Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit/Malware Removal Request


  • This topic is locked This topic is locked
12 replies to this topic

#1 realrm

realrm

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 07 June 2010 - 11:35 AM

Opening new topic per instructions from Orange Blossom , Link to previous Thread: http://www.bleepingcomputer.com/forums/topic321540.html

My desktop got infected with rootkit virus a week ago. After a lot of pain, I was able to remove the fake security pop ups but it kept coming back in different form. It has hijacked my IE and Firefox and it opens pop-ups on it's own and takes me to some strange sites. Now it has completely disabled my internet connection and sound card. I can not start various services such as Windows Firewall or as simple as Help & Support service of XP.

Malware Byte's scan with defn as of 6/1/2010 DB version 4161 scan completes successfully.

PC Details: Windows XP Pro SP3

Here is the DDS Log from infected machine:


DDS (Ver_10-03-17.01) - NTFSx86
Run by malgaonr at 9:45:22.09 on Mon 06/07/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3567.2997 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Virtual Server\vmh.exe
C:\program files\marimba\tuner\Tuner.exe
C:\WINDOWS\Explorer.EXE
C:\program files\marimba\tuner\lib\minituner.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\UnHackMe\gwebupdate.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\malgaonr\Desktop\PCCleanup\Defogger.exe
C:\Documents and Settings\malgaonr\Desktop\PCCleanup\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wolters-kluwer.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [WKPopup] "c:\program files\wkinvtool\wkpopup.exe" /startup
mRun: [DWPersistentQueuedReporting] c:\progra~1\common~1\micros~1\dw\DWTRIG20.EXE -a
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\malgaonr\applic~1\mozilla\firefox\profiles\nhs5bbxz.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\malgaonr\application data\mozilla\firefox\profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\robert.chandler\desktop\VCdRom.sys [2009-2-20 8576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-11-11 47640]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 Virtual Server;Virtual Server;c:\program files\microsoft virtual server\vssrvc.exe [2005-10-21 3315064]
R2 WKEndpoint;WK Endpoint;c:\program files\marimba\tuner\Tuner.exe [2007-10-31 36957]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-4 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-26 35968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100518.004\naveng.sys [2010-5-19 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100518.004\navex15.sys [2010-5-19 1347504]
R3 vmh;Virtual Machine Helper;c:\program files\microsoft virtual server\vmh.exe [2005-10-21 175872]
R4 RegGuard;RegGuard;\??\c:\windows\system32\drivers\regguard.sys --> c:\windows\system32\drivers\regguard.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-06-07 14:42:28 0 ----a-w- c:\documents and settings\malgaonr\defogger_reenable
2010-06-07 14:32:39 167936 -c--a-w- c:\windows\system32\dllcache\appmgmts.dll
2010-06-07 14:32:39 167936 ----a-w- c:\windows\system32\appmgmts.dll
2010-06-07 14:32:24 44 ----a-w- c:\windows\system32\Partizan.RRI
2010-06-03 16:17:45 11776 ----atw- c:\windows\system32\PSS5400F.DLL
2010-06-03 15:21:32 2 --shatr- c:\windows\winstart.bat
2010-06-03 15:21:12 0 d-----w- c:\program files\UnHackMe
2010-05-27 19:38:40 77312 ----a-w- c:\windows\MBR.exe
2010-05-27 19:36:59 389120 ----a-w- c:\windows\system32\CF32555.exe
2010-05-27 14:27:26 0 d-----w- C:\Training CDs
2010-05-21 18:18:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 18:18:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-21 16:17:24 0 d-----w- c:\docume~1\malgaonr\applic~1\Malwarebytes
2010-05-21 14:58:03 6153352 ----a-w- C:\mbam-setup-1.46.exe
2010-05-21 14:58:03 401720 ----a-w- C:\HijackThis.exe
2010-05-21 14:52:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 14:52:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 14:52:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 14:52:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 04:35:18 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-21 04:35:18 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-21 04:35:17 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 04:35:17 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-21 04:35:06 2304 ----a-w- c:\windows\system32\isaxbox.sys
2010-05-21 04:35:02 73216 --sha-r- c:\windows\system32\tracert6T.dll

==================== Find3M ====================

2010-04-26 20:58:12 256512 ----a-w- c:\windows\PEV.exe

============= FINISH: 9:45:53.81 ===============



Attached Files



BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 07 June 2010 - 02:55 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied I we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Download ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.



  • Drag the setup package onto "thcbytes.exe" and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

==========

1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    dac960nt.sy*
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

With your next post please provide:

* Combofix.txt
* TDSSKiller.txt
* OTL.txt
* Extra.txt
* Are you still unable to connect to the internet?
* Are you still redirected/popups?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 realrm

realrm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 07 June 2010 - 05:45 PM

Hello thcbytes,

Thank you for your help! The solution you provided has worked. I'm now able to connect to the Internet and sound card is working along with other services. I have not seen any pop-ups that I was seeing before in past half an hour.

Here are the logs:

ComboFix.txt:

ComboFix 10-06-07.03 - malgaonr 06/07/2010 16:25:30.8.4 - x86
Running from: c:\documents and settings\malgaonr\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\malgaonr\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
PEV Error: CookiesFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\dac960nt.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 14:32 . 2008-11-26 04:01 167936 -c--a-w- c:\windows\system32\dllcache\appmgmts.dll
2010-06-07 14:32 . 2008-11-26 04:01 167936 ----a-w- c:\windows\system32\appmgmts.dll
2010-06-03 16:17 . 2010-06-03 16:17 11776 ----atw- c:\windows\system32\PSS5400F.DLL
2010-06-03 15:21 . 2010-06-03 15:21 2 --shatr- c:\windows\winstart.bat
2010-06-03 15:21 . 2010-06-07 14:35 -------- d-----w- c:\program files\UnHackMe
2010-05-27 19:36 . 2010-05-27 19:36 389120 ----a-w- c:\windows\system32\CF32555.exe
2010-05-27 14:27 . 2010-06-01 14:01 -------- d-----w- C:\Training CDs
2010-05-26 17:02 . 2010-05-26 17:02 -------- d-----w- c:\documents and settings\malgaonr\Local Settings\Application Data\Google
2010-05-26 17:02 . 2010-04-08 07:50 1496064 ----a-w- c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-05-26 17:02 . 2010-04-08 07:50 43008 ----a-w- c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-05-26 17:02 . 2010-04-08 07:50 338944 ----a-w- c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-05-26 17:02 . 2010-04-08 07:50 346112 ----a-w- c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-05-25 18:12 . 2010-05-25 18:12 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-05-25 18:12 . 2010-05-26 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-21 18:18 . 2010-05-21 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 18:18 . 2010-05-21 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 18:07 . 2010-05-21 18:07 0 ----a-w- c:\windows\nsreg.dat
2010-05-21 18:07 . 2010-05-21 18:07 -------- d-----w- c:\documents and settings\malgaonr\Local Settings\Application Data\Mozilla
2010-05-21 16:33 . 2010-05-21 16:33 -------- d-----w- c:\documents and settings\handj\Local Settings\Application Data\LogMeIn
2010-05-21 16:33 . 2010-05-21 16:33 -------- d-----w- c:\documents and settings\handj\Local Settings\Application Data\LogMeIn Hamachi
2010-05-21 16:33 . 2010-05-21 16:33 -------- d-----w- c:\documents and settings\handj\Local Settings\Application Data\Roxio
2010-05-21 16:17 . 2010-05-21 16:17 -------- d-----w- c:\documents and settings\malgaonr\Application Data\Malwarebytes
2010-05-21 14:58 . 2010-05-21 14:36 6153352 ----a-w- C:\mbam-setup-1.46.exe
2010-05-21 14:58 . 2010-01-15 19:30 401720 ----a-w- C:\HijackThis.exe
2010-05-21 14:52 . 2010-05-21 14:52 -------- d-----w- c:\documents and settings\handj\Application Data\Malwarebytes
2010-05-21 14:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 14:52 . 2010-05-21 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 14:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 14:52 . 2010-05-21 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 04:35 . 2008-04-14 05:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-21 04:35 . 2008-04-14 05:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-21 04:35 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-21 04:35 . 2008-04-14 05:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-21 04:35 . 2010-05-21 04:35 2304 ----a-w- c:\windows\system32\isaxbox.sys
2010-05-21 04:35 . 2010-05-21 04:35 73216 --sha-r- c:\windows\system32\tracert6T.dll
2010-05-18 18:01 . 2010-05-18 18:01 -------- d-----w- c:\documents and settings\malgaonr\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 21:10 . 2007-07-27 15:46 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-03 15:31 . 2010-04-01 15:01 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-05-11 14:31 . 2009-11-11 19:52 -------- d-----w- c:\program files\LogMeIn
2010-04-27 16:19 . 2010-04-27 16:00 -------- d-----w- c:\documents and settings\malgaonr\Application Data\vlc
2010-04-27 15:58 . 2010-04-27 15:58 -------- d-----w- c:\program files\VideoLAN
2010-04-27 15:40 . 2008-10-24 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-27 15:39 . 2010-04-27 15:37 106942640 ----a-w- c:\documents and settings\malgaonr\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
2010-04-27 15:36 . 2010-04-27 15:36 354744 ----a-w- c:\documents and settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-04-27 15:36 . 2010-04-27 15:36 79872 ----a-w- c:\documents and settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2010-04-27 15:36 . 2010-04-27 15:36 574344 ----a-w- c:\documents and settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2010-04-27 15:36 . 2010-04-27 15:36 -------- d-----w- c:\documents and settings\malgaonr\Application Data\SanDisk
2010-04-21 22:24 . 2010-04-21 22:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 19:52 . 2010-03-29 17:59 164880 ---ha-w- c:\documents and settings\malgaonr\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2010-04-02 18:40 . 2010-04-02 18:40 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

------- Sigcheck -------

[-] 2008-11-26 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[-] 2008-11-26 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[-] 2008-11-26 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\asyncmac.sys
[-] 2008-11-26 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\asyncmac.sys
[-] 2008-11-26 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\asyncmac.sys

[-] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\beep.sys
[-] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
[-] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-11-26 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\kbdclass.sys
[-] 2008-11-26 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\kbdclass.sys
[-] 2008-11-26 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys

[-] 2008-11-26 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ndis.sys
[-] 2008-11-26 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-11-26 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2008-11-26 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ntfs.sys
[-] 2008-11-26 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2008-11-26 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\i386\NTFS.SYS

[-] 2003-03-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\null.sys
[-] 2003-03-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
[-] 2003-03-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-11-26 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\i386\tcpip.sys

