Infected with TR/FraudPack.aunu [trojan]


This topic is locked
42 replies to this topic

#1 bigteks

bigteks

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 04 May 2010 - 01:04 PM

This began popping up in my Avira AntiVir Personal with an alert, but the only option is remove or cancel. I discovered that when I click on the Avira remove link, a fraudulent antivirus program starts scanning, and when I stop it, it invites me to make a credit card payment on a web site.

My initial response (because I did not know better) was to run ComboFix by myself. When that did not fix the problem I came here and found out that was not a good first step, so now I am going through the guide and doing it the right way.

I was not able to get a log from Gmer because it locks up the mouse and keyboard when I run it. Is there some option to run it where it will automatically log? Because once it runs I cannot click on it any more to tell it to save the log; I have to power-cycle after that.

Here is the DDS output:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 12:59:04.62 on Tue 05/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2175 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmware-hostd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}\DietPowerSetup.exe
C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000315.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000315.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302020009.dll
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SuperCopier2.exe] c:\program files\supercopier2\SuperCopier2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DietPower 4.4 Update Setup for All Users] c:\documents and settings\all users\application data\{34474efd-d329-4a99-a967-410e40b3419a}\DietPowerSetup.exe /updatesetup
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search - home\DesktopSearchService.exe" /tray
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
LSP: c:\program files\vmware\vmware server\vsocklib.dll
Trusted Zone: intuit.com\ttlc
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.84/FreeRealmsInstaller.cab?v=1034
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246903650750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246903706468
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Me\applic~1\mozilla\firefox\profiles\o2g8grpc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\copernic desktop search - home\firefoxconnector\components\CSPXPCOMBridge.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-9-30 40560]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-5 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-5 60936]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-6 55152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-18 47640]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-20 54960]
R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-4-17 428592]
R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-4-17 428592]
R2 VMwareHostd;VMware Host Agent;c:\program files\vmware\vmware server\vmware-hostd.exe [2009-10-20 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2009-10-20 57344]
R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\vmware\vmware vcenter converter standalone\vstor2-mntapi10.sys [2009-4-17 22448]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-7-5 1057024]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [2009-7-5 386784]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-11-20 297472]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-4-17 27312]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S3 vmwriter;VMware VSS Writer;c:\program files\vmware\vmware server\vmVssWriter.exe [2009-10-20 29744]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-04 17:45:04 0 d-----w- c:\docume~1\Me\applic~1\Avira
2010-05-04 12:06:51 0 ----a-w- c:\documents and settings\Me\defogger_reenable
2010-05-04 05:06:51 0 d-----w- c:\docume~1\Me\applic~1\Office Genuine Advantage
2010-05-04 04:53:58 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-05-04 04:53:47 0 d-----w- c:\program files\NVIDIA Corporation
2010-05-04 03:33:03 0 d-sha-r- C:\cmdcons
2010-05-04 03:31:27 98816 ----a-w- c:\windows\sed.exe
2010-05-04 03:31:27 77312 ----a-w- c:\windows\MBR.exe
2010-05-04 03:31:27 256512 ----a-w- c:\windows\PEV.exe
2010-05-04 03:31:27 161792 ----a-w- c:\windows\SWREG.exe
2010-05-04 03:30:08 0 d-----w- C:\ComboFix
2010-05-03 03:19:02 823808 ----a-w- c:\windows\system32\drivers\iunphv.sys
2010-04-30 23:13:38 0 d-----w- C:\0CHDs
2010-04-30 22:25:43 0 d-----r- C:\MameUI32
2010-04-27 12:56:53 0 d-----w- c:\program files\iPod
2010-04-27 12:56:39 0 d-----w- c:\program files\iTunes
2010-04-27 12:56:39 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-27 12:49:49 0 d-----w- c:\program files\Bonjour
2010-04-18 18:54:30 0 d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2010-04-18 18:54:27 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-04-18 18:54:27 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2010-04-18 18:54:27 28984 ----a-w- c:\windows\system32\LMIport.dll
2010-04-18 18:54:23 87352 ----a-w- c:\windows\system32\LMIinit.dll
2010-04-18 18:54:08 0 d-----w- c:\program files\LogMeIn
2010-04-18 18:51:28 9079 ----a-w- c:\windows\system32\aca432.cpl

==================== Find3M ====================

2010-04-04 00:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 00:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 00:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 00:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 00:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 00:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 22:38:32 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 12:59:49.12 ===============

Edited by bigteks, 04 May 2010 - 01:05 PM.
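The Pseudo HJT section of the DDS log above carries the footprints that helpers look for first with a rogue antivirus: a per-user proxy pointed at 127.0.0.1:5555 (every browser request is being routed through a process on the machine itself, which is how the fake scanner gets its payment page in front of the user), a BHO and a toolbar entry with "No File" behind them, and a Hosts entry that sends a security site to loopback. As an added example, not a BleepingComputer, DDS or ComboFix tool, here is a small Python triage script that reads lines in this report format and flags those indicators. The sample input is constructed from lines copied out of the log above, the `uRun` profile-directory heuristic and the severity labels are the example's own assumptions, and nothing here removes anything; it only tells the reader which lines deserve a second look.

```python
import re

# Constructed sample, modelled on the DDS "Pseudo HJT Report" posted above.
# The proxy, BHO, TB, uRun and Hosts lines are copied from that log.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DietPower 4.4 Update Setup for All Users] c:\documents and settings\all users\application data\{34474efd-d329-4a99-a967-410e40b3419a}\DietPowerSetup.exe /updatesetup
Hosts: 127.0.0.1 www.spywareinfo.com
""".strip()

# Loopback / blackhole addresses: traffic sent here never leaves the machine.
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$")
# "uInternet Settings" is the HKCU hive, "mInternet Settings" is HKLM (DDS convention).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|TB|EB):\s.*-\s*No File\s*$")
RUN_RE = re.compile(r"^(?P<scope>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
# Heuristic (assumption): autoruns living under the user profile tree deserve a look.
PROFILE_DIR_RE = re.compile(r"documents and settings\\", re.IGNORECASE)


def _proxy_endpoints(value):
    """Split 'http=127.0.0.1:5555;https=...' (or a bare host:port) into (host, port) pairs."""
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                      # protocol=host:port form
            part = part.split("=", 1)[1]
        host, sep, port = part.rpartition(":")
        if not sep:                          # no port given
            host, port = part, ""
        endpoints.append((host, port))
    return endpoints


def triage(report):
    """Return (severity, line, reason) tuples for report lines that merit review."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            for host, port in _proxy_endpoints(m.group("value")):
                if LOOPBACK_RE.match(host):
                    findings.append(("high", line,
                        f"browser proxy points at the local machine ({host}:{port}); "
                        "a process on this host is intercepting web traffic"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("low", line,
                f"{m.group('kind')} registry entry with no backing file (orphan, clean-up candidate)"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            if LOOPBACK_RE.match(m.group("ip")) and m.group("host").lower() != "localhost":
                findings.append(("medium", line,
                    f"hosts file redirects {m.group('host')} to loopback (site blocked locally)"))
            continue
        m = RUN_RE.match(line)
        if m and PROFILE_DIR_RE.search(m.group("cmd")):
            findings.append(("medium", line,
                "autorun launches from a user profile directory; verify the publisher"))
    return findings


def severity_counts(findings):
    """Tally findings by severity so a helper can see the shape of the report at a glance."""
    counts = {}
    for severity, _line, _reason in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_REPORT):
        print(f"[{severity:6}] {reason}\n         {line}")
    print(severity_counts(triage(SAMPLE_REPORT)))
```

On the sample the script raises one high finding (the loopback proxy), two low findings (the orphaned BHO and toolbar CLSIDs) and two medium ones (the Hosts redirect and the DietPower updater running from All Users\Application Data, which in this thread turns out to be legitimate, so the heuristic is a prompt to verify, not a verdict). The `ProxyOverride = <local>` line is deliberately left alone: on its own it is a normal Windows setting and only matters in combination with the ProxyServer value.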



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 06 May 2010 - 05:42 PM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.



I need two things to get started.

First, please copy and paste the contents of C:\combofix.txt in your reply.

Next, please run GMER in safe mode. If it still locks up, try it in safe mode but uncheck 'devices'. If it still locks up, just select 'files' and 'sections' and run it in safe mode. Please post it if you get it to work; if not, let me know. It's really critical to have this log for the diagnosis.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 06 May 2010 - 07:18 PM

Here is the ComboFix output; I will attempt the GMER run in safe mode next.

ComboFix 10-05-03.03 - Me 05/03/2010 22:40:28.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2009 [GMT -5:00]
Running from: G:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
The following files were disabled during the run:
c:\program files\SuperCopier2\SC2Hook.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk\uqyorjwtssd.exe
c:\program files\WindowsUpdate
c:\windows\system32\vmnat.exe
d:\my documents\ARP.EXE
d:\my documents\CALC.EXE
d:\my documents\CHARMAP.EXE
d:\my documents\CLEANMGR.EXE
d:\my documents\CLIPBRD.EXE
d:\my documents\CONTROL.EXE
d:\my documents\DEFRAG.EXE
d:\my documents\DRWATSON.EXE
d:\my documents\DVDPLAY.EXE
d:\my documents\EXPLORER.EXE
d:\my documents\EXTRAC32.EXE
d:\my documents\FONTVIEW.EXE
d:\my documents\FREECELL.EXE
d:\my documents\java.exe
d:\my documents\javaw.exe
d:\my documents\MSHEARTS.EXE
d:\my documents\NET.EXE
d:\my documents\NETDDE.EXE
d:\my documents\NETSTAT.EXE
d:\my documents\PING.EXE
d:\my documents\PROGMAN.EXE
d:\my documents\REGEDIT.EXE
d:\my documents\ROUTE.EXE
d:\my documents\RUNDLL32.EXE
d:\my documents\SNDREC32.EXE
d:\my documents\SNDVOL32.EXE
d:\my documents\SOL.EXE
d:\my documents\TASKMAN.EXE
d:\my documents\TWUNK_16.EXE
d:\my documents\TWUNK_32.EXE
d:\my documents\WINHELP.EXE
d:\my documents\WINHLP32.EXE
d:\my documents\WININIT.EXE
d:\my documents\WINMINE.EXE
d:\my documents\WINVER.EXE
d:\my documents\WRITE.EXE
d:\my documents\WUPDMGR.EXE

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-03 03:19 . 2010-05-04 03:46 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk
2010-05-03 03:19 . 2010-05-04 00:50 823808 ----a-w- c:\windows\system32\drivers\iunphv.sys
2010-05-03 03:18 . 2010-05-03 03:18 107520 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00004639.dll
2010-04-30 23:13 . 2010-04-30 23:13 -------- d-----w- C:\0CHDs
2010-04-30 22:25 . 2010-05-01 01:05 -------- d-----r- C:\MameUI32
2010-04-28 03:58 . 2010-04-28 03:58 38411 ----a-w- c:\documents and settings\Me\Application Data\IDM\bin\idm_flash_uninstaller.exe
2010-04-28 03:58 . 2010-04-28 03:58 -------- dc-h--w- c:\documents and settings\Me\Local Settings\Application Data\{2853BFD5-3865-45EB-A4E3-967D4A9B969A}
2010-04-27 12:56 . 2010-04-27 12:56 -------- d-----w- c:\program files\iPod
2010-04-27 12:56 . 2010-04-27 12:57 -------- d-----w- c:\program files\iTunes
2010-04-27 12:56 . 2010-04-27 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-27 12:53 . 2010-04-27 12:53 -------- d-----w- c:\program files\QuickTime
2010-04-27 12:49 . 2010-04-27 12:49 -------- d-----w- c:\program files\Bonjour
2010-04-27 12:46 . 2010-04-27 12:46 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-18 18:54 . 2010-04-18 18:54 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\LogMeIn
2010-04-18 18:54 . 2010-04-18 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2010-04-18 18:54 . 2009-09-29 00:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-04-18 18:54 . 2009-09-29 00:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-04-18 18:54 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2010-04-18 18:54 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2010-04-18 18:54 . 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2010-04-18 18:54 . 2010-05-04 01:30 -------- d-----w- c:\program files\LogMeIn
2010-04-18 18:24 . 2010-04-18 18:53 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 03:37 . 2009-12-26 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-05-04 03:37 . 2009-12-26 05:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-05-04 03:36 . 2009-07-28 20:06 -------- d-----w- c:\program files\SuperCopier2
2010-05-04 03:34 . 2009-07-23 21:15 -------- d-----w- c:\documents and settings\Me\Application Data\uTorrent
2010-05-02 07:16 . 2010-02-09 02:45 -------- d-----w- c:\documents and settings\Me\Application Data\NBC Direct
2010-05-01 04:07 . 2010-03-08 22:19 -------- d--h--w- c:\documents and settings\All Users\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}
2010-05-01 00:08 . 2009-07-22 15:51 -------- d-----w- c:\program files\7-Zip
2010-04-28 03:58 . 2010-02-09 02:45 -------- d---a-w- c:\program files\NBC Direct
2010-04-28 03:58 . 2010-02-09 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2010-04-28 02:53 . 2009-11-23 04:18 779056 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-27 12:56 . 2009-10-16 22:08 -------- d-----w- c:\program files\Common Files\Apple
2010-04-26 18:17 . 2009-09-13 00:46 -------- d-----w- c:\program files\Mobysaurus Thesaurus
2010-04-20 15:06 . 2010-02-05 23:10 -------- d-----w- c:\program files\The Logo Creator v5
2010-04-15 08:05 . 2009-07-05 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-30 12:46 . 2009-11-28 15:13 -------- d-----w- c:\program files\WinSCP
2010-03-24 07:38 . 2010-03-24 07:38 -------- d-----w- c:\program files\Belarc
2010-03-22 15:35 . 2009-07-23 21:15 -------- d-----w- c:\program files\uTorrent
2010-03-22 15:35 . 2009-07-21 13:46 -------- d-----w- c:\program files\Copernic Desktop Search - Home
2010-03-22 14:45 . 2010-03-22 14:45 -------- d-----w- c:\program files\Restorer Ultimate
2010-03-20 17:37 . 2010-03-20 17:37 -------- d-----w- c:\program files\Audacity
2010-03-20 06:03 . 2010-03-20 06:03 -------- d-----w- c:\program files\VOB
2010-03-19 15:58 . 2009-07-23 12:32 -------- d-----w- c:\program files\Java
2010-03-19 15:57 . 2010-03-19 15:57 152576 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-19 15:54 . 2010-02-16 20:40 79488 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 14:33 . 2010-03-08 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DietPower4.4
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 22:19 . 2010-03-08 22:19 -------- d-----w- c:\program files\DietPower 4.4
2010-03-05 17:41 . 2009-07-05 07:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-02 22:39 . 2010-03-02 22:39 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-02 22:39 . 2010-03-02 22:39 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-02 22:38 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-01 22:29 . 2009-07-05 16:29 84776 ----a-w- c:\documents and settings\Me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 14:05 . 2009-07-05 11:19 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:20 . 2010-02-17 20:20 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-17 20:20 . 2010-02-17 20:20 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-02-17 19:19 . 2010-02-17 19:19 0 ----a-w- c:\windows\nsreg.dat
2010-02-16 18:24 . 2009-07-05 11:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 15:17 . 2009-07-05 07:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-05 06:08 . 2009-11-20 17:57 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-02-05 06:08 . 2009-11-20 17:57 1337608 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DietPower 4.4 Update Setup for All Users"="c:\documents and settings\All Users\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}\DietPowerSetup.exe" [2009-08-19 2397776]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-19 319792]
"Copernic Desktop Search - Home"="c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2010-02-04 1594368]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-11-11 1150016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-02-17 33595392]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-15 536576]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-12-02 75072]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-12-02 316736]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-02 202256]
"IW Controlcenter"="c:\progra~1\VOB\INSTAN~1\IWCTRL.EXE" [2001-08-25 656701]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-12-23 303104]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57240:TCP"= 57240:TCP:Pando Media Booster
"57240:UDP"= 57240:UDP:Pando Media Booster
"9089:TCP"= 9089:TCP:VMware vCenter Converter Standalone - Agent

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [9/30/2009 11:10 PM 40560]
R1 Asapi;ASAPI;c:\windows\system32\drivers\asapi.sys [3/20/2010 1:03 AM 10240]
R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [3/20/2010 1:03 AM 47616]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [3/20/2010 1:03 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [3/20/2010 1:03 AM 266002]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/5/2009 6:19 AM 135336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/20/2009 4:22 PM 54960]
R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [4/17/2009 9:42 PM 428592]
R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [4/17/2009 9:59 PM 428592]
R2 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [10/20/2009 4:21 PM 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [10/20/2009 4:27 PM 57344]
R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [4/17/2009 9:42 PM 22448]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 3:45 PM 31896]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/5/2009 2:17 AM 1057024]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [7/5/2009 2:33 AM 386784]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/20/2009 11:31 AM 297472]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [4/17/2009 9:42 PM 27312]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [10/20/2009 4:22 PM 29744]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-362288127-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-05-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-362288127-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
LSP: c:\program files\VMware\VMware Server\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\o2g8grpc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Copernic Desktop Search - Home\FirefoxConnector\components\CSPXPCOMBridge.dll
FF - plugin: c:\documents and settings\Me\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Me\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Me\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Personal SmartCheck - c:\program files\Personal SmartCheck\PSC.exe
HKCU-Run-DietPower 4.4 Update Setup - c:\documents and settings\Me\Local Settings\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}\DietPowerSetup.exe
HKCU-Run-ydcvkgvb - c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk\uqyorjwtssd.exe
HKLM-Run-ydcvkgvb - c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk\uqyorjwtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8B0978C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80fcf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7efcb3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb7df2bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7dffa21
SendHandler -> NDIS.sys @ 0xb7ddd87b
user & kernel MBR OK
copy of MBR has been found in sector 0x0AEA82880
malicious code @ sector 0x0AEA82883 !
PE file found in sector at 0x0AEA82899 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\VMGINA.DLL
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-05-03 22:50:50
ComboFix-quarantined-files.txt 2010-05-04 03:50
ComboFix2.txt 2009-04-07 15:09
ComboFix3.txt 2008-10-08 04:27
ComboFix4.txt 2008-09-16 04:21
ComboFix5.txt 2009-06-29 20:48

Pre-Run: 659,204,366,336 bytes free
Post-Run: 659,590,496,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 7DE09E23865DA715714764EF7F2BFD0C

Edited by bigteks, 06 May 2010 - 07:21 PM.


#4 bigteks
  • Topic Starter
  • Members
  • 32 posts

Posted 06 May 2010 - 07:48 PM

Unfortunately I can't boot in safe mode; it hangs on the driver load screen. The last driver on the list when it hangs is:

multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\BMLoad.sys

What next?

#5 bigteks
  • Topic Starter
  • Members
  • 32 posts

Posted 06 May 2010 - 08:18 PM

I tried again to run GMER outside safe mode, since I cannot boot into safe mode, and I only selected files and sections, but it rebooted during the scan.

#6 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 08 May 2010 - 08:00 AM

Hello, bigteks.

Sorry for the delay. You are likely infected with a backdoor rootkit, but I need to dig further since we can't get GMER to run. What file gets picked up by AntiVir?



Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files with each other, as the name suggests. In today's world, cybercrime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall, please refrain from using it until I let you know your computer is clean.






Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking of that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/314689/infected-with-trfraudpackaunu-trojan/

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
Collect::
c:\windows\system32\drivers\iunphv.sys
c:\windows\system32\Spool\prtprocs\w32x86\b00004639.dll
DirLook::
c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



Step 2

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
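The lines etavares singles out above (the loopback ProxyServer, the Trusted Zone entry, the "No File" orphans and the random-named Run entries under Local Settings\Application Data) are the kind of thing a log reviewer looks for first. The following is an added example, not code from the thread, ComboFix or DDS, that applies those checks to constructed sample lines modelled on this log; the name-randomness heuristic is an assumption of this example, not something the tools do.

```python
"""Triage ComboFix/DDS-style log lines for the indicators discussed in this thread.

Added example, not code from ComboFix, DDS or the thread. The sample lines below
are constructed to mirror entries in the log above; the name-randomness
heuristic is an assumption of this example, not something the tools do.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the Supplementary Scan and Orphans sections.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: intuit.com\ttlc
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
HKCU-Run-Personal SmartCheck - c:\program files\Personal SmartCheck\PSC.exe
HKCU-Run-DietPower 4.4 Update Setup - c:\documents and settings\Me\Local Settings\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}\DietPowerSetup.exe
HKCU-Run-ydcvkgvb - c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk\uqyorjwtssd.exe
HKLM-Run-ydcvkgvb - c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk\uqyorjwtssd.exe
malicious code @ sector 0x0AEA82883 !
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high", "medium" or "low"
    reason: str
    line: str


LOOPBACK = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^(HKCU|HKLM)-Run-(?P<name>.+?) - (?P<path>.+)$")
# Autostarts launched from per-user data folders rather than Program Files.
PROFILE_DATA = re.compile(r"\\(local settings\\application data|application data|temp)\\", re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def looks_random(name: str) -> bool:
    """Heuristic for generated names: almost no vowels, or a long run of consonants."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a finding, or None when nothing stands out."""
    s = line.strip()
    if "ProxyServer" in s and LOOPBACK.search(s):
        return Finding("high", "browser proxied through the local machine, as rogue-AV hijackers do", s)
    if "malicious code @ sector" in s:
        return Finding("critical", "MBR detector reports malicious code stored in a raw disk sector", s)
    if s.startswith("Trusted Zone:"):
        return Finding("medium", "site in IE Trusted Zone runs with relaxed security; confirm it is needed", s)
    if s.endswith("- No File") and s.split(":", 1)[0] in ("BHO", "TB"):
        return Finding("low", "orphaned browser add-on registration; harmless, remove to tidy up", s)
    m = RUN_ENTRY.match(s)
    if m:
        path = m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if PROFILE_DATA.search(path) and (looks_random(m.group("name")) or looks_random(stem)):
            return Finding("high", "random-named autostart launched from a user data folder", s)
        return Finding("low", "autostart entry; verify the program is one you installed", s)
    return None


def triage(text: str) -> List[Finding]:
    """Run classify() over every line, keeping only the lines that produced a finding."""
    return [f for f in map(classify, text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'critical': 1, 'high': 3, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = ["critical", "high", "medium", "low"]
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:8}] {f.reason}\n           {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```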
 


#7 bigteks
  • Topic Starter
  • Members
  • 32 posts

Posted 08 May 2010 - 09:35 AM

Thank you.

The file being reported by AntiVir is:

C:\System Volume Information\_restore{72B5B062-9D7B-4AF8-B67D-E81B3DF253F9}\RP360\A0046866.exe

It reports it in multiple locations though.

I ran ComboFix as directed and uploaded the quarantine zip file. Next I will follow the step 2 directions. Here is the ComboFix output:

ComboFix 10-05-07.07 - Me 05/08/2010 9:10.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2641 [GMT -5:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\windows\system32\drivers\iunphv.sys
file zipped: c:\windows\system32\Spool\prtprocs\w32x86\b00004639.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\iunphv.sys
c:\windows\system32\Spool\prtprocs\w32x86\b00004639.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-04 17:45 . 2010-05-04 17:45 -------- d-----w- c:\documents and settings\Me\Application Data\Avira
2010-05-04 05:06 . 2010-05-04 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-04 05:06 . 2010-05-04 05:06 -------- d-----w- c:\documents and settings\Me\Application Data\Office Genuine Advantage
2010-05-04 04:53 . 2010-05-04 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-04 04:53 . 2010-05-04 04:54 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-03 03:19 . 2010-05-04 03:46 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk
2010-04-30 23:13 . 2010-04-30 23:13 -------- d-----w- C:\0CHDs
2010-04-30 22:25 . 2010-05-01 01:05 -------- d-----r- C:\MameUI32
2010-04-28 03:58 . 2010-04-28 03:58 38411 ----a-w- c:\documents and settings\Me\Application Data\IDM\bin\idm_flash_uninstaller.exe
2010-04-28 03:58 . 2010-04-28 03:58 -------- dc-h--w- c:\documents and settings\Me\Local Settings\Application Data\{2853BFD5-3865-45EB-A4E3-967D4A9B969A}
2010-04-27 12:56 . 2010-04-27 12:56 -------- d-----w- c:\program files\iPod
2010-04-27 12:56 . 2010-04-27 12:57 -------- d-----w- c:\program files\iTunes
2010-04-27 12:56 . 2010-04-27 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-27 12:53 . 2010-04-27 12:53 -------- d-----w- c:\program files\QuickTime
2010-04-27 12:49 . 2010-04-27 12:49 -------- d-----w- c:\program files\Bonjour
2010-04-27 12:46 . 2010-04-27 12:46 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-18 18:54 . 2010-04-18 18:54 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\LogMeIn
2010-04-18 18:54 . 2010-04-18 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2010-04-18 18:54 . 2009-09-29 00:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-04-18 18:54 . 2009-09-29 00:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-04-18 18:54 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2010-04-18 18:54 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2010-04-18 18:54 . 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2010-04-18 18:54 . 2010-05-08 14:08 -------- d-----w- c:\program files\LogMeIn
2010-04-18 18:24 . 2010-04-18 18:53 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 14:08 . 2009-12-26 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-05-08 14:08 . 2009-12-26 05:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-05-08 07:12 . 2010-02-09 02:45 -------- d-----w- c:\documents and settings\Me\Application Data\NBC Direct
2010-05-07 01:13 . 2010-03-08 22:19 -------- d--h--w- c:\documents and settings\All Users\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}
2010-05-07 01:13 . 2009-07-23 21:15 -------- d-----w- c:\documents and settings\Me\Application Data\uTorrent
2010-05-04 05:03 . 2010-03-20 06:03 -------- d-----w- c:\program files\VOB
2010-05-04 05:03 . 2009-07-23 21:15 -------- d-----w- c:\program files\uTorrent
2010-05-04 04:46 . 2009-07-05 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-04 03:36 . 2009-07-28 20:06 -------- d-----w- c:\program files\SuperCopier2
2010-05-01 00:08 . 2009-07-22 15:51 -------- d-----w- c:\program files\7-Zip
2010-04-28 03:58 . 2010-02-09 02:45 -------- d---a-w- c:\program files\NBC Direct
2010-04-28 03:58 . 2010-02-09 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2010-04-27 12:56 . 2009-10-16 22:08 -------- d-----w- c:\program files\Common Files\Apple
2010-04-26 18:17 . 2009-09-13 00:46 -------- d-----w- c:\program files\Mobysaurus Thesaurus
2010-04-20 15:06 . 2010-02-05 23:10 -------- d-----w- c:\program files\The Logo Creator v5
2010-04-04 00:23 . 2010-04-04 00:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 00:23 . 2010-04-04 00:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 00:23 . 2010-04-04 00:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 00:23 . 2010-04-04 00:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 00:23 . 2010-04-04 00:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 00:22 . 2010-04-04 00:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-30 12:46 . 2009-11-28 15:13 -------- d-----w- c:\program files\WinSCP
2010-03-24 07:38 . 2010-03-24 07:38 -------- d-----w- c:\program files\Belarc
2010-03-22 15:35 . 2009-07-21 13:46 -------- d-----w- c:\program files\Copernic Desktop Search - Home
2010-03-22 14:45 . 2010-03-22 14:45 -------- d-----w- c:\program files\Restorer Ultimate
2010-03-20 17:37 . 2010-03-20 17:37 -------- d-----w- c:\program files\Audacity
2010-03-19 15:58 . 2009-07-23 12:32 -------- d-----w- c:\program files\Java
2010-03-19 15:57 . 2010-03-19 15:57 152576 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-19 15:54 . 2010-02-16 20:40 79488 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 14:33 . 2010-03-08 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DietPower4.4
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 22:39 . 2010-03-02 22:39 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-02 22:39 . 2010-03-02 22:39 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-02 22:39 . 2010-03-02 22:39 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-02 22:38 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-01 22:29 . 2009-07-05 16:29 84776 ----a-w- c:\documents and settings\Me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 14:05 . 2009-07-05 11:19 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:20 . 2010-02-17 20:20 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-17 20:20 . 2010-02-17 20:20 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-02-17 19:19 . 2010-02-17 19:19 0 ----a-w- c:\windows\nsreg.dat
2010-02-16 18:24 . 2009-07-05 11:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 15:17 . 2009-07-05 07:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Me\Local Settings\Application Data\vtxcarpkk ----



((((((((((((((((((((((((((((( SnapShot@2010-05-04_03.49.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 14:09 . 2010-05-08 14:09 16384 c:\windows\Temp\Perflib_Perfdata_d80.dat
+ 2010-05-08 14:08 . 2010-05-08 14:08 16384 c:\windows\Temp\Perflib_Perfdata_a10.dat
+ 2010-05-08 14:08 . 2010-05-08 14:08 16384 c:\windows\Temp\Perflib_Perfdata_128.dat
- 2008-04-14 12:00 . 2010-04-14 16:29 80720 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-04 04:51 80720 c:\windows\system32\perfc009.dat
+ 2010-04-04 03:55 . 2010-04-04 03:55 61440 c:\windows\system32\OpenCL.dll
+ 2008-04-14 12:00 . 2009-10-08 19:56 20480 c:\windows\system32\oleaccrc.dll
+ 2008-04-14 12:00 . 2009-10-08 19:56 20480 c:\windows\system32\dllcache\oleaccrc.dll
+ 2009-07-07 00:12 . 2010-02-16 04:50 64000 c:\windows\system32\dllcache\iecompat.dll
- 2009-07-05 07:58 . 2010-04-15 08:05 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-05-04 04:53 . 2009-12-11 08:38 69120 c:\windows\ie8updates\KB980302-IE8\iecompat.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\7a873f47ac1752c41fcb89ad9c8fbad3\UIAutomationProvider.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 21504 c:\windows\assembly\NativeImages_v2.0.50727_32\TVM\5c4993bf0d2e9d66565b4119b46e042f\TVM.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\87a11190cb0c9ecfd20b607bff6690fb\System.Windows.Presentation.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\6a6a72d2ee8849a5ad7a80af36563ed5\System.Web.DynamicData.Design.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\1c25e1eb925bf9c0b526ead78e3e1abc\System.ComponentModel.DataAnnotations.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\96443722953c690747a82d31bd1c549f\System.AddIn.Contract.ni.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\cc03ee82d7b7524882920ae7c37c2f9f\PresentationFontCache.ni.exe
+ 2010-05-04 04:51 . 2010-05-04 04:51 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\2ab0f8728d72db601f1b806c5ba9fd8c\PresentationCFFRasterizer.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\6c4bf544cfa75f913df49142acab1b7c\Microsoft.Vsa.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\40575d1feefd37cdfd213fc51f26a194\Microsoft.VisualC.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f557a86223e3622629cce620e5d5615c\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\e8004f4d8ec8a1bd131d10826939c3d4\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 36352 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\e7c09f2f6031744dbf8c87c9e482fac7\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 35328 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d91557a8d7da1b1377ff12bf695d2977\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 36352 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d7e3f822df90750bbbd5397ea0829cf6\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d531e1ad1f8278ede189614618978ee3\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18432 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\bcebf038559d2b61a953caa6efb335ac\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 19456 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ba5cb8e68159a50a1aee54dd0a632c70\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 30208 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b3842fe4b155ccb8ad47b7caa05c4efb\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 30720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b19d9c792c910a6839c6822d9a5c9a5b\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1132beff74f67ef0f971de2c93ccc13\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab724083569ad4df4366e22a63b3cac0\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 32768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a7ac84e0437ddc69da3a3c7217443bb1\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a59e1585973c1bd445f50faf1f1da607\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a347a3aeed43e8c79ff0d1c6f1274c77\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 33280 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\98654704b6ee75d176a2b7c615daa842\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\925dda0ce843a83384437e362ea376c9\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\91d1bc8f07a1249c54e2a8be8fd0bd00\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 17408 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8c02349f1eddb48ec8c45f4d1e3fa457\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\80eca55dd9d1ae96594685b7f98616b4\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 28672 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7e257052484fc73e496c94d6faad8ef8\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\71e8e8835fd50399055c7b5716a96081\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 39936 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6e89046881efddc52c4bea4ced1e8b16\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 31232 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\65a30ad9fcd0f5ab2632e792aa553ad8\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 20992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\5e8c72ed9c23ad6a556bd5b1ceda7eac\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\5d99fbbefe8c7cb89d220c92a3f3c97e\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 33792 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\563aeda031c8c73dfdeeee258d4e53bd\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\51c11a1c28aea32c39d24c10e2c4ae73\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 35840 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4ea3d0dd77c25ae3d6f5d7531fec135b\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 19456 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4ac467ec4aacc9f357bf9dbf0461389f\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\45330074194c2ce3f788e26d85d3a580\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\39a00c2b298cdb91e233d03769fba0f7\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 30208 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\347c32079ed04f5cd475bc1854ec50b7\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 45568 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\33cef4305c2ab1762004af88efff77f8\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 28672 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2f402df8b47ae125c06a4c81f5f2c0ac\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 37376 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2d3b9f2b161b0ad1157ac115412d7ca7\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 31232 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\287f4976b4ea35f373f696121d24027a\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\185284868454771aec8c5c4874d4dacb\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 19456 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\173d2d4d9ea9b8b6a2e8dd9cd632ac30\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 30720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\158a2580ced9f9a3fee754396e54f020\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13d02cb87a472ae281e095ec9c715120\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 16384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\07aef82c3d4b06be126d58af4a9a8125\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 31232 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0663de6addbe6cd7497f2f4c34b0cd29\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 35840 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0372e727bfa18a36be641facccc3ce5e\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\5754fc85021b2f65836ba422521631eb\Microsoft.Build.Framework.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\0cb37ad30660eed74e9f8e28640c019f\Microsoft.Build.Framework.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 68608 c:\windows\assembly\NativeImages_v2.0.50727_32\Intuit.Ctg.Wte.Inte#\a50a0940bf4df2da3c68a48da9397ce9\Intuit.Ctg.Wte.InterviewControlLibrary.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\36bb2dd711974ad0bce057d2bc9c4592\dfsvc.ni.exe
+ 2010-05-04 05:37 . 2010-05-04 05:37 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\16548a271b624211b7d1bd2956faed85\Accessibility.ni.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-03-22 15:40 . 2009-05-04 04:00 6643 c:\windows\system32\wsaack.dll
+ 2010-03-22 15:40 . 2009-05-04 04:00 8656 c:\windows\system32\dsauin12.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-10-14 08:06 . 2009-10-14 08:06 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-07-30 00:59 . 2009-10-08 19:57 611328 c:\windows\system32\uiautomationcore.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 671744 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvcuvid.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 151552 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvcod.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 815104 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvapi.dll
- 2008-04-14 12:00 . 2010-04-14 16:29 468418 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2010-05-04 04:51 468418 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2009-10-08 19:57 220160 c:\windows\system32\oleacc.dll
+ 2009-08-03 20:07 . 2009-08-03 20:07 230768 c:\windows\system32\OGAEXEC.exe
+ 2009-08-03 20:07 . 2009-08-03 20:07 403816 c:\windows\system32\OGACheckControl.dll
+ 2009-08-03 20:07 . 2009-08-03 20:07 322928 c:\windows\system32\OGAAddin.dll
+ 2009-07-05 08:10 . 2010-04-04 03:55 600680 c:\windows\system32\NVUNINST.EXE
+ 2009-07-05 08:10 . 2010-04-04 03:55 600680 c:\windows\system32\nvudisp.exe
+ 2009-06-10 11:03 . 2010-04-04 03:55 227944 c:\windows\system32\nvcodins.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 227944 c:\windows\system32\nvcod.dll
+ 2008-04-14 12:00 . 2009-10-08 19:57 220160 c:\windows\system32\dllcache\oleacc.dll
+ 2009-10-27 05:45 . 2009-10-27 05:45 970752 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
+ 2009-10-20 22:21 . 2009-10-20 22:21 989000 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2010-05-04 04:45 . 2010-05-04 04:45 119296 c:\windows\Installer\29c42d.msi
+ 2009-07-05 07:58 . 2010-05-04 04:46 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-05-04 04:53 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980302-IE8\spuninst\updspapi.dll
+ 2010-05-04 04:53 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980302-IE8\spuninst\spuninst.exe
+ 2009-10-14 08:06 . 2009-10-14 08:06 113664 c:\windows\assembly\temp\T17ELRY4U0\System.EnterpriseServices.Wrapper.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 258048 c:\windows\assembly\temp\T17ELRY4U0\System.EnterpriseServices.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 114688 c:\windows\assembly\temp\NV18ELRY4A\System.ServiceProcess.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 626688 c:\windows\assembly\temp\NV17EKRX4A\System.Drawing.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 425984 c:\windows\assembly\temp\IZ5CIPV18E\System.configuration.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 261632 c:\windows\assembly\temp\IQW39GMSZ6\System.Transactions.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 303104 c:\windows\assembly\temp\7ELRY4AHNU\System.Runtime.Remoting.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\76212f0eaf908ddc457b7c09fdc00013\WsatConfig.ni.exe
+ 2010-05-04 04:54 . 2010-05-04 04:54 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\40cba4b973c13c0713f14523d402cf38\WindowsFormsIntegration.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\0bdc62fb9894a13e0202e4d3cdcf5424\UIAutomationTypes.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\41fb928bd2afe2c9e7af374cab99441b\UIAutomationClient.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\43dff2d60cc1e2d83207d115d6ebd5da\System.Xml.Linq.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bbbbee6aee8efc2a3fe36297df61558c\System.Web.Routing.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\4918daec30cc88a92e9089d6e6ddf65b\System.Web.RegularExpressions.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\1abbdbd4a1de53b702bae22e4714b95d\System.Web.Extensions.Design.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\adaa9f715be2debd2b11674077f3afda\System.Web.Entity.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\23a843aedd80a0f43e0baa1986bcd83f\System.Web.Entity.Design.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a68617197d12be5a9a8bb91b4e7873ec\System.Web.DynamicData.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\8ff474534be27f40db5c17fee04a9fe7\System.Web.Abstractions.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9aa6ef5e5d40a8b8fb2850ee4a3e7bb3\System.Transactions.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b74d61184e254ac814bb3ceae5cc1095\System.ServiceProcess.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\3ef9383bddd7283406d0ba7303f38e46\System.Security.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\aab1f5149537a106a50b1508d9b18eb5\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\bb055968cb987dffa2f558cc5a2713f7\System.Runtime.Remoting.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\90e7b21b6f94a25cb4470ac854999479\System.Net.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\d7ad7924159136fb7e13cfdf3d01cf21\System.Management.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\7081191709ba39f5b18f2f52f61c6aab\System.Management.Instrumentation.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 181248 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\fafc03597676e65dfb8f4697ac647c62\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 188928 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\f32313a8dec56494438c80f5d54305f6\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 169984 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\ea77ee92b00cbefb83da28fce1b67019\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 169472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\ddc0417f8addef49288190f918af1dac\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 154624 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\c6e875d1a64aea766fbdd75037851222\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 154112 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\c5de04699aa38a2dabea09019dea086d\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 177664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\892b5420690274f0e84073f1e52428bf\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 221184 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\84b0a0d2a43a3e3d7a530b46bb49bdee\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 160256 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\646fab05d237a943021a9ceaa6c32c7b\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 172544 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\0d8ad65fa89646d47bfc0fd29a015f6e\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\09c54e2aad75149a41492bd38567ae26\System.Management.Automation.resources.ni.dll
+ 2010-05-04 05:36 . 2010-05-04 05:36 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\c88bdc0770617f2bec70e82b2877712e\System.IO.Log.ni.dll
+ 2010-05-04 05:38 . 2010-05-04 05:38 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\9830b36108b5acc8bfecd4b523ae6422\System.IdentityModel.Selectors.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\34bd8d1c5589efe26dfd69cfef05888c\System.EnterpriseServices.Wrapper.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\34bd8d1c5589efe26dfd69cfef05888c\System.EnterpriseServices.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\c27d9b8fc90f4e86f272ec31748a9beb\System.Drawing.Design.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\2e171d3863d31c9760be4a76d7a41842\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\26c2dd48768ead8ab6981c502c33a16b\System.DirectoryServices.Protocols.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a157c98a0bd61c92cc324ccb085c0c2f\System.Data.Services.Client.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\43ebb69f9f13b4d50877a718fe7e2fec\System.Data.Services.Design.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\6f40c0b03a35585ad314a0459ebd3721\System.Data.Entity.Design.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\67b8b52a93087400d9c8efa36d28ba0f\System.Data.DataSetExtensions.ni.dll
+ 2010-05-04 05:38 . 2010-05-04 05:38 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\33f46842f1687b027c3471ca1ba6e929\System.Configuration.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\d5f4012b6c896418365813c53c5e46ce\System.Configuration.Install.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\338d4c7d84af692ae64bdee6e66bd04a\System.AddIn.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\57b773ae9a151b61e0d669e8bbc64275\SMSvcHost.ni.exe
+ 2010-05-04 05:37 . 2010-05-04 05:37 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\c047fb6624ebfd95bdbc916e0068e6e9\SMDiagnostics.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\ce9e424d230401a889211771dec6b896\ServiceModelReg.ni.exe
+ 2010-05-04 04:53 . 2010-05-04 04:53 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7d163bfe827d562c116d3de590f36034\PresentationFramework.Royale.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\4e517fa6333a094176c3c4afbce79398\PresentationFramework.Luna.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\23e1cebd89e1847692bc385d5c6421f0\PresentationFramework.Classic.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\006252e8262786938392d9fb7b197d7e\PresentationFramework.Aero.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\9f2d92e6bde466705c09e3ecf53878a5\MSBuild.ni.exe
+ 2010-05-04 05:41 . 2010-05-04 05:41 466944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c901d0f80e7aea1652afde1055c9993f\Microsoft.VisualStudio.Tools.Applications.Runtime.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\49805534376724ae137ff41cda393d19\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 433664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\9e64552e502e83ea9f36a635da673f2a\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 968192 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7a87e180c6853689a6962cfabf5a4a22\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 492032 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\263801f28bdfc6390257bfd325c791d4\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2010-05-04 05:41 . 2010-05-04 05:41 148480 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0b22303173840a037788ee88b4f664cc\Microsoft.PowerShell.Security.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\caf2207b404aa5bcb77833e3302fc5b6\Microsoft.Build.Utilities.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\74290c786353b8f4341550847169adb1\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\ecad09aa540d7011ff615077bba756c9\Microsoft.Build.Engine.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\d326c3841b68b469dc70eab552dc0764\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 696320 c:\windows\assembly\NativeImages_v2.0.50727_32\log4net\59d477e034cff2b0a5bccab4d04340ef\log4net.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 657408 c:\windows\assembly\NativeImages_v2.0.50727_32\Intuit.Ctg.Wte.Serv#\0b63f1e2721b98f37dd85d48060e1da2\Intuit.Ctg.Wte.Service.Interface.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 802304 c:\windows\assembly\NativeImages_v2.0.50727_32\Infragistics2.Share#\a146f92645c17e8a800ae989db13270f\Infragistics2.Shared.v8.2.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\7966bb0eeae06d6e0a0999f7e57945c3\CustomMarshalers.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\aa863a2ee18166e2c56f9b310352b160\ComSvcConfig.ni.exe
+ 2010-05-04 05:38 . 2010-05-04 05:38 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\ab21507db0a8b7a8b8bd86f468bed2d4\AspNetMMCExt.ni.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 970752 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 9998336 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvoglnt.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 1580550 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvdata.bin
+ 2010-05-04 04:53 . 2009-06-10 11:03 1310720 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvcuvenc.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 1720320 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nvcuda.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 8087712 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nv4_mini.sys
+ 2010-05-04 04:53 . 2009-06-10 11:03 5908608 c:\windows\system32\ReinstallBackups\0013\DriverFiles\nv4_disp.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 2183470 c:\windows\system32\nvdata.bin
+ 2009-06-10 11:03 . 2010-04-04 03:55 2030184 c:\windows\system32\nvcuvid.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 2646632 c:\windows\system32\nvcuvenc.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 4075520 c:\windows\system32\nvcuda.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 1097728 c:\windows\system32\nvapi.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 6432128 c:\windows\system32\nv4_disp.dll
- 2008-12-06 01:12 . 2008-12-06 01:12 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
+ 2009-10-27 05:45 . 2009-10-27 05:45 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
+ 2009-10-20 22:21 . 2009-10-20 22:21 5812544 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2009-10-20 22:21 . 2009-10-20 22:21 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-07-05 07:58 . 2010-05-04 04:46 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-07-05 07:58 . 2010-05-04 04:46 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2009-07-05 07:58 . 2010-04-15 08:05 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-10-14 08:06 . 2009-10-14 08:06 2048000 c:\windows\assembly\temp\PW3AGNTZ6D\System.XML.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 5025792 c:\windows\assembly\temp\BIPV18ELRY\System.Windows.Forms.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 3149824 c:\windows\assembly\temp\6DKQX3AGMT\System.dll
+ 2009-10-14 08:06 . 2009-10-14 08:06 2933248 c:\windows\assembly\temp\3BIOV18ELR\System.Data.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\f8a90ee99107973c2520332dd8b8ef9e\WindowsBase.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0a1860ffd2d4f04da447014299c6b28e\UIAutomationClientsideProviders.ni.dll
+ 2010-05-04 05:38 . 2010-05-04 05:38 4170240 c:\windows\assembly\NativeImages_v2.0.50727_32\ttax\b77cb48a98db11ce3f4a598edaebeed7\ttax.ni.dll
+ 2010-05-04 04:51 . 2010-05-04 04:51 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\37de8af38fc4fd7d868097a40f82c0bb\System.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\0090a51bb28fe4c9abb5604048501e57\System.Xml.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ad2b413a977164493c9498e6eea9836a\System.WorkflowServices.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\56f5b5b7fbb513b20a8c42d6ede20716\System.Workflow.Runtime.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\4428b243d69bdd25c325fcf5a4d9f1eb\System.Workflow.ComponentModel.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\1133d8b77e7e94edc069d95e93eb0531\System.Workflow.Activities.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\affca324d68452f7827a9be5e355e445\System.Web.Services.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\dec2660e1581be57dacf9c6104e8d252\System.Web.Mobile.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\9c987fc21a6763c2bd5b1f7ec5b5b153\System.Web.Extensions.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\8597f82ee0c148065f85f41f610d9419\System.Speech.ni.dll
+ 2010-05-04 05:48 . 2010-05-04 05:48 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\9195677eb52d4545a918a70636cacaac\System.ServiceModel.Web.ni.dll
+ 2010-05-04 05:36 . 2010-05-04 05:36 2344960 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\0f1d3fc0f9bd72295c053a66090472e1\System.Runtime.Serialization.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\0a5cc73a26c3c1a105dfc9c7f1412857\System.Printing.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 4949504 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\a61c36c0207c5c67294c2e53fb3f55c7\System.Management.Automation.ni.dll
+ 2010-05-04 05:36 . 2010-05-04 05:36 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\3b589e5c7262c5564668e893ed5fa347\System.IdentityModel.ni.dll
+ 2010-05-04 04:54 . 2010-05-04 04:54 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\b106b43c1a464a009a72930a81204b35\System.Drawing.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\3102dd31a0e81701ab4c3e3627210885\System.DirectoryServices.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\299b46ce8a9cd708aad0b34a6817c3c9\System.Deployment.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\37ddef291179db404821628bdd037cf0\System.Data.ni.dll
+ 2010-05-04 05:38 . 2010-05-04 05:38 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0f4ca76e1a55a8b10a169e26fb5ae852\System.Data.SqlXml.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\6d3af39f54f52966f62c89d88ea2d106\System.Data.Services.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\d97e96e4d4075c86d51ff133fd0dbd1c\System.Data.OracleClient.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\bd0088ae2ca9506a05b5c6fc5ed2580b\System.Data.Linq.ni.dll
+ 2010-05-04 05:42 . 2010-05-04 05:42 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\f0ffa7c1091f11d9b3442926e44f2756\System.Data.Entity.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\4ab24094be8e022a12520ca6cd010b7b\System.Core.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\9ba5ab0f501a0df0071be635e0a20432\ReachFramework.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\3d20a75014a565b2ee352a8ceb1f6636\PresentationUI.ni.dll
+ 2010-05-04 04:51 . 2010-05-04 04:51 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\d2d645152f9892145d93d19da69cd716\PresentationBuildTasks.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\16fc2faef3984a77e7ee02cafd94c5f4\Microsoft.VisualBasic.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\01bf250452829c199bdc583e3e007685\Microsoft.Transactions.Bridge.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\1d4ab5c6748b01243403b915fb76e068\Microsoft.JScript.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\e5581e288bb26364dc6d4987251dfdf5\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\19627bc5e3955d69e007b4c4f49489db\Microsoft.Build.Tasks.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\e25766aa55cbe4b36e3c6b1a498beb0d\Microsoft.Build.Engine.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\Intuit.Ctg.Map\723a67144493e88eb2f54ec5cf54a3c9\Intuit.Ctg.Map.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:40 2597376 c:\windows\assembly\NativeImages_v2.0.50727_32\Infragistics2.Win.M#\df7142b93758aef49c3c0ee103ffa011\Infragistics2.Win.Misc.v8.2.ni.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-07-07 00:24 . 2009-07-07 00:24 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-05-04 04:49 . 2010-05-04 04:49 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-10-14 08:06 . 2009-10-14 08:06 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-05-04 04:50 . 2010-05-04 04:50 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-05-04 04:53 . 2009-06-10 11:03 20887360 c:\windows\system32\ReinstallBackups\0013\DriverFiles\NvCplSetupEng.exe
+ 2009-06-10 11:03 . 2010-04-04 03:55 14757888 c:\windows\system32\nvoglnt.dll
+ 2010-04-04 03:55 . 2010-04-04 03:55 11647592 c:\windows\system32\nvcompiler.dll
+ 2009-06-10 11:03 . 2010-04-04 03:55 10232128 c:\windows\system32\drivers\nv4_mini.sys
+ 2009-06-10 11:03 . 2010-04-04 03:55 10232128 c:\windows\system32\dllcache\nv4_mini.sys
+ 2009-10-27 19:57 . 2009-10-27 19:57 14009856 c:\windows\Installer\29c47c.msp
+ 2009-10-27 22:11 . 2009-10-27 22:11 11146240 c:\windows\Installer\29c462.msp
+ 2009-08-18 18:19 . 2009-08-18 18:19 10098688 c:\windows\Installer\29c449.msp
+ 2010-05-04 04:54 . 2010-05-04 04:54 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f0c753f83940b5de037a16ba162ebdce\System.Windows.Forms.ni.dll
+ 2010-05-04 05:39 . 2010-05-04 05:39 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3d959bc1e5bef926783107fd981701b6\System.Web.ni.dll
+ 2010-05-04 05:37 . 2010-05-04 05:37 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\737db428238916034602919cb948166c\System.ServiceModel.ni.dll
+ 2010-05-04 04:53 . 2010-05-04 04:53 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\75dc107fbe5daac68eaf32c5050d7108\System.Design.ni.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\45ec5da8d65c84a6eaba0d6ef6da964c\PresentationFramework.ni.dll
+ 2010-05-04 04:52 . 2010-05-04 04:52 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\663d2717d42068c8f6913ea56c4b8ff4\PresentationCore.ni.dll
+ 2010-05-04 04:51 . 2010-05-04 04:51 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\4e82a0b51b82ffb8127c48c7d13485d7\mscorlib.ni.dll
+ 2010-05-04 05:40 . 2010-05-04 05:40 10334208 c:\windows\assembly\NativeImages_v2.0.50727_32\Infragistics2.Win.v#\6e97151840fb0d2d9a11b32536e922a0\Infragistics2.Win.v8.2.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DietPower 4.4 Update Setup for All Users"="c:\documents and settings\All Users\Application Data\{34474EFD-D329-4A99-A967-410E40B3419A}\DietPowerSetup.exe" [2009-08-19 2397776]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-04 321328]
"Copernic Desktop Search - Home"="c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2010-02-04 1594368]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-11-11 1150016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-02-17 33595392]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-15 536576]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-12-02 75072]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-12-02 316736]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-02 202256]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-12-23 303104]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57240:TCP"= 57240:TCP:Pando Media Booster
"57240:UDP"= 57240:UDP:Pando Media Booster
"9089:TCP"= 9089:TCP:VMware vCenter Converter Standalone - Agent

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [9/30/2009 11:10 PM 40560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/5/2009 6:19 AM 135336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/20/2009 4:22 PM 54960]
R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [4/17/2009 9:42 PM 428592]
R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [4/17/2009 9:59 PM 428592]
R2 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [10/20/2009 4:21 PM 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [10/20/2009 4:27 PM 57344]
R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [4/17/2009 9:42 PM 22448]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 3:45 PM 31896]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/5/2009 2:17 AM 1057024]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [7/5/2009 2:33 AM 386784]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/20/2009 11:31 AM 297472]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [4/17/2009 9:42 PM 27312]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [10/20/2009 4:22 PM 29744]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-362288127-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-05-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-362288127-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
LSP: c:\program files\VMware\VMware Server\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\o2g8grpc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.calvarydenton.com/
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Copernic Desktop Search - Home\FirefoxConnector\components\CSPXPCOMBridge.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8B1898C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80fcf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7efcb3a
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
copy of MBR has been found in sector 0x0AEA82880
malicious code @ sector 0x0AEA82883 !
PE file found in sector at 0x0AEA82899 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\VMGINA.DLL
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-05-08 09:19:30
ComboFix-quarantined-files.txt 2010-05-08 14:19
ComboFix2.txt 2010-05-04 03:50
ComboFix3.txt 2009-04-07 15:09
ComboFix4.txt 2008-10-08 04:27
ComboFix5.txt 2010-05-08 14:04

Pre-Run: 658,671,652,864 bytes free
Post-Run: 658,662,916,096 bytes free

- - End Of File - - 276FD8F673796A377AA3BAF8B37F84E9

Edited by bigteks, 08 May 2010 - 09:36 AM.


#8 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 08 May 2010 - 09:54 AM

Here is the output of maxlook.exe:

Run from C:\Documents and Settings\Me\Desktop\maxlook.exe on Sat 05/08/2010 at 9:51:22.87

No infected file found


Meanwhile I am getting a new malware report from AntiVir:

Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\WINDOWS\maxdriver\atapi.sys.
Action performed: Deny access


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 08 May 2010 - 10:16 AM

Hello, bigteks.

OK, you're getting detections in the System Restore...old, inactive malware. We'll purge System Restore when we're done.

The new detection is interesting, since MaxLook called it clean, but it's getting picked up. Let's replace that file...first we need to find a clean copy.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    atapi.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#10 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 08 May 2010 - 10:32 AM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:27 on 08/05/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [03:49 04/05/2010] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\maxdriver\atapi.sys --a--- 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
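Reading a SystemLook filefind result like the one above comes down to comparing the copies' hashes and noticing which copy could not be hashed at all. The following Python is an added example, not code from the thread or from SystemLook: it parses the ':filefind' line format shown above and flags copies that could not be hashed or whose MD5 differs from a reference (the caller's known-good MD5 if given, otherwise the most common hash among the copies). The sample log embedded in it is constructed in that format.

```python
# Added example (not from the thread or from SystemLook): triage a
# SystemLook ':filefind' log the way a helper reads it by hand.
import re
from collections import Counter

# One result line: path, attributes, size, two timestamps, then a 32-hex MD5
# or SystemLook's "(Unable to calculate MD5)".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>-[-a-z]{3,}-) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)

def parse_filefind(log_text):
    """Return one dict per result line; lines that are not results are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = None if e["md5"].startswith("(") else e["md5"].upper()
            entries.append(e)
    return entries

def triage(entries, known_good_md5=None):
    """Map each path to MATCH, MISMATCH or UNHASHABLE against a reference hash.

    Reference: the caller's known-good MD5, else the most common hash among the
    copies. A copy with no hash is always flagged: a driver the tool cannot read
    on the live system is the one to look at first.
    """
    hashes = [e["md5"] for e in entries if e["md5"]]
    if known_good_md5:
        reference = known_good_md5.upper()
    else:
        reference = Counter(hashes).most_common(1)[0][0] if hashes else None
    verdicts = {}
    for e in entries:
        if e["md5"] is None:
            verdicts[e["path"]] = "UNHASHABLE"
        elif reference and e["md5"] != reference:
            verdicts[e["path"]] = "MISMATCH"
        else:
            verdicts[e["path"]] = "MATCH"
    return verdicts

# Constructed sample in the thread's log format (paths/hash copied from the posted log).
SAMPLE_LOG = """\
Searching for "atapi.sys"
C:\\WINDOWS\\ERDNT\\cache\\atapi.sys --a--- 96512 bytes [03:49 04/05/2010] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\\WINDOWS\\maxdriver\\atapi.sys --a--- 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)
C:\\WINDOWS\\system32\\drivers\\atapi.sys --a--- 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""
```

Run `triage(parse_filefind(SAMPLE_LOG))` to get a verdict per path; pass `known_good_md5` when a hash from a pristine copy of the same build is available.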

#11 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 08 May 2010 - 10:33 AM

I also have a full volume copy of my system drive on another drive letter from about 9 months ago if that helps.

#12 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 08 May 2010 - 10:34 AM

But it won't boot because it is from before I upgraded my motherboard.

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 08 May 2010 - 10:46 AM

None of those are good candidates. Do you have a Windows CD handy?

Hmm, that may work, but let's use the Windows CD first.




#14 bigteks

bigteks
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 08 May 2010 - 11:05 AM

Yes, just tell me what to do.

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 08 May 2010 - 11:29 AM

OK, put the Windows CD in the drive.

Click Start --> Run and type the bold text exactly as shown:
expand d:\i386\atapi.sy_ c:\atapi.sys

Next, please confirm that atapi.sys is in your C:\ folder.

Let me know if that worked.






