitComet 9378 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/15/2010 8:38 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/15/2010 8:38 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:37 PM 308064]
R3 s3legacy;s3legacy;c:\windows\SYSTEM32\DRIVERS\s3legacy.sys [3/26/2010 7:03 PM 65664]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\remi batchelor\Application Data\Mozilla\Firefox\Profiles\o6xc36ln.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: XUL Cache: {00CC4C79-B44F-4A8D-970E-B75CADCCDCC7} - c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{08FCF7E3-5F7D-444E-8554-76A516EB3C6C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 09:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822F5B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85fcfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> atapi.sys @ 0xf848f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8341ba0
PacketIndicateHandler -> NDIS.sys @ 0xf834eb21
SendHandler -> NDIS.sys @ 0xf832c87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-04-05 09:26:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 13:26

Pre-Run: 2,370,228,224 bytes free
Post-Run: 2,546,622,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FC35A740E43A4E4FC2B5B1A127330AD9


#7 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 April 2010 - 03:14 PM

I need to check on something with my fellow malware fighters. I'll be back ASAP.

MalWare Removal University Master

Member of ASAP


#8 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 06 April 2010 - 01:53 PM

Thanks to oldman960 for his help.


Please run the following:

Extract TDSSKiller.exe to your Desktop.

Run TDSSKiller.exe. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

If TDSSKiller does not reboot your computer, please reboot it.

Once it has booted back up, do the following:


Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your desktop.

CODE
@echo off
REM mbr.exe is called by relative path, so it must be in the same folder as this batch file
mbr.exe -t
REM mbr.exe writes its report to mbr.log in the same folder; open it with the default viewer
start mbr.log
REM delete this batch file once it has run
del %0


Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. TDSSKiller Log
2. The mbrlog.bat Log/Results

MalWare Removal University Master

Member of ASAP
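The "Stealth MBR rootkit/Mebroot/Sinowal detector" block inside the ComboFix log posted earlier and the mbr.log that the mbrlog.bat above produces come from the same Gmer tool and share one layout. The script below is an added example, not code from this thread or from Gmer, that parses that layout and separates the one finding that matters, a disk read path ending in code that no loaded module owns (the >>UNKNOWN [0x822F5B4C]<< entry in the log above), from hook entries the tool could attribute to named Windows modules. The sample input is the block copied from the log above (with the ® dropped from the adapter name); the clean-run sample, the KNOWN_MODULES allow-list and the severity labels are this example's own assumptions.

```python
"""Triage helper for Gmer mbr.exe output: the "Stealth MBR rootkit" block that
ComboFix embeds, and the mbr.log written by "mbr.exe -t".  Added example, not
part of the thread or of Gmer's tools; allow-list and labels are assumptions."""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Sample input: the Gmer block copied from the ComboFix log posted above.
SAMPLE_MBR_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822F5B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85fcfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> atapi.sys @ 0xf848f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
NDIS: Intel PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8341ba0
PacketIndicateHandler -> NDIS.sys @ 0xf834eb21
SendHandler -> NDIS.sys @ 0xf832c87b
user & kernel MBR OK
"""

# Constructed sample modelled on a run that finds nothing.
CLEAN_MBR_LOG = """device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Assumed allow-list: Windows modules that legitimately sit in the XP disk and
# NDIS paths.  Anything else, or an address with no module at all, is an anomaly.
KNOWN_MODULES = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "classpnp.sys",
                 "disk.sys", "partmgr.sys", "atapi.sys", "acpi.sys", "ndis.sys"}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(?P<target>.+) -> (?P<module>\S+) @ 0x(?P<addr>[0-9A-Fa-f]+)$")


@dataclass
class Hook:
    target: str     # what was hooked, e.g. "\Driver\Disk"
    module: str     # module the tool attributed the handler to
    address: int    # handler address


@dataclass
class MbrReport:
    user_mbr_ok: bool = False
    kernel_mbr_ok: bool = False
    mbr_consistent: bool = False          # "user & kernel MBR OK"
    call_chain: List[str] = field(default_factory=list)
    unknown_callers: List[int] = field(default_factory=list)
    hooks: List[Hook] = field(default_factory=list)


def parse_mbr_log(text: str) -> MbrReport:
    """Parse one mbr.exe report into structured fields."""
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user: MBR read successfully":
            rep.user_mbr_ok = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_mbr_ok = True
        elif line == "user & kernel MBR OK":
            rep.mbr_consistent = True
            in_hooks = False
        elif line.startswith("called modules:"):
            chain = line[len("called modules:"):]
            # Code addresses the tool could not map to any loaded module.
            rep.unknown_callers = [int(a, 16) for a in UNKNOWN_RE.findall(chain)]
            rep.call_chain = UNKNOWN_RE.sub(" <unknown> ", chain).split()
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append(Hook(m["target"], m["module"], int(m["addr"], 16)))
            else:
                in_hooks = False
    return rep


def triage(rep: MbrReport) -> List[str]:
    """Findings in priority order; an empty list means nothing to act on."""
    out = []
    for addr in rep.unknown_callers:
        out.append(f"CRITICAL: disk read path {' -> '.join(rep.call_chain)} ends in "
                   f"code at 0x{addr:08X} that belongs to no loaded module")
    if rep.user_mbr_ok and rep.kernel_mbr_ok and not rep.mbr_consistent:
        out.append("WARNING: user-mode and kernel-mode MBR reads differ")
    for h in rep.hooks:
        if h.module.lower() not in KNOWN_MODULES:
            out.append(f"SUSPICIOUS: {h.target} handled by {h.module} @ 0x{h.address:08X}")
    if rep.hooks and all(h.module.lower() in KNOWN_MODULES for h in rep.hooks):
        out.append(f"INFO: {len(rep.hooks)} hook entries, all attributed to known "
                   "Windows modules; compare against a clean box at the same patch level")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MBR_LOG
    for finding in triage(parse_mbr_log(text)) or ["OK: nothing found"]:
        print(finding)
```

Run it with the path to a saved mbr.log as the only argument, or with no argument to triage the embedded sample. On the sample it reports the unattributed address in the disk read path as the critical item and lists the eight attributed hook entries as informational; the hook lines are deliberately not treated as clean on their own, since the tool's attribution only says which image the handler lives in, not who put it there.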


#9 bweb
  • Topic Starter
  • Members
  • 24 posts

Posted 07 April 2010 - 12:51 PM

Good to know you and oldman960 are there.
Please let me know if you want me to search for logs of the many things I first used to remove the tons of malware.


===============

13:46:49:660 3944 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:46:49:660 3944 ================================================================================
13:46:49:660 3944 SystemInfo:

13:46:49:660 3944 OS Version: 5.1.2600 ServicePack: 2.0
13:46:49:660 3944 Product type: Workstation
13:46:49:660 3944 ComputerName: D7DL2X61
13:46:49:660 3944 UserName: remi batchelor
13:46:49:660 3944 Windows directory: C:\WINDOWS
13:46:49:660 3944 Processor architecture: Intel x86
13:46:49:660 3944 Number of processors: 1
13:46:49:660 3944 Page size: 0x1000
13:46:49:660 3944 Boot type: Normal boot
13:46:49:660 3944 ================================================================================
13:46:49:676 3944 UnloadDriverW: NtUnloadDriver error 2
13:46:49:676 3944 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:46:49:691 3944 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:46:49:691 3944 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:46:49:691 3944 wfopen_ex: Trying to KLMD file open
13:46:49:691 3944 wfopen_ex: File opened ok (Flags 2)
13:46:49:691 3944 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:46:49:691 3944 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:46:49:691 3944 wfopen_ex: Trying to KLMD file open
13:46:49:691 3944 wfopen_ex: File opened ok (Flags 2)
13:46:49:691 3944 Initialize success
13:46:49:691 3944
13:46:49:691 3944 Scanning Services ...
13:46:50:191 3944 Raw services enum returned 329 services
13:46:50:207 3944
13:46:50:207 3944 Scanning Kernel memory ...
13:46:50:207 3944 Devices to scan: 4
13:46:50:207 3944
13:46:50:207 3944 Driver Name: Disk
13:46:50:207 3944 IRP_MJ_CREATE : F85FEC30
13:46:50:207 3944 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
13:46:50:207 3944 IRP_MJ_CLOSE : F85FEC30
13:46:50:207 3944 IRP_MJ_READ : F85F8D9B
13:46:50:207 3944 IRP_MJ_WRITE : F85F8D9B
13:46:50:207 3944 IRP_MJ_QUERY_INFORMATION : 804FB8EE
13:46:50:207 3944 IRP_MJ_SET_INFORMATION : 804FB8EE
13:46:50:207 3944 IRP_MJ_QUERY_EA : 804FB8EE
13:46:50:207 3944 IRP_MJ_SET_EA : 804FB8EE
13:46:50:207 3944 IRP_MJ_FLUSH_BUFFERS : F85F9366
13:46:50:207 3944 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
13:46:50:207 3944 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
13:46:50:207 3944 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
13:46:50:207 3944 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
13:46:50:207 3944 IRP_MJ_DEVICE_CONTROL : F85F944D
13:46:50:207 3944 IRP_MJ_INTERNAL_DEVICE_CONTROL : F85FCFC3
13:46:50:207 3944 IRP_MJ_SHUTDOWN : F85F9366
13:46:50:207 3944 IRP_MJ_LOCK_CONTROL : 804FB8EE
13:46:50:207 3944 IRP_MJ_CLEANUP : 804FB8EE
13:46:50:207 3944 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
13:46:50:207 3944 IRP_MJ_QUERY_SECURITY : 804FB8EE
13:46:50:207 3944 IRP_MJ_SET_SECURITY : 804FB8EE
13:46:50:207 3944 IRP_MJ_POWER : F85FAEF3
13:46:50:207 3944 IRP_MJ_SYSTEM_CONTROL : F85FFA24
13:46:50:207 3944 IRP_MJ_DEVICE_CHANGE : 804FB8EE
13:46:50:207 3944 IRP_MJ_QUERY_QUOTA : 804FB8EE
13:46:50:207 3944 IRP_MJ_SET_QUOTA : 804FB8EE
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:46:50:223 3944
13:46:50:223 3944 Driver Name: Disk
13:46:50:223 3944 IRP_MJ_CREATE : F85FEC30
13:46:50:223 3944 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
13:46:50:223 3944 IRP_MJ_CLOSE : F85FEC30
13:46:50:223 3944 IRP_MJ_READ : F85F8D9B
13:46:50:223 3944 IRP_MJ_WRITE : F85F8D9B
13:46:50:223 3944 IRP_MJ_QUERY_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_EA : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_EA : 804FB8EE
13:46:50:223 3944 IRP_MJ_FLUSH_BUFFERS : F85F9366
13:46:50:223 3944 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_DEVICE_CONTROL : F85F944D
13:46:50:223 3944 IRP_MJ_INTERNAL_DEVICE_CONTROL : F85FCFC3
13:46:50:223 3944 IRP_MJ_SHUTDOWN : F85F9366
13:46:50:223 3944 IRP_MJ_LOCK_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_CLEANUP : 804FB8EE
13:46:50:223 3944 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_SECURITY : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_SECURITY : 804FB8EE
13:46:50:223 3944 IRP_MJ_POWER : F85FAEF3
13:46:50:223 3944 IRP_MJ_SYSTEM_CONTROL : F85FFA24
13:46:50:223 3944 IRP_MJ_DEVICE_CHANGE : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_QUOTA : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_QUOTA : 804FB8EE
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:46:50:223 3944
13:46:50:223 3944 Driver Name: Disk
13:46:50:223 3944 IRP_MJ_CREATE : F85FEC30
13:46:50:223 3944 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
13:46:50:223 3944 IRP_MJ_CLOSE : F85FEC30
13:46:50:223 3944 IRP_MJ_READ : F85F8D9B
13:46:50:223 3944 IRP_MJ_WRITE : F85F8D9B
13:46:50:223 3944 IRP_MJ_QUERY_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_EA : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_EA : 804FB8EE
13:46:50:223 3944 IRP_MJ_FLUSH_BUFFERS : F85F9366
13:46:50:223 3944 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
13:46:50:223 3944 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_DEVICE_CONTROL : F85F944D
13:46:50:223 3944 IRP_MJ_INTERNAL_DEVICE_CONTROL : F85FCFC3
13:46:50:223 3944 IRP_MJ_SHUTDOWN : F85F9366
13:46:50:223 3944 IRP_MJ_LOCK_CONTROL : 804FB8EE
13:46:50:223 3944 IRP_MJ_CLEANUP : 804FB8EE
13:46:50:223 3944 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_SECURITY : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_SECURITY : 804FB8EE
13:46:50:223 3944 IRP_MJ_POWER : F85FAEF3
13:46:50:223 3944 IRP_MJ_SYSTEM_CONTROL : F85FFA24
13:46:50:223 3944 IRP_MJ_DEVICE_CHANGE : 804FB8EE
13:46:50:223 3944 IRP_MJ_QUERY_QUOTA : 804FB8EE
13:46:50:223 3944 IRP_MJ_SET_QUOTA : 804FB8EE
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:46:50:223 3944
13:46:50:223 3944 Driver Name: atapi
13:46:50:223 3944 IRP_MJ_CREATE : 822F5B4C
13:46:50:223 3944 IRP_MJ_CREATE_NAMED_PIPE : 822F5B4C
13:46:50:223 3944 IRP_MJ_CLOSE : 822F5B4C
13:46:50:223 3944 IRP_MJ_READ : 822F5B4C
13:46:50:223 3944 IRP_MJ_WRITE : 822F5B4C
13:46:50:223 3944 IRP_MJ_QUERY_INFORMATION : 822F5B4C
13:46:50:223 3944 IRP_MJ_SET_INFORMATION : 822F5B4C
13:46:50:223 3944 IRP_MJ_QUERY_EA : 822F5B4C
13:46:50:223 3944 IRP_MJ_SET_EA : 822F5B4C
13:46:50:223 3944 IRP_MJ_FLUSH_BUFFERS : 822F5B4C
13:46:50:223 3944 IRP_MJ_QUERY_VOLUME_INFORMATION : 822F5B4C
13:46:50:223 3944 IRP_MJ_SET_VOLUME_INFORMATION : 822F5B4C
13:46:50:223 3944 IRP_MJ_DIRECTORY_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_FILE_SYSTEM_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_DEVICE_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_INTERNAL_DEVICE_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_SHUTDOWN : 822F5B4C
13:46:50:223 3944 IRP_MJ_LOCK_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_CLEANUP : 822F5B4C
13:46:50:223 3944 IRP_MJ_CREATE_MAILSLOT : 822F5B4C
13:46:50:223 3944 IRP_MJ_QUERY_SECURITY : 822F5B4C
13:46:50:223 3944 IRP_MJ_SET_SECURITY : 822F5B4C
13:46:50:223 3944 IRP_MJ_POWER : 822F5B4C
13:46:50:223 3944 IRP_MJ_SYSTEM_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_DEVICE_CHANGE : 822F5B4C
13:46:50:223 3944 IRP_MJ_QUERY_QUOTA : 822F5B4C
13:46:50:223 3944 IRP_MJ_SET_QUOTA : 822F5B4C
13:46:50:223 3944 Driver "atapi" infected by TDSS rootkit!
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
13:46:50:223 3944 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
13:46:50:223 3944 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
13:46:50:223 3944 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:46:50:223 3944 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
13:46:50:238 3944 vfvi6
13:46:50:254 3944 !dsvbh1
13:46:50:254 3944 !vdf7
13:46:50:254 3944 !fck2
13:46:50:254 3944 vfvi6
13:46:50:270 3944 !dsvbh1
13:46:50:270 3944 !vdf7
13:46:50:270 3944 !fck2
13:46:50:270 3944 !fdfb7
13:46:50:270 3944 vfvi6
13:46:50:270 3944 !dsvbh1
13:46:50:270 3944 !vdf7
13:46:50:270 3944 Backup copy not found, trying to cure infected file..
13:46:50:270 3944 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Cure failed (0)
13:46:50:270 3944 cure failed
13:46:50:270 3944
13:46:50:270 3944 Completed
13:46:50:270 3944
13:46:50:270 3944 Results:
13:46:50:270 3944 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:46:50:270 3944 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:46:50:270 3944 File objects infected / cured / cured on reboot: 1 / 0 / 0
13:46:50:270 3944
13:46:50:270 3944 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:46:50:270 3944 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:46:50:270 3944 KLMD(ARK) unloaded successfully


===============


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822F5B4C]<<
kernel: MBR read successfully
user & kernel MBR OK
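
An added example (not from this thread, and not code from TDSSKiller or Gmer) that turns the two logs above into a check a responder could script. The TDSSKiller dump lists every IRP_MJ major function for each driver in the disk stack. For Disk the handlers vary: majors the driver does not implement share the kernel stub at 804FB8EE, and the ones it does implement point into the driver's own image. Every atapi entry instead resolves to the single address 822F5B4C, which is the same value mbr.exe reports as >>UNKNOWN [0x822F5B4C]<< in its called-modules chain. The script parses both outputs, flags any driver whose whole dispatch table has collapsed to one address, and correlates that address with the UNKNOWN module address from mbr.exe. The sample log lines are constructed from the posted output, abbreviated to a few majors per driver; the all-handlers-identical heuristic is an assumption of this example, not a rule from either tool.

```python
"""Correlate a TDSSKiller dispatch-table dump with mbr.exe's called-modules line.

Added example; not part of the BleepingComputer thread, TDSSKiller or Gmer.
All sample input below is constructed from the log text posted above.
"""
import re
from collections import Counter

# Constructed sample: two driver blocks from the TDSSKiller log, abbreviated.
TDSSKILLER_LOG = r"""
13:46:50:223 3944 Driver Name: Disk
13:46:50:223 3944 IRP_MJ_CREATE : F85FEC30
13:46:50:223 3944 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
13:46:50:223 3944 IRP_MJ_CLOSE : F85FEC30
13:46:50:223 3944 IRP_MJ_READ : F85F8D9B
13:46:50:223 3944 IRP_MJ_WRITE : F85F8D9B
13:46:50:223 3944 IRP_MJ_DEVICE_CONTROL : F85F944D
13:46:50:223 3944 IRP_MJ_SHUTDOWN : F85F9366
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

13:46:50:223 3944 Driver Name: atapi
13:46:50:223 3944 IRP_MJ_CREATE : 822F5B4C
13:46:50:223 3944 IRP_MJ_CREATE_NAMED_PIPE : 822F5B4C
13:46:50:223 3944 IRP_MJ_CLOSE : 822F5B4C
13:46:50:223 3944 IRP_MJ_READ : 822F5B4C
13:46:50:223 3944 IRP_MJ_WRITE : 822F5B4C
13:46:50:223 3944 IRP_MJ_DEVICE_CONTROL : 822F5B4C
13:46:50:223 3944 IRP_MJ_SHUTDOWN : 822F5B4C
13:46:50:223 3944 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# Constructed sample: the "called modules" line from the mbr.exe output above.
MBR_CALLED_MODULES = (
    "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822F5B4C]<<"
)

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]{8})\]<<")


def parse_dispatch_tables(log):
    """Return {driver_name: {IRP_MJ_name: handler_address}} from a TDSSKiller log."""
    tables = {}
    current = None
    for line in log.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def suspicious_tables(tables):
    """Flag drivers whose major-function handlers all resolve to one address.

    Heuristic assumed by this example: a legitimate table has several distinct
    entries (a shared kernel stub for unsupported majors, driver code for the
    rest). A table collapsed to a single address routes every request through
    one hook, which is what the posted atapi dump shows.
    """
    flagged = {}
    for driver, table in tables.items():
        distinct = Counter(table.values())
        if len(table) >= 2 and len(distinct) == 1:
            flagged[driver] = next(iter(distinct))
    return flagged


def unknown_module_addresses(called_modules_line):
    """Addresses mbr.exe could not attribute to any loaded module."""
    return {int(a, 16) for a in UNKNOWN_RE.findall(called_modules_line)}


def correlate(tdsskiller_log, mbr_line):
    """(driver, address) pairs where a collapsed dispatch table and an mbr.exe
    UNKNOWN module point at the same kernel address."""
    hooked = suspicious_tables(parse_dispatch_tables(tdsskiller_log))
    unknown = unknown_module_addresses(mbr_line)
    return sorted((d, f"{a:08X}") for d, a in hooked.items() if a in unknown)


if __name__ == "__main__":
    for driver, addr in correlate(TDSSKILLER_LOG, MBR_CALLED_MODULES):
        print(f"{driver}: dispatch table collapsed to {addr}, "
              f"same address mbr.exe reports as UNKNOWN in the disk stack")
```

Against the posted logs the check returns atapi at 822F5B4C. Against the clean called-modules chain posted later in the thread (disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS, with no UNKNOWN entry) it returns nothing, which is the state to confirm after replacing the driver.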


#10 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 08 April 2010 - 12:04 AM

Step # 1 Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

MalWare Removal University Master

Member of ASAP


#11 bweb

  • Topic Starter
  • Members
  • 24 posts

Posted 08 April 2010 - 01:02 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:00 on 08/04/2010 by remi batchelor (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\I386\atapi.sys --a--- 95360 bytes [19:55 14/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys --a--- 96512 bytes [22:22 25/02/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys --a--- 95360 bytes [06:00 01/01/1980] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys ------ 95360 bytes [06:00 01/01/1980] [23:45 24/03/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--- 95360 bytes [13:26 03/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

#12 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 08 April 2010 - 01:47 PM

Please print out the following instructions so that you'll have them on hand:

Starting the Recovery Console

There is a good set of instructions at http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/ on how to enter the Recovery Console, starting at the line How to start the Recovery Console, which is about a third of the way down the page:


To start the Recovery Console when it is installed on your hard drive:

1. Reboot your computer and as Windows starts it will present you with your startup options, which usually only show up for a couple of seconds. Your choices will be Microsoft Windows XP Home Edition or Microsoft Windows Recovery Console.

2. With the arrow keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

6. Once at the command prompt, type the following carefully, being sure to press Enter after each line:

cd system32\drivers
ren atapi.sys atapi.old
copy c:\windows\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
exit



If prompted to overwrite the existing file, type Y and hit Enter

7. Next type exit at the command prompt, then press enter. That will exit the Recovery Console and attempt to restart your machine.


Once the computer has booted back up into normal mode, I would like you to rerun mbrlog.bat and post the results in your next post.

If you need to recreate mbrlog.bat, use the instructions below:

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your desktop.

CODE
@echo off
mbr.exe -t
start mbr.log
del %0


Double click mbrlog.bat. A window will open and close. This is normal.



#13 bweb

  • Topic Starter
  • Members
  • 24 posts

Posted 09 April 2010 - 07:23 PM

Googled atapi malware.... scary
--
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#14 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 10 April 2010 - 12:11 PM

Looking at the mbrlog.bat output, it looks like replacing the bad atapi.sys with a good one was successful.

The next step is to upgrade the computer to SP3.

First, try going to Windows Update and downloading and installing SP3 from there.

If that doesn't work, you'll have to download and install the standalone version of SP3 (link below). Be sure to disable AVG before trying to install SP3.

http://www.microsoft.com/downloads/details...;displaylang=en


Once SP3 is installed, please do the following. If you have any trouble installing SP3, let me know and do not do what's below:


First, delete ComboFix.exe, you'll be downloading the latest version from one of the links below:

Link 1
Link 2

Once you've downloaded ComboFix, run it and post the ComboFix Log in your next post.



#15 bweb

  • Topic Starter
  • Members
  • 24 posts

Posted 11 April 2010 - 04:18 PM

Hurray!
Redirects stopped, MSupdate worked, and the antibiotic is kicking the strep throat... wrong forum...
Final prognosis?
---------------------

ComboFix 10-04-10.02 - remi batchelor 04/11/2010 16:52:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.189 [GMT -4:00]
Running from: c:\documents and settings\remi batchelor\Desktop\bwebcf2.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}
c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}\chrome.manifest
c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}\chrome\content\_cfg.js
c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}\chrome\content\c.js
c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}\chrome\content\overlay.xul
c:\documents and settings\remi batchelor\Local Settings\Application Data\{00CC4C79-B44F-4A8D-970E-B75CADCCDCC7}\install.rdf
c:\windows\TEMP\3223657586.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 20:33 . 2010-04-11 20:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-11 18:01 . 2010-04-11 18:01 -------- d-----w- c:\windows\system32\scripting
2010-04-11 18:01 . 2010-04-11 18:01 -------- d-----w- c:\windows\l2schemas
2010-04-11 18:01 . 2010-04-11 18:01 -------- d-----w- c:\windows\system32\en
2010-04-11 18:01 . 2010-04-11 18:01 -------- d-----w- c:\windows\system32\bits
2010-04-08 21:47 . 2010-04-08 21:47 710424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcsrvx.exe
2010-04-08 21:47 . 2010-04-08 21:47 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 21:47 . 2010-04-08 21:47 460640 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-08 21:47 . 2010-04-08 21:47 395032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgclitx.dll
2010-04-07 17:55 . 2010-04-07 17:55 503808 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52889337-n\msvcp71.dll
2010-04-07 17:55 . 2010-04-07 17:55 499712 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52889337-n\jmc.dll
2010-04-07 17:55 . 2010-04-07 17:55 348160 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52889337-n\msvcr71.dll
2010-04-07 17:55 . 2010-04-07 17:55 61440 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1bf9f42a-n\decora-sse.dll
2010-04-07 17:55 . 2010-04-07 17:55 12800 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1bf9f42a-n\decora-d3d.dll
2010-04-05 12:31 . 2010-04-05 12:31 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-05 12:31 . 2010-04-05 12:31 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-05 12:31 . 2010-04-05 12:31 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-05 12:31 . 2010-04-05 12:31 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-05 12:31 . 2010-04-05 12:31 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-05 12:31 . 2010-04-05 12:31 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-05 12:31 . 2010-04-05 12:31 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-05 12:31 . 2010-04-05 12:31 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-05 12:31 . 2010-04-05 12:31 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-05 12:31 . 2010-04-05 12:31 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-05 12:31 . 2010-04-05 12:31 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-05 12:30 . 2010-04-05 12:30 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-05 12:30 . 2010-04-05 12:30 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-26 23:03 . 2001-08-17 17:57 65664 ----a-w- c:\windows\system32\drivers\s3legacy.sys
2010-03-26 23:02 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\s3legacy.dll
2010-03-25 02:13 . 2010-03-25 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-03-18 01:18 . 2010-03-18 01:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-18 01:16 . 2010-03-18 01:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-17 23:37 . 2010-03-17 23:37 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\Malwarebytes
2010-03-17 23:36 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 23:36 . 2010-03-17 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 23:36 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 23:36 . 2010-03-17 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 01:30 . 2010-04-11 17:52 -------- d-----w- c:\windows\EHome
2010-03-16 21:09 . 2010-03-16 21:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-16 13:37 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-16 13:29 . 2010-03-16 13:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-16 12:37 . 2010-03-09 08:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 12:21 . 2010-03-16 12:21 152576 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-16 12:19 . 2010-03-16 12:19 79488 ----a-w- c:\documents and settings\remi batchelor\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-16 01:37 . 2010-03-16 01:37 -------- d-----w- C:\$AVG
2010-03-16 00:42 . 2010-03-24 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-16 00:38 . 2010-03-16 00:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 00:38 . 2010-03-16 00:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 00:38 . 2010-03-16 00:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-16 00:38 . 2010-03-16 00:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 00:37 . 2010-04-11 17:44 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-16 00:37 . 2010-03-16 00:37 -------- d-----w- c:\program files\AVG
2010-03-16 00:37 . 2010-03-16 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-14 21:48 . 2010-03-14 21:48 -------- d-----w- c:\program files\Support Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:05 . 2004-08-10 19:13 77915 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-04-08 21:10 . 2010-03-09 09:03 1208 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-07 17:54 . 2005-03-03 13:36 -------- d-----w- c:\program files\Java
2010-04-05 12:33 . 2010-03-24 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-26 22:43 . 2004-11-09 17:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 23:45 . 1980-01-01 06:00 95360 ----a-w- c:\windows\system32\drivers\atapi.old
2010-03-24 23:45 . 2010-03-24 01:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 13:14 . 2010-01-26 21:49 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\Azureus
2010-03-24 01:44 . 2010-03-24 01:42 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2010-03-18 02:49 . 2010-03-18 02:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-18 01:25 . 2010-03-18 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 21:21 . 2009-08-10 04:56 -------- d-----w- c:\program files\PopCap Games
2010-03-14 21:18 . 2010-01-26 21:53 -------- d-----w- c:\program files\Microsoft
2010-03-14 21:04 . 2009-02-26 16:23 -------- d-----w- c:\program files\Google
2010-03-09 05:27 . 2010-03-09 05:27 -------- d-----w- c:\documents and settings\remi batchelor\Application Data\SUPERAntiSpyware.com
2010-03-09 05:27 . 2010-03-09 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-26 07:28 . 2010-02-26 07:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-02-25 06:24 . 2010-02-25 06:24 849440 ----a-w- c:\windows\system32\beedo.dll
2010-02-25 06:24 . 2010-02-25 06:24 1138794 ----a-w- c:\windows\system32\pniwinerr.dll
2010-02-25 06:24 . 2010-02-25 06:24 1044226 ----a-w- c:\windows\system32\ripapitodo.dll
2010-02-25 06:24 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 18:10 . 2010-02-16 18:10 10686001 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\azump\mplayer.exe
2010-02-13 08:30 . 2005-03-08 01:47 85184 ----a-w- c:\documents and settings\remi batchelor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 05:03 . 2010-02-12 05:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-11 08:54 . 2010-01-26 21:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-26 21:58 . 2010-01-26 21:58 4141117 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-01-26 21:58 . 2010-01-26 21:58 6516755 ----a-w- c:\documents and settings\remi batchelor\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-01-26 21:21 . 2010-01-26 21:21 69612 ---ha-w- c:\windows\system32\mlfcache.dat
2009-03-03 21:09 . 2007-04-06 22:43 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-03 21:09 . 2007-04-06 22:43 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-03 21:09 . 2007-04-06 22:43 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-03 21:09 . 2007-04-06 22:43 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-03 21:09 . 2007-04-06 22:43 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-05 10:34 . 2009-05-05 10:34 0 --sha-w- c:\windows\SYSTEM32\_itmp_744.exe
2009-04-25 19:54 . 2009-04-25 19:54 2464 --sha-w- c:\windows\SYSTEM32\_itmp_791.exe
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\ATAPI.SYS
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\SYSTEM32\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\SYSTEM32\DLLCACHE\mspmsnsv.dll
[-] 2004-08-04 11:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\remi batchelor\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-11-25 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 00:38 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-18 03:31 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9378:TCP"= 9378:TCP:BitComet 9378 TCP
"9378:UDP"= 9378:UDP:BitComet 9378 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/15/2010 8:38 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/15/2010 8:38 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:37 PM 308064]
R3 s3legacy;s3legacy;c:\windows\SYSTEM32\DRIVERS\s3legacy.sys [3/26/2010 7:03 PM 65664]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\REMIBA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\remi batchelor\Application Data\Mozilla\Firefox\Profiles\o6xc36ln.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - component: c:\documents and settings\remi batchelor\Application Data\Mozilla\Firefox\Profiles\o6xc36ln.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
Completion time: 2010-04-11 17:05:33
ComboFix-quarantined-files.txt 2010-04-11 21:05
ComboFix2.txt 2010-04-05 13:26

Pre-Run: 957,427,712 bytes free
Post-Run: 935,501,824 bytes free

- - End Of File - - B2FA0F3C2855BF80B05E484F60390E14
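
A second added example (again not the thread's own and not ComboFix code) for the Sigcheck block in the log above. ComboFix lists every copy of atapi.sys it found with a date, MD5, size and version string. The script parses those lines, singles out the live copy under system32\drivers and the reference copy under ServicePackFiles\i386, and reports whether the live driver's version and hash agree with the reference and which other copies share the live hash. Run on the posted lines (reproduced here as constructed input) it reports that the live ATAPI.SYS carries version 5.1.2600.2180 and hashes identical only to the $NtServicePackUninstall$ and ReinstallBackups copies, while the ServicePackFiles copy is 5.1.2600.5512: the restored driver is the SP2-era file, not the one the installed service pack shipped, which is the kind of leftover worth checking after a fix like the one in this thread. Treating ServicePackFiles\i386 as the reference directory and comparing dotted version strings numerically are assumptions of this example. One caveat a responder should keep in mind: the SystemLook output earlier in the thread showed the live atapi.sys hashing identical to the DLLCACHE copy while TDSSKiller was reporting it infected and its whole dispatch table pointed at one address, so an MD5 computed from inside a system with a suspected disk-level rootkit only reflects what the hooked disk stack returned; hashes taken from offline media (the Recovery Console or a boot CD) are the ones to rely on.

```python
"""Audit the copies of a driver listed in a ComboFix Sigcheck block.

Added example; not from the thread and not ComboFix code. The input is the
Sigcheck block posted above, embedded here as constructed sample text.
"""
import re
from dataclasses import dataclass
from typing import List

SIGCHECK_BLOCK = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DRIVERS\ATAPI.SYS
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\SYSTEM32\MsPMSNSv.dll
"""

# One Sigcheck line: [mark] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

# Assumed by this example: the installed service pack's own copies live here.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
LIVE_DIR = "\\system32\\drivers\\"


@dataclass(frozen=True)
class SigEntry:
    mark: str
    date: str
    md5: str
    size: int
    version: str
    path: str


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Parse every well-formed Sigcheck line; blank or unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["mark"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def version_tuple(version: str):
    """'5.1.2600.2180' -> (5, 1, 2600, 2180) so versions compare numerically."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def audit_driver(entries: List[SigEntry], file_name: str) -> dict:
    """Compare the live copy of file_name with the service-pack reference copy."""
    name = file_name.lower()
    copies = [e for e in entries if e.path.lower().rsplit("\\", 1)[-1] == name]
    live = next((e for e in copies if LIVE_DIR in e.path.lower()), None)
    ref = next((e for e in copies if REFERENCE_DIR in e.path.lower()), None)
    report = {
        "live": live,
        "reference": ref,
        "version_matches_reference": False,
        "hash_matches_reference": False,
        "live_older_than_reference": False,
        "copies_with_live_hash": [],
    }
    if live is not None:
        # Other on-disk copies that are byte-identical (by MD5) to the live driver.
        report["copies_with_live_hash"] = sorted(
            e.path for e in copies if e is not live and e.md5 == live.md5)
    if live is not None and ref is not None:
        report["version_matches_reference"] = live.version == ref.version
        report["hash_matches_reference"] = live.md5 == ref.md5
        report["live_older_than_reference"] = (
            version_tuple(live.version) < version_tuple(ref.version))
    return report


if __name__ == "__main__":
    rep = audit_driver(parse_sigcheck(SIGCHECK_BLOCK), "atapi.sys")
    print("live:     ", rep["live"].version, rep["live"].md5, rep["live"].path)
    print("reference:", rep["reference"].version, rep["reference"].md5, rep["reference"].path)
    print("version matches reference:", rep["version_matches_reference"])
    print("live copy older than reference:", rep["live_older_than_reference"])
    for p in rep["copies_with_live_hash"]:
        print("same hash as live copy:", p)
```

The same parser works on the MsPMSNSv.dll lines in the block; since that file has neither a system32\drivers copy nor a ServicePackFiles copy, the audit simply reports no live or reference entry for it rather than guessing.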