[-] 2008-11-26 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\browser.dll
[-] 2008-11-26 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll
[-] 2008-11-26 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\browser.dll

[-] 2008-11-26 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lsass.exe
[-] 2008-11-26 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2008-11-26 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2008-11-26 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netman.dll
[-] 2008-11-26 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2008-11-26 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\i386\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll

[-] 2008-11-26 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ERDNT\cache\qmgr.dll
[-] 2008-11-26 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
[-] 2008-11-26 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll
[-] 2008-11-26 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtServicePackUninstall$\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2008-11-26 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\i386\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-11-26 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\services.exe

[-] 2008-11-26 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2008-11-26 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2008-11-26 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\i386\spoolsv.exe

[-] 2008-11-26 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-11-26 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-11-26 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-11-26 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\ERDNT\cache\comctl32.dll
[-] 2008-11-26 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-11-26 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\i386\comctl32.dll
[-] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\i386\ASMS\60\msft\windows\common\controls\comctl32.dll
[-] 2003-03-31 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\i386\ASMS\6000\MSFT\WINDOWS\COMMON\CONTROLS\COMCTL32.DLL

[-] 2008-11-26 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\cryptsvc.dll
[-] 2008-11-26 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2008-11-26 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\cryptsvc.dll

[-] 2008-11-26 04:01 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\ERDNT\cache\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\i386\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll

[-] 2008-11-26 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\imm32.dll
[-] 2008-11-26 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2008-11-26 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll

[-] 2009-03-22 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\ERDNT\cache\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2008-11-26 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . c:\windows\i386\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

[-] 2008-11-26 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\linkinfo.dll
[-] 2008-11-26 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2008-11-26 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\i386\linkinfo.dll

[-] 2008-11-26 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lpk.dll
[-] 2008-11-26 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2008-11-26 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lpk.dll

[-] 2010-02-26 . 063D664850A16932F60E7F8830BDF2E1 . 3073024 . . [6.00.2900.5945] . . c:\windows\ERDNT\cache\mshtml.dll
[-] 2010-02-26 . 063D664850A16932F60E7F8830BDF2E1 . 3073024 . . [6.00.2900.5945] . . c:\windows\system32\mshtml.dll
[-] 2010-02-26 . 063D664850A16932F60E7F8830BDF2E1 . 3073024 . . [6.00.2900.5945] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2010-02-26 . EE6B9880933172AE78A1146BE15D6D21 . 3073536 . . [6.00.2900.5945] . . c:\windows\$hf_mig$\KB980182\SP3QFE\mshtml.dll
[-] 2009-12-22 . AD17006339C1934D86449F335C241FF1 . 3073536 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll
[-] 2009-12-22 . A758F0891A87EE005848A0BC740A5B96 . 3071488 . . [6.00.2900.5921] . . c:\windows\$NtUninstallKB980182$\mshtml.dll
[-] 2009-09-25 . 37F578776552FA076EA6085F0365209C . 3072512 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\mshtml.dll
[-] 2009-09-25 . 601E18A9A8F0D0ED39692B593212378F . 3070976 . . [6.00.2900.5880] . . c:\windows\$NtUninstallKB978207$\mshtml.dll
[-] 2009-07-18 . 7467941BE64DFC5F8E9F3DC1DE920806 . 3069440 . . [6.00.2900.5848] . . c:\windows\$NtUninstallKB974455$\mshtml.dll
[-] 2009-07-18 . F3EE47F296295D08A97CB50EF57244D9 . 3069952 . . [6.00.2900.5848] . . c:\windows\$hf_mig$\KB972260\SP3QFE\mshtml.dll
[-] 2009-04-29 . ABD8093E43E53AEA5898D2214B92E9BA . 3068928 . . [6.00.2900.5803] . . c:\windows\$NtUninstallKB972260$\mshtml.dll
[-] 2009-04-29 . 06CF679E3D24C3DF270556456A0F1EDA . 3069440 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[-] 2009-02-20 . 2F70F2F74C40397D031016FA162981C2 . 3068416 . . [6.00.2900.5764] . . c:\windows\$NtUninstallKB969897$\mshtml.dll
[-] 2009-02-20 . 1618A4A2C5DD8164B8295190C8EA6544 . 3068416 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3QFE\mshtml.dll
[-] 2008-12-12 . B6DAA74E2ED36C71B502945589A683AE . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . C828AA1C5469E72251F3D367005E589F . 3067904 . . [6.00.2900.5726] . . c:\windows\$NtUninstallKB963027$\mshtml.dll
[-] 2008-11-26 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB958215$\mshtml.dll
[-] 2008-10-16 . CC5A2205D37AE67CE23AB7FD3E1FDACA . 3067904 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[-] 2008-10-16 . B846C2DE341CF32B42AD297437233742 . 3067904 . . [6.00.2900.5694] . . c:\windows\$NtUninstallKB960714$\mshtml.dll
[-] 2007-05-04 . 00ADCB32832A10ED9419493BCEA97526 . 3064320 . . [6.00.2900.3132] . . c:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-05-04 . 4D92717B5BBCE85F1254BAD23B0D357C . 3058688 . . [6.00.2900.3132] . . c:\windows\$NtServicePackUninstall$\mshtml.dll
[-] 2007-05-04 . 4D92717B5BBCE85F1254BAD23B0D357C . 3058688 . . [6.00.2900.3132] . . c:\windows\i386\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll

[-] 2008-11-26 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ERDNT\cache\msvcrt.dll
[-] 2008-11-26 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2008-11-26 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\dllcache\msvcrt.dll
[-] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\i386\ASMS\70\msft\windows\mswincrt\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\$NtServicePackUninstall$\msvcrt.dll
[-] 2004-07-17 16:47 . E826A484EDE25C3AE19F1B8086511F4B . 267536 . . [4.20.6201] . . c:\windows\i386\WIN9XUPG\MSVCRT.DLL
[-] 2003-03-31 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\i386\ASMS\7000\MSFT\WINDOWS\MSWINCRT\MSVCRT.DLL
[-] 2000-04-07 01:10 . 4300D1A092B91E7C8DFA6F1E5E7973B2 . 278581 . . [6.00.8797.0] . . c:\windows\system32\PNP2\N6\msvcrt.dll

[-] 2008-11-26 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\mswsock.dll

[-] 2008-11-26 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netlogon.dll
[-] 2008-11-26 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
[-] 2008-11-26 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\netlogon.dll

[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2010-02-16 . 048DB3459FAB4CA741DCC84E1F374D65 . 2146304 . . [5.1.2600.5938] . . c:\windows\ERDNT\cache\ntoskrnl.exe
[-] 2010-02-16 . 048DB3459FAB4CA741DCC84E1F374D65 . 2146304 . . [5.1.2600.5938] . . c:\windows\system32\ntoskrnl.exe
[-] 2010-02-16 . E1F653A542449D54FA2D27463D99B6B6 . 2190080 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
[-] 2009-12-09 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe
[-] 2009-12-08 . 9696C553F994340CD6AA5C5A724C3A19 . 2145280 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntoskrnl.exe
[-] 2009-08-04 . 78FCC97CD878D4CF5B5D2158A5A7CF92 . 2145280 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165$\ntoskrnl.exe
[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 0CBA44D0938D57F334C0862424148B70 . 2145280 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2008-11-26 . 40F8880122A030A7E9E1FEDEA833B33D . 2145280 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . F6F8245B3A2E9CA834DD318E7AE0C6D0 . 2145280 . . [5.1.2600.5657] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 582A8DBAA58C3B1F176EB2817DAEE77C . 2180352 . . [5.1.2600.3093] . . c:\windows\i386\ntoskrnl.exe
[-] 2007-02-28 . 1220FAF071DEA8653EE21DE7DCDA8BFD . 2136064 . . [5.1.2600.3093] . . c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

[-] 2008-11-26 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\powrprof.dll
[-] 2008-11-26 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2008-11-26 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll

[-] 2008-11-26 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\scecli.dll
[-] 2008-11-26 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2008-11-26 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\scecli.dll

[-] 2008-11-26 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfc.dll
[-] 2008-11-26 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2008-11-26 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfc.dll

[-] 2008-11-26 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-11-26 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2008-11-26 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-11-26 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\tapisrv.dll
[-] 2008-11-26 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2008-11-26 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\i386\tapisrv.dll

[-] 2008-11-26 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\user32.dll
[-] 2008-11-26 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-11-26 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\i386\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2008-11-26 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\userinit.exe
[-] 2008-11-26 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-11-26 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2010-02-26 . 6F0C67BA6837D82E2366AEAD046FAF4C . 667136 . . [6.00.2900.5945] . . c:\windows\ERDNT\cache\wininet.dll
[-] 2010-02-26 . 6F0C67BA6837D82E2366AEAD046FAF4C . 667136 . . [6.00.2900.5945] . . c:\windows\system32\wininet.dll
[-] 2010-02-26 . 6F0C67BA6837D82E2366AEAD046FAF4C . 667136 . . [6.00.2900.5945] . . c:\windows\system32\dllcache\wininet.dll
[-] 2010-02-26 . AEB15B107E1C6543F99D9104BE0DD800 . 668672 . . [6.00.2900.5945] . . c:\windows\$hf_mig$\KB980182\SP3QFE\wininet.dll
[-] 2009-12-22 . 814C265012ED921443C515A591D5BFE1 . 667136 . . [6.00.2900.5921] . . c:\windows\$NtUninstallKB980182$\wininet.dll
[-] 2009-12-22 . BD27AF5C72D2FBFE491D3A3A8429B974 . 668672 . . [6.00.2900.5921] . . c:\windows\$hf_mig$\KB978207\SP3QFE\wininet.dll
[-] 2009-09-25 . 178CF0F58C9907633AAB633860B68973 . 667136 . . [6.00.2900.5880] . . c:\windows\$NtUninstallKB978207$\wininet.dll
[-] 2009-09-25 . 406D33F9B30FFC0EEFC7C55562839931 . 668672 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\wininet.dll
[-] 2009-06-26 . 70FFEA4793D7139A447B169CB0E500BC . 666624 . . [6.00.2900.5835] . . c:\windows\$NtUninstallKB974455$\wininet.dll
[-] 2009-06-26 . 8553E6D4EC1563277323E6B2D6FBB954 . 668160 . . [6.00.2900.5835] . . c:\windows\$hf_mig$\KB972260\SP3QFE\wininet.dll
[-] 2009-04-29 . 6002073519FA478BF89977369CDFD156 . 666624 . . [6.00.2900.5803] . . c:\windows\$NtUninstallKB972260$\wininet.dll
[-] 2009-04-29 . 04BCB4F87B35502568F6CF33433543A5 . 668160 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[-] 2009-02-20 . 5B6A3EB7BB2F338BC2CB9F2FA4AAEA9E . 666112 . . [6.00.2900.5764] . . c:\windows\$NtUninstallKB969897$\wininet.dll
[-] 2009-02-20 . 711FEABED387B29FF7ED61BC6806A06C . 667648 . . [6.00.2900.5764] . . c:\windows\$hf_mig$\KB963027\SP3QFE\wininet.dll
[-] 2008-11-26 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2008-10-16 . E8FCE58A470999350F64C591557F9E42 . 667136 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-10-16 . 1576318BF08D28CC61D1278114AD8D5B . 666112 . . [6.00.2900.5694] . . c:\windows\$NtUninstallKB963027$\wininet.dll
[-] 2007-04-18 . 4261BA03AFD659DE04F0A17DFBDD454D . 665600 . . [6.00.2900.3121] . . c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-04-18 . B7156CD97E739F3014BC4D61758F868A . 658944 . . [6.00.2900.3121] . . c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2007-04-18 . B7156CD97E739F3014BC4D61758F868A . 658944 . . [6.00.2900.3121] . . c:\windows\i386\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll

