Spyware infection (iexplorer.exe?) - hijacking browsers


  • This topic is locked
20 replies to this topic

#1 NYCRockstar


Posted 25 July 2010 - 04:28 PM

Hi there... I've been struggling to remove some particularly nasty spyware from my computer this weekend -- with no real results.

Both IE and Firefox keep getting hijacked and rerouted: when I use any search engine and click on the results, the browser drives to unwanted websites. Usually it's something like asklots.com or something like that.

Tried AdAware and Anti-Malware (with RKill), MULTIPLE times, in Safe Mode and in Standard Mode. This is my "last-ditch option", so many thanks in advance if you can help. I've followed the "Prep Guide" as carefully as possible, but please let me know if you need any more info from my end. Also, please feel free to tell me if there's anything else showing in these files that you'd recommend I take care of to keep my system running tip-top.

Thanks again!

-Roger

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Roger at 18:04:10.07 on Sat 07/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.104 [GMT -4:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe 4
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Roger\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Venturi Configurator] c:\program files\venturi2\configurator\ventcfg.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
Trusted Zone: intuit.com\ttlc
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141508434421
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roger\applic~1\mozilla\firefox\profiles\hw17pgw4.default\
FF - plugin: c:\documents and settings\roger\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\roger\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\roger\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-7 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-7-24 30320]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11904]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-7-24 24400]
S2 $sys$DRMServer;Plug and Play Device Manager;c:\windows\system32\$sys$filesystem\$sys$drmserver.exe --> c:\windows\system32\$sys$filesystem\$sys$DRMServer.exe [?]
S2 CD_Proxy;XCP CD Proxy;c:\windows\CDProxyServ.exe [2004-6-22 167936]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-7-24 6384592]
S2 gupdate1c984a1504838a2;Google Update Service (gupdate1c984a1504838a2);c:\program files\google\update\GoogleUpdate.exe [2009-2-1 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\ashley~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\ashley~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-7-24 61752]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2005-3-25 40064]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-11-3 11520]
S4 SessionLauncher;SessionLauncher;c:\docume~1\roger\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\roger\locals~1\temp\dx9\SessionLauncher.exe [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2010-07-25 01:14:13 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 21:12:56 98816 ----a-w- c:\windows\sed.exe
2010-07-24 21:12:56 77312 ----a-w- c:\windows\MBR.exe
2010-07-24 21:12:56 256512 ----a-w- c:\windows\PEV.exe
2010-07-24 21:12:56 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 21:12:31 0 d-s---w- C:\ComboFix
2010-07-24 20:52:34 68120 ----a-w- c:\windows\system32\PxSecure.dll
2010-07-24 20:52:29 61752 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-07-24 20:52:29 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-07-24 20:52:27 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-07-24 20:52:26 0 d-----w- c:\program files\Prevx
2010-07-24 20:52:12 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-07-24 07:34:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-21 18:02:39 0 d-----w- c:\program files\LucasArts
2010-07-21 18:02:26 299520 ----a-w- c:\windows\uninst.exe
2010-07-21 18:02:22 0 d-----w- c:\documents and settings\roger\WINDOWS
2010-07-21 15:52:40 0 dc-h--w- c:\windows\ie8
2010-07-20 18:35:52 0 d-----w- c:\program files\iPod
2010-07-19 15:56:15 2385 ----a-w- c:\documents and settings\roger\.recently-used.xbel

==================== Find3M ====================

2010-07-13 22:31:18 100536 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2004-08-04 08:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll

============= FINISH: 18:06:06.82 ===============


-Roger

Attached Files


Edited by NYCRockstar, 25 July 2010 - 05:15 PM.
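
The DDS log above is the only evidence in the thread before MBRCheck runs, and its SERVICES / DRIVERS section already carries the entries a responder would look at first: the `$sys$`-prefixed drivers and the "XCP CD Proxy" service (the `$sys$` prefix is the file-name convention the Sony BMG XCP copy-protection driver hid from directory listings), services whose image sits in a `\temp\` folder, and registrations whose file DDS could not find (`--> ... [?]`). As an added example, not part of the original post or of DDS, the Python below parses those quoted lines and attaches review flags. The `R`/`S` letter and digit are read as DDS prints them (running/stopped and service start type); the flags themselves are this example's heuristics, so whether the XCP entries are live or leftover is not something the code, or the thread, settles.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# DDS "SERVICES / DRIVERS" lines, quoted from the log posted above.
# Format: <R|S><start type> <service name>;<display name>;<image path> [<file date> <size>]
# When DDS cannot find the file it prints "<configured path> --> <resolved path> [?]".
DDS_SERVICE_LINES = [
    r"R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 18432]",
    r"R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11904]",
    r"R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]",
    r"S2 $sys$DRMServer;Plug and Play Device Manager;c:\windows\system32\$sys$filesystem\$sys$drmserver.exe --> c:\windows\system32\$sys$filesystem\$sys$DRMServer.exe [?]",
    r"S2 CD_Proxy;XCP CD Proxy;c:\windows\CDProxyServ.exe [2004-6-22 167936]",
    r"S2 pciinfo;HP Pci Information;\??\c:\docume~1\ashley~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\ashley~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]",
    r"S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]",
    r"S4 SessionLauncher;SessionLauncher;c:\docume~1\roger\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\roger\locals~1\temp\dx9\SessionLauncher.exe [?]",
]

ENTRY_RE = re.compile(r"^([RS])([0-4]) ([^;]*);([^;]*);(.*)$")
FILEINFO_RE = re.compile(r"^(.*?) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    file_found: bool
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> ServiceEntry:
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DDS service line: {line!r}")
    state, start, name, display, rest = m.groups()
    if rest.endswith("[?]"):
        path = rest[:-3].strip()
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()   # keep the path DDS actually looked for
        return ServiceEntry(state == "R", int(start), name, display, path, False, None)
    fm = FILEINFO_RE.match(rest)
    if not fm:
        raise ValueError(f"unrecognised file info in: {line!r}")
    path, _date, size = fm.groups()
    return ServiceEntry(state == "R", int(start), name, display, path, True, int(size))


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review flags; these are this example's heuristics, not DDS output."""
    p = entry.path.lower()
    # "$sys$" is the file-name prefix the Sony BMG XCP copy-protection driver hid from
    # directory listings; "XCP CD Proxy" is that software's own service display name.
    if "$sys$" in (entry.name + p).lower() or "xcp" in entry.display.lower():
        entry.flags.append("xcp_marker")
    if "\\temp\\" in p:
        entry.flags.append("temp_path")        # services should not run out of a temp folder
    if not entry.file_found:
        entry.flags.append("missing_file")     # orphaned registration or a hidden/cloaked file
    if entry.start_type <= 1 and p.endswith(".sys") and "\\drivers\\" not in p:
        entry.flags.append("early_driver_outside_drivers_dir")
    return entry


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map service name -> flags for every entry that raised at least one flag."""
    results = {}
    for line in lines:
        entry = triage(parse_entry(line))
        if entry.flags:
            results[entry.name] = entry.flags
    return results


if __name__ == "__main__":
    for name, flags in triage_log(DDS_SERVICE_LINES).items():
        print(f"{name:20s} {', '.join(flags)}")
```

Run stand-alone it prints seven flagged services and leaves the Ad-Aware service alone; the `missing_file` flag on a `$sys$` entry is the one to treat with care, since a cloaking driver that is still loaded makes a present file look absent to user-mode tools.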



#2 m0le

  • Malware Response Team
  • Location: London, UK

Posted 03 August 2010 - 06:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 NYCRockstar


Posted 04 August 2010 - 09:46 AM

Hi there! Thanks for getting back to me... I am indeed here, and awaiting your instructions.

#4 m0le


Posted 04 August 2010 - 05:31 PM

Let's begin with a check on your system.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 NYCRockstar


Posted 04 August 2010 - 06:21 PM

Log Attached and posted -- looks like it picked up a problem:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0002005c

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF8972000 \WINDOWS\system32\KDCOM.DLL
0xF8882000 \WINDOWS\system32\BOOTVID.dll
0xF8343000 ACPI.sys
0xF8974000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8332000 pci.sys
0xF8472000 isapnp.sys
0xF8482000 ohci1394.sys
0xF8492000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8886000 compbatt.sys
0xF888A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8A3A000 pciide.sys
0xF86F2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8976000 intelide.sys
0xF8978000 viaide.sys
0xF897A000 aliide.sys
0xF8314000 pcmcia.sys
0xF84A2000 MountMgr.sys
0xF82F5000 ftdisk.sys
0xF897C000 dmload.sys
0xF82CF000 dmio.sys
0xF888E000 ACPIEC.sys
0xF8A3B000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF86FA000 PartMgr.sys
0xF8702000 pxscan.sys
0xF84B2000 VolSnap.sys
0xF82B7000 atapi.sys
0xF84C2000 disk.sys
0xF84D2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8297000 fltmgr.sys
0xF8285000 sr.sys
0xF84E2000 Lbd.sys
0xF84F2000 PxHelp20.sys
0xF826E000 KSecDD.sys
0xF825B000 WudfPf.sys
0xF81CE000 Ntfs.sys
0xF81A1000 NDIS.sys
0xF8187000 Mup.sys
0xF870A000 $sys$cor.sys
0xF8532000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7815000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF773B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7727000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF87CA000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7703000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF87D2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF74E8000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF8552000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF74A8000 \SystemRoot\system32\drivers\smwdm.sys
0xF7484000 \SystemRoot\system32\drivers\portcls.sys
0xF8562000 \SystemRoot\system32\drivers\drmk.sys
0xF7461000 \SystemRoot\system32\drivers\ks.sys
0xF7441000 \SystemRoot\system32\drivers\aeaudio.sys
0xF733C000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF87DA000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8572000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF87E2000 \SystemRoot\System32\drivers\pxkbf.sys
0xF87EA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF730E000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF89FC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF87F2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF893E000 \??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
0xF8582000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8592000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF85A2000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF87FA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF8946000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF894A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF8ABB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8802000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF880A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF85B2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8952000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF72F7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF85C2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF85E2000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF72E6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF85F2000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF8812000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF881A000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF8602000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF72B6000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF8612000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF89FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7258000 \SystemRoot\system32\DRIVERS\update.sys
0xF896A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8622000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7C97000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF899A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA9873000 \SystemRoot\System32\Drivers\Null.SYS
0xF899C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF87BA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF87C2000 \SystemRoot\System32\drivers\vga.sys
0xF899E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF89A0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAA2EE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAA2E6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7238000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA84FA000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA84A1000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8479000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7230000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA8457000 \SystemRoot\System32\drivers\afd.sys
0xAA745000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9CF7000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA83DC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8344000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9CE7000 \SystemRoot\System32\Drivers\Fips.SYS
0xA831E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA6D3C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA6D2C000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF89E4000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xA59C3000 \SystemRoot\System32\Drivers\ClntMgmt.sys
0x9EAF4000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0x9E7A9000 \SystemRoot\System32\drivers\Dxapi.sys
0x9EA10000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF8B68000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9E4000 \SystemRoot\System32\ialmdnt5.dll
0xBF9D6000 \SystemRoot\System32\ialmrnt5.dll
0xBFA06000 \SystemRoot\System32\ialmdev5.DLL
0xBFA37000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7CE7000 \SystemRoot\System32\drivers\pxrts.sys
0x9DC86000 \SystemRoot\system32\DRIVERS\irda.sys
0x9F502000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9DB81000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9C67000 \SystemRoot\system32\drivers\sysaudio.sys
0x9D9E6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA5364000 \SystemRoot\System32\drivers\aspi32.sys
0x9D905000 \SystemRoot\System32\Drivers\HTTP.sys
0x9D836000 \SystemRoot\system32\DRIVERS\srv.sys
0xA58DC000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9D14E000 \SystemRoot\system32\DRIVERS\wdcsam.sys
0x9CDFD000 \SystemRoot\System32\Drivers\Udfs.SYS
0x9CB9C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
916 C:\WINDOWS\system32\smss.exe
976 csrss.exe
1000 C:\WINDOWS\system32\winlogon.exe
1048 C:\WINDOWS\system32\services.exe
1060 C:\WINDOWS\system32\lsass.exe
1240 C:\WINDOWS\system32\svchost.exe
1324 svchost.exe
1472 C:\WINDOWS\system32\svchost.exe
1608 C:\WINDOWS\system32\svchost.exe
1652 C:\WINDOWS\system32\svchost.exe
1724 svchost.exe
1884 C:\WINDOWS\system32\svchost.exe
1944 svchost.exe
260 C:\WINDOWS\explorer.exe
756 C:\WINDOWS\system32\spoolsv.exe
808 scardsvr.exe
1380 C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
1716 svchost.exe
1816 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1832 C:\Program Files\Bonjour\mDNSResponder.exe
1876 C:\WINDOWS\CDProxyServ.exe
592 C:\WINDOWS\system32\svchost.exe
880 C:\WINDOWS\system32\svchost.exe
1132 C:\Program Files\Java\jre6\bin\jqs.exe
1760 C:\WINDOWS\system32\svchost.exe
1960 C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
2116 C:\WINDOWS\system32\svchost.exe
2252 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
2380 C:\WINDOWS\system32\svchost.exe
2460 C:\Program Files\Viewpoint\Common\ViewpointService.exe
2500 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
2576 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
3212 unsecapp.exe
3344 alg.exe
3432 C:\WINDOWS\system32\ctfmon.exe
3456 C:\WINDOWS\system32\wscntfy.exe
3572 C:\Program Files\Venturi2\Configurator\ventcfg.exe
3612 C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
3620 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
3628 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3788 wmiprvse.exe
4084 C:\Program Files\Venturi2\Client\VentC.exe
1172 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
2884 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3400 C:\Program Files\iPod\bin\iPodService.exe
1744 C:\Documents and Settings\Roger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
3388 C:\Documents and Settings\Roger\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\R: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541060G9AT00, Rev: MB3OA60A
PhysicalDrive1 Model Number: WDMy Book 1111, Rev: 1030

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 4973D7019145FF4B8F768E312288EA01106B0E8F
930 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Attached Files
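
The MBRCheck output above identifies each drive's MBR by a SHA1 and shows C: starting at offset 0x7e00 on PhysicalDrive0, which is LBA 63 (63 × 512 bytes): the classic XP layout, leaving 62 unpartitioned sectors between the MBR and the first partition. As an added example, not part of the thread and not MBRCheck's code, the Python below builds a constructed 64-sector disk image, parses the MBR's partition table and 0x55AA signature, hashes the boot-code area against known-good and known-bad sets, and then inspects those gap sectors, where MBR bootkits in general keep their saved copy of the original MBR and their later stages. Two assumptions: the hash here covers the first 440 bytes (the thread does not show what MBRCheck hashes, so the SHA1s in the log cannot be reproduced), and all boot code, hash sets and sector contents are constructed stand-ins rather than real Windows or bootkit bytes.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440            # boot code area; the 4-byte disk signature follows at 0x1B8
TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510-511


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x2A4B6C8D) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, start_lba, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for bootable, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    mbr = boot_code.ljust(CODE_LEN, b"\x00") + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG
    if len(mbr) != SECTOR:
        raise ValueError("boot code too long or too many partitions")
    return mbr


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        flag, _, ptype, _, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype:
            parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                          "start_lba": start, "byte_offset": start * SECTOR, "sectors": count})
    return {"signature_ok": mbr[510:] == BOOT_SIG,
            "code_sha1": sha1_hex(mbr[:CODE_LEN]),
            "partitions": parts}


def classify(mbr: bytes, known_good: set, known_bad: set) -> str:
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid-signature"
    if info["code_sha1"] in known_bad:
        return "known-bad"
    return "known-good" if info["code_sha1"] in known_good else "unknown"


def gap_sectors(disk: bytes, first_lba: int) -> list:
    """LBAs between the MBR and the first partition that hold anything but zeros."""
    return [lba for lba in range(1, first_lba) if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]


def stashed_mbr_copies(disk: bytes, first_lba: int) -> list:
    """Gap sectors that end in 0x55AA and carry the live partition table: a saved original MBR."""
    live_table = disk[TABLE_OFF:TABLE_OFF + 64]
    return [lba for lba in gap_sectors(disk, first_lba)
            if disk[lba * SECTOR + 510:(lba + 1) * SECTOR] == BOOT_SIG
            and disk[lba * SECTOR + TABLE_OFF:lba * SECTOR + TABLE_OFF + 64] == live_table]


# Constructed sample: one bootable NTFS (0x07) partition at LBA 63, so C: starts at 63 * 512 = 0x7E00
# as in the MBRCheck output. Boot code bytes are stand-ins, not real Windows or bootkit code.
PARTS = [(True, 0x07, 63, 115_000_000)]
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
BOOTKIT_CODE = b"\xeb\x3c" + b"HOOKED13" * 4
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
BOOTKIT_MBR = build_mbr(BOOTKIT_CODE, PARTS)
KNOWN_GOOD = {sha1_hex(CLEAN_MBR[:CODE_LEN])}   # stands in for MBRCheck's list of stock MBRs
KNOWN_BAD = {sha1_hex(BOOTKIT_MBR[:CODE_LEN])}  # stands in for its known-bad list


def make_disk(mbr: bytes, stash: dict) -> bytes:
    """64-sector image: MBR, 62 gap sectors, first partition sector; `stash` writes data into gap LBAs."""
    sectors = [mbr] + [b"\x00" * SECTOR] * 62 + [b"NTFS volume (constructed)".ljust(SECTOR, b"\x00")]
    for lba, data in stash.items():
        sectors[lba] = data.ljust(SECTOR, b"\x00")
    return b"".join(sectors)


CLEAN_DISK = make_disk(CLEAN_MBR, {})
INFECTED_DISK = make_disk(BOOTKIT_MBR, {60: CLEAN_MBR, 61: b"stage-2 loader (constructed)"})

if __name__ == "__main__":
    for label, disk in (("clean", CLEAN_DISK), ("infected", INFECTED_DISK)):
        mbr = disk[:SECTOR]
        print(label, classify(mbr, KNOWN_GOOD, KNOWN_BAD), hex(parse_mbr(mbr)["partitions"][0]["byte_offset"]),
              "gap:", gap_sectors(disk, 63), "stashed MBR at:", stashed_mbr_copies(disk, 63))
```

The gap scan is the part worth keeping in mind when reading the rest of the thread: rewriting sector 0 (what MBRCheck's fix and `fixmbr` do) removes the hook but leaves whatever the bootkit stored in the gap, so a second MBRCheck run after the repair is the right check, and a non-empty gap on a disk that should have none is a reason to keep looking.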



#6 m0le


Posted 04 August 2010 - 06:24 PM

Yes, bad, bad, bad.

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR: If you do not have a recovery disk then please burn one as shown here


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


#7 NYCRockstar


Posted 04 August 2010 - 09:36 PM

I've attached both reports - the initial fix, and post-reboot. Unfortunately, I don't think it got fixed.

Next steps?

-Roger

Attached Files



#8 m0le


Posted 05 August 2010 - 11:20 AM

Locate your XP disk. If you can't find it then follow the instructions to burn one below.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.


    When you have the disk do the following:
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. They can be different, however, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type fixmbr and hit enter.

Type exit to exit and restart your PC.


Now please rerun MBRCheck and let's see if that's shifted it.
m0le is a proud member of UNITE
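What the MBRCheck and fixmbr steps above are really testing is whether the boot code in sector 0 is still the code Windows wrote there. The script below is an added illustration, not part of this thread and not MBRCheck's own code: it parses a 512-byte MBR, checks its structure, and compares the boot-code bytes against a known-good SHA-256. The sample sectors and the baseline hash are constructed inside the script; on a real system the baseline would be captured from a known-clean disk or from the sector right after fixmbr has rewritten it.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: executable boot code on a classic MBR
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510         # 0x55 0xAA marks a valid MBR


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only. The disk signature (bytes 440..445) and the
    partition table differ per machine, so they are left out of the baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(sector: bytes) -> list:
    """Return the four partition-table entries as dicts (unused entries have type 0)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    return entries


def check_mbr(sector: bytes, known_good_sha256: str) -> dict:
    """Sanity-check one sector and compare its boot code to a known-good hash."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        problems.append("sector is not 512 bytes")
        return {"problems": problems, "matches_baseline": False}
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        problems.append("partition status byte is neither 0x00 nor 0x80")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partition entries overlap")
            break
    digest = boot_code_hash(sector)
    matches = digest == known_good_sha256
    if not matches:
        # A bootkit typically patches bytes 0..439 and leaves the partition table
        # intact, which is exactly the case a structural check alone would miss.
        problems.append("boot code does not match the known-good baseline")
    return {"boot_code_sha256": digest, "partitions": parts,
            "matches_baseline": matches, "problems": problems}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic 512-byte MBR for demonstration (not from any real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # one active NTFS (type 0x07) partition starting at LBA 63, 2,000,000 sectors long
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 2_000_000)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples: a "clean" sector and a copy whose first bytes were altered,
# the kind of change a bootkit leaves behind while keeping the partition table.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10)
_patched = bytearray(CLEAN_MBR)
_patched[0:4] = b"\xeb\x3c\x90\x90"          # simulated boot-code modification
PATCHED_MBR = bytes(_patched)
# Baseline hash, here taken from the clean sample; in practice captured from a
# known-clean disk or right after fixmbr has rewritten sector 0.
BASELINE_SHA256 = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        result = check_mbr(sector, BASELINE_SHA256)
        print(name, "OK" if not result["problems"] else result["problems"])
```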

#9 NYCRockstar

NYCRockstar
  • Topic Starter

  • Members
  • 17 posts

Posted 05 August 2010 - 12:44 PM

Okay, I've done that -- it appears that something's changed, but not completely clear yet. What's next?

-Roger

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 August 2010 - 04:05 PM

That has done the trick and the bootkit has been overwritten with the correct code. Good job, that isn't an easy step.

Please run Combofix next

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#11 NYCRockstar

NYCRockstar
  • Topic Starter

  • Members
  • 17 posts

Posted 06 August 2010 - 03:33 PM

Hi there-

I did as you instructed, but neglected to save the log. Because of this, I ran ComboFix again, and this time made sure to save the log. It follows, and is attached.

-Roger

ComboFix 10-08-06.01 - Roger 08/06/2010 16:01:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.67 [GMT -4:00]
Running from: c:\documents and settings\Roger\Desktop\ComFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-07-28 19:01 . 2010-07-28 19:01 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-07-28 19:01 . 2010-07-28 19:01 -------- d-----w- c:\program files\theRenamer
2010-07-24 23:17 . 2010-07-24 23:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-24 23:01 . 2010-07-24 23:01 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-24 07:34 . 2010-07-24 07:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-24 07:17 . 2010-07-24 07:17 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\Sunbelt Software
2010-07-21 18:02 . 2010-07-21 18:12 -------- d-----w- c:\program files\LucasArts
2010-07-21 18:02 . 1997-01-18 14:40 299520 ----a-w- c:\windows\uninst.exe
2010-07-21 18:02 . 2010-07-21 18:02 -------- d-----w- c:\documents and settings\Roger\WINDOWS
2010-07-21 16:10 . 2010-07-21 16:10 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-21 15:52 . 2010-07-21 15:55 -------- dc-h--w- c:\windows\ie8
2010-07-20 20:50 . 2010-07-21 15:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\aqcjpogcx
2010-07-20 18:35 . 2010-07-20 18:35 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 02:11 . 2006-10-17 15:26 -------- d-----w- c:\program files\Lavasoft
2010-08-05 02:11 . 2008-07-02 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-05 02:08 . 2006-10-05 21:23 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-08-05 00:55 . 2010-04-13 16:06 -------- d-----w- c:\documents and settings\Roger\Application Data\uTorrent
2010-07-28 15:26 . 2010-02-12 15:11 -------- d-----w- c:\documents and settings\Roger\Application Data\vlc
2010-07-25 01:04 . 2006-10-26 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 01:04 . 2008-06-18 03:50 -------- d-----w- c:\documents and settings\Roger\Application Data\Azureus
2010-07-23 22:30 . 2009-09-17 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 14:06 . 2008-08-06 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 18:37 . 2008-07-11 20:01 -------- d-----w- c:\program files\iTunes
2010-07-20 18:35 . 2008-06-15 21:31 -------- d-----w- c:\program files\Common Files\Apple
2010-07-19 15:56 . 2008-08-06 16:42 -------- d-----w- c:\documents and settings\Roger\Application Data\gtk-2.0
2010-07-16 00:50 . 2010-03-08 23:27 -------- d-----w- c:\documents and settings\Roger\Application Data\TeamViewer
2010-07-13 22:31 . 2008-07-14 22:42 100536 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-09 23:43 . 2006-03-05 02:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-06 18:30 . 2009-03-17 16:48 -------- d-----w- c:\program files\Bonjour
2010-07-06 18:27 . 2009-11-04 17:10 -------- d-----w- c:\program files\Safari
2010-06-26 04:59 . 2009-05-21 17:55 -------- d-----w- c:\program files\Coupons
2010-06-16 02:53 . 2010-06-16 02:46 -------- d-----w- c:\documents and settings\Roger\Application Data\HandBrake
2010-06-16 02:45 . 2010-06-16 02:45 -------- d-----w- c:\program files\Handbrake
2010-06-02 22:21 . 2008-06-11 17:25 137128 ----a-w- c:\documents and settings\Roger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-03-09 18:20 . 2009-03-09 18:20 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-09 18:20 . 2009-03-09 18:20 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2004-08-04 08:00 . 2004-08-04 08:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 08:00 50688 --sh--w- c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"Venturi Configurator"="c:\program files\Venturi2\Configurator\ventcfg.exe" [2004-03-08 680063]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-04-08 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 19:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Documents and Settings\\Roger\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Roger\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Deusty\\Mojo\\Mojo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/6/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 3:57 AM 11904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 2:32 PM 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 3:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 10:58 AM 20480]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c984a1504838a2;Google Update Service (gupdate1c984a1504838a2);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2009 3:14 PM 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [3/25/2005 1:11 PM 40064]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [10/25/2001 10:54 AM 18864]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 1:26 PM 80384]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/3/2009 6:17 PM 11520]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 19:14]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 19:14]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3922070885-39105403-2408477782-1006.job
- c:\documents and settings\Roger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 18:55]

2010-08-05 c:\windows\Tasks\User_Feed_Synchronization-{A71BCB10-DEDE-4083-B3CB-B3796A469CDC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Roger\Application Data\Mozilla\Firefox\Profiles\hw17pgw4.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,d9,3f,b9,55,54,2b,4f,9e,ea,5d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,d9,3f,b9,55,54,2b,4f,9e,ea,5d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 16:26:07
ComboFix-quarantined-files.txt 2010-08-06 20:26
ComboFix2.txt 2010-08-06 17:53

Pre-Run: 4,716,695,552 bytes free
Post-Run: 4,686,356,480 bytes free

- - End Of File - - EBE159CAACBBFD614A5E42F54F91BEBC

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 August 2010 - 12:22 AM

Please run Combofix again using the following instructions

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\aqcjpogcx

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
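Reading the ComboFix log by hand is what the CFScript above comes out of. The script below is an added example (not ComboFix's own code and not from this thread) that applies two of the same checks mechanically to the log's "Reg Loading Points" service lines and "Files Created" directory lines: driver or service images that load from a Temp directory or that ComboFix marks with [?] because the file is not on disk, and lowercase random-looking folders created under a service-account profile, such as the aqcjpogcx entry the CFScript removes. The sample lines are copied from the log posted earlier in the thread; both rules are heuristics that point at entries worth a look, not verdicts.

```python
import re

# Service/driver lines in the "Reg Loading Points" section look like
#   <state> <name>;<display name>;<image path> [<date> <size>]
# or, when ComboFix cannot find the file,
#   <state> <name>;<display name>;<registry path> --> <resolved path> [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Directory lines in "Files Created" carry "--------" where files show a size.
CREATED_DIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+-+\s+d\S+\s+(?P<path>.+)$")
SERVICE_ACCOUNT_PROFILES = ("\\localservice\\", "\\networkservice\\", "\\systemprofile\\")


def triage_service_line(line: str):
    """Return a finding dict for one service/driver line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")                   # ComboFix could not stat the file
    path = rest.split(" --> ")[-1]                    # prefer the resolved path when printed
    path = re.sub(r"\s+\[[^\]]*\]$", "", path).strip('"')
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("image loads from a Temp directory")
    if missing:
        reasons.append("image file not found on disk (orphaned entry)")
    return {"kind": "service", "state": m.group("state"), "name": m.group("name"),
            "path": path, "reasons": reasons}


def triage_created_dir_line(line: str):
    """Return a finding dict for one created-directory line, or None if it is not one."""
    m = CREATED_DIR_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    leaf = path.rsplit("\\", 1)[-1]
    reasons = []
    # Heuristic: legitimate vendor folders under service-account profiles almost
    # always carry a brand name with capitals, dots or spaces (e.g. PrivacIE);
    # a bare lowercase token like aqcjpogcx is what dropped loaders tend to use.
    if any(p in path.lower() for p in SERVICE_ACCOUNT_PROFILES) and re.fullmatch(r"[a-z]{6,}", leaf):
        reasons.append("lowercase random-looking folder created under a service-account profile")
    return {"kind": "dir", "name": leaf, "path": path, "reasons": reasons}


def triage_log(text: str) -> list:
    """Run both rules over a log and return only the entries that picked up a reason."""
    findings = []
    for line in text.splitlines():
        hit = triage_service_line(line) or triage_created_dir_line(line)
        if hit and hit["reasons"]:
            findings.append(hit)
    return findings


# Sample lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-07-24 23:01 . 2010-07-24 23:01 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-20 20:50 . 2010-07-21 15:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\aqcjpogcx
R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/6/2004 10:11 AM 18432]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 3:31 PM 98304]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['kind']:7} {f['name']:16} {'; '.join(f['reasons'])}")
```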

#13 NYCRockstar

NYCRockstar
  • Topic Starter

  • Members
  • 17 posts

Posted 08 August 2010 - 04:43 PM

Log below. What's next?

===========================

ComboFix 10-08-06.01 - Roger 08/08/2010 17:05:56.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.208 [GMT -4:00]
Running from: c:\documents and settings\Roger\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Roger\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\aqcjpogcx

.
((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-07-28 19:01 . 2010-07-28 19:01 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-07-28 19:01 . 2010-07-28 19:01 -------- d-----w- c:\program files\theRenamer
2010-07-24 23:17 . 2010-07-24 23:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-24 23:01 . 2010-07-24 23:01 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-24 07:34 . 2010-07-24 07:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-24 07:17 . 2010-07-24 07:17 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\Sunbelt Software
2010-07-21 18:02 . 2010-07-21 18:12 -------- d-----w- c:\program files\LucasArts
2010-07-21 18:02 . 1997-01-18 14:40 299520 ----a-w- c:\windows\uninst.exe
2010-07-21 18:02 . 2010-07-21 18:02 -------- d-----w- c:\documents and settings\Roger\WINDOWS
2010-07-21 16:10 . 2010-07-21 16:10 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-21 15:52 . 2010-07-21 15:55 -------- dc-h--w- c:\windows\ie8
2010-07-20 18:35 . 2010-07-20 18:35 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 02:11 . 2006-10-17 15:26 -------- d-----w- c:\program files\Lavasoft
2010-08-05 02:11 . 2008-07-02 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-05 02:08 . 2006-10-05 21:23 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-08-05 00:55 . 2010-04-13 16:06 -------- d-----w- c:\documents and settings\Roger\Application Data\uTorrent
2010-07-28 15:26 . 2010-02-12 15:11 -------- d-----w- c:\documents and settings\Roger\Application Data\vlc
2010-07-25 01:04 . 2006-10-26 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 01:04 . 2008-06-18 03:50 -------- d-----w- c:\documents and settings\Roger\Application Data\Azureus
2010-07-23 22:30 . 2009-09-17 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 14:06 . 2008-08-06 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 18:37 . 2008-07-11 20:01 -------- d-----w- c:\program files\iTunes
2010-07-20 18:35 . 2008-06-15 21:31 -------- d-----w- c:\program files\Common Files\Apple
2010-07-19 15:56 . 2008-08-06 16:42 -------- d-----w- c:\documents and settings\Roger\Application Data\gtk-2.0
2010-07-16 00:50 . 2010-03-08 23:27 -------- d-----w- c:\documents and settings\Roger\Application Data\TeamViewer
2010-07-13 22:31 . 2008-07-14 22:42 100536 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-09 23:43 . 2006-03-05 02:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-06 18:30 . 2009-03-17 16:48 -------- d-----w- c:\program files\Bonjour
2010-07-06 18:27 . 2009-11-04 17:10 -------- d-----w- c:\program files\Safari
2010-06-26 04:59 . 2009-05-21 17:55 -------- d-----w- c:\program files\Coupons
2010-06-16 02:53 . 2010-06-16 02:46 -------- d-----w- c:\documents and settings\Roger\Application Data\HandBrake
2010-06-16 02:45 . 2010-06-16 02:45 -------- d-----w- c:\program files\Handbrake
2010-06-02 22:21 . 2008-06-11 17:25 137128 ----a-w- c:\documents and settings\Roger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-03-09 18:20 . 2009-03-09 18:20 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-09 18:20 . 2009-03-09 18:20 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2004-08-04 08:00 . 2004-08-04 08:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-04 08:00 50688 --sh--w- c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-06_20.16.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-08 20:59 . 2010-08-08 20:59 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
- 2004-08-07 13:14 . 2010-04-15 04:00 68616 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:14 . 2010-08-08 20:54 68616 c:\windows\system32\perfc009.dat
+ 2008-11-25 08:59 . 2008-11-25 08:59 31560 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2010-08-08 21:02 . 2010-08-08 21:02 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2010-08-08 21:22 . 2010-08-08 21:22 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2010-08-08 21:13 . 2010-08-08 21:13 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2010-08-08 20:57 . 2010-08-08 20:57 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2010-08-08 20:56 . 2010-08-08 20:56 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2010-08-08 21:11 . 2010-08-08 21:11 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-04-15 03:59 . 2010-04-15 03:59 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2004-08-07 13:14 . 2010-04-15 04:00 436268 c:\windows\system32\perfh009.dat
+ 2004-08-07 13:14 . 2010-08-08 20:54 436268 c:\windows\system32\perfh009.dat
+ 2008-11-25 08:59 . 2008-11-25 08:59 436040 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 364872 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2008-12-13 13:58 . 2008-12-13 13:58 754688 c:\windows\Installer\340b1.msp
+ 2010-04-15 04:00 . 2010-04-15 04:00 303104 c:\windows\assembly\temp\QZ6DKRY5CJ\System.Runtime.Remoting.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2010-08-08 21:02 . 2010-08-08 21:02 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bf92bc207f927cbbd6dfc9dc0c3eae68\WindowsFormsIntegration.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\6f488b7644dc50a083868e91a4014466\UIAutomationTypes.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2fbf25609b704061a93500efa6f241d\UIAutomationClient.ni.dll
+ 2010-08-08 21:24 . 2010-08-08 21:24 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\e7666364bf9f3ba5f4833c9efedd8218\System.Web.Routing.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d0070c1c1a642ae30394e00bc0d82336\System.Web.DynamicData.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\1896753d02d146be1988d32241300f51\System.Web.Abstractions.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\408e637346ef628a3f54fb1b9b83ac9f\System.Transactions.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll
+ 2010-08-08 21:09 . 2010-08-08 21:09 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ca6d7208c0fb72ff97429f2636ced321\System.Drawing.Design.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll
+ 2010-08-08 21:13 . 2010-08-08 21:13 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2010-08-08 21:11 . 2010-08-08 21:11 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2010-08-08 21:00 . 2010-08-08 21:00 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96f74da5fc40b92f09069230bc0df4f0\PresentationFramework.Royale.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bb4d16b042b72c2c85a0f8ac9d48f28\PresentationFramework.Luna.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\30c5c2682d3c5bdaa83bb9a36ee48afa\PresentationFramework.Aero.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07e952efd70f5608e221a008e6231ace\PresentationFramework.Classic.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2010-08-08 21:11 . 2010-08-08 21:11 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\a17c65f0cffaa4f792dd38d50df9d526\ComSvcConfig.ni.exe
+ 2010-08-08 21:11 . 2010-08-08 21:11 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-04-14 16:37 . 2010-04-14 16:37 139264 c:\windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 139264 c:\windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 229376 c:\windows\assembly\GAC_MSIL\System.Web.DynamicData\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-04-14 16:37 . 2010-04-14 16:37 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll
- 2010-04-14 16:37 . 2010-04-14 16:37 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-12-05 23:35 . 2008-12-05 23:35 1736528 c:\windows\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll
+ 2008-12-06 00:12 . 2008-12-06 00:12 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
- 2008-07-29 23:16 . 2008-07-29 23:16 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\204d6e5b335134f23ca37638b9227ecf\WindowsBase.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0f2ed6a204eb13841e99b77025464afc\UIAutomationClientsideProviders.ni.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll
+ 2010-08-08 21:23 . 2010-08-08 21:23 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll
+ 2010-08-08 21:23 . 2010-08-08 21:23 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll
+ 2010-08-08 21:23 . 2010-08-08 21:23 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll
+ 2010-08-08 21:22 . 2010-08-08 21:22 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ea07ac791bb5cb9f83679e3dd1a0c0cc\System.Web.Services.ni.dll
+ 2010-08-08 21:17 . 2010-08-08 21:17 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\981dea02bc63c0c083e335adf9018788\System.Web.Extensions.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\99594bae1d022502925f5b9dfcdaae9a\System.Speech.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll
+ 2010-08-08 21:09 . 2010-08-08 21:09 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\e5313735a40c0800f116e27fba4754db\System.Printing.ni.dll
+ 2010-08-08 21:09 . 2010-08-08 21:09 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2010-08-08 21:02 . 2010-08-08 21:02 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2010-08-08 21:01 . 2010-08-08 21:01 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2010-08-08 21:14 . 2010-08-08 21:14 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll
+ 2010-08-08 21:01 . 2010-08-08 21:01 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\32788c58ff9f8324460604cf1fe7681b\System.Data.Linq.ni.dll
+ 2010-08-08 21:13 . 2010-08-08 21:13 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\c0a42d2ad8a4078040b334f6770ea11f\System.Core.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
+ 2010-08-08 21:11 . 2010-08-08 21:11 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2010-08-08 21:15 . 2010-08-08 21:15 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2010-08-08 21:12 . 2010-08-08 21:12 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2010-04-14 16:38 . 2010-04-14 16:38 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
- 2010-04-14 16:35 . 2010-04-14 16:35 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-04-15 03:59 . 2010-04-15 03:59 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-04-14 16:36 . 2010-04-14 16:36 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2010-08-08 20:56 . 2010-08-08 20:56 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-08-08 20:54 . 2010-08-08 20:54 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-04-15 04:00 . 2010-04-15 04:00 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-08-08 20:53 . 2010-08-08 20:53 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-12-13 14:21 . 2008-12-13 14:21 10473472 c:\windows\Installer\340a6.msp
+ 2010-08-08 21:02 . 2010-08-08 21:02 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2010-08-08 21:16 . 2010-08-08 21:16 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll
+ 2010-08-08 21:10 . 2010-08-08 21:10 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
+ 2010-08-08 21:01 . 2010-08-08 21:01 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8b82e08c008924d51833cb0884bcbfc5\System.Design.ni.dll
+ 2010-08-08 21:00 . 2010-08-08 21:00 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\58c7ac6b6054038dc9346d7ec8e32b4c\PresentationFramework.ni.dll
+ 2010-08-08 20:57 . 2010-08-08 20:57 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\94badbd64df59de7da249f71da38b1c2\PresentationCore.ni.dll
+ 2010-08-08 20:55 . 2010-08-08 20:55 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"Venturi Configurator"="c:\program files\Venturi2\Configurator\ventcfg.exe" [2004-03-08 680063]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-04-08 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 19:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Documents and Settings\\Roger\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Roger\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Deusty\\Mojo\\Mojo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/6/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 3:57 AM 11904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 2:32 PM 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 3:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 10:58 AM 20480]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c984a1504838a2;Google Update Service (gupdate1c984a1504838a2);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2009 3:14 PM 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [3/25/2005 1:11 PM 40064]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [10/25/2001 10:54 AM 18864]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 1:26 PM 80384]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/3/2009 6:17 PM 11520]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 19:14]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 19:14]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3922070885-39105403-2408477782-1006.job
- c:\documents and settings\Roger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 18:55]

2010-08-08 c:\windows\Tasks\User_Feed_Synchronization-{A71BCB10-DEDE-4083-B3CB-B3796A469CDC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Roger\Application Data\Mozilla\Firefox\Profiles\hw17pgw4.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-08 17:37:44
ComboFix-quarantined-files.txt 2010-08-08 21:37
ComboFix2.txt 2010-08-06 20:26
ComboFix3.txt 2010-08-06 17:53

Pre-Run: 4,474,474,496 bytes free
Post-Run: 4,359,065,600 bytes free

- - End Of File - - 5C795F8D3E9D09EE47E07B5F85333BD6
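The service and driver lines in the log above (the `R0`/`S2` block) have a regular shape that lends itself to automated triage. The following is an added example written for this page; it is not a tool from the thread or from ComboFix. It parses those lines and flags the ones a responder would look at first: file missing on disk, path under a Temp directory, the `$sys$` name prefix, and early-start drivers outside `system32\drivers`. The rule names and thresholds are the author's assumptions; the sample input is copied from the log above.

```python
"""Triage of the service/driver section of a ComboFix log.

Added example; not a tool from the thread. It parses lines of the form

    R0 name;display name;path [date time size]
    S2 name;display name;path --> resolved path [?]

where R/S means running/stopped, the digit is the Windows start type
(0 boot, 1 system, 2 auto, 3 manual, 4 disabled) and "[?]" means ComboFix
could not find the file on disk. The flag rules are the author's own
heuristics, not anything ComboFix itself reports.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: service lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/6/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 3:57 AM 11904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 2:32 PM 24652]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c984a1504838a2;Google Update Service (gupdate1c984a1504838a2);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2009 3:14 PM 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\ASHLEY~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [3/25/2005 1:11 PM 40064]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Roger\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<paths>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)       # any ...\Temp\... component
DRIVERS_DIR = "\\windows\\system32\\drivers\\"              # where early-start drivers belong


@dataclass
class Entry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)


def resolve_path(paths: str) -> str:
    """ComboFix prints 'as registered --> as resolved'; keep the resolved form,
    minus surrounding quotes and the NT-namespace '\\??\\' prefix."""
    target = paths.split("-->")[-1].strip().strip('"')
    if target.startswith("\\??\\"):
        target = target[4:]
    return target


def parse_services(text: str) -> list:
    """Return one Entry per service/driver line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            name=m["name"],
            display=m["display"],
            running=m["state"] == "R",
            start_type=START_TYPES[m["start"]],
            path=resolve_path(m["paths"]),
            file_missing=m["meta"].strip() == "?",
        ))
    return entries


def triage(entries: list) -> list:
    """Attach flags to each entry. Each rule is a reason to look, not a verdict."""
    for e in entries:
        low = e.path.lower()
        if e.file_missing:
            # Orphaned entry: the registry still points at a file that is gone.
            # Typical leftover of a removal that skipped the registry.
            e.flags.append("file-missing")
        if TEMP_DIR_RE.search(low):
            # Services and drivers do not belong under a user's Temp folder.
            e.flags.append("temp-path")
        if e.name.lower().startswith("$sys$"):
            # '$sys$' is the prefix the Sony BMG XCP copy-protection rootkit
            # used for the files its cloaking driver hid from the user.
            e.flags.append("sys-prefix")
        if e.start_type in ("boot", "system") and DRIVERS_DIR not in low:
            # Boot/system-start drivers normally live in system32\drivers.
            e.flags.append("early-start-outside-drivers")
    return entries


def flagged(entries: list) -> dict:
    """name -> flags, for entries that triggered at least one rule."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(triage(parse_services(SAMPLE_LOG))).items():
        print(f"{name:24} {', '.join(flags)}")
```

On the sample this flags `pciinfo` and `SessionLauncher` (Temp paths, files gone), `Lbd` and `RoxLiveShare10` (orphaned entries) and the two `$sys$` drivers, while Viewpoint, Google Update and the AirPrime modem driver pass. A flag only orders the review: an orphaned entry for a security product's own driver, or a support tool's helper driver left in Temp, trips the same rules as a dropper, so each hit still needs the file, its signer and its install history checked.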


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 08 August 2010 - 05:30 PM

Next please run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#15 NYCRockstar

NYCRockstar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 08 August 2010 - 10:17 PM

There was some malware that was found and quarantined... I've attached the log, and copied it below.

ALSO, Windows wants to install some updated software, but I haven't let it yet, as per your earlier instructions. Please let me know if I can let it update.

---------------------------
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1289\A0157988.sys Win32/Olmarik.ZC trojan cleaned - quarantined

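All three ESET detections in the log above are stored copies rather than files Windows loads from: one in ComboFix's `Qoobox\Quarantine`, one in Spybot's `Recovery` folder and one in a System Restore point. The following is an added example, not part of the thread or of ESET, that makes that distinction mechanically so a live hit stands out from a quarantined one. It assumes the exported ESET log is tab-separated (path, threat, action), and the location rules are the author's own.

```python
"""Classify ESET Online Scanner detections by where the file lived.

Added example; not part of the thread or of ESET. Assumes the exported log
has three tab-separated columns (path, threat name, action taken). The
location rules below are the author's own.
"""
import re
from collections import Counter

# Constructed sample: the three detections from the post above, re-joined
# with tabs as the exported log is assumed to carry them.
SAMPLE_ESET = (
    "C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy"
    "\\Recovery\\WinZBot.zip\tWin32/Bagle.gen.zip worm\tcleaned by deleting - quarantined\n"
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\atapi.sys.vir"
    "\tWin32/Olmarik.ZC trojan\tcleaned - quarantined\n"
    "C:\\System Volume Information\\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}"
    "\\RP1289\\A0157988.sys\tWin32/Olmarik.ZC trojan\tcleaned - quarantined\n"
)

# Locations where a detection is a stored copy, not something the OS executes.
LOCATION_RULES = [
    ("combofix-quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)),
    ("spybot-recovery", re.compile(r"\\spybot - search & destroy\\recovery\\", re.I)),
    ("system-restore", re.compile(r"^[a-z]:\\system volume information\\_restore", re.I)),
]


def classify(path: str) -> str:
    """Return the matching location label, or 'live' if none applies."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "live"


def parse_eset(text: str) -> list:
    """Parse tab-separated detection lines; lines without 3 columns are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        path, threat, action = (p.strip() for p in parts)
        rows.append({"path": path, "threat": threat, "action": action,
                     "location": classify(path)})
    return rows


def live_detections(rows: list) -> list:
    """Detections outside any quarantine or restore location."""
    return [r for r in rows if r["location"] == "live"]


def summary(rows: list) -> dict:
    """Count of detections per location label."""
    return dict(Counter(r["location"] for r in rows))


if __name__ == "__main__":
    rows = parse_eset(SAMPLE_ESET)
    print(summary(rows))
    for r in live_detections(rows):
        print("LIVE:", r["path"], r["threat"])
```

On the sample, `live_detections` is empty and the summary shows one hit in each stored location. The same file path under `C:\WINDOWS\system32\drivers\` would classify as `live`, which is the case that warrants a fresh rootkit scan rather than a quarantine cleanup.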