Torpig reported by ISP (Computer 1-Dell Desktop XP)


  • This topic is locked
26 replies to this topic

#1 bcoleinaz

Posted 11 June 2010 - 10:27 PM

My ISP (Qwest) has repeatedly blocked my internet access due to malware/bot detection over the past 3 months.

I have 5 computers on my network, but Qwest is not able to tell me which one it is coming from. I will submit a separate topic for each computer. This one is for a Dell desktop running Windows XP Home SP2, hard wired to the router.

When this started happening, I was using ZoneAlarm Extreme Security only for my computer security.
My ISP (Qwest) has suggested many different software solutions, which I have implemented and scanned with. They include Microsoft Malicious Software Removal Tool, TrendMicro RUBotted, BotHunter, Microsoft Security Essentials. I have also received information from several local computer techs to use MalwareBytes, SuperAntiSpyware, AVG free and Avast Anti-virus. The last one I spoke with said everything Qwest has suggested is useless as is AVG free and ZoneAlarm (except maybe the firewall). He recommends MalwareBytes, SuperAntiSpyware and Avast. I have been unable to install and run Avast on this computer, as the computer will not run, but freezes when I install it. As soon as I uninstall it again, the computer runs.
Quick scans by any of these programs find nothing. Full scans produce adware cookies, but nothing else for the past month+. I pretty much run a full scan by one of them each day and remove anything that they find.

Here is the most recent log Qwest sent me of the detected Bot activity. This is the first time I have heard that it is Torpig, which I guess is an infection of the master boot record, which can cause all the other programs to not be able to detect it.

Date & Time (GMT) Source Port MW Type
Date/Time Seen (GMT) Infection Data (*)
--------------- -------------------- ------------------------------
date: 2010-05-27 list: bots
2010-05-26 18:02:15 srcport 13466 mwtype Torpig destaddr 91.20.208.178
2010-05-26 18:02:49 srcport 13467 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:03:49 srcport 22708 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:04:25 srcport 22709 mwtype Torpig destaddr 91.20.208.178

Here is the most recent email Qwest sent me to resolve the problem.

--------------Begin Email-------------
Mebroot is a rootkit, which means that the master boot record itself is infected. Trend Micro suggests performing a system recovery in addition to updating and running the latest antivirus:
http://www.trendmicro.com/vinfo/virusencyc...AD&VSect=Sn
Looks like McAfee suggests similar steps:
http://vil.nai.com/vil/content/v_143908.htm#tab5
It looks like Torpig/Anserin removal isn't complete until registry keys are removed.
Symantec:
http://www.symantec.com/security_response/...-99&tabid=3
Torpig is also on the list of signatures that the Microsoft Malicious Software Removal Tool has:
http://www.microsoft.com/security/malwareremove/default.mspx
--------------End of Email---------------

I first downloaded and scanned with the Microsoft Malicious Software Removal Tool, which found nothing.

When I attempted to use the Windows Recovery Console and use "fixmbr", I got the following message:
** CAUTION **
This computer appears to have a non-standard or invalid master boot record.

FIXMBR could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR?

----------------------------------------------
Since I am not having problems accessing my drive, it does not seem that I should continue.
Therefore, I answered N and exited the process.

That is when I did more research and found your website.

I have run the steps as specified in the Preparation Guide.

Following is DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bob at 19:03:58.53 on Thu 06/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.337 [GMT -7:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.primericaonline.com/Login
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\bob\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [monitr32] "c:\program files\canon\multipass4\monitr32.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [WFXSwtch] "c:\progra~1\norton~2\winfax\WFXSWTCH.exe"
mRun: [WinFaxAppPortStarter] "wfxsnt40.exe"
mRun: [QD FastAndSafe] "c:\program files\norton cleansweep\QDCSFS.exe" /startup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\norton~1.lnk - c:\program files\norton utilities\SYSDOC32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton utilities\SYSDOC32.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208271999546
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: apitrap.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\5x36j14c.alt\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-18 317072]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 67656]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton utilities\NPROTECT.EXE [2008-3-31 135168]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-3-19 582992]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-3-11 206608]
S3 1a1daa2b-b24f-489e-be4b-7ac1335746d5;1a1daa2b-b24f-489e-be4b-7ac1335746d5;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]
S3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-11 206608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-18 486280]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-06-10 18:22:04 0 ----a-w- c:\documents and settings\bob\defogger_reenable
2010-06-09 18:35:47 0 d-----w- c:\windows\system32\NtmsData
2010-05-28 23:02:56 0 d-----w- c:\program files\WebSudokuDeluxe
2010-05-25 14:33:36 0 d-----w- c:\program files\iPod
2010-05-25 14:33:13 0 d-----w- c:\program files\iTunes
2010-05-25 14:33:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 14:18:37 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-22 20:23:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 19:06:00.06 ===============


#2 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 16 June 2010 - 04:31 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not Attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Multiple Anti Virus programs:
    It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

    ZoneAlarm Extreme Security Antivirus
    Microsoft Security Essentials


    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

    Please remove one of them. Note** Go ahead and check the other computers; if they also have more than one antivirus, remove all but one.

If you would like, I will help with all 5 computers, but we will only do one at a time. Plus, you should only work on one at a time so as not to become confused about which instructions are for which computer.

Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

Information and logs
    In your next post I need the following:
    1. Log from ComboFix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 bcoleinaz
  • Topic Starter

Posted 16 June 2010 - 07:36 PM

I would actually like to remove both of the current AV programs and replace them with Avast free AV and install the ZoneAlarm free firewall. I have not been happy with the ZoneAlarm Extreme Security. Would it be OK to do that before I do ComboFix, or should I wait until we are done with the rest of this?

I also had someone else respond to my topic for computer 3. I would like to work with only 1 person for all 5 computers, one at a time.
Thanks,
Bob

#4 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 16 June 2010 - 07:53 PM

Remove both AV now and we will install Avast when we are clean.


Gringo

#5 bcoleinaz
  • Topic Starter

Posted 17 June 2010 - 01:00 AM

All anti-virus, malware & spyware programs have been disabled.

During ComboFix, I encountered the following message:
------------------start of message-----------------
Rootkit!!
ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
[Ok]
------------------end of message-----------------
I clicked [Ok] and the machine rebooted and picked up autoscan.
I then received the following message:
------------------start of message------------------
PEV.cfxxe
PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
[Debug] [Close]
--------------end of message-------------
The AutoScan had displayed:
Completed Stage_31
but it seems to be continuing - up to Stage_41 at this point.

What should I do with the error message from PEV.cfxxe?
Now up to Stage_48, just that fast.

#6 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 17 June 2010 - 01:07 AM

Let it finish.

Gringo

#7 bcoleinaz
  • Topic Starter

Posted 17 June 2010 - 01:22 AM

Autoscan completed. The PEV.cfxxe error window closed without being answered.
ComboFix is now preparing the log report.

Edited by bcoleinaz, 17 June 2010 - 01:22 AM.


#8 bcoleinaz
  • Topic Starter

Posted 17 June 2010 - 01:36 AM

Ok. ComboFix is done.
Here is the log attached.


#9 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 17 June 2010 - 01:41 AM

Greetings

What made you pick this computer to clean first?

It had it on there

HelpAsst_mebroot_fix
  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

*Note*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).

Gringo

#10 bcoleinaz
  • Topic Starter

Posted 17 June 2010 - 10:40 AM

HelpAsst detected an infection.
The log is attached.


#11 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 17 June 2010 - 11:01 AM

Please do not attach the reports. It makes it harder to research.

d:\Documents and Settings\Bob\My Documents\Downloads\HelpAsst_mebroot_fix.exe
Thu 06/17/2010 at 7:05:58.54

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-
"8213:TCP"=-
"8214:TCP"=-
"3991:TCP"=-
"6482:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-
"8213:TCP"=-
"8214:TCP"=-
"3991:TCP"=-
"6482:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1275210071-1482476501-839522115-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 06/17/2010 at 8:35:56.21

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sdcplh.sys atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A891C1
malicious code @ sector 0x04A891C4 !
PE file found in sector at 0x04A891DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

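The HelpAsst log above reports three host indicators besides the MBR itself: an active HelpAssistant account in Administrators, TermService loading termsrv32.dll, and rogue entries in the firewall's GloballyOpenPorts lists. As an added example that is not from the thread or from the HelpAsst tool, the following read-only PowerShell triage script checks a machine for those same three conditions; the port allowlist and the message wording are assumptions for this example.

```powershell
# Added example: read-only triage for the indicators shown in the HelpAsst log.
# It changes nothing on the system; it only reports. Run from an elevated prompt.

$findings = @()

# 1. HelpAssistant account: on a clean XP box it is disabled and not in Administrators.
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='HelpAssistant'"
if ($acct -and -not $acct.Disabled) {
    $findings += "HelpAssistant account is ACTIVE (expected: disabled)"
}
$adminMembers = ([ADSI]"WinNT://./Administrators,group").Members() |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($adminMembers -contains 'HelpAssistant') {
    $findings += "HelpAssistant is a member of Administrators"
}

# 2. Terminal Services ServiceDll: the legitimate value ends in termsrv.dll, not termsrv32.dll.
$tsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $tsParams -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and ($serviceDll -notmatch '\\termsrv\.dll$')) {
    $findings += "TermService ServiceDll is '$serviceDll' (expected: ...\termsrv.dll)"
}

# 3. Firewall GloballyOpenPorts: report every entry that is not on the allowlist.
# The allowlist is an assumption for this example; set it to what the machine legitimately exposes.
$allowedPorts = @('139:TCP', '445:TCP', '137:UDP', '138:UDP')
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key   = "$fwBase\$fwProfile\GloballyOpenPorts\List"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ($allowedPorts -notcontains $p.Name) {
            $findings += "$fwProfile GloballyOpenPorts has unexpected entry $($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No HelpAssistant / termsrv32.dll / rogue-port indicators found."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A hit on any of the three checks is a reason to run the MBR check the thread describes; the script does not inspect the boot sector itself.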

#12 gringo_pr
  • Bleepin Gringo
  • Malware Response Team

Posted 17 June 2010 - 11:03 AM

That looks very good.

Let's do this next.

Update ComboFix

I would like you to download an updated version of ComboFix.
    Delete the version of combofix you have now on your desktop and download a new one from here

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note:Do not mouseclick combofix's window while it's running. That may cause it to stall



gringo

#13 bcoleinaz (Topic Starter, Members)

Posted 17 June 2010 - 12:14 PM

Finished. Here's the log.

ComboFix 10-06-16.04 - Bob 06/17/2010 9:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.495 [GMT -7:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-17 14:06 . 2010-06-17 14:06 -------- d-----w- C:\HelpAsst_backup
2010-06-17 13:53 . 2010-06-17 15:42 -------- d-----w- c:\windows\Internet Logs
2010-06-11 23:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 06:47 . 2010-06-10 06:47 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Mozilla
2010-06-09 18:35 . 2010-06-10 01:43 -------- d-----w- c:\windows\system32\NtmsData
2010-06-01 15:08 . 2010-06-01 15:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-29 01:48 . 2010-06-11 00:52 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Temp
2010-05-29 01:47 . 2010-05-29 01:54 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Google
2010-05-28 23:02 . 2010-05-28 23:02 -------- d-----w- c:\program files\WebSudokuDeluxe
2010-05-25 14:33 . 2010-05-25 14:33 -------- d-----w- c:\program files\iPod
2010-05-25 14:33 . 2010-05-25 14:35 -------- d-----w- c:\program files\iTunes
2010-05-25 14:33 . 2010-05-25 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 14:27 . 2010-05-25 14:28 -------- d-----w- c:\program files\QuickTime
2010-05-25 14:18 . 2010-05-25 14:18 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 15:03 . 2010-05-06 22:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-11 02:31 . 2010-05-06 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-08 21:58 . 2010-05-06 22:44 63488 ------w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 21:58 . 2010-05-06 22:43 117760 ------w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 04:03 . 2008-05-19 17:25 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer
2010-05-25 14:33 . 2008-05-19 17:08 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 14:10 . 2010-05-25 14:10 73000 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-07 00:23 . 2010-05-07 00:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-06 22:56 . 2010-05-06 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-06 22:55 . 2010-05-06 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-05-06 22:53 . 2010-05-06 22:53 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-06 22:52 . 2010-05-06 22:52 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-06 22:43 . 2010-05-06 22:43 52224 ------w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 22:41 . 2010-05-06 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-06 22:39 . 2010-05-06 22:39 -------- d-----w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2010-05-06 22:33 . 2010-05-06 22:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-06 22:18 . 2010-05-06 22:18 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2010-05-06 22:17 . 2010-05-06 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:17 . 2010-05-06 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-06 17:36 . 2010-03-12 00:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2006-02-28 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 22:19 . 2008-03-14 03:52 -------- d-----w- c:\documents and settings\Bob\Application Data\Webroot
2010-04-29 22:39 . 2010-05-06 22:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-05-06 22:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-17_06.19.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 22:36 . 2006-02-28 12:00 13824 c:\windows\system32\wowfaxui.dll
+ 1999-11-25 01:40 . 1999-11-25 01:40 40960 c:\windows\system32\VBAME.DLL
+ 2001-08-17 22:36 . 2006-02-28 12:00 49211 c:\windows\system32\usrvpa.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 45116 c:\windows\system32\usrvoica.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 49209 c:\windows\system32\usrv80a.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 41019 c:\windows\system32\usrsvpia.dll
+ 2001-08-17 22:37 . 2006-02-28 12:00 69700 c:\windows\system32\usrshuta.exe
+ 2001-08-17 22:36 . 2006-02-28 12:00 49211 c:\windows\system32\usrsdpia.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 77883 c:\windows\system32\usrrtosa.dll
+ 2001-08-17 22:37 . 2006-02-28 12:00 61508 c:\windows\system32\usrprbda.exe
+ 2001-08-17 22:37 . 2006-02-28 12:00 77891 c:\windows\system32\usrmlnka.exe
+ 2001-08-17 22:36 . 2006-02-28 12:00 53305 c:\windows\system32\usrlbva.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 86073 c:\windows\system32\usrfaxa.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 77890 c:\windows\system32\usrdpa.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 69699 c:\windows\system32\usrcoina.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 61500 c:\windows\system32\usrcntra.dll
+ 2003-02-21 12:16 . 2003-02-21 12:16 49152 c:\windows\system32\URTTemp\regtlib.exe
+ 2001-08-17 22:36 . 2006-02-28 12:00 72192 c:\windows\system32\sprio800.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 70656 c:\windows\system32\sprio600.dll
+ 2004-06-08 23:08 . 2003-07-30 05:00 75264 c:\windows\system32\spool\drivers\w32x86\3\CNMSR56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 67584 c:\windows\system32\spool\drivers\w32x86\3\CNMPV56.EXE
+ 2004-06-08 23:08 . 2003-07-30 05:00 30320 c:\windows\system32\spool\drivers\w32x86\3\CNMP256.DAT
+ 2004-06-08 23:08 . 2003-07-30 05:00 27140 c:\windows\system32\spool\drivers\w32x86\3\CNMP156.DAT
+ 2004-06-08 23:08 . 2003-07-30 05:00 23280 c:\windows\system32\spool\drivers\w32x86\3\CNMP056.DAT
+ 2004-06-08 23:08 . 2003-07-30 05:00 18944 c:\windows\system32\spool\drivers\w32x86\3\CNMOP56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 17920 c:\windows\system32\spool\drivers\w32x86\3\CNMFU56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 62464 c:\windows\system32\spool\drivers\w32x86\3\CNMCP56.DLL
+ 2001-08-17 22:36 . 2006-02-28 12:00 69632 c:\windows\system32\spnike.dll
+ 1998-03-25 04:54 . 1998-03-25 04:54 15872 c:\windows\system32\SCP32.DLL
+ 2003-02-21 02:16 . 2003-02-21 02:16 32768 c:\windows\system32\netfxperf.dll
+ 2003-04-18 23:29 . 2003-04-18 23:29 82432 c:\windows\system32\msxml4r.dll
+ 1998-06-18 02:08 . 1998-06-18 02:08 53248 c:\windows\system32\MFC42ENU.DLL
+ 1996-10-15 16:53 . 1996-10-15 16:53 78848 c:\windows\system32\INLOADER.DLL
+ 2001-12-15 13:01 . 2001-12-15 13:01 68096 c:\windows\system32\hdk3an32.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 55296 c:\windows\system32\dvdplay.exe
+ 2001-08-17 14:02 . 2006-02-28 12:00 58112 c:\windows\system32\drivers\vdmindvd.sys
+ 2001-08-17 14:03 . 2006-02-28 12:00 23936 c:\windows\system32\drivers\usbcamd2.sys
+ 2001-08-17 14:03 . 2006-02-28 12:00 23808 c:\windows\system32\drivers\usbcamd.sys
+ 2001-08-17 14:06 . 2006-02-28 12:00 21376 c:\windows\system32\drivers\tsbvcap.sys
+ 2001-08-17 14:01 . 2006-02-28 12:00 51712 c:\windows\system32\drivers\tosdvd.sys
+ 2001-08-17 13:24 . 2006-02-28 12:00 12032 c:\windows\system32\drivers\riodrv.sys
+ 2001-08-17 13:24 . 2006-02-28 12:00 12032 c:\windows\system32\drivers\rio8drv.sys
+ 2001-08-17 13:24 . 2006-02-28 12:00 12032 c:\windows\system32\drivers\nikedrv.sys
+ 2004-08-03 22:58 . 2006-02-28 12:00 61824 c:\windows\system32\drivers\nic1394.sys
+ 2001-08-17 13:48 . 2006-02-28 12:00 12160 c:\windows\system32\drivers\mouhid.sys
+ 2004-08-03 22:58 . 2006-02-28 12:00 23040 c:\windows\system32\drivers\mouclass.sys
+ 2001-08-17 13:57 . 2006-02-28 12:00 12160 c:\windows\system32\drivers\fsvga.sys
+ 2001-08-17 13:24 . 2006-02-28 12:00 11776 c:\windows\system32\drivers\cpqdap01.sys
+ 2001-08-17 13:52 . 2006-02-28 12:00 18688 c:\windows\system32\drivers\cdaudio.sys
+ 2004-08-03 22:58 . 2006-02-28 12:00 60800 c:\windows\system32\drivers\arp1394.sys
+ 2001-12-15 13:01 . 2001-12-15 13:01 65024 c:\windows\system32\bivbx30n.exe
+ 2003-03-19 02:05 . 2003-03-19 02:05 89088 c:\windows\system32\atl71.dll
+ 2001-12-15 13:01 . 2001-12-15 13:01 68096 c:\windows\system\hdk3an16.dll
+ 2001-12-15 13:01 . 2001-12-15 13:01 22016 c:\windows\system\bivbx30c.dll
+ 2004-07-15 09:11 . 2004-07-15 09:11 31744 c:\windows\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 57344 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2004-07-15 07:35 . 2004-07-15 07:35 66560 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2003-02-21 14:26 . 2003-02-21 14:26 65536 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.Design.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 90112 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2003-02-21 14:26 . 2003-02-21 14:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Configuration.Install.dll
+ 2004-07-15 07:34 . 2004-07-15 07:34 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_PerfCounter.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_mscorsn.dll
+ 2004-07-15 07:32 . 2004-07-15 07:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_CORPerfMonExt.dll
+ 2004-07-15 07:34 . 2004-07-15 07:34 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_PerfCounter.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_mscorsn.dll
+ 2004-07-15 07:32 . 2004-07-15 07:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_CORPerfMonExt.dll
+ 2003-02-21 14:25 . 2003-02-21 14:25 12288 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe
+ 2004-07-15 21:28 . 2004-07-15 21:28 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2003-02-21 14:25 . 2003-02-21 14:25 28672 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
+ 2004-07-15 07:34 . 2004-07-15 07:34 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\ngen.exe
+ 2003-02-21 01:43 . 2003-02-21 01:43 22528 c:\windows\Microsoft.NET\Framework\v1.1.4322\MUI\0409\mscorsecr.dll
+ 2003-02-21 02:18 . 2003-02-21 02:18 20480 c:\windows\Microsoft.NET\Framework\v1.1.4322\mtxoci8.dll
+ 2004-07-15 07:33 . 2004-07-15 07:33 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2003-02-21 02:06 . 2003-02-21 02:06 65536 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorpe.dll
+ 2004-07-15 07:32 . 2004-07-15 07:32 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2004-07-15 21:28 . 2004-07-15 21:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2003-02-21 14:25 . 2003-02-21 14:25 11264 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 28672 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 40960 c:\windows\Microsoft.NET\Framework\v1.1.4322\jsc.exe
+ 2003-02-21 14:24 . 2003-02-21 14:24 26112 c:\windows\Microsoft.NET\Framework\v1.1.4322\ISymWrapper.dll
+ 2003-02-21 02:22 . 2003-02-21 02:22 40960 c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtilLib.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 15872 c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe
+ 2004-07-15 21:31 . 2004-07-15 21:31 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
+ 2003-10-08 21:30 . 2003-10-08 21:30 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
+ 2003-02-21 11:12 . 2003-02-21 11:12 28672 c:\windows\Microsoft.NET\Framework\v1.1.4322\cvtres.exe
+ 2003-02-21 14:24 . 2003-02-21 14:24 33792 c:\windows\Microsoft.NET\Framework\v1.1.4322\CustomMarshalers.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 12288 c:\windows\Microsoft.NET\Framework\v1.1.4322\cscompmgd.dll
+ 2004-07-15 18:23 . 2004-07-15 18:23 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\csc.exe
+ 2003-02-21 14:24 . 2003-02-21 14:24 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe
+ 2003-02-21 14:24 . 2003-02-21 14:24 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\CasPol.exe
+ 2004-07-15 08:49 . 2004-07-15 08:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
+ 2004-07-15 08:49 . 2004-07-15 08:49 20480 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
+ 2003-02-21 02:19 . 2003-02-21 02:19 40960 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_rc.dll
+ 2003-02-21 12:00 . 2003-02-21 12:00 98304 c:\windows\Microsoft.NET\Framework\v1.1.4322\alink.dll
+ 2003-02-21 10:55 . 2003-02-21 10:55 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\cscompui.dll
+ 2003-02-21 09:59 . 2003-02-21 09:59 16896 c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\alinkui.dll
+ 2003-01-17 21:03 . 2003-01-17 21:03 59466 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\XSCAN32.DAT
+ 2003-07-15 05:57 . 2003-07-15 05:57 59960 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\UNBIND.EXE
+ 2002-10-07 16:49 . 2002-10-07 16:49 81983 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWRECS.DLL
+ 2003-07-15 06:00 . 2003-07-15 06:00 99904 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TRANSMGR.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 11848 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
+ 2003-07-15 05:57 . 2003-07-15 05:57 58944 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2003-07-15 05:44 . 2003-07-15 05:44 66616 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL
+ 2003-07-15 05:43 . 2003-07-15 05:43 74288 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RM.DLL
+ 2002-10-07 16:49 . 2002-10-07 16:49 81984 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REVERSE.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 40512 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-05-09 04:54 . 2003-05-09 04:54 77824 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-15 05:42 . 2003-07-15 05:42 37432 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RECALL.DLL
+ 2003-07-15 10:18 . 2003-07-15 10:18 93752 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
+ 2003-07-15 05:43 . 2003-07-15 05:43 49208 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL
+ 2003-07-15 05:43 . 2003-07-15 05:43 64056 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLRPC.DLL
+ 2003-07-15 05:44 . 2003-07-15 05:44 88128 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLMIME.DLL
+ 2003-07-15 05:41 . 2003-07-15 05:41 24640 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLACCT.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 95792 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OSA.EXE
+ 2003-07-15 10:14 . 2003-07-15 10:14 27192 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL
+ 2003-07-15 05:56 . 2003-07-15 05:56 13888 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 56888 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 41528 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 16384 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-07-15 05:45 . 2003-07-15 05:45 39488 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-07-15 05:45 . 2003-07-15 05:45 55360 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-15 05:46 . 2003-07-15 05:46 42040 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 39488 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 55872 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSVABW.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 35896 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 28224 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-15 05:56 . 2003-07-15 05:56 54328 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOMSE.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 55360 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2003-07-15 05:44 . 2003-07-15 05:44 25144 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 27704 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 17464 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-07-15 05:51 . 2003-07-15 05:51 87104 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2003-07-15 05:56 . 2003-07-15 05:56 40504 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSE7.EXE
+ 2003-07-15 06:12 . 2003-07-15 06:12 47872 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSB1XTOR.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 35328 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 18944 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 17920 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 87096 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL
+ 2003-07-15 05:41 . 2003-07-15 05:41 13368 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FINDER.EXE
+ 2003-07-15 05:53 . 2003-07-15 05:53 34880 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DWTRIG20.EXE
+ 2003-07-15 05:52 . 2003-07-15 05:52 39992 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DWDCW20.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 98360 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-07-15 05:56 . 2003-07-15 05:56 14904 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-26 01:57 . 2003-07-26 01:57 75832 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DLGSETP.DLL
+ 2003-07-15 10:18 . 2003-07-15 10:18 47160 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE
+ 2003-07-15 05:53 . 2003-07-15 05:53 46144 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\BLNMGRPS.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 60984 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\BLNMGR.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 94768 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 38968 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-15 05:43 . 2003-07-15 05:43 87616 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ADDRPARS.DLL
+ 2001-08-17 22:36 . 2006-02-28 12:00 3200 c:\windows\system32\wowfax.dll
+ 2001-08-17 22:36 . 2009-11-27 16:37 8704 c:\windows\system32\tsbyuv.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 8192 c:\windows\system32\streamci.dll
+ 2004-06-08 23:08 . 2003-07-30 05:00 6144 c:\windows\system32\spool\drivers\w32x86\3\CNMSQ56.EXE
+ 2004-06-08 23:08 . 2003-07-30 05:00 9728 c:\windows\system32\spool\drivers\w32x86\3\CNMSD56.EXE
+ 2004-06-08 23:08 . 2003-07-30 05:00 6144 c:\windows\system32\spool\drivers\w32x86\3\CNMPI56.DLL
+ 2003-02-21 01:43 . 2003-02-21 01:43 4096 c:\windows\system32\mui\0409\mscoreer.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 9216 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscortim.dll
+ 2003-02-21 14:25 . 2003-02-21 14:25 6656 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft_VsaVb.dll
+ 2003-02-21 14:25 . 2003-02-21 14:25 6144 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualC.Dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 4608 c:\windows\Microsoft.NET\Framework\v1.1.4322\IIEHost.dll
+ 2004-07-15 21:31 . 2004-07-15 21:31 8192 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
+ 2003-02-21 14:24 . 2003-02-21 14:24 7680 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
+ 2003-02-21 14:24 . 2003-02-21 14:24 7680 c:\windows\Microsoft.NET\Framework\v1.1.4322\Accessibility.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2002-06-27 19:45 . 2002-06-27 19:45 5120 c:\windows\Microsoft.NET\Framework\sbs_VsaVb7rt.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2002-07-19 18:52 . 2002-07-19 18:52 5120 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5632 c:\windows\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_iehost.dll
+ 2002-05-14 16:42 . 2002-05-14 16:42 5120 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2003-06-19 00:31 . 2003-06-19 00:31 6144 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OCRPS.DLL
+ 2002-08-21 12:13 . 2002-08-21 12:13 189952 c:\windows\system32\WISPTIS.EXE
+ 2001-08-17 22:36 . 2006-02-28 12:00 102457 c:\windows\system32\usrv42a.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 323641 c:\windows\system32\usrdtea.dll
+ 2004-06-08 23:08 . 2003-07-30 05:00 178176 c:\windows\system32\spool\drivers\w32x86\3\CNMUR56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 134656 c:\windows\system32\spool\drivers\w32x86\3\CNMUB56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 119808 c:\windows\system32\spool\drivers\w32x86\3\CNMSM56.EXE
+ 2004-06-08 23:08 . 2003-07-30 05:00 931328 c:\windows\system32\spool\drivers\w32x86\3\CNMSB56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 404480 c:\windows\system32\spool\drivers\w32x86\3\CNMDR56.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 147456 c:\windows\system32\spool\drivers\w32x86\3\CNMD556.DLL
+ 2000-04-04 00:52 . 2000-04-04 00:52 151552 c:\windows\system32\RDOCURS.DLL
+ 2001-08-08 20:23 . 2001-08-08 20:23 417792 c:\windows\system32\plussand.scr
+ 2001-08-08 20:23 . 2001-08-08 20:23 438272 c:\windows\system32\plusmcry.scr
+ 2001-08-08 20:23 . 2001-08-08 20:23 413696 c:\windows\system32\pluscirc.scr
+ 2001-08-17 22:36 . 2006-02-28 12:00 157696 c:\windows\system32\paqsp.dll
+ 2003-03-19 03:14 . 2003-03-19 03:14 499712 c:\windows\system32\msvcp71.dll
+ 2000-04-04 03:05 . 2000-04-04 03:05 118784 c:\windows\system32\msstdfmt.dll
+ 2000-05-11 20:06 . 2000-05-11 20:06 397312 c:\windows\system32\MSRDO20.DLL
+ 2002-01-05 11:36 . 2002-01-05 11:36 964608 c:\windows\system32\mfc70u.dll
+ 2002-01-05 11:48 . 2002-01-05 11:48 974848 c:\windows\system32\mfc70.dll
+ 2001-08-17 22:36 . 2006-02-28 12:00 147968 c:\windows\system32\mdwmdmsp.dll
+ 2002-08-21 12:10 . 2002-08-21 12:10 204800 c:\windows\system32\INKED.DLL
+ 2004-02-26 20:46 . 2004-02-26 20:46 446464 c:\windows\system32\HHActiveX.dll
+ 2001-12-15 13:01 . 2001-12-15 13:01 180992 c:\windows\system32\hdk3ct32.dll
+ 2001-08-17 14:02 . 2006-02-28 12:00 262528 c:\windows\system32\drivers\cinemst2.sys
+ 2001-12-15 13:01 . 2001-12-15 13:01 180992 c:\windows\system\hdk3ct16.dll
+ 2001-12-15 13:01 . 2001-12-15 13:01 105984 c:\windows\system\bivbx30.dll
+ 2004-07-15 18:23 . 2004-07-15 18:23 737280 c:\windows\Microsoft.NET\Framework\v1.1.4322\vbc.exe
+ 2004-07-15 21:31 . 2004-07-15 21:31 573440 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 819200 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 126976 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
+ 2004-07-15 21:31 . 2004-07-15 21:31 131072 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 323584 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
+ 2004-07-15 21:31 . 2004-07-15 21:31 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
+ 2004-07-15 21:31 . 2004-07-15 21:31 372736 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 466944 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2004-07-15 21:31 . 2004-07-15 21:31 303104 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
+ 2004-07-15 07:35 . 2004-07-15 07:35 319488 c:\windows\Microsoft.NET\Framework\v1.1.4322\SOS.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 122880 c:\windows\Microsoft.NET\Framework\v1.1.4322\shfusres.dll
+ 2003-02-21 02:09 . 2003-02-21 02:09 253952 c:\windows\Microsoft.NET\Framework\v1.1.4322\shfusion.dll
+ 2003-02-21 11:42 . 2003-02-21 11:42 348160 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_msvcr71.dll
+ 2004-07-15 07:25 . 2004-07-15 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_mscorjit.dll
+ 2004-07-15 07:24 . 2004-07-15 07:24 282624 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_fusion.dll
+ 2004-07-15 08:49 . 2004-07-15 08:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_aspnet_isapi.dll
+ 2003-02-21 11:42 . 2003-02-21 11:42 348160 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_msvcr71.dll
+ 2004-07-15 07:25 . 2004-07-15 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_mscorjit.dll
+ 2004-07-15 07:24 . 2004-07-15 07:24 282624 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_fusion.dll
+ 2004-07-15 08:49 . 2004-07-15 08:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_aspnet_isapi.dll
+ 2003-02-21 11:42 . 2003-02-21 11:42 348160 c:\windows\Microsoft.NET\Framework\v1.1.4322\msvcr71.dll
+ 2004-07-15 07:33 . 2004-07-15 07:33 143360 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
+ 2003-02-21 01:43 . 2003-02-21 01:43 131072 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscormmc.dll
+ 2004-07-15 07:32 . 2004-07-15 07:32 233472 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 299008 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
+ 2004-07-15 21:28 . 2004-07-15 21:28 720896 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
+ 2004-07-15 07:35 . 2004-07-15 07:35 196608 c:\windows\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
+ 2004-07-15 07:24 . 2004-07-15 07:24 282624 c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2003-02-21 02:16 . 2003-02-21 02:16 798720 c:\windows\Microsoft.NET\Framework\v1.1.4322\EventLogMessages.dll
+ 2003-02-21 17:21 . 2003-02-21 17:21 524288 c:\windows\Microsoft.NET\Framework\v1.1.4322\diasymreader.dll
+ 2004-07-15 18:23 . 2004-07-15 18:23 626688 c:\windows\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
+ 2002-07-29 18:11 . 2002-07-29 18:11 219136 c:\windows\Microsoft.NET\Framework\v1.1.4322\c_g18030.dll
+ 2003-02-21 12:04 . 2003-02-21 12:04 155648 c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\Vsavb7rtUI.dll
+ 2003-02-21 10:02 . 2003-02-21 10:02 131072 c:\windows\Microsoft.NET\Framework\v1.1.4322\1033\vbc7ui.dll
+ 2002-10-07 16:51 . 2002-10-07 16:51 221252 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWSTRUCT.DLL
+ 2002-10-07 16:50 . 2002-10-07 16:50 118847 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWRECE.DLL
+ 2002-10-07 16:51 . 2002-10-07 16:51 102467 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWORIENT.DLL
+ 2002-10-07 16:51 . 2002-10-07 16:51 147520 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWLAY32.DLL
+ 2002-10-07 16:51 . 2002-10-07 16:51 180289 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWCUTLIN.DLL
+ 2002-10-07 16:50 . 2002-10-07 16:50 241729 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TWCUTCHR.DLL
+ 2002-10-07 16:53 . 2002-10-07 16:53 106561 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\THOCRAPI.DLL
+ 2003-08-06 20:31 . 2003-08-06 20:31 362552 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SETLANG.EXE
+ 2003-07-15 05:57 . 2003-07-15 05:57 349248 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SELFCERT.EXE
+ 2003-07-21 18:46 . 2003-07-21 18:46 390712 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL
+ 2002-10-07 17:11 . 2002-10-07 17:11 167997 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PSOM.DLL
+ 2003-07-15 10:18 . 2003-07-15 10:18 430136 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL
+ 2003-07-15 05:43 . 2003-07-15 05:43 139320 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLPH.DLL
+ 2003-07-15 05:45 . 2003-07-15 05:45 196152 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLOOK.EXE
+ 2003-07-08 18:48 . 2003-07-08 18:48 115288 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
+ 2003-07-15 05:44 . 2003-07-15 05:44 102968 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL
+ 2003-07-15 10:14 . 2003-07-15 10:14 242240 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-15 10:14 . 2003-07-15 10:14 828472 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL
+ 2003-07-15 10:14 . 2003-07-15 10:14 283696 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OIS.EXE
+ 2003-07-15 06:00 . 2003-07-15 06:00 145984 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-24 05:40 . 2003-07-24 05:40 482872 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL
+ 2003-07-15 05:56 . 2003-07-15 05:56 124984 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE
+ 2003-07-15 06:02 . 2003-07-15 06:02 627256 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE
+ 2003-07-15 06:02 . 2003-07-15 06:02 637496 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSQRY32.EXE
+ 2003-06-19 23:05 . 2003-06-19 23:05 364648 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-06-19 23:05 . 2003-06-19 23:05 128104 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPSCAN.EXE
+ 2003-06-19 00:31 . 2003-06-19 00:31 788480 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPFILT.DLL
+ 2003-07-15 10:18 . 2003-07-15 10:18 376888 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-24 05:35 . 2003-07-24 05:35 127032 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL
+ 2003-07-15 10:14 . 2003-07-15 10:14 106552 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 120888 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2002-04-10 03:14 . 2002-04-10 03:14 187560 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL
+ 2002-12-18 02:08 . 2002-12-18 02:08 359600 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL
+ 2003-07-15 05:51 . 2003-07-15 05:51 116288 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSCONV97.DLL
+ 2003-07-15 05:58 . 2003-07-15 05:58 230968 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL
+ 2003-07-15 05:57 . 2003-07-15 05:57 124480 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSB1CORE.DLL
+ 2003-07-15 06:01 . 2003-07-15 06:01 445496 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MODHELP.DLL
+ 2003-07-15 05:46 . 2003-07-15 05:46 176696 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MIMEDIR.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 443904 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 252928 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 758784 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL
+ 2003-07-24 05:32 . 2003-07-24 05:32 121400 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IMPMAIL.DLL
+ 2003-07-15 05:53 . 2003-07-15 05:53 161336 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IETAG.DLL
+ 2003-07-26 02:14 . 2003-07-26 02:14 799288 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPWEC.DLL
+ 2003-07-15 05:40 . 2003-07-15 05:40 165944 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-07-15 05:40 . 2003-07-15 05:40 179768 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-15 06:36 . 2003-07-15 06:36 186424 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL
+ 2002-10-07 16:49 . 2002-10-07 16:49 192573 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FORM.DLL
+ 2003-07-31 22:19 . 2003-07-31 22:19 131648 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ENVELOPE.DLL
+ 2003-07-15 10:14 . 2003-07-15 10:14 350264 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL
+ 2003-07-15 10:18 . 2003-07-15 10:18 141360 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ATP.DLL
+ 2004-06-08 23:08 . 2003-07-30 05:00 1470976 c:\windows\system32\spool\drivers\w32x86\3\CNMUI56.DLL
+ 2001-09-02 04:29 . 2001-09-02 04:29 7090176 c:\windows\system32\plusspac.scr
+ 2001-09-02 04:29 . 2001-09-02 04:29 3325952 c:\windows\system32\plusnatr.scr
+ 2001-09-02 04:29 . 2001-09-02 04:29 1687552 c:\windows\system32\plusmpix.scr
+ 2001-09-02 04:29 . 2001-09-02 04:29 5058560 c:\windows\system32\plusdavn.scr
+ 2001-07-10 20:35 . 2001-07-10 20:35 1126400 c:\windows\system32\plusaqar.scr
+ 2001-08-18 05:36 . 2001-08-18 05:36 1135616 c:\windows\system32\ntbackup.exe
+ 2003-03-19 04:12 . 2003-03-19 04:12 1047552 c:\windows\system32\mfc71u.dll
+ 2001-09-06 04:00 . 2001-09-06 04:00 1700352 c:\windows\system32\gdiplus.dll
+ 2004-07-15 15:15 . 2004-07-15 15:15 1032192 c:\windows\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
+ 2004-07-15 21:29 . 2004-07-15 21:29 1339392 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-07-15 21:32 . 2004-07-15 21:32 2052096 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2004-07-15 21:29 . 2004-07-15 21:29 1703936 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
+ 2004-07-15 21:32 . 2004-07-15 21:32 1294336 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
+ 2004-07-15 07:28 . 2004-07-15 07:28 2502656 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_mscorwks.dll
+ 2004-07-15 07:26 . 2004-07-15 07:26 2510848 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_mscorsvr.dll
+ 2004-07-15 21:29 . 2004-07-15 21:29 2138112 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2680\_mscorlib.dll
+ 2004-07-15 07:28 . 2004-07-15 07:28 2502656 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_mscorwks.dll
+ 2004-07-15 07:26 . 2004-07-15 07:26 2510848 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_mscorsvr.dll
+ 2004-07-15 21:29 . 2004-07-15 21:29 2138112 c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2204\_mscorlib.dll
+ 2003-02-21 14:25 . 2003-02-21 14:25 1564672 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorcfg.dll
+ 2003-04-30 18:52 . 2003-04-30 18:52 1581120 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\XPAGE3C.DLL
+ 2002-10-07 17:03 . 2002-10-07 17:03 1794113 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\XIMAGE3B.DLL
+ 2003-07-03 22:19 . 2003-07-03 22:19 2502656 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2003-08-03 17:52 . 2003-08-03 17:52 2808376 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL
+ 2003-07-31 22:21 . 2003-07-31 22:21 1782840 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE
+ 2003-07-30 19:40 . 2003-07-30 19:40 6133312 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE
+ 2003-08-01 22:09 . 2003-08-01 22:09 8086072 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OWC11.DLL
+ 2003-08-10 06:06 . 2003-08-10 06:06 7522360 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLLIB.DLL
+ 2003-07-07 20:36 . 2003-07-07 20:36 2058343 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2003-07-15 06:05 . 2003-07-15 06:05 1054264 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
+ 2003-06-19 00:31 . 2003-06-19 00:31 1033216 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2003-07-11 09:15 . 2003-07-11 09:15 1292872 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2002-12-18 02:09 . 2002-12-18 02:09 2071752 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL
+ 2002-12-18 02:08 . 2002-12-18 02:08 1383592 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL
+ 2003-07-15 06:11 . 2003-07-15 06:11 2139192 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE
+ 2003-07-26 02:00 . 2003-07-26 02:00 1157696 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPSRVUTL.DLL
+ 2003-07-24 06:01 . 2003-07-24 06:01 1949240 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL
+ 2003-08-03 17:56 . 2003-08-03 17:56 1146184 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FM20.DLL
+ 2003-08-06 20:24 . 2003-08-06 20:24 12037688 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE
+ 2003-08-08 07:23 . 2003-08-08 07:23 12172336 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSO.DLL
+ 2003-08-13 09:34 . 2003-08-13 09:34 10073144 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]
"Google Update"="c:\documents and settings\Bob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"monitr32"="c:\program files\Canon\MultiPASS4\monitr32.exe" [2001-08-22 311296]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"WFXSwtch"="c:\progra~1\NORTON~2\WinFax\WFXSWTCH.exe" [2001-08-08 26624]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-08-08 43520]
"QD FastAndSafe"="c:\program files\Norton CleanSweep\QDCSFS.exe" [1999-04-15 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\apitrap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 6:30 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 6:30 AM 476528]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [3/31/2008 12:29 PM 135168]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/11/2010 7:07 PM 206608]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/19/2010 12:43 PM 582992]
S3 1a1daa2b-b24f-489e-be4b-7ac1335746d5;1a1daa2b-b24f-489e-be4b-7ac1335746d5;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 6:29 AM 35448]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/11/2010 7:07 PM 206608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{B39F330D-4347-4AF3-BA8D7E3C9C5B73FF}
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1482476501-839522115-1004Core.job
- c:\documents and settings\Bob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-29 01:47]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1482476501-839522115-1004UA.job
- c:\documents and settings\Bob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-29 01:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.primericaonline.com/Login
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\3miunwz3.alt\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 09:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\apitrap.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\apitrap.dll
.
Completion time: 2010-06-17 10:00:16
ComboFix-quarantined-files.txt 2010-06-17 17:00
ComboFix2.txt 2010-06-17 06:30

Pre-Run: 6,980,263,936 bytes free
Post-Run: 7,130,411,008 bytes free

- - End Of File - - 358559F23625497430228E29F6F7B09B
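As an added triage helper, not part of this thread or of ComboFix, the Python below parses the "Reg Loading Points" layout of the log above and lists the structural review points an analyst checks by hand: an AppInit_DLLs value, Security Center monitoring switched off, Run values that are bare file names, service lines where the log records "[?]" instead of file metadata, and svchost NetSvcs entries that are bare GUIDs. The flags are prompts for manual review, not verdicts; the sample excerpt is constructed from entries in the posted log, and any flagged entry may be legitimate software.

```python
import re

# Constructed excerpt of a ComboFix "Reg Loading Points" section in the layout
# of the log above; the entries themselves are copied from that posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"monitr32"="c:\program files\Canon\MultiPASS4\monitr32.exe" [2001-08-22 311296]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-08-08 43520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\apitrap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S3 1a1daa2b-b24f-489e-be4b-7ac1335746d5;1a1daa2b-b24f-489e-be4b-7ac1335746d5;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{B39F330D-4347-4AF3-BA8D7E3C9C5B73FF}
"""

KEY_RE = re.compile(r'^\[(HK[^\]]*)\]$', re.I)   # [HKEY_...] section header
SERVICE_RE = re.compile(r'^([RS]\d)\s+(.+)$')    # R1/S3 driver and service lines
GUID_RE = re.compile(r'^\{[0-9A-F-]+\}$', re.I)   # a {GUID} on a line of its own

def split_meta(text):
    """Split 'value [meta]' into (value, meta); meta is None when absent."""
    body, sep, meta = text.strip().rpartition(' [')
    return (body.strip(), meta[:-1]) if sep and meta.endswith(']') else (text.strip(), None)

def triage(log_text):
    """Return (category, detail) review points for an excerpt in this layout."""
    # Every flag is a structural property an analyst checks by hand, not a
    # verdict: each entry flagged from the sample may be legitimate software.
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            section = key.group(1)
            continue
        if line.lower().endswith('svchost - netsvcs'):
            section = 'NETSVCS'
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            parts = svc.group(2).split(';', 2)   # name;display;path [meta]
            if len(parts) == 3 and split_meta(parts[2])[1] == '?':
                findings.append(('service-nofile', f'service {parts[0]} has no file metadata recorded for {split_meta(parts[2])[0]}'))
            continue
        if section == 'NETSVCS' and GUID_RE.match(line):
            findings.append(('netsvcs', f'svchost NetSvcs entry is a bare GUID rather than a service name: {line}'))
            continue
        if section and line.startswith('"'):
            name, _, rest = line.partition('=')
            name = name.strip('"')
            value = split_meta(rest)[0].strip('"')
            low = section.lower()
            leaf = section.rsplit('\\', 1)[-1]
            if name.lower() == 'appinit_dlls' and value:
                findings.append(('appinit', f'AppInit_DLLs loads {value} into every process that links user32.dll'))
            elif 'security center' in low and name == 'DisableMonitoring' and value.endswith('1'):
                findings.append(('seccenter', f'Security Center monitoring disabled for {leaf}'))
            elif '\\run' in low and value and '\\' not in value:
                findings.append(('run-bare', f'Run value {name} is a bare file name ({value}), resolved via the search path'))
    return findings

if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'[{category}] {detail}')
```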


#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2010 - 01:31 PM

Greetings

That looks very good but still some things to clear up

clean-up help asst
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
CODE
helpasst -cleanup
  • click ok

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Driver::
{B39F330D-4347-4AF3-BA8D7E3C9C5B73FF}

NetSvc::
{B39F330D-4347-4AF3-BA8D7E3C9C5B73FF}


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 bcoleinaz
  • Topic Starter
  • Members
  • 50 posts

Posted 17 June 2010 - 03:07 PM

While ComboFix is running, I just received the following message:
-----------
There's a newer version of ComboFix available.
Would you like to update ComboFix?
[Yes] [No]
------------
Should I update it?