[-] 2008-11-26 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ws2_32.dll
[-] 2008-11-26 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2008-11-26 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-11-26 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-11-26 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-11-26 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2008-11-26 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\srsvc.dll
[-] 2008-11-26 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-11-26 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\srsvc.dll

[-] 2008-11-26 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2008-11-26 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2008-11-26 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-11-26 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\xmlprov.dll
[-] 2008-11-26 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2008-11-26 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll

[-] 2008-11-26 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll
[-] 2008-11-26 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2008-11-26 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

[-] 2008-11-26 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfcfiles.dll
[-] 2008-11-26 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2008-11-26 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfcfiles.dll

[-] 2008-11-26 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ctfmon.exe
[-] 2008-11-26 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-11-26 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-11-26 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\shsvcs.dll
[-] 2008-11-26 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll
[-] 2008-11-26 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\i386\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll

[-] 2008-11-26 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\regsvc.dll
[-] 2008-11-26 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-11-26 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regsvc.dll

[-] 2008-11-26 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\schedsvc.dll
[-] 2008-11-26 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2008-11-26 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll

[-] 2008-11-26 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ssdpsrv.dll
[-] 2008-11-26 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2008-11-26 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ssdpsrv.dll

[-] 2008-11-26 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\termsrv.dll
[-] 2008-11-26 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2008-11-26 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-11-26 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\appmgmts.dll
[-] 2008-11-26 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
[-] 2008-11-26 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\appmgmts.dll
[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\appmgmts.dll

[-] 2003-03-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\acpiec.sys
[-] 2003-03-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-11-26 04:01 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ERDNT\cache\aec.sys
[-] 2008-11-26 04:01 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\dllcache\aec.sys
[-] 2008-11-26 04:01 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\i386\aec.sys

[-] 2008-11-26 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\agp440.sys
[-] 2008-11-26 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\agp440.sys
[-] 2008-11-26 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys

[-] 2008-11-26 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ip6fw.sys
[-] 2008-11-26 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ip6fw.sys
[-] 2008-11-26 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-11-26 04:01 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ERDNT\cache\mfc40u.dll
[-] 2008-11-26 04:01 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2008-11-26 04:01 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\dllcache\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\i386\mfc40u.dll

[-] 2008-11-26 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\msgsvc.dll
[-] 2008-11-26 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2008-11-26 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\msgsvc.dll

[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-04 05:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2010-02-16 . E8B8801DE921912EBDEEFC76662F7EAD . 2024448 . . [5.1.2600.5938] . . c:\windows\ERDNT\cache\ntkrnlpa.exe
[-] 2010-02-16 . E8B8801DE921912EBDEEFC76662F7EAD . 2024448 . . [5.1.2600.5938] . . c:\windows\system32\ntkrnlpa.exe
[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2010-02-16 . DED8B5A89B085284634502E9D75AC78C . 2066944 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
[-] 2009-12-09 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe
[-] 2009-12-08 . 089F1E207B067A4DDEB2EEC37BBB1AA7 . 2023936 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntkrnlpa.exe
[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[-] 2009-08-04 . 32B1A971183EC22DD91EEDA61C499E7C . 2023936 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165$\ntkrnlpa.exe
[-] 2009-02-06 . 65D4220799E6FC2CB079070A6393CC0E . 2023936 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-11-26 . 7F653A89F6E89E3AE0D49830EECE35D4 . 2023936 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 8206B5F94A6A9450E934029420C1693F . 2023936 . . [5.1.2600.5657] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2007-02-28 . A58AC1C6199EF34228ABEE7FC057AE09 . 2015744 . . [5.1.2600.3093] . . c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2007-02-28 . 515D30E2C90A3665A2739309334C9283 . 2057600 . . [5.1.2600.3093] . . c:\windows\i386\ntkrnlpa.exe
[-] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2005-03-01 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

[-] 2008-11-26 04:01 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ERDNT\cache\ntmssvc.dll
[-] 2008-11-26 04:01 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-11-26 04:01 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\dllcache\ntmssvc.dll
[-] 2004-08-04 05:56 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\$NtServicePackUninstall$\ntmssvc.dll

[-] 2008-11-26 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\upnphost.dll
[-] 2008-11-26 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-11-26 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\i386\upnphost.dll

[-] 2008-11-26 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ERDNT\cache\dsound.dll
[-] 2008-11-26 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2008-11-26 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dllcache\dsound.dll
[-] 2004-08-04 . 55E148C01296696588EAFA425782C3E8 . 367616 . . [5.3.2600.2180] . . c:\windows\$NtServicePackUninstall$\dsound.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-21_17.00.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-03 14:51 . 2010-06-03 14:52 69340 c:\windows\system32\Restore\rstrlog.dat
+ 2007-07-26 19:01 . 2010-06-07 16:34 88806 c:\windows\system32\perfc009.dat
- 2007-07-26 19:01 . 2010-04-23 16:07 88806 c:\windows\system32\perfc009.dat
+ 2010-05-25 18:12 . 2010-05-25 18:12 84661 c:\windows\system32\macromed\Flash\uninstall_plugin.exe
- 2007-07-26 19:01 . 2010-04-23 16:07 491846 c:\windows\system32\perfh009.dat
+ 2007-07-26 19:01 . 2010-06-07 16:34 491846 c:\windows\system32\perfh009.dat
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-23 14:41 . 2010-06-07 21:24 224878 c:\windows\system32\inetsrv\MetaBase.bin
- 2007-07-26 19:00 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2007-07-26 19:00 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2007-07-26 19:00 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2007-07-26 19:00 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\system32\macromed\Flash\NPSWF32.dll
- 2007-07-26 19:00 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2007-07-26 19:00 . 2010-01-30 01:31 1315328 c:\windows\system32\dllcache\msoe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-10-30 1116920]
"WKPopup"="c:\program files\wkinvtool\wkpopup.exe" [2008-10-23 114688]
"DWPersistentQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE" [2007-03-13 39264]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2008-11-26 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-11-26 2247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30752\Scripts\Logon\0\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30752\Scripts\Logon\1\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30752\Scripts\Logon\2\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30753\Scripts\Logon\0\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30753\Scripts\Logon\1\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30753\Scripts\Logon\2\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-33917\Scripts\Logon\0\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-33917\Scripts\Logon\1\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-33917\Scripts\Logon\2\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%programfiles%\\AR System\\alert.exe"=
"%programfiles%\\AR System\\aruser.exe"=
"%programfiles%\\Remedy\\aruser.exe"=
"%programfiles%\\Checkpoint\\SecurRemote\\bin\\SR_GUI.exe"= %programfiles%\\Checkpoint\\SecuRemote\\bin\\SR_GUI.exe
"%programfiles%\\Citrix\\ICA Client\\pn.exe"=
"%programfiles%\\e!pc\\extra.exe"=
"%programfiles%\\Hummingbird\\Connectivity\\7.00\\Exceed\\exceed.exe"=
"%programfiles%\\Hummingbird\\Connectivity\\8.00\\Exceed\\exceed.exe"=
"%programfiles%\\VERITAS\\Backup Exec\\NT\\beserver.exe"=
"%programfiles%\\Netmeeting\\conf.exe"=
"%programfiles%\\IBM\\OnDemand32\\ODClient.exe"=
"%programfiles%\\Symantec\\pcAnywhere\\awhost32.exe"=
"%programfiles%\\Symantec\\pcAnywhere\\winaw32.exe"=
"%programfiles%\\Symantec\\pcAnywhere\\awrem32.exe"=
"%programfiles%\\Reflection\\r1win.exe"=
"%programfiles%\\Reflection\\r2win.exe"=
"%windir%\\dmremote.exe"=
"%programfiles%\\Messenger\\msmsgs.exe"=
"%programfiles%\\WinSCP3\\WinSCP.exe"= %programfiles%\\WinSCP3\\WinSCP3.exe
"%programfiles%\\Yahoo!\\Messenger\\ypager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\marimba\\tuner\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:UDP"= 21:UDP:FTP (UDP 21)
"23:TCP"= 23:TCP:TELNET (TCP 23)
"23:UDP"= 23:UDP:TELNET (UDP 23)
"5282:TCP"= 5282:TCP:MARIMBA (TCP 5282)
"5282:UDP"= 5282:UDP:MARIMBA (UDP 5282)
"7717:TCP"= 7717:TCP:MARIMBA (TCP 7717)
"7717:UDP"= 7717:UDP:MARIMBA (UDP 7717)
"8888:TCP"= 8888:TCP:MARIMBA (TCP 8888)
"8888:UDP"= 8888:UDP:MARIMBA (UDP 8888)
"1433:TCP"= 1433:TCP:SQL (TCP 1433)
"1433:UDP"= 1433:UDP:SQL (UDP 1433)
"3389:TCP"= 3389:TCP:Remote Desktop (TCP)
"3389:UDP"= 3389:UDP:Remote Desktop (UDP)
"139:TCP"= 139:TCP:File and Printer Sharing
"445:TCP"= 445:TCP:File and Printer Sharing
"137:UDP"= 137:UDP:File and Printer Sharing
"138:UDP"= 138:UDP:File and Printer Sharing
"2967:TCP"= 2967:TCP:10.204.34.100,10.204.34.101,10.204.34.102,10.200.34.101,10.200.34.102:enabled:Symantec AntiVirus
"11115:TCP"= 11115:TCP:spport
"18724:TCP"= 18724:TCP:spport

R4 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-15 116416]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\robert.chandler\Desktop\VCdRom.sys [2001-12-19 8576]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 Virtual Server;Virtual Server;c:\program files\Microsoft Virtual Server\vssrvc.exe [2009-05-01 3315064]
S2 WKEndpoint;WK Endpoint;c:\program files\marimba\tuner\Tuner.exe [2010-03-22 36957]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-18 102448]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
S3 vmh;Virtual Machine Helper;c:\program files\Microsoft Virtual Server\vmh.exe [2005-10-21 175872]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wolters-kluwer.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AEE4D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e32852
\Driver\iaStor -> iaStor.sys @ 0xb9e7e918
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9cd0bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9cbfa0d
SendHandler -> NDIS.sys @ 0xb9cd3b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-06-07 16:33:17
ComboFix-quarantined-files.txt 2010-06-07 21:33
ComboFix2.txt 2010-06-03 15:17
ComboFix3.txt 2010-06-02 21:09
ComboFix4.txt 2010-06-01 14:25
ComboFix5.txt 2010-06-07 21:18

Pre-Run: 342,351,912,960 bytes free
Post-Run: 342,339,788,800 bytes free

- - End Of File - - 491C428BF3B60F3CE194A1B08CD6AD28


TDSKiller.txt
16:44:45:843 0816 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
16:44:45:843 0816 ================================================================================
16:44:45:843 0816 SystemInfo:

16:44:45:843 0816 OS Version: 5.1.2600 ServicePack: 3.0
16:44:45:843 0816 Product type: Workstation
16:44:45:843 0816 ComputerName: IL47WS030861
16:44:45:843 0816 UserName: malgaonr
16:44:45:843 0816 Windows directory: C:\WINDOWS
16:44:45:843 0816 Processor architecture: Intel x86
16:44:45:843 0816 Number of processors: 4
16:44:45:843 0816 Page size: 0x1000
16:44:45:843 0816 Boot type: Normal boot
16:44:45:843 0816 ================================================================================
16:44:46:031 0816 Initialize success
16:44:46:031 0816
16:44:46:031 0816 Scanning Services ...
16:44:46:453 0816 Raw services enum returned 378 services
16:44:46:468 0816
16:44:46:468 0816 Scanning Drivers ...
16:44:47:015 0816 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
16:44:47:046 0816 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:44:47:093 0816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:44:47:125 0816 ADIHdAudAddService (53b29a84f5105a6d887b662188c93503) C:\WINDOWS\system32\drivers\ADIHdAud.sys
16:44:47:187 0816 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
16:44:47:187 0816 aeaudio (b4afcc2f911939a1c16a26e7eba7f36b) C:\WINDOWS\system32\drivers\aeaudio.sys
16:44:47:234 0816 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:44:47:421 0816 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
16:44:47:453 0816 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:44:47:468 0816 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
16:44:47:484 0816 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
16:44:47:531 0816 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
16:44:47:593 0816 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
16:44:47:687 0816 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
16:44:47:750 0816 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
16:44:47:781 0816 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
16:44:47:796 0816 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
16:44:47:859 0816 ApfiltrService (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
16:44:47:890 0816 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
16:44:47:921 0816 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
16:44:48:031 0816 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
16:44:48:093 0816 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:44:48:125 0816 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:44:48:156 0816 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:44:48:218 0816 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:44:48:234 0816 b57w2k (133ad3794572bce689763a8356c7ed06) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
16:44:48:296 0816 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:44:48:515 0816 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
16:44:48:531 0816 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:44:48:546 0816 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
16:44:48:546 0816 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:44:48:578 0816 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:44:48:640 0816 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:44:48:640 0816 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
16:44:48:656 0816 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
16:44:48:671 0816 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
16:44:48:703 0816 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
16:44:48:828 0816 dac960nt (282802c010a1f349091add73a478779f) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
16:44:48:828 0816 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\dac960nt.sys. Real md5: 282802c010a1f349091add73a478779f, Fake md5: 683789caa3864eb46125ae86ff677d34
16:44:48:828 0816 File "C:\WINDOWS\system32\DRIVERS\dac960nt.sys" infected by TDSS rootkit ... 16:44:49:406 0816 Backup copy not found, trying to cure infected file..
16:44:49:406 0816 Cure success, using it..
16:44:49:421 0816 will be cured on next reboot
16:44:49:546 0816 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:44:49:593 0816 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
16:44:49:593 0816 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
16:44:49:609 0816 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
16:44:49:609 0816 DLADResM (c950c2e7b9ed1a4fc4a2ac7ec044f1d6) C:\WINDOWS\system32\DLA\DLADResM.SYS
16:44:49:609 0816 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
16:44:49:625 0816 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
16:44:49:625 0816 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
16:44:49:656 0816 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
16:44:49:656 0816 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
16:44:49:671 0816 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
16:44:49:750 0816 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:44:49:921 0816 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:44:49:968 0816 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:44:50:000 0816 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:44:50:031 0816 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
16:44:50:046 0816 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:44:50:093 0816 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
16:44:50:140 0816 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
16:44:50:296 0816 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
16:44:50:421 0816 eeCtrl (96bcd90ed9235a21629effde5e941fb1) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:44:50:468 0816 EraserUtilRebootDrv (392c86f6b45c0bc696c32c27f51e749f) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
16:44:50:515 0816 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:44:50:562 0816 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:44:50:578 0816 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:44:50:593 0816 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:44:50:781 0816 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:44:50:828 0816 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:44:50:890 0816 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:44:50:937 0816 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:44:50:968 0816 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
16:44:51:109 0816 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:44:51:171 0816 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
16:44:51:218 0816 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:44:51:281 0816 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
16:44:51:312 0816 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
16:44:51:359 0816 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:44:51:390 0816 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
16:44:51:515 0816 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:44:51:671 0816 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:44:51:890 0816 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\drivers\iaStor.sys
16:44:51:953 0816 IFXTPM (0b556e950404d90d097c687e65238730) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
16:44:52:000 0816 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:44:52:000 0816 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
16:44:52:015 0816 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:44:52:046 0816 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:44:52:187 0816 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:44:52:234 0816 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:44:52:281 0816 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:44:52:296 0816 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:44:52:375 0816 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:44:52:390 0816 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:44:52:453 0816 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:44:52:468 0816 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:44:52:593 0816 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
16:44:52:625 0816 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:44:52:671 0816 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
16:44:52:718 0816 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
16:44:52:843 0816 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
16:44:52:906 0816 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
16:44:52:921 0816 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
16:44:52:968 0816 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:44:53:078 0816 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:44:53:125 0816 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:44:53:171 0816 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:44:53:203 0816 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
16:44:53:218 0816 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:44:53:265 0816 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:44:53:281 0816 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:44:53:296 0816 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:44:53:406 0816 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:44:53:453 0816 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:44:53:500 0816 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:44:53:531 0816 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:44:53:671 0816 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100518.004\naveng.sys
16:44:53:734 0816 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100518.004\navex15.sys
16:44:53:859 0816 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:44:53:906 0816 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:44:53:968 0816 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:44:53:968 0816 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:44:53:984 0816 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:44:54:031 0816 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:44:54:078 0816 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:44:54:109 0816 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:44:54:218 0816 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:44:54:375 0816 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:44:54:968 0816 nv (fee170f182d5167b6e06e490dd7b42d7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:44:55:734 0816 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:44:55:750 0816 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:44:55:796 0816 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
16:44:55:812 0816 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
16:44:55:828 0816 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
16:44:55:859 0816 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
16:44:55:906 0816 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:44:55:921 0816 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:44:55:968 0816 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:44:56:125 0816 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:44:56:156 0816 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:44:56:218 0816 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:44:56:265 0816 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
16:44:56:281 0816 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
16:44:56:312 0816 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:44:56:406 0816 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:44:56:453 0816 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:44:56:484 0816 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:44:56:515 0816 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
16:44:56:562 0816 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
16:44:56:578 0816 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
16:44:56:593 0816 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
16:44:56:609 0816 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
16:44:56:640 0816 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:44:56:765 0816 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:44:56:781 0816 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:44:56:812 0816 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:44:56:875 0816 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:44:56:921 0816 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:44:56:984 0816 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:44:57:000 0816 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:44:57:031 0816 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:44:57:171 0816 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
16:44:57:171 0816 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
16:44:57:312 0816 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:44:57:328 0816 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:44:57:390 0816 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:44:57:390 0816 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:44:57:437 0816 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
16:44:57:484 0816 smwdm (86d17b6760dd2b09e932ff101714e0dc) C:\WINDOWS\system32\drivers\smwdm.sys
16:44:57:531 0816 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
16:44:57:703 0816 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
16:44:57:828 0816 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:44:57:890 0816 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:44:57:937 0816 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
16:44:57:953 0816 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:44:57:968 0816 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:44:58:000 0816 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
16:44:58:000 0816 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
16:44:58:031 0816 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
16:44:58:093 0816 SYMREDRV (626f733be7f951116c5c0804b068666c) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
16:44:58:250 0816 SYMTDI (cb7cc4ddbe09e224d4cd876760ba982c) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
16:44:58:281 0816 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
16:44:58:281 0816 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
16:44:58:328 0816 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:44:58:406 0816 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:44:58:578 0816 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
16:44:58:609 0816 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:44:58:625 0816 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:44:58:656 0816 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:44:58:656 0816 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
16:44:58:703 0816 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
16:44:58:734 0816 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:44:58:875 0816 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
16:44:58:906 0816 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:44:58:953 0816 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
16:44:58:968 0816 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:44:58:984 0816 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:44:58:984 0816 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:44:59:000 0816 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:44:59:015 0816 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:44:59:156 0816 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) C:\Documents and Settings\robert.chandler\Desktop\VCdRom.sys
16:44:59:296 0816 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:44:59:312 0816 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
16:44:59:312 0816 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:44:59:359 0816 vmm (817da66b1b889fad1dbf669e0e2f3228) C:\WINDOWS\system32\Drivers\vmm.sys
16:44:59:375 0816 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:44:59:406 0816 VPCNetS2 (2abe8281db609d8bb1bd1b2f93800d5f) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
16:44:59:421 0816 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:44:59:437 0816 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:44:59:468 0816 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
16:44:59:593 0816 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
16:44:59:640 0816 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:44:59:671 0816 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:44:59:671 0816 Reboot required for cure complete..
16:45:00:078 0816 Cure on reboot scheduled successfully
16:45:00:078 0816
16:45:00:078 0816 Completed
16:45:00:078 0816
16:45:00:078 0816 Results:
16:45:00:078 0816 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:45:00:078 0816 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:45:00:078 0816
16:45:00:078 0816 KLMD(ARK) unloaded successfully



OTL.txt:

OTL logfile created on: 6/7/2010 4:56:05 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\malgaonr\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 318.85 Gb Free Space | 68.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 499.72 Mb Total Space | 256.23 Mb Free Space | 51.28% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IL47WS030861
Current User Name: malgaonr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/07 15:37:56 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\malgaonr\Desktop\OTL.exe
PRC - [2010/03/22 11:27:27 | 000,036,957 | ---- | M] (BMC Software, Inc.) -- C:\Program Files\marimba\tuner\Tuner.exe
PRC - [2010/03/22 11:27:23 | 000,069,729 | ---- | M] (BMC Software, Inc.) -- C:\Program Files\marimba\tuner\lib\minituner.exe
PRC - [2009/09/28 20:34:16 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/05/01 05:15:03 | 003,315,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Virtual Server\vssrvc.exe
PRC - [2008/11/25 23:01:23 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/11/25 23:01:16 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/08/11 13:41:00 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/12/19 19:38:40 | 000,290,816 | ---- | M] (Pharos Systems International) -- C:\Program Files\PharosSystems\Blueprint\Bin\CTskMstr.exe
PRC - [2007/07/10 06:39:32 | 001,036,288 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/03/14 19:48:40 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/01/29 19:07:18 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2007/01/25 17:34:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/10/30 09:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2006/09/08 15:06:08 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2005/10/21 02:50:30 | 000,175,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Virtual Server\vmh.exe


========== Modules (SafeList) ==========

MOD - [2010/06/07 15:37:56 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\malgaonr\Desktop\OTL.exe
MOD - [2008/11/25 23:01:36 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/22 11:27:27 | 000,036,957 | ---- | M] (BMC Software, Inc.) [Auto | Running] -- C:\Program Files\marimba\tuner\Tuner.exe -- (WKEndpoint)
SRV - [2009/09/28 20:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/05/01 05:15:03 | 003,315,064 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Virtual Server\vssrvc.exe -- (Virtual Server)
SRV - [2008/11/25 23:01:23 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/11/25 23:01:23 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/11/25 23:01:23 | 000,015,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2007/12/19 19:38:40 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Running] -- C:\Program Files\PharosSystems\Blueprint\Bin\CTskMstr.exe -- (Pharos Systems ComTaskMaster)
SRV - [2007/03/14 19:48:56 | 000,116,416 | ---- | M] (symantec) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/03/14 19:48:50 | 001,816,768 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/03/14 19:48:40 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/02/12 17:23:10 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/01/10 16:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/21 17:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/11/21 17:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2005/10/21 02:50:30 | 000,175,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Virtual Server\vmh.exe -- (vmh)


========== Driver Services (SafeList) ==========

DRV - [2010/06/07 16:46:56 | 000,014,720 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac960nt.sys -- (dac960nt)
DRV - [2010/05/17 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100518.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/17 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100518.004\NAVENG.SYS -- (NAVENG)
DRV - [2010/02/16 09:30:28 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/09/28 20:34:48 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/09/23 10:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/08/17 19:15:34 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/07/25 00:46:27 | 000,229,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2008/11/25 23:01:41 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/11/25 23:01:38 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/11/25 23:01:19 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/11/25 23:01:06 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/08/11 13:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 13:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/04/14 00:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/02/05 01:50:44 | 000,059,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2007/08/28 08:29:00 | 006,811,168 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/07/27 10:49:01 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/07/10 13:08:24 | 000,307,712 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/05/11 20:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/04/13 13:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/02/17 21:00:42 | 000,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/02/12 17:22:40 | 000,196,752 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/02/12 17:22:36 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/02/09 12:34:16 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/02/08 20:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 20:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/01/30 10:49:18 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/01/13 10:33:18 | 005,672,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/01/10 16:27:26 | 000,390,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/10/26 16:22:02 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/10/26 16:21:34 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/10/26 16:21:34 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/10/26 16:21:32 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/10/26 16:21:30 | 000,026,296 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/10/26 16:21:28 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/10/26 16:21:26 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/10/26 16:21:24 | 000,104,536 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/06/10 14:26:00 | 000,035,968 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2003/03/31 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/03/31 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/12/19 11:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Documents and Settings\robert.chandler\Desktop\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.wolters-kluwer.com
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.wolters-kluwer.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.wolters-kluwer.com/
IE - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/21 13:07:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/26 11:45:12 | 000,000,000 | ---D | M]

[2010/05/21 13:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Mozilla\Extensions
[2010/06/01 09:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions
[2010/05/26 12:02:09 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\malgaonr\Application Data\Mozilla\Firefox\Profiles\nhs5bbxz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/05/21 13:07:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/06/02 14:11:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [DWPersistentQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RoxioDragToDisc] c:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [WKPopup] C:\Program Files\wkinvtool\wkpopup.exe (Perot Systems)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientAXDisabler] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientAXDisabler] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\..Trusted Domains: wolterskluwer.com ([connect] https in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper:
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/27 10:33:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/06/10 23:12:04 | 000,000,000 | ---D | M] - E:\AutomatedTrading_Live -- [ FAT ]
O32 - AutoRun File - [2006/06/10 00:27:12 | 000,000,000 | ---D | M] - E:\AutomatedTrading -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/06/07 16:49:19 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: klmdb.sys - Driver
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: klmdb.sys - Driver
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Adobe Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - Microsoft Outlook Express 6
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {72AD53CC-CCC0-3757-8480-9EE176866A7C} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/07 16:49:52 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\malgaonr\Desktop\OTL.exe
[2010/06/07 16:33:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/07 16:03:15 | 004,608,744 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\malgaonr\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2010/06/07 10:11:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Desktop\gmer
[2010/06/07 09:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Desktop\PCCleanup
[2010/06/07 09:32:39 | 000,167,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\appmgmts.dll
[2010/06/03 11:17:45 | 000,011,776 | ---- | C] (Pharos Systems International) -- C:\WINDOWS\System32\PSS5400F.DLL
[2010/06/03 10:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\My Documents\RegRun2
[2010/06/03 10:21:12 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/06/03 10:20:36 | 009,497,448 | ---- | C] (Greatis Software, LLC. ) -- C:\Documents and Settings\malgaonr\Desktop\unhackme_setup.exe
[2010/05/31 10:41:12 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\malgaonr\Desktop\TDSSKiller.exe
[2010/05/27 14:36:59 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF32555.exe
[2010/05/27 09:27:26 | 000,000,000 | ---D | C] -- C:\Training CDs
[2010/05/26 12:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Local Settings\Application Data\Google
[2010/05/26 12:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/05/25 13:12:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/05/24 17:39:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\My Documents\Downloads
[2010/05/21 13:18:31 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/21 13:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/21 13:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Local Settings\Application Data\Mozilla
[2010/05/21 13:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Application Data\Mozilla
[2010/05/21 13:07:41 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/21 13:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/21 11:55:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/21 11:55:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/21 11:35:00 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2010/05/21 11:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Application Data\Malwarebytes
[2010/05/21 09:58:03 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup-1.46.exe
[2010/05/21 09:58:03 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\HijackThis.exe
[2010/05/21 09:52:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/21 09:52:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/21 09:52:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/21 09:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/21 09:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/20 23:35:18 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/05/20 23:35:18 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/05/20 23:35:17 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/05/20 23:35:17 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/05/20 23:35:02 | 000,073,216 | RHS- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tracert6T.dll
[2010/05/18 13:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Local Settings\Application Data\Help
[2010/05/18 13:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\malgaonr\Application Data\Help
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/07 16:51:38 | 000,589,306 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/07 16:51:38 | 000,491,846 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/07 16:51:38 | 000,088,806 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/07 16:50:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/07 16:47:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/07 16:47:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/07 16:46:56 | 000,014,720 | ---- | M] () -- C:\WINDOWS\System32\drivers\dac960nt.sys
[2010/06/07 16:46:15 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\malgaonr\NTUSER.DAT
[2010/06/07 16:46:15 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\malgaonr\ntuser.ini
[2010/06/07 16:46:14 | 005,359,524 | -H-- | M] () -- C:\Documents and Settings\malgaonr\Local Settings\Application Data\IconCache.db
[2010/06/07 16:30:38 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/07 15:37:56 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\malgaonr\Desktop\OTL.exe
[2010/06/07 15:30:36 | 004,608,744 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\malgaonr\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2010/06/07 15:25:54 | 003,704,271 | R--- | M] () -- C:\Documents and Settings\malgaonr\Desktop\thcbytes.exe
[2010/06/07 09:54:50 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\gmer.zip
[2010/06/07 09:48:48 | 000,003,893 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\Attach.zip
[2010/06/07 09:42:28 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\malgaonr\defogger_reenable
[2010/06/07 09:32:24 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\Partizan.RRI
[2010/06/03 11:17:45 | 000,011,776 | ---- | M] (Pharos Systems International) -- C:\WINDOWS\System32\PSS5400F.DLL
[2010/06/03 11:17:38 | 000,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/06/03 10:21:32 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/03 10:21:32 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/06/02 14:11:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/01 14:42:01 | 000,000,346 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\Roth IRA Conversion Evaluator™.appref-ms
[2010/05/31 10:41:12 | 000,998,736 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\malgaonr\Desktop\TDSSKiller.exe
[2010/05/27 14:37:42 | 003,699,963 | R--- | M] () -- C:\Documents and Settings\malgaonr\Desktop\Combo-Fix.exe.old
[2010/05/27 14:36:23 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF32555.exe
[2010/05/21 13:18:34 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\Spybot - Search & Destroy.lnk
[2010/05/21 13:07:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/21 13:07:43 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/21 12:32:40 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\iExplore.exe
[2010/05/21 12:19:21 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/21 12:17:46 | 009,497,448 | ---- | M] (Greatis Software, LLC. ) -- C:\Documents and Settings\malgaonr\Desktop\unhackme_setup.exe
[2010/05/21 12:15:50 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\malgaonr\Desktop\rkill.com
[2010/05/21 09:36:52 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.46.exe
[2010/05/20 23:35:06 | 000,002,304 | ---- | M] () -- C:\WINDOWS\System32\isaxbox.sys
[2010/05/20 23:35:02 | 000,073,216 | RHS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tracert6T.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/07 16:03:15 | 003,704,271 | R--- | C] () -- C:\Documents and Settings\malgaonr\Desktop\thcbytes.exe
[2010/06/07 10:10:59 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\gmer.zip
[2010/06/07 09:48:48 | 000,003,893 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\Attach.zip
[2010/06/07 09:42:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\malgaonr\defogger_reenable
[2010/06/07 09:32:24 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\Partizan.RRI
[2010/06/03 10:21:32 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/06/01 13:13:04 | 000,000,346 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\Roth IRA Conversion Evaluator™.appref-ms
[2010/05/27 14:38:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/21 13:18:34 | 000,000,939 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\Spybot - Search & Destroy.lnk
[2010/05/21 13:07:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/21 13:07:43 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/21 12:33:15 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\iExplore.exe
[2010/05/21 12:18:05 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\malgaonr\Desktop\rkill.com
[2010/05/21 11:55:19 | 003,699,963 | R--- | C] () -- C:\Documents and Settings\malgaonr\Desktop\Combo-Fix.exe.old
[2010/05/21 09:52:42 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/20 23:35:06 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\isaxbox.sys
[2009/02/23 09:41:21 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2009/02/23 09:41:21 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2009/02/23 09:41:06 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2009/02/23 09:41:06 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/02/23 09:41:06 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2008/10/24 13:28:58 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/10/24 13:28:57 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/24 13:28:01 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/10/24 13:28:00 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/10/24 13:28:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/10/24 13:28:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/10/24 13:28:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/10/24 13:28:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/10/23 16:34:30 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/10/23 16:34:30 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/10/23 16:34:30 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/10/23 16:34:30 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/27 17:33:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/07/27 17:30:22 | 000,014,720 | ---- | C] () -- C:\WINDOWS\System32\drivers\dac960nt.sys
[2007/07/27 14:55:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/07/27 11:17:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/07/26 14:08:02 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll
[2007/07/03 14:22:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/09/24 23:02:34 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/24 23:02:34 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
[2009/11/11 14:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2008/10/30 13:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PharosSystems
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CedarRapids\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\handj\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JMatthews\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jorge.ruiz\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\OfficeUpdate12
[2010/04/27 10:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\SanDisk
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\RChandler\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\robert.chandler\Application Data\OfficeUpdate12
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tom.ehlen\Application Data\OfficeUpdate12

========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2010/06/02 11:14:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/07/27 12:01:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/05/26 12:02:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/11 14:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010/05/21 09:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/23 09:44:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2010/05/26 11:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2008/10/27 13:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2007/07/27 14:17:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2008/10/30 13:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PharosSystems
[2010/04/02 13:38:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/05/21 13:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2007/07/27 10:47:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2007/07/27 10:35:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/05/25 13:12:22 | 001,924,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

< %APPDATA%\*. >
[2010/03/29 14:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Adobe
[2010/05/18 13:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Help
[2007/07/27 10:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Identities
[2007/07/27 12:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Macromedia
[2010/05/21 11:17:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Malwarebytes
[2010/05/17 13:54:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\malgaonr\Application Data\Microsoft
[2010/05/21 13:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Mozilla
[2007/07/27 14:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\OfficeUpdate12
[2010/04/27 10:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\SanDisk
[2010/04/05 09:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Skype
[2010/04/05 09:05:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\skypePM
[2007/07/27 12:02:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\Sun
[2010/04/27 11:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\malgaonr\Application Data\vlc

< %APPDATA%\*.exe /s >
[2010/04/27 10:39:06 | 106,942,640 | ---- | M] (InterVideo Inc. ) -- C:\Documents and Settings\malgaonr\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
[2010/04/27 10:36:15 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
[2010/04/27 10:36:15 | 000,574,344 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
[2010/04/27 10:36:16 | 000,354,744 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\malgaonr\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

< %SYSTEMDRIVE%\*.exe >
[2009/03/06 09:39:57 | 000,939,956 | ---- | M] () -- C:\7z465.exe
[2010/01/15 14:30:54 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\HijackThis.exe
[2010/05/21 09:36:52 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.46.exe


< MD5 for: AGP440.SYS >
[2008/11/25 23:01:41 | 020,056,462 | ---- | M] () .cab file -- C:\Program Files\marimba\tuner\.marimba\WK Endpoint\ch.13\data\scripts\i386\sp3.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/11/25 23:01:41 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\i386\sp2.cab:AGP440.sys
[2008/11/25 23:01:06 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/11/25 23:01:06 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/11/25 23:01:06 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/11/25 23:01:41 | 020,056,462 | ---- | M] () .cab file -- C:\Program Files\marimba\tuner\.marimba\WK Endpoint\ch.13\data\scripts\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/11/25 23:01:41 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\i386\sp2.cab:atapi.sys
[2008/11/25 23:01:08 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/11/25 23:01:08 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DAC960NT.SY_ >
[2003/03/31 07:00:00 | 000,014,720 | ---- | M] (Microsoft Corporation) MD5=683789CAA3864EB46125AE86FF677D34 -- C:\cmdcons\dac960nt.sy_
[2003/03/31 07:00:00 | 000,014,720 | ---- | M] (Microsoft Corporation) MD5=683789CAA3864EB46125AE86FF677D34 -- C:\WINDOWS\i386\DAC960NT.SY_

< MD5 for: DAC960NT.SYS >
[2001/08/17 13:52:16 | 000,014,720 | ---- | M] (Microsoft Corporation) MD5=683789CAA3864EB46125AE86FF677D34 -- C:\WINDOWS\system32\dllcache\dac960nt.sys
[2010/06/07 16:46:56 | 000,014,720 | ---- | M] () MD5=998B82A804182E954442F1108E3DF7C0 -- C:\WINDOWS\system32\drivers\dac960nt.sys

< MD5 for: DAC960NT.SYS.VIR >
[2001/08/17 13:52:16 | 000,014,720 | ---- | M] () MD5=282802C010A1F349091ADD73A478779F -- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dac960nt.sys.vir

< MD5 for: EVENTLOG.DLL >
[2008/11/25 23:01:16 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/11/25 23:01:16 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/11/25 23:01:16 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\OemDir\iaStor.sys
[2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\PNP2\D1\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/11/25 23:01:37 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/11/25 23:01:37 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/11/25 23:01:37 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/11/25 23:01:41 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/11/25 23:01:41 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/11/25 23:01:41 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2004/08/04 00:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/11/25 23:01:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/11/25 23:01:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/11/25 23:01:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/07/27 05:19:32 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/07/27 05:19:32 | 000,663,552 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/07/27 05:19:32 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >


Extras.Txt

OTL Extras logfile created on: 6/7/2010 4:56:05 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\malgaonr\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 318.85 Gb Free Space | 68.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 499.72 Mb Total Space | 256.23 Mb Free Space | 51.28% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IL47WS030861
Current User Name: malgaonr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21:TCP" = 21:TCP:*:enabled:FTP (TCP 21)
"21:UDP" = 21:UDP:*:enabled:FTP (UDP 21)
"23:TCP" = 23:TCP:*:enabled:TELNET (TCP 23)
"23:UDP" = 23:UDP:*:enabled:TELNET (UDP 23)
"5282:TCP" = 5282:TCP:*:Enabled:MARIMBA (TCP 5282)
"5252:UDP" = 5282:UDP:*:enabled:MARIMBA (UDP 5282)
"7717:TCP" = 7717:TCP:*:Enabled:MARIMBA (TCP 7717)
"7717:UDP" = 7717:UDP:*:Enabled:MARIMBA (UDP 7717)
"8888:TCP" = 8888:TCP:*:Enabled:MARIMBA (TCP 8888)
"8888:UDP" = 8888:UDP:*:Enabled:MARIMBA (UDP 8888)
"1433:TCP" = 1433:TCP:*:enabled:SQL (TCP 1433)
"1433:UDP" = 1433:UDP:*:enabled:SQL (UDP 1433)
"3389:TCP" = 3389:TCP:*:enabled:Remote Desktop (TCP)
"3389:UDP" = 3389:UDP:*:enabled:Remote Desktop (UDP)
"139:TCP" = 139:TCP:*:enabled:File and Printer Sharing
"445:TCP" = 445:TCP:*:enabled:File and Printer Sharing
"137:UDP" = 137:UDP:*:enabled:File and Printer Sharing
"138:UDP" = 138:UDP:*:enabled:File and Printer Sharing
"2967:TCP" = 2967:TCP:10.204.34.100,10.204.34.101,10.204.34.102,10.200.34.101,10.200.34.102:enabled:Symantec AntiVirus
"5282:UDP" = 5282:UDP:*:Enabled:MARIMBA (UDP 5282)
"135:TCP" = 135:TCP:*:Enabled:Remote Procedure Call

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21:UDP" = 21:UDP:*:enabled:FTP (UDP 21)
"23:TCP" = 23:TCP:*:enabled:TELNET (TCP 23)
"23:UDP" = 23:UDP:*:enabled:TELNET (UDP 23)
"5282:TCP" = 5282:TCP:*:Enabled:MARIMBA (TCP 5282)
"5282:UDP" = 5282:UDP:*:Enabled:MARIMBA (UDP 5282)
"7717:TCP" = 7717:TCP:*:Enabled:MARIMBA (TCP 7717)
"7717:UDP" = 7717:UDP:*:Enabled:MARIMBA (UDP 7717)
"8888:TCP" = 8888:TCP:*:Enabled:MARIMBA (TCP 8888)
"8888:UDP" = 8888:UDP:*:Enabled:MARIMBA (UDP 8888)
"1433:TCP" = 1433:TCP:*:enabled:SQL (TCP 1433)
"1433:UDP" = 1433:UDP:*:enabled:SQL (UDP 1433)
"3389:TCP" = 3389:TCP:*:enabled:Remote Desktop (TCP)
"3389:UDP" = 3389:UDP:*:enabled:Remote Desktop (UDP)
"139:TCP" = 139:TCP:*:enabled:File and Printer Sharing
"445:TCP" = 445:TCP:*:enabled:File and Printer Sharing
"137:UDP" = 137:UDP:*:enabled:File and Printer Sharing
"138:UDP" = 138:UDP:*:enabled:File and Printer Sharing
"2967:TCP" = 2967:TCP:10.204.34.100,10.204.34.101,10.204.34.102,10.200.34.101,10.200.34.102:enabled:Symantec AntiVirus
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"11115:TCP" = 11115:TCP:*:Enabled:spport
"18724:TCP" = 18724:TCP:*:Enabled:spport

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%programfiles%\AR System\alert.exe" = %programfiles%\AR System\alert.exe:*:enabled:Remedy Alert -- File not found
"%programfiles%\AR System\aruser.exe" = %programfiles%\AR System\aruser.exe:*:enabled:Remedy User -- File not found
"%programfiles%\Remedy\aruser.exe" = %programfiles%\Remedy\aruser.exe:*:enabled:Remedy User -- File not found
"%programfiles%\Checkpoint\SecurRemote\bin\SR_GUI.exe" = %programfiles%\Checkpoint\SecuRemote\bin\SR_GUI.exe:*:enabled:Secure Remote -- File not found
"%programfiles%\Citrix\ICA Client\pn.exe" = %programfiles%\Citrix\ICA Client\pn.exe:*:enabled:Citrix ICA Client -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"%programfiles%\e!pc\extra.exe" = %programfiles%\e!pc\extra.exe:*:Enabled:EP!C -- File not found
"%programfiles%\Hummingbird\Connectivity\7.00\Exceed\exceed.exe" = %programfiles%\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:enabled:Exceed 7.0 -- File not found
"%programfiles%\Hummingbird\Connectivity\8.00\Exceed\exceed.exe" = %programfiles%\Hummingbird\Connectivity\8.00\Exceed\exceed.exe:*:enabled:Exceed 8.0 -- File not found
"%programfiles%\VERITAS\Backup Exec\NT\beserver.exe" = %programfiles%\VERITAS\Backup Exec\NT\beserver.exe:*:enabled:Backup Exec -- File not found
"%programfiles%\Netmeeting\conf.exe" = %programfiles%\Netmeeting\conf.exe:*:enabled:NetMeeting -- (Microsoft Corporation)
"%programfiles%\IBM\OnDemand32\ODClient.exe" = %programfiles%\IBM\OnDemand32\ODClient.exe:*:enabled:OnDemand Client -- File not found
"%programfiles%\Symantec\pcAnywhere\awhost32.exe" = %programfiles%\Symantec\pcAnywhere\awhost32.exe:*:enabled:pcAnywhere Host Service -- File not found
"%programfiles%\Symantec\pcAnywhere\winaw32.exe" = %programfiles%\Symantec\pcAnywhere\winaw32.exe:*:enabled:pcAnywhere Main Program -- File not found
"%programfiles%\Symantec\pcAnywhere\awrem32.exe" = %programfiles%\Symantec\pcAnywhere\awrem32.exe:*:enabled:pcAnywhere Remote service -- File not found
"%programfiles%\Reflection\r1win.exe" = %programfiles%\Reflection\r1win.exe:*:enabled:Reflections 10 -- File not found
"%programfiles%\Reflection\r2win.exe" = %programfiles%\Reflection\r2win.exe:*:enabled:Reflections 11 -- File not found
"%windir%\dmremote.exe" = %windir%\dmremote.exe:*:enabled:Remote Disk Management -- File not found
"%programfiles%\WinSCP3\WinSCP.exe" = %programfiles%\WinSCP3\WinSCP3.exe:*:enabled:WinSCP -- File not found
"%programfiles%\Yahoo!\Messenger\ypager.exe" = %programfiles%\Yahoo!\Messenger\ypager.exe:*:enabled:Yahoo Messenger -- File not found
"C:\Program Files\Microsoft Virtual Server\vssrvc.exe" = C:\Program Files\Microsoft Virtual Server\vssrvc.exe:*:Enabled:Virtual Server -- (Microsoft Corporation)
"c:\program files\marimba\tuner\lib\jre\bin\java.exe" = c:\program files\marimba\tuner\lib\jre\bin\java.exe:*:Enabled:MARIMBA 32-BIT (JAVA) -- (Sun Microsystems, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%programfiles%\AR System\alert.exe" = %programfiles%\AR System\alert.exe:*:enabled:Remedy Alert -- File not found
"%programfiles%\AR System\aruser.exe" = %programfiles%\AR System\aruser.exe:*:enabled:Remedy User -- File not found
"%programfiles%\Remedy\aruser.exe" = %programfiles%\Remedy\aruser.exe:*:enabled:Remedy User -- File not found
"%programfiles%\Checkpoint\SecurRemote\bin\SR_GUI.exe" = %programfiles%\Checkpoint\SecuRemote\bin\SR_GUI.exe:*:enabled:Secure Remote -- File not found
"%programfiles%\Citrix\ICA Client\pn.exe" = %programfiles%\Citrix\ICA Client\pn.exe:*:enabled:Citrix ICA Client -- File not found
"%programfiles%\e!pc\extra.exe" = %programfiles%\e!pc\extra.exe:*:Enabled:EP!C -- File not found
"%programfiles%\Hummingbird\Connectivity\7.00\Exceed\exceed.exe" = %programfiles%\Hummingbird\Connectivity\7.00\Exceed\exceed.exe:*:enabled:Exceed 7.0 -- File not found
"%programfiles%\Hummingbird\Connectivity\8.00\Exceed\exceed.exe" = %programfiles%\Hummingbird\Connectivity\8.00\Exceed\exceed.exe:*:enabled:Exceed 8.0 -- File not found
"%programfiles%\VERITAS\Backup Exec\NT\beserver.exe" = %programfiles%\VERITAS\Backup Exec\NT\beserver.exe:*:enabled:Backup Exec -- File not found
"%programfiles%\Netmeeting\conf.exe" = %programfiles%\Netmeeting\conf.exe:*:enabled:NetMeeting -- (Microsoft Corporation)
"%programfiles%\IBM\OnDemand32\ODClient.exe" = %programfiles%\IBM\OnDemand32\ODClient.exe:*:enabled:OnDemand Client -- File not found
"%programfiles%\Symantec\pcAnywhere\awhost32.exe" = %programfiles%\Symantec\pcAnywhere\awhost32.exe:*:enabled:pcAnywhere Host Service -- File not found
"%programfiles%\Symantec\pcAnywhere\winaw32.exe" = %programfiles%\Symantec\pcAnywhere\winaw32.exe:*:enabled:pcAnywhere Main Program -- File not found
"%programfiles%\Symantec\pcAnywhere\awrem32.exe" = %programfiles%\Symantec\pcAnywhere\awrem32.exe:*:enabled:pcAnywhere Remote service -- File not found
"%programfiles%\Reflection\r1win.exe" = %programfiles%\Reflection\r1win.exe:*:enabled:Reflections 10 -- File not found
"%programfiles%\Reflection\r2win.exe" = %programfiles%\Reflection\r2win.exe:*:enabled:Reflections 11 -- File not found
"%windir%\dmremote.exe" = %windir%\dmremote.exe:*:enabled:Remote Disk Management -- File not found
"%programfiles%\WinSCP3\WinSCP.exe" = %programfiles%\WinSCP3\WinSCP3.exe:*:enabled:WinSCP -- File not found
"%programfiles%\Yahoo!\Messenger\ypager.exe" = %programfiles%\Yahoo!\Messenger\ypager.exe:*:enabled:Yahoo Messenger -- File not found
"c:\program files\marimba\tuner\lib\jre\bin\java.exe" = c:\program files\marimba\tuner\lib\jre\bin\java.exe:*:Enabled:MARIMBA 32-BIT (JAVA) -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{0BD83598-C2EF-3343-847B-7D2E84599128}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - FRA
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E31821C-7917-367E-938E-E65FC413EA31}" = Microsoft .NET Framework 3.5 Language Pack SP1 - fra
"{4E951F0A-C53B-4AD6-A6DA-0D0A009073A9}" = Microsoft Office Live Meeting 2005
"{50E125D1-88E5-48CE-80AE-98EC9698E639}" = Symantec AntiVirus
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{72AD53CC-CCC0-3757-8480-9EE176866A7C}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - FRA
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{901E040C-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 French User Interface Pack
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9E913135-3DE4-5DA5-28E8-E0CCEC3428D0}" = WK Endpoint
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{AD483998-2E9A-4405-83FF-6E503AF49CBB}" = Microsoft Virtual PC 2007 SP1
"{B3B2FC69-5513-4C99-9A7E-C5584A928508}" = Microsoft Virtual Server 2005 R2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{E8033C46-957B-4C8C-A323-E502C98B3FD8}" = Microsoft Office Live Meeting Add-in Pack
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - fra" = Module linguistique Microsoft .NET Framework 3.5 SP1- fra
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"VLC media player" = VLC media player 1.0.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1849001254-2726021490-3962836702-1033\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"42458e4d25a5e3b6" = Roth IRA Conversion Evaluator™
"Sansa Updater" = Sansa Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/22/2010 12:40:27 PM | Computer Name = IL47WS030861 | Source = UserInit | ID = 1000
Description = Could not execute the following script \\na.wkglobal.com\SysVol\na.wkglobal.com\scripts\cmslogon.bat.
The network path was not found. .

Error - 3/22/2010 12:40:34 PM | Computer Name = IL47WS030861 | Source = UserInit | ID = 1000
Description = Could not execute the following script addlocaladmins.bat. The system
cannot find the file specified. .

Error - 3/22/2010 12:40:34 PM | Computer Name = IL47WS030861 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/22/2010 10:47:50 PM | Computer Name = IL47WS030861 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/23/2010 6:47:41 AM | Computer Name = IL47WS030861 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/23/2010 2:49:46 PM | Computer Name = IL47WS030861 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/25/2010 10:22:12 AM | Computer Name = IL47WS030861 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 3/25/2010 10:22:29 AM | Computer Name = IL47WS030861 | Source = UserInit | ID = 1000
Description = Could not execute the following script \\na.wkglobal.com\SysVol\na.wkglobal.com\scripts\cmslogon.bat.
The network path was not found. .

Error - 3/25/2010 10:22:29 AM | Computer Name = IL47WS030861 | Source = UserInit | ID = 1000
Description = Could not execute the following script addlocaladmins.bat. The system
cannot find the file specified. .

Error - 3/25/2010 10:22:29 AM | Computer Name = IL47WS030861 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ System Events ]
Error - 6/7/2010 5:25:05 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/7/2010 5:25:07 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/7/2010 5:25:45 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/7/2010 5:32:24 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 6/7/2010 5:33:29 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/7/2010 5:33:29 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 6/7/2010 5:46:14 PM | Computer Name = IL47WS030861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/7/2010 5:47:27 PM | Computer Name = IL47WS030861 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain NA due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 6/7/2010 5:49:14 PM | Computer Name = IL47WS030861 | Source = Service Control Manager | ID = 7022
Description = The Virtual Server service hung on starting.

Error - 6/7/2010 5:49:14 PM | Computer Name = IL47WS030861 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
iaStor
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde


< End of report >


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thank you for promoting the noble cause of organ donation!

Thanks & Regards,
relarm


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 07 June 2010 - 07:39 PM

Very well done. thumbup2.gif

Let's continue...

Remote Control Program WARNING
You appear to have a Remote Control application installed. In your case, this is refering to LogMeIn.
Remote Control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, than you can safely ignore this warning but if you wish you may wish to uninstall it as it is a risk. If you didn't install this application, please remove (uninstall) it from Add or Remove Programs now.

==========


We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    IE - HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    :Files
    C:\WINDOWS\system32\drivers\dac960nt.sys|C:\WINDOWS\system32\dllcache\dac960nt.sys /replace

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


==========

We need to run an OTL Custom Scan
  1. Please reopen on your desktop.
  2. Choose "None" <--Important!!
  3. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    /md5start
    dac960nt.sys
    /md5stop

  4. Push
  5. A report will open. Copy and Paste that report in your next reply.

==========

You must first verify that you can logon to the Windows Recovery Console.

It got installed when you ran Combofix.

Make sure you can boot into the RC.
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    exit

Normal Windows will now begin loading...........

Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

==========

Do you purposely have these firewall ports open?

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21:TCP" = 21:TCP:*:enabled:FTP (TCP 21)
"21:UDP" = 21:UDP:*:enabled:FTP (UDP 21)
"23:TCP" = 23:TCP:*:enabled:TELNET (TCP 23)
"23:UDP" = 23:UDP:*:enabled:TELNET (UDP 23)
"5282:TCP" = 5282:TCP:*:Enabled:MARIMBA (TCP 5282)
"5252:UDP" = 5282:UDP:*:enabled:MARIMBA (UDP 5282)
"7717:TCP" = 7717:TCP:*:Enabled:MARIMBA (TCP 7717)
"7717:UDP" = 7717:UDP:*:Enabled:MARIMBA (UDP 7717)
"8888:TCP" = 8888:TCP:*:Enabled:MARIMBA (TCP 8888)
"8888:UDP" = 8888:UDP:*:Enabled:MARIMBA (UDP 8888)
"1433:TCP" = 1433:TCP:*:enabled:SQL (TCP 1433)
"1433:UDP" = 1433:UDP:*:enabled:SQL (UDP 1433)
"3389:TCP" = 3389:TCP:*:enabled:Remote Desktop (TCP)
"3389:UDP" = 3389:UDP:*:enabled:Remote Desktop (UDP)
"139:TCP" = 139:TCP:*:enabled:File and Printer Sharing
"445:TCP" = 445:TCP:*:enabled:File and Printer Sharing
"137:UDP" = 137:UDP:*:enabled:File and Printer Sharing
"138:UDP" = 138:UDP:*:enabled:File and Printer Sharing
"2967:TCP" = 2967:TCP:10.204.34.100,10.204.34.101,10.204.34.102,10.200.34.101,10.200.34.102:enabled:Symantec AntiVirus
"5282:UDP" = 5282:UDP:*:Enabled:MARIMBA (UDP 5282)
"135:TCP" = 135:TCP:*:Enabled:Remote Procedure Call


==========

With your next post please provide:

* OTL.txt (fix)
* OTL.txt (scan)
* Looklog.txt
* Answer to FW question
* Still running alright?

Kind regards,
~t


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 realrm

realrm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 08 June 2010 - 10:46 AM

Hello thcbytes!

LogMeIn was installed knowingly and on purpose.

I was not able to get into recovery console after running the maxlook.exe and rebooting. When I select the "Windows Recovery Console" I get "Disk read error" message with option to reboot. My apologies as I ran the tool first without making sure that I can get to recovery console. This post does not contain the text from looklog.txt


Here are the logs:

OTL Fix Log:

All processes killed
========== OTL ==========
HKU\S-1-5-21-1849001254-2726021490-3962836702-1033\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\003210_.tmp deleted successfully.
========== FILES ==========
File C:\WINDOWS\system32\drivers\dac960nt.sys successfully replaced with C:\WINDOWS\system32\dllcache\dac960nt.sys
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: CedarRapids
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 147590 bytes

User: handj
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: JMatthews
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: jorge.ruiz
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: malgaonr
->Temp folder emptied: 77398 bytes
->Temporary Internet Files folder emptied: 748490 bytes
->Java cache emptied: 31043 bytes
->FireFox cache emptied: 63562874 bytes
->Flash cache emptied: 11236 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 11948 bytes

User: RChandler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: robert.chandler
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 785887 bytes
->Flash cache emptied: 1342 bytes

User: tom.ehlen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 772 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 62.00 mb


OTL by OldTimer - Version 3.2.5.3 log created on 06082010_092035

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


OTL Scan Log:
Note: I was not sure which "None" you were referring to. I selected "None" for "Processes", "Modules", "Services", "Drivers", "Standard Registry", "Extra Registry", "Files Created Within", and "Files Modified Within" groups on OTL tool.

Log Text....

OTL logfile created on: 6/8/2010 9:29:46 AM - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\malgaonr\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 318.79 Gb Free Space | 68.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IL47WS030861
Current User Name: malgaonr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========



< MD5 for: DAC960NT.SYS >
[2001/08/17 13:52:16 | 000,014,720 | ---- | M] (Microsoft Corporation) MD5=683789CAA3864EB46125AE86FF677D34 -- C:\WINDOWS\system32\dllcache\dac960nt.sys
[2001/08/17 13:52:16 | 000,014,720 | ---- | M] (Microsoft Corporation) MD5=683789CAA3864EB46125AE86FF677D34 -- C:\WINDOWS\system32\drivers\dac960nt.sys
< End of report >


For the firewall ports, I've marked the ones that I know are kept open for purposes with an X mark in red font in the beginning.

QUOTE
X "21:TCP" = 21:TCP:*:enabled:FTP (TCP 21)
X "21:UDP" = 21:UDP:*:enabled:FTP (UDP 21)
X "23:TCP" = 23:TCP:*:enabled:TELNET (TCP 23)
X "23:UDP" = 23:UDP:*:enabled:TELNET (UDP 23)
X "5282:TCP" = 5282:TCP:*:Enabled:MARIMBA (TCP 5282)
X "5252:UDP" = 5282:UDP:*:enabled:MARIMBA (UDP 5282)
X "7717:TCP" = 7717:TCP:*:Enabled:MARIMBA (TCP 7717)
X "7717:UDP" = 7717:UDP:*:Enabled:MARIMBA (UDP 7717)
X "8888:TCP" = 8888:TCP:*:Enabled:MARIMBA (TCP 8888)
X "8888:UDP" = 8888:UDP:*:Enabled:MARIMBA (UDP 8888)
X "1433:TCP" = 1433:TCP:*:enabled:SQL (TCP 1433)
X "1433:UDP" = 1433:UDP:*:enabled:SQL (UDP 1433)
X "3389:TCP" = 3389:TCP:*:enabled:Remote Desktop (TCP)
X "3389:UDP" = 3389:UDP:*:enabled:Remote Desktop (UDP)
"139:TCP" = 139:TCP:*:enabled:File and Printer Sharing
"445:TCP" = 445:TCP:*:enabled:File and Printer Sharing
"137:UDP" = 137:UDP:*:enabled:File and Printer Sharing
"138:UDP" = 138:UDP:*:enabled:File and Printer Sharing
X "2967:TCP" = 2967:TCP:10.204.34.100,10.204.34.101,10.204.34.102,10.200.34.101,10.200.34.102:enabled:Symantec AntiVirus
X "5282:UDP" = 5282:UDP:*:Enabled:MARIMBA (UDP 5282)
"135:TCP" = 135:TCP:*:Enabled:Remote Procedure Call


I'm happy to report that PC is still running alright and have not seen any suspicious pop-ups while browsing the net. thumbup.gif

Thanks & Regards,
realrm

Edited by realrm, 08 June 2010 - 10:49 AM.


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 08 June 2010 - 12:50 PM

Alright. That worked. thumbup2.gif

Do this instead of Maxlook...

Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  • Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  • Open your c:\folder right-click on fixme.bat and select Run as Administrator. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.

==========

Re-run Gmer and post a log

==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

With your next post please provide:

* Mbr.txt
* Gmer log
* MBAM log
* ESET log
* Any further troubles?

Kind regards,
~t



Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 realrm

realrm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 09 June 2010 - 09:08 AM

Here are the contents MBR.log
=================================================================
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

=================================================================

Machine stopped responding after an hour when I started the gmer scan. I left it running overnight thinking it must be scan that is consuming resources. I've rebooted the machine this morning and will post the gmer log and logs from rest of steps in next post.

Thanks,
realrm


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 09 June 2010 - 09:10 AM

thumbup2.gif
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 realrm

realrm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 09 June 2010 - 02:33 PM

Finally all the scans have completed. The logs are below:

GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-09 11:00:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\malgaonr\LOCALS~1\Temp\kwlorpob.sys


---- System - GMER 1.0.15 ----

SSDT 8ABC9BA0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB596A350]
SSDT 8ADE13D8 ZwQueryValueKey
SSDT 8AEB25F8 ZwResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB596A580]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8FD4360, 0x300037, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

MBAM Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4183

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/9/2010 11:11:10 AM
mbam-log-2010-06-09 (11-11-10).txt

Scan type: Quick scan
Objects scanned: 190622
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\WINDOWS\system32\isaxbox.sys a variant of Win32/Wimpixo.AE trojan cleaned by deleting - quarantined



Still no troubles with the PC.

Thanks,
realrm

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 09 June 2010 - 06:25 PM

Hello,

Congratulations! You now appear clean!

**********

Please pay particularly close attention to the instructions that follow. To neglect these steps risk needless reinfection!!

**********

Are things running okay? Do you have any more questions?

**********

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.

**********
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    :Commands
    [CLEARALLRESTOREPOINTS]
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .


**********

Run OTL again

We will now remove the tools we used during this fix using OTL.
  • Double click the OTL icon to start the program.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

**********

Recommendations


Below are some recommendations to lower your chances of (re)infection.

  1. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.

  2. Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

  3. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.


    Windows XP


    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  4. Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.

  5. Consider Firefox as your primary browser. Its safer, fast and secure!

  6. Install WOT. Never inadvertently surf to a dangerous website again.

  7. Consider running your browser Sandboxed with Sandboxie. You decide what actually get's into your OS!!

  8. Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  9. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.


**********

Good luck & safe surfing,
Kind Regards,
~ t


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 realrm

realrm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 10 June 2010 - 11:50 AM

Hello thcbyte!

I've performed all the listed steps successfully. Computer is running dandy and I have not seen anything out of the ordinary.

Thank you very much for taking the time to help me over last couple of days!! I always try to surf only the known sites but this one caught us by surprise. My wife was surfing some nursing related sites and suddenly the computer got hijacked.

I'll go over the recommendations and install needed applications.

Since I'm already a registered organ donor (on my driver's license). Would it be OK with you if I go for personal donation?

Best Regards,
realrm


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 10 June 2010 - 02:22 PM

My pleasure assisting you. I do this because I like helping people and sharing my knowledge. I applaud you for your selfless commitment to organ donation!!!! I simply do not accept personal donations. Please either donate to someone in need or pass a good deed onto another. thumbup2.gif


Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 11 June 2010 - 09:55 PM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users