Google Redirect on Firefox. Possibly TDL3 Rootkit.


This topic is locked. 40 replies to this topic.

#1 ajviper (Members)

Posted 24 April 2011 - 02:05 AM

My main issue is with redirects from Google to random sites. I am running No Script and No Redirect currently but when disabled I get the redirect. I have scanned with Avira, Spybot, Malwarebytes and SuperAntiSpyware Pro, but the problem still persists.
I'm fairly experienced with computers but this one has me stumped. Also, I normally run FF with AdBlockPlus. Thanks AJ

I am having issues with GMER causing my machine to run out of memory so I will just post the DDS logs for now. I will continue to try to get a GMER log.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by AJ at 17:35:40.14 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2141 [GMT -6:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
F:\My Documents\Downloads\Defogger.exe
F:\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-2 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-2 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 ct20xflt;ct20xflt;c:\windows\system32\drivers\ct20xflt.sys [2009-7-14 1811224]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-12-1 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-12-1 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-12-1 73752]
R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [2009-12-1 1227800]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2009-12-3 347648]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys --> c:\windows\system32\drivers\chdrvr01.sys [?]
S3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys --> c:\windows\system32\drivers\chdrvr03.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-1 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-12-1 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-12-1 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-12-1 73752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6f.tmp --> c:\windows\system32\6F.tmp [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 zrgysg;zrgysg; [x]
.
=============== Created Last 30 ================
.
2011-04-23 22:23:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-23 21:36:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-23 21:36:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-22 03:32:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-22 03:32:28 -------- d-----w- c:\docume~1\aj\applic~1\SUPERAntiSpyware.com
2011-04-22 03:32:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-22 03:23:12 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-21 15:56:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-21 15:02:33 -------- d-----w- c:\program files\Sophos
2011-04-20 22:53:57 -------- d-sha-r- C:\cmdcons
2011-04-20 12:34:39 -------- d-----w- c:\docume~1\aj\locals~1\applic~1\Help
2011-04-20 03:57:10 2 --shatr- c:\windows\winstart.bat
2011-04-20 03:57:06 -------- d-----w- c:\program files\UnHackMe
2011-04-20 01:52:41 7805 ----a-w- c:\program files\mozilla firefox\null0.39250089835776225.exe
2011-04-20 00:29:13 -------- d-----w- c:\program files\PC Tools Security
2011-04-19 22:49:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-19 14:41:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-19 14:41:53 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-19 14:41:53 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-19 14:41:53 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-19 14:41:53 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-19 14:41:53 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-19 14:41:53 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-19 14:41:53 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-19 04:02:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-19 04:02:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 03:49:31 -------- d---a-w- C:\cmdcons(2)
2011-04-14 09:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 09:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-08 11:28:58 41872 ----a-w- c:\windows\system32\xfcodec.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 19:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06:28 11080704 ----a-w- c:\windows\system32\ieframe(2).dll
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 00:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST31000520AS rev.CC32 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B8274F0]<<
c:\docume~1\aj\locals~1\temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b82d7d0]; MOV EAX, [0x8b82d84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B908AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007f[0x8B8709E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B855940]
\Driver\atapi[0x8B71B938] -> IRP_MJ_CREATE -> 0x8B8274F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B82733B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:36:39.40 ===============

Edited by ajviper, 24 April 2011 - 11:40 AM.
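The GMER block at the end of the DDS log above reads the MBR both from user mode and from the kernel, disassembles its first bytes (the stock XP MBR prologue: XOR AX,AX; MOV SS,AX; MOV SP,0x7C00 ... REP MOVSB; RETF) and reports the atapi DriverStartIo hook. As an added example that is not part of the original post or of GMER's code, the Python below checks a raw 512-byte MBR the way an analyst would offline: it validates the 0x55AA signature, parses the partition table, compares the boot code against a known-good hash set and the XP prologue, and measures unallocated space after the last partition, which is where bootkits of the TDL family keep their hidden file system. The sample sectors, the 1 TB sector count and the known-good hash set are constructed for the example and are assumptions, not data from the log.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510

# Leading bytes of the stock Windows XP MBR, matching the disassembly GMER
# printed above: XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; STI; PUSH AX; POP ES;
# PUSH AX; POP DS; CLD; MOV SI,0x7C1B; MOV DI,0x061B; PUSH AX; PUSH DI;
# MOV CX,0x1E5; REP MOVSB; RETF
XP_MBR_PROLOGUE = bytes.fromhex(
    "33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB"
)


def parse_mbr(sector):
    """Split a 512-byte sector into boot code, used partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
    }


def audit_mbr(sector, disk_sectors, known_boot_hashes, tail_threshold=1024):
    """Return a list of findings for one MBR; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest not in known_boot_hashes:
        findings.append("boot code SHA-256 %s... not in known-good set" % digest[:16])
    if not mbr["boot_code"].startswith(XP_MBR_PROLOGUE):
        findings.append("boot code does not begin with the stock XP prologue")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in mbr["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap at LBA %d" % start_b)
    # Sectors past the last partition are where bootkits of the TDL family
    # keep their hidden file system; a large unallocated tail deserves a look.
    last_end = max((end for _, end in spans), default=0)
    tail = disk_sectors - last_end
    if tail > tail_threshold:
        findings.append("%d unallocated sectors after the last partition" % tail)
    return findings


def build_sample_mbr(boot_code, partitions):
    """Constructed test sector: boot code padded to 446 bytes, then up to 4 entries."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in partitions:
        sector += struct.pack("<B3xB3xII", status, ptype, lba, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += b"\x55\xAA"
    return bytes(sector)


# Assumed geometry: a 1 TB drive like the ST31000520AS in the log, in 512-byte sectors.
DISK_SECTORS = 1953525168

# Clean sample (constructed): XP prologue plus NOP padding, one NTFS partition
# covering the whole disk. Its hash stands in for a real known-good set.
CLEAN_BOOT = XP_MBR_PROLOGUE + b"\x90" * (BOOT_CODE_LEN - len(XP_MBR_PROLOGUE))
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT, [(0x80, 0x07, 63, DISK_SECTORS - 63)])
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT).hexdigest()}

# Tampered sample (constructed): foreign boot code (a far jump) and a partition
# table shrunk to leave 4096 sectors free at the end of the disk.
TAMPERED_BOOT = b"\xEA\x00\x7C\x00\x00" + b"\x00" * (BOOT_CODE_LEN - 5)
TAMPERED_MBR = build_sample_mbr(
    TAMPERED_BOOT, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 4096)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, audit_mbr(mbr, DISK_SECTORS, KNOWN_GOOD) or ["OK"])
```

On a live Windows machine the sector would come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator. A kernel-mode hook like the atapi DriverStartIo one GMER reports can hand a clean copy of the MBR to exactly that kind of read, which is why GMER compares a user-mode read with a kernel-level one ("user & kernel MBR OK") rather than trusting either on its own; for a trustworthy baseline, image the disk from boot media and run the check against the image.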



#2 ajviper (Topic Starter)

Posted 24 April 2011 - 11:40 AM

My GMER log is too large to fit attached or pasted in. These are the parts with ROOTKIT issues.

---- Services - GMER 1.0.15 ----

Service C:\Program Files\Java\jre6\bin\jqs.exe [MANUAL] JavaQuickStarterService <-- ROOTKIT !!!
Service C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [MANUAL] IDriverT <-- ROOTKIT !!!
Service C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [MANUAL] odserv <-- ROOTKIT !!!
Service C:\Program Files\Google\Update\GoogleUpdate.exe [AUTO] gupdate <-- ROOTKIT !!!
Service C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [MANUAL] aspnet_state <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [MANUAL] clr_optimization_v2.0.50727_32 <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [MANUAL] idsvc <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [DISABLED] NetTcpPortSharing <-- ROOTKIT !!!
Service c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [MANUAL] FontCache3.0.0.0 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by ajviper, 24 April 2011 - 11:58 AM.


#3 heir (Malware Response Team)

Posted 24 April 2011 - 02:14 PM

Welcome to BC.

I'm heir and I'll be helping you with this.

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donation link.


#4 ajviper (Topic Starter)

Posted 24 April 2011 - 02:41 PM

Here is the TDSS Killer Log.
2011/04/24 13:21:12.0546 0268 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/24 13:21:14.0546 0268 ================================================================================
2011/04/24 13:21:14.0546 0268 SystemInfo:
2011/04/24 13:21:14.0546 0268
2011/04/24 13:21:14.0546 0268 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/24 13:21:14.0546 0268 Product type: Workstation
2011/04/24 13:21:14.0546 0268 ComputerName: AJ-21773AC2865B
2011/04/24 13:21:14.0546 0268 UserName: AJ
2011/04/24 13:21:14.0546 0268 Windows directory: C:\WINDOWS
2011/04/24 13:21:14.0546 0268 System windows directory: C:\WINDOWS
2011/04/24 13:21:14.0546 0268 Processor architecture: Intel x86
2011/04/24 13:21:14.0546 0268 Number of processors: 8
2011/04/24 13:21:14.0546 0268 Page size: 0x1000
2011/04/24 13:21:14.0546 0268 Boot type: Normal boot
2011/04/24 13:21:14.0546 0268 ================================================================================
2011/04/24 13:21:14.0921 0268 Initialize success
2011/04/24 13:21:19.0546 3096 ================================================================================
2011/04/24 13:21:19.0546 3096 Scan started
2011/04/24 13:21:19.0546 3096 Mode: Manual;
2011/04/24 13:21:19.0546 3096 ================================================================================
2011/04/24 13:21:21.0406 3096 ================================================================================
2011/04/24 13:21:21.0406 3096 Scan finished
2011/04/24 13:21:21.0406 3096 ================================================================================
2011/04/24 13:21:58.0734 2340 Deinitialize success

I had to attach the combofix log in a zip because it was too large. I hope that is ok with you. If not I can split it up in multiple posts.

ComboFix 11-04-24.01 - AJ 04/24/2011 13:30:51.4.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2858 [GMT -6:00]
Running from: f:\my documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-23 22:23 . 2011-04-23 22:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-23 21:36 . 2011-04-23 22:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\documents and settings\AJ\Application Data\SUPERAntiSpyware.com
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-22 03:23 . 2011-04-22 03:23 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-21 15:02 . 2011-04-21 15:02 -------- d-----w- c:\program files\Sophos
2011-04-20 12:34 . 2011-04-20 12:34 -------- d-----w- c:\documents and settings\AJ\Local Settings\Application Data\Help
2011-04-20 03:57 . 2011-04-23 23:03 2 --shatr- c:\windows\winstart.bat
2011-04-20 03:57 . 2011-04-23 23:03 -------- d-----w- c:\program files\UnHackMe
2011-04-20 01:52 . 2011-04-20 01:52 7805 ----a-w- c:\program files\Mozilla Firefox\null0.39250089835776225.exe
2011-04-20 00:29 . 2011-04-20 03:34 -------- d-----w- c:\program files\PC Tools Security
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-04-19 18:41 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-04-19 14:41 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-19 14:41 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-19 14:41 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-19 14:41 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-19 14:41 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-19 14:41 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-19 14:41 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-19 14:41 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-19 04:02 . 2011-04-19 04:02 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-08 11:28 . 2011-04-08 11:28 41872 ----a-w- c:\windows\system32\xfcodec.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-08 02:04 . 2009-12-15 03:43 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-03-07 05:33 . 2009-12-01 23:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 19:39 . 2011-03-05 19:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37 . 2004-08-10 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2009-03-08 11:39 11080704 ----a-w- c:\windows\system32\ieframe(2).dll
2011-02-22 11:41 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 23:36 . 2009-12-02 20:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 23:36 . 2009-12-02 20:43 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2004-08-10 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-12-02 02:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33 . 2004-08-10 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 00:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2009-12-01 23:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-12-01 23:31 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-18 17:53 . 2011-04-19 14:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-23_21.48.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-24 18:29 . 2011-04-24 18:29 16384 c:\windows\temp\Perflib_Perfdata_660.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-07-14 24576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\documents and settings\AJ\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2011-4-8 3510160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 19:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamSpeak 3 Client\\ts3client_win32.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2009 2:45 PM 108289]
R3 ct20xflt;ct20xflt;c:\windows\system32\drivers\ct20xflt.sys [7/14/2009 3:53 AM 1811224]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/1/2009 6:35 PM 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/1/2009 6:35 PM 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/1/2009 6:35 PM 73752]
R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [12/1/2009 6:35 PM 1227800]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [12/3/2009 7:10 PM 347648]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:50 PM 135664]
S3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys --> c:\windows\system32\DRIVERS\chdrvr01.sys [?]
S3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\DRIVERS\chdrvr03.sys --> c:\windows\system32\DRIVERS\chdrvr03.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/1/2009 6:34 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/1/2009 6:35 PM 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/1/2009 6:35 PM 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/1/2009 6:35 PM 73752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6F.tmp --> c:\windows\system32\6F.tmp [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 4:49 PM 34384]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 zrgysg;zrgysg; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:50]
.
2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\jfrk7i11.default\
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST31000520AS rev.CC32 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B83033B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6F.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-24 13:38:54
ComboFix-quarantined-files.txt 2011-04-24 19:38
.
Pre-Run: 953,952,862,208 bytes free
Post-Run: 954,128,838,656 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9F49D2B90594576A46989F639D5088A6


Attached file: log.zip (4.52 KB)

Edited by heir, 25 April 2011 - 04:36 PM: pasted in log.
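The service/driver tables in the DDS log in the first post and in the ComboFix log above share one line format, and a few entries stand out by shape alone: `S4 zrgysg;zrgysg; [x]` has no image path at all, `MEMSWEEP2` points at a `.tmp` file under system32, and the boot-start `TfFsMon`/`TFSysMon` drivers resolve to files that are not on disk. As an added example that is not part of the original posts or of DDS, ComboFix or any other tool named in this thread, the Python below parses those lines and scores them with a few rule-of-thumb checks. The severity labels, the suspect-directory list and the "random-looking name" heuristic are my own assumptions; stale entries left behind by scanners run during a cleanup will trigger them too, so a hit is a lead to check against the registry and the file system, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity service reason")

# Service/driver lines in the DDS and ComboFix format seen in the logs above:
#   <state> <name>;<display>;<image path> [<date> <size>]
#   <state> <name>;<display>;<registry path> --> <resolved path> [?]   file not on disk
#   <state> <name>;<display>; [x]                                      no image path at all
# <state> is R (running) or S (stopped) plus the start type 0-4 (0 = boot start).
LINE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
VOWELS = set("aeiou")
# Assumed list of places a legitimate driver or service image should not live.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")


def parse_service_line(line):
    """Return a dict for one service/driver line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    no_image = rest == "[x]"
    missing = rest.endswith("[?]")
    path = ""
    if not no_image:
        # Drop the trailing "[...]" block, then keep the resolved path after "-->" if present.
        body = rest.rsplit("[", 1)[0].strip()
        path = body.split("-->")[-1].strip()
    return {"state": m.group("state"), "name": m.group("name").strip(),
            "display": m.group("display").strip(), "path": path,
            "missing": missing, "no_image": no_image}


def looks_random(name):
    """Crude heuristic for generated names: 5+ lowercase letters, no vowels, no digits."""
    return (len(name) >= 5 and name.isalpha() and name.islower()
            and not (set(name) & VOWELS))


def audit_services(lines):
    """Run the checks over log lines and return a list of Finding tuples."""
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        name, path = svc["name"], svc["path"].lower()
        if svc["no_image"]:
            findings.append(Finding("high", name, "service has no image path"))
        if svc["missing"]:
            # A boot-start (S0/R0) driver loads before any AV, so a missing file there matters more.
            sev = "high" if svc["state"][1] == "0" else "medium"
            findings.append(Finding(sev, name, "image file not found on disk (%s)" % svc["state"]))
        if path.endswith(".tmp") or any(d in path for d in SUSPECT_DIRS):
            findings.append(Finding("high", name, "image in a temp or profile location: %s" % path))
        if looks_random(name):
            findings.append(Finding("low", name, "service name looks machine-generated"))
    return findings


# Sample input: five lines copied verbatim from the DDS log in the first post.
SAMPLE_LOG = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-2 11608]
R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [2009-12-1 1227800]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6f.tmp --> c:\windows\system32\6F.tmp [?]
S4 zrgysg;zrgysg; [x]
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit_services(SAMPLE_LOG):
        print("%-6s %-10s %s" % (f.severity, f.service, f.reason))
```

Feed it the whole log (`audit_services(open("dds.txt").read().splitlines())`) and it ignores every non-service line; on the five sample lines it reports nothing for the Avira and Creative drivers, a high for the boot-start driver with no file, medium plus high for the `.tmp`-backed entry, and high plus low for the name-only entry.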


#5 heir (Malware Response Team)

Posted 25 April 2011 - 04:42 PM

Step 1.
Bootcheck:

Please download BootCheck.exe to your desktop.

  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

Step 2.
MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 3.
Things I would like to see in your reply:


  • The content of Bootcheck.txt from step 1.
  • The content of the report from MBRCheck in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#6 ajviper (Topic Starter)

Posted 25 April 2011 - 07:32 PM

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x8B815000 \WINDOWS\system32\KDCOM.DLL
0xB84BC000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AA000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB7EF1000 jraid.sys
0xB7ED9000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EB9000 fltmgr.sys
0xB7EA7000 sr.sys
0xB8118000 PxHelp20.sys
0xB7E90000 KSecDD.sys
0xB7E03000 Ntfs.sys
0xB7DD6000 NDIS.sys
0xB7DBC000 Mup.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB5F59000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB5F45000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8470000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB5F21000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8478000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB5E9F000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB5E7B000 \SystemRoot\system32\drivers\portcls.sys
0xB81C8000 \SystemRoot\system32\drivers\drmk.sys
0xB5E58000 \SystemRoot\system32\drivers\ks.sys
0xB5E23000 \SystemRoot\system32\drivers\ctoss2k.sys
0xB8480000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xB5C6A000 \SystemRoot\system32\drivers\ct20xflt.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8488000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB5C47000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB8218000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7AEE000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8740000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8228000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7AEA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB5C30000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8238000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB6E74000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8490000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB5C1F000 \SystemRoot\system32\DRIVERS\psched.sys
0xB6E64000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8498000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB5BEF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB6E54000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB84A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB84B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85E8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5B91000 \SystemRoot\system32\DRIVERS\update.sys
0xB8584000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xAE573000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB8652000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAE563000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9E14000 \SystemRoot\system32\drivers\ha20x22k.sys
0xA38C9000 \SystemRoot\system32\drivers\emupia2k.sys
0xA389F000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xA388A000 \SystemRoot\System32\drivers\CTHWIUT.SYS
0xA3855000 \SystemRoot\System32\drivers\CT20XUT.SYS
0xA3707000 \SystemRoot\System32\drivers\CTEXFIFX.SYS
0xB864E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA38FB000 \SystemRoot\System32\Drivers\Null.SYS
0xB8650000 \SystemRoot\System32\Drivers\Beep.SYS
0xAE009000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAE001000 \SystemRoot\System32\drivers\vga.sys
0xA6B7A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA6B78000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xADFF9000 \SystemRoot\System32\Drivers\Msfs.SYS
0xADFF1000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAE618000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA36D4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA367B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA3653000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA362D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA360B000 \SystemRoot\System32\drivers\afd.sys
0xA4403000 \SystemRoot\system32\DRIVERS\netbios.sys
0xADFE9000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA35E9000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xAD5D6000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA35BE000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA354E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA43F3000 \SystemRoot\System32\Drivers\Fips.SYS
0xA3532000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xA6B74000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xAD25B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA43C3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA3F6E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA3521000 \SystemRoot\System32\Drivers\Udfs.SYS
0xAD5B6000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAD243000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA3F5E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB858C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA3F3E000 \SystemRoot\system32\drivers\usbaudio.sys
0xA34B4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA3B94000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB5B85000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8418000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xAD272000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD623000 \SystemRoot\System32\ATMFD.DLL
0xA294A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB7D6C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA2895000 \SystemRoot\system32\drivers\wdmaud.sys
0xB6E44000 \SystemRoot\system32\drivers\sysaudio.sys
0xA2868000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA2489000 \SystemRoot\System32\Drivers\HTTP.sys
0xA23B9000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8646000 \??\C:\WINDOWS\nvoclock.sys
0xA127C000 \SystemRoot\system32\DRIVERS\WlanUIG.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
880 csrss.exe
904 C:\WINDOWS\system32\winlogon.exe
952 C:\WINDOWS\system32\services.exe
964 C:\WINDOWS\system32\lsass.exe
1172 C:\WINDOWS\system32\nvsvc32.exe
1196 C:\WINDOWS\system32\svchost.exe
1248 svchost.exe
1292 C:\WINDOWS\system32\svchost.exe
1416 svchost.exe
1488 svchost.exe
1880 C:\WINDOWS\system32\spoolsv.exe
1928 C:\Program Files\Creative\Shared Files\CTAudSvc.exe
1944 C:\Program Files\Avira\AntiVir Desktop\sched.exe
132 svchost.exe
472 C:\WINDOWS\explorer.exe
524 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
540 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
620 C:\Program Files\Bonjour\mDNSResponder.exe
668 C:\WINDOWS\system32\CTSVCCDA.EXE
700 C:\WINDOWS\ehome\ehrecvr.exe
808 C:\WINDOWS\ehome\ehSched.exe
824 C:\WINDOWS\system32\Ctxfihlp.exe
832 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
884 C:\WINDOWS\system32\rundll32.exe
1104 C:\Program Files\iTunes\iTunesHelper.exe
1304 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
1328 C:\WINDOWS\system32\ctfmon.exe
2072 C:\Program Files\CDBurnerXP\NMSAccessU.exe
2104 C:\Program Files\Google\Update\GoogleUpdate.exe
2252 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
2672 C:\WINDOWS\system32\PnkBstrA.exe
3052 svchost.exe
3332 mcrdsvc.exe
288 C:\WINDOWS\system32\dllhost.exe
2556 C:\Program Files\iPod\bin\iPodService.exe
2812 alg.exe
2848 C:\WINDOWS\system32\CTxfispi.exe
772 C:\Program Files\Mozilla Firefox\firefox.exe
3520 C:\WINDOWS\explorer.exe
3432 F:\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST31000520AS, Rev: CC32
PhysicalDrive1 Model Number: ST3500320AS, Rev: SD1A

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#7 heir (Malware Response Team)

Posted 26 April 2011 - 07:29 AM

It looks as if there has been an operating system installed on your F: as well.
Looking at your boot options, it's not accessible.

Has there?

I need to verify that your MBR is infected. To do this I need answers to some questions.
Do you have a computer with a working CD burner fitted? (and empty CDs)
Can your computer be booted from a USB flash drive? (try tapping F12 when you boot - there should be an option to set which device to boot from)
Do you have a USB flash drive we can use?



#8 ajviper (Topic Starter)

Posted 26 April 2011 - 12:22 PM

When I had my machine upgraded my old 500GB HD went to a backup and the shop just left the old OS there. I have a working CD Burner and tons of blanks. The only flash drive I had is a 1GB. I can boot from a flash drive or CD.

Edited by ajviper, 26 April 2011 - 12:27 PM.


#9 heir (Malware Response Team)

Posted 26 April 2011 - 12:43 PM

We need to create a bootable CD with MBRTool on it. Go to this page to find out about MBRTool.

Download MBRTool.exe and save it to your desktop.
Double-click MBRTool.exe to install it.
When you click Finish at the end of the installation, "MBRTool Bootable Media Builder" will start.

  • Put a blank CD in your CD-ROM.
  • Select create Boot CD/DVD
  • Click Go >>
  • The CD will be created.

Put the CD in the CD-ROM on the infected computer.
Reboot the infected computer from the CD



Select the Command Prompt
Then type in - MBRTool.exe /bck /dsk:0 /sec:10






Power down the machine, remove the CD and boot back to normal mode.


Open notepad and copy/paste the text in the codebox below into it:

@ECHO OFF
REM Requires mbr.exe (the raw sector dump tool the MBR command below calls) in this folder or on the PATH.
REM Copy 1 sector starting at sector 0: the MBR as Windows currently sees it.
MBR -c 0 1 MBR0.dat
REM Copy 1 sector starting at sector 9: the MBR copy saved earlier from the boot CD.
MBR -c 9 1 MBR9.dat
CLS
REM FC returns 0 only when both files are identical; NUL discards its output.
FC.EXE MBR0.dat MBR9.dat >NUL 2>&1 &&(
ECHO.MBR is identical - That's Good
DEL MBR0.dat MBR9.dat
)||ECHO.MBR is different - That's Bad
PAUSE


Save this as mbc.bat
Choose to "Save type as - All Files"
Save it on your desktop.
Double click on mbc.bat & allow it to run

Did it report it as Bad or Good?


If it's bad, then:


Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, Find the file below (it should reside on your desktop)

    mbr9.dat


  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please repeat for the following file: (which also should reside on your desktop)

mbr0.dat



Please also zip mbr9.dat and mbr0.dat and attach them in your reply.

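The check heir's batch file performs, as an added Python example that is not part of the thread or of any tool it names: it compares the sector-0 read taken from inside Windows with the copy saved offline from the boot CD, reports which byte ranges differ and in which MBR region, parses the partition table and hashes the 440-byte boot code the way MBRCheck's SHA1 line does. The two sample MBRs are constructed filler, not real boot code; the in-Windows view is the clean-looking one, because a rootkit that hooks the disk driver serves the original sector to anyone reading sector 0, while the offline copy carries the altered loader with an untouched partition table. The names compare_mbr, parse_mbr, diff_ranges, region and build_sample_mbrs are this example's own.

```python
"""Compare an in-Windows MBR read with an offline copy of sector 0.

Added example for this thread; constructed sample data, not real boot code.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440      # loader code; bytes 440-443 disk signature, 444-445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into the fields MBRCheck-style tools report."""
    if len(sector) != SECTOR:
        raise ValueError("MBR capture must be exactly %d bytes" % SECTOR)
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        if ptype:  # partition type 0 means the slot is empty
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "sectors": lba_count})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": parts,
        "signature_ok": sector[510:] == BOOT_SIG,
    }


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Contiguous [start, end) byte ranges where a and b differ (equal lengths assumed)."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def region(start: int, end: int) -> str:
    """Name the MBR region a differing byte range falls in."""
    if end <= BOOT_CODE_LEN:
        return "boot code"
    if start >= BOOT_CODE_LEN and end <= PART_TABLE_OFF:
        return "disk signature"
    if start >= PART_TABLE_OFF and end <= 510:
        return "partition table"
    if start >= 510:
        return "boot signature"
    return "mixed"


def compare_mbr(live: bytes, offline: bytes) -> Dict:
    """live: sector 0 as read from inside Windows (MBR0.dat in the batch file).
    offline: the copy saved from the boot CD (MBR9.dat). A hooked disk driver can
    make `live` look pristine, so the offline copy is the one to trust."""
    ranges = diff_ranges(live, offline)
    return {
        "identical": not ranges,
        "differences": [(s, e, region(s, e)) for s, e in ranges],
        "live": parse_mbr(live),
        "offline": parse_mbr(offline),
    }


def build_sample_mbrs() -> Tuple[bytes, bytes]:
    """Constructed sample pair: an arithmetic filler stands in for loader code."""
    boot_code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    disk_sig = struct.pack("<I", 0x1234ABCD)
    # One bootable NTFS (0x07) partition starting at LBA 63, the classic XP layout
    # (63 * 512 = 0x7E00, the offset MBRCheck printed earlier in this thread).
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1953520002)
    live = boot_code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIG
    # Offline copy: same disk signature and partition table, first 16 loader bytes replaced.
    offline = b"\xEB" * 16 + live[16:]
    return live, offline


if __name__ == "__main__":
    live, offline = build_sample_mbrs()
    report = compare_mbr(live, offline)
    print("MBR is identical - That's Good" if report["identical"] else "MBR is different - That's Bad")
    for s, e, where in report["differences"]:
        print("  bytes %d-%d differ (%s)" % (s, e - 1, where))
    print("live SHA1    :", report["live"]["boot_code_sha1"])
    print("offline SHA1 :", report["offline"]["boot_code_sha1"])
    for p in report["offline"]["partitions"]:
        print("partition %d: type 0x%02X start LBA %d (%d sectors)%s"
              % (p["index"], p["type"], p["start"], p["sectors"], " [bootable]" if p["bootable"] else ""))
```

A partition table that matches while the boot code differs is the pattern to look for: the disk still boots normally, so nothing visible breaks.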


#10 ajviper (Topic Starter)

Posted 27 April 2011 - 06:48 PM

MBR9 Link
http://www.virustotal.com/file-scan/report.html?id=2f44afa6aa6606a7bd2faab8ac2c738b0d37d945f42e88225ddcd3998f65cd66-1303947869

MBR0 Link
http://www.virustotal.com/file-scan/report.html?id=624e12dd1b2810362fc29e23cbd03903f8b83a92a58400e5f03c3f344fafae4b-1303947676

Sorry for the delay in responding.

Attached files:

  • MBR0.zip (499 bytes)
  • MBR9.zip (540 bytes)


#11 heir (Malware Response Team)

Posted 28 April 2011 - 03:09 PM

Let's fix this.

Step 1.
FIXMBR in RC:


Reboot your computer.

When the black screen with the option to choose an operating system appears (see below), use the arrow keys to choose Microsoft Windows Recovery Console, then hit Enter.
(You'll only have a couple of seconds to do this, else it will proceed with a normal startup.)



Press 1 to select your Windows installation. If you are asked for the Administrator password, type it in if one is set; otherwise leave it blank and press Enter.

You'll be presented with the command-prompt C:\WINDOWS >

Type in FIXMBR and hit Enter
There will be a question: Are you sure you want to write a new MBR?
Type y and hit Enter


Type EXIT and hit Enter to reboot. Let it boot normally.


Step 2.
DDS:

Run DDS and post its logs in your reply



#12 ajviper (Topic Starter)

Posted 28 April 2011 - 04:46 PM

Here is everything as requested heir. Thank you for the help. It appears that my redirects are gone and all is well again.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by AJ at 15:43:47.17 on Thu 04/28/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2942 [GMT -6:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\aj\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\aj\applic~1\mozilla\firefox\profiles\jfrk7i11.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-2 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-2 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 ct20xflt;ct20xflt;c:\windows\system32\drivers\ct20xflt.sys [2009-7-14 1811224]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-12-1 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-12-1 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-12-1 73752]
R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [2009-12-1 1227800]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2009-12-3 347648]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys --> c:\windows\system32\drivers\chdrvr01.sys [?]
S3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys --> c:\windows\system32\drivers\chdrvr03.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-1 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-12-1 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-12-1 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-12-1 73752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6f.tmp --> c:\windows\system32\6F.tmp [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 zrgysg;zrgysg; [x]
.
=============== Created Last 30 ================
.
2011-04-26 21:35:49 -------- d-----w- c:\program files\DIY DataRecovery MBRtool
2011-04-25 14:42:36 -------- d-----w- c:\program files\iPod
2011-04-25 14:42:34 -------- d-----w- c:\program files\iTunes
2011-04-25 14:40:42 -------- d-----w- c:\program files\Bonjour
2011-04-25 00:53:48 234536 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-25 00:53:48 234536 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-04-25 00:53:47 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-24 19:29:36 -------- d-sha-r- C:\cmdcons
2011-04-23 22:23:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-23 21:36:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-22 03:32:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-22 03:32:28 -------- d-----w- c:\docume~1\aj\applic~1\SUPERAntiSpyware.com
2011-04-22 03:32:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-22 03:23:12 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-21 15:02:33 -------- d-----w- c:\program files\Sophos
2011-04-20 12:34:39 -------- d-----w- c:\docume~1\aj\locals~1\applic~1\Help
2011-04-20 03:57:10 2 --shatr- c:\windows\winstart.bat
2011-04-20 03:57:06 -------- d-----w- c:\program files\UnHackMe
2011-04-20 01:52:41 7805 ----a-w- c:\program files\mozilla firefox\null0.39250089835776225.exe
2011-04-20 00:29:13 -------- d-----w- c:\program files\PC Tools Security
2011-04-19 14:41:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-19 14:41:53 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-19 14:41:53 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-19 14:41:53 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-19 14:41:53 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-19 14:41:53 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-19 14:41:53 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-19 14:41:53 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-19 04:02:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-19 04:02:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 03:49:31 -------- d---a-w- C:\cmdcons(2)
2011-04-14 09:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 09:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-08 11:28:58 41872 ----a-w- c:\windows\system32\xfcodec.dll
2011-04-06 22:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 22:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 19:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06:28 11080704 ----a-w- c:\windows\system32\ieframe(2).dll
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 00:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 15:44:29.82 ===============


Edited by ajviper, 28 April 2011 - 04:47 PM.


#13 heir (Malware Response Team)

Posted 28 April 2011 - 04:58 PM

But we're not done yet.

Something I should point out regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products:

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of the experts at Geekstogo, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\6F.tmp 
Driver::
zrgysg
MEMSWEEP2


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.



#14 ajviper (Topic Starter)

Posted 28 April 2011 - 07:10 PM

ComboFix 11-04-28.01 - AJ 04/28/2011 17:52:46.5.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.3018 [GMT -6:00]
Running from: f:\my documents\Downloads\ComboFix.exe
Command switches used :: f:\my documents\Downloads\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\6F.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\regedit.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{E034B538-07D8-48E6-9634-DCFB08133652}\RP263\A0140590.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Legacy_ZRGYSG
-------\Service_MEMSWEEP2
-------\Service_zrgysg
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-25 14:42 . 2011-04-25 14:42 -------- d-----w- c:\program files\iPod
2011-04-25 14:42 . 2011-04-25 14:43 -------- d-----w- c:\program files\iTunes
2011-04-25 14:40 . 2011-04-25 14:40 -------- d-----w- c:\program files\Bonjour
2011-04-25 00:53 . 2011-04-25 00:53 234536 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-25 00:53 . 2011-04-25 00:53 234536 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-04-25 00:53 . 2011-04-25 00:53 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-23 22:23 . 2011-04-23 22:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-23 21:36 . 2011-04-23 22:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\documents and settings\AJ\Application Data\SUPERAntiSpyware.com
2011-04-22 03:32 . 2011-04-22 03:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-22 03:23 . 2011-04-22 03:23 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-21 15:02 . 2011-04-21 15:02 -------- d-----w- c:\program files\Sophos
2011-04-20 12:34 . 2011-04-20 12:34 -------- d-----w- c:\documents and settings\AJ\Local Settings\Application Data\Help
2011-04-20 03:57 . 2011-04-23 23:03 2 --shatr- c:\windows\winstart.bat
2011-04-20 03:57 . 2011-04-23 23:03 -------- d-----w- c:\program files\UnHackMe
2011-04-20 01:52 . 2011-04-20 01:52 7805 ----a-w- c:\program files\Mozilla Firefox\null0.39250089835776225.exe
2011-04-20 00:29 . 2011-04-20 03:34 -------- d-----w- c:\program files\PC Tools Security
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-19 18:42 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-04-19 18:41 . 2011-04-19 18:42 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-04-19 14:41 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-19 14:41 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-19 14:41 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-19 14:41 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-19 14:41 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-19 14:41 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-19 14:41 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-19 14:41 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-19 04:02 . 2011-04-19 04:02 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-08 11:28 . 2011-04-08 11:28 41872 ----a-w- c:\windows\system32\xfcodec.dll
2011-04-06 22:20 . 2011-04-06 22:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 22:20 . 2011-04-06 22:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-25 00:53 . 2009-12-15 03:43 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-03-07 05:33 . 2009-12-01 23:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 19:39 . 2011-03-05 19:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37 . 2004-08-10 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2009-03-08 11:39 11080704 ----a-w- c:\windows\system32\ieframe(2).dll
2011-02-22 11:41 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 23:36 . 2009-12-02 20:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 23:36 . 2009-12-02 20:43 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2004-08-10 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-12-02 02:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33 . 2004-08-10 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-05 00:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 00:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2009-12-01 23:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-18 17:53 . 2011-04-19 14:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\asyncmac.sys
[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\asyncmac.sys
[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
.
[-] 2004-08-10 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\beep.sys
[-] 2004-08-10 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
[-] 2004-08-10 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
.
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\kbdclass.sys
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
.
[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ndis.sys
[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
.
[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ntfs.sys
[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
.
[-] 2004-08-10 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\null.sys
[-] 2004-08-10 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
[-] 2004-08-10 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
.
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3qfe\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\browser.dll
[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll
[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\browser.dll
.
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lsass.exe
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lsass.exe
.
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netman.dll
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netman.dll
.
[-] 2008-04-14 12:41 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\ERDNT\cache\comres.dll
[-] 2008-04-14 12:41 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2008-04-14 12:41 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\dllcache\comres.dll
.
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ERDNT\cache\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\dllcache\qmgr.dll
.
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
.
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\ERDNT\cache\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
.
[-] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\ERDNT\cache\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
.
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
.
[-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\ERDNT\cache\comctl32.dll
[-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[-] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
[-] 2004-08-10 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-10 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
.
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\cryptsvc.dll
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\cryptsvc.dll
.
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\ERDNT\cache\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-04-14 12:41 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
.
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\imm32.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\imm32.dll
.
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\ERDNT\cache\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
.
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\linkinfo.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\linkinfo.dll
.
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\lpk.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lpk.dll
.
[-] 2011-02-22 . 3422847AA07E37076A87D0B7D5044DC6 . 5964800 . . [8.00.6001.23141] . . c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\mshtml.dll
[-] 2011-02-22 . 3422847AA07E37076A87D0B7D5044DC6 . 5964800 . . [8.00.6001.23141] . . c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\mshtml.dll
[-] 2011-02-22 . C2EF2335F1B6C2BE20A67D9098F6C9A1 . 5962240 . . [8.00.6001.19046] . . c:\windows\ERDNT\cache\mshtml.dll
[-] 2011-02-22 . C2EF2335F1B6C2BE20A67D9098F6C9A1 . 5962240 . . [8.00.6001.19046] . . c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\mshtml.dll
[-] 2011-02-22 . C2EF2335F1B6C2BE20A67D9098F6C9A1 . 5962240 . . [8.00.6001.19046] . . c:\windows\system32\mshtml.dll
[-] 2011-02-22 . C2EF2335F1B6C2BE20A67D9098F6C9A1 . 5962240 . . [8.00.6001.19046] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2010-12-20 . 1EDCEC5D649DBAC37ED9FFB5A14CEB0C . 5961216 . . [8.00.6001.19019] . . c:\windows\ie8updates\KB2497640-IE8\mshtml.dll
[-] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\mshtml.dll
[-] 2010-11-06 . 864E69F32656A7121444BA0193D7B64B . 5960704 . . [8.00.6001.23091] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\mshtml.dll
[-] 2010-11-06 . D7CCA87057901C87ED8CC40DDCC7FA1B . 5959168 . . [8.00.6001.18999] . . c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
[-] 2010-09-10 . DE41132DA8E5A3CD57201C6F2175EC05 . 5957120 . . [8.00.6001.18975] . . c:\windows\ie8updates\KB2416400-IE8\mshtml.dll
[-] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtml.dll
[-] 2010-06-24 . 94DC7E938C57F3C3D1BC4A0F68FC5830 . 5954560 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\mshtml.dll
[-] 2010-06-24 . 4D7EF94795384CD2BBAAB078B7929FEA . 5951488 . . [8.00.6001.18939] . . c:\windows\ie8updates\KB2360131-IE8\mshtml.dll
[-] 2010-05-06 . C7B7A88CC7D7ABA5C395145BF92F46F7 . 5950976 . . [8.00.6001.18928] . . c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
[-] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\mshtml.dll
[-] 2010-02-25 . 7054F6ADC9B670887659F1561603B0D0 . 5944832 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\mshtml.dll
[-] 2010-02-25 . 974772C74DA7C7A8E7C813A9908A845F . 5946880 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll
[-] 2009-12-21 . BE6EEBEF636773A8E7A82214E81C563A . 5942784 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\mshtml.dll
[-] 2009-12-21 . E6B64C6C729BBC38AB7CC92CE33F97A5 . 5945856 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll
[-] 2009-10-29 . C0F9AC6FAB2C788FFEE3E69585A0E93F . 5944320 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll
[-] 2009-10-29 . CBB1EF54B86EDB78649909DD1699E5CA . 5940736 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\mshtml.dll
[-] 2009-10-22 . CDA69BC1C23B0EA033B989F67CB722FF . 5939712 . . [8.00.6001.18852] . . c:\windows\ie8updates\KB976325-IE8\mshtml.dll
[-] 2009-10-22 . A6CF28C6E0B6D10098AB601D85EE55E8 . 5943296 . . [8.00.6001.22942] . . c:\windows\$hf_mig$\KB976749-IE8\SP3QFE\mshtml.dll
[-] 2009-08-29 . 0E49677EE57A928765FC47FFBACD5326 . 5940224 . . [8.00.6001.18828] . . c:\windows\ie8updates\KB976749-IE8\mshtml.dll
[-] 2009-08-29 . B68F6E6C66D17D9EDABF3D5DA71046DA . 5942272 . . [8.00.6001.22918] . . c:\windows\$hf_mig$\KB974455-IE8\SP3QFE\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB974455-IE8\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ie8\mshtml.dll
.
[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ERDNT\cache\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\dllcache\msvcrt.dll
[-] 2004-08-10 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[-] 2004-08-10 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$NtUninstallKB2509553$\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3qfe\mswsock.dll
[-] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\mswsock.dll
[-] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3gdr\mswsock.dll
[-] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
.
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netlogon.dll
.
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\powrprof.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\powrprof.dll
.
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\scecli.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\scecli.dll
.
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfc.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfc.dll
.
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe
.
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\tapisrv.dll
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tapisrv.dll
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
.
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
.
[-] 2011-02-22 . A9FA95F0D7F511959AC721E4843E5967 . 919552 . . [8.00.6001.23139] . . c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\wininet.dll
[-] 2011-02-22 . A9FA95F0D7F511959AC721E4843E5967 . 919552 . . [8.00.6001.23139] . . c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3QFE\wininet.dll
[-] 2011-02-22 . F192D49EEFE297FA858B2C774BA2291D . 916480 . . [8.00.6001.19044] . . c:\windows\ERDNT\cache\wininet.dll
[-] 2011-02-22 . F192D49EEFE297FA858B2C774BA2291D . 916480 . . [8.00.6001.19044] . . c:\windows\SoftwareDistribution\Download\4a68e5ecf881bfdf9f622e39f79b4af0\SP3GDR\wininet.dll
[-] 2011-02-22 . F192D49EEFE297FA858B2C774BA2291D . 916480 . . [8.00.6001.19044] . . c:\windows\system32\wininet.dll
[-] 2011-02-22 . F192D49EEFE297FA858B2C774BA2291D . 916480 . . [8.00.6001.19044] . . c:\windows\system32\dllcache\wininet.dll
[-] 2010-12-20 . 88014D62B5E3CDB0AC67948D86C926C8 . 916480 . . [8.00.6001.19019] . . c:\windows\ie8updates\KB2497640-IE8\wininet.dll
[-] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\wininet.dll
[-] 2010-11-06 . 9357C4249F4810FB0E49C13387A8A77C . 919552 . . [8.00.6001.23084] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\wininet.dll
[-] 2010-11-06 . 306A2B05EA9846278113964DC6E2C940 . 916480 . . [8.00.6001.18992] . . c:\windows\ie8updates\KB2482017-IE8\wininet.dll
[-] 2010-09-10 . 36FE8ABC59AAFBE20CBE54BC372F9429 . 916480 . . [8.00.6001.18968] . . c:\windows\ie8updates\KB2416400-IE8\wininet.dll
[-] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\wininet.dll
[-] 2010-06-24 . 60237E50D575FBA9BEC9BC043F157149 . 919040 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\wininet.dll
[-] 2010-06-24 . D3DEB6B2B424AC93DE3801EAEB21A9A5 . 916480 . . [8.00.6001.18939] . . c:\windows\ie8updates\KB2360131-IE8\wininet.dll
[-] 2010-05-06 . 2D9C7B010409372C34F725DA5CCED083 . 916480 . . [8.00.6001.18923] . . c:\windows\ie8updates\KB2183461-IE8\wininet.dll
[-] 2010-05-06 . C1490F68B44AF8B781F52F12F564625D . 919040 . . [8.00.6001.23014] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\wininet.dll
[-] 2010-02-25 . 7A42CFED96CDA7F2FB1A26D1F9F65775 . 916480 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\wininet.dll
[-] 2010-02-25 . 4458D59F2B0369F4D3B137541D284041 . 919040 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll
[-] 2009-12-21 . FF4241C74E0C0A5AFFFE05F584213ECB . 916480 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\wininet.dll
[-] 2009-12-21 . 5E1F666B8955FD77E65D65C4C4D882A3 . 916480 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll
[-] 2009-10-29 . 6AF52998B90F72FF2325D84D90EDA1CC . 916480 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll
[-] 2009-10-29 . 75240F6EDBCE7B85DF66874407D38A4F . 916480 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\wininet.dll
[-] 2009-08-29 . CF0A5FE05BF614C24950D8FAEC1BC309 . 916480 . . [8.00.6001.18828] . . c:\windows\ie8updates\KB976325-IE8\wininet.dll
[-] 2009-08-29 . 972B226BDAD71C55F3CC9A72BBF8F1C1 . 916480 . . [8.00.6001.22918] . . c:\windows\$hf_mig$\KB974455-IE8\SP3QFE\wininet.dll
[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB974455-IE8\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ie8\wininet.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2help.dll
.
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
.
[-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\ERDNT\cache\ole32.dll
[-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
[-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
[-] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\$hf_mig$\KB979687\SP3QFE\ole32.dll
[-] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979687$\ole32.dll
.
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\ERDNT\cache\usp10.dll
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[-] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
.
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\xmlprov.dll
.
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
.
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll
.
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
.
[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\ERDNT\cache\shsvcs.dll
[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2009-07-27 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\$hf_mig$\KB971029\SP3QFE\shsvcs.dll
[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB971029$\shsvcs.dll
.
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
.
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\schedsvc.dll
.
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ssdpsrv.dll
.
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\termsrv.dll
.
[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\hnetcfg.dll
[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\hnetcfg.dll
.
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\appmgmts.dll
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\appmgmts.dll
.
[-] 2004-08-10 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\ERDNT\cache\acpiec.sys
[-] 2004-08-10 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[-] 2008-04-14 05:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ERDNT\cache\aec.sys
[-] 2008-04-14 05:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\dllcache\aec.sys
[-] 2008-04-14 05:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
.
[-] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\agp440.sys
[-] 2008-04-14 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys
.
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ip6fw.sys
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ip6fw.sys
[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
.
[-] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\ERDNT\cache\mfc40u.dll
[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\dllcache\mfc40u.dll
[-] 2008-04-14 12:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll
.
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\msgsvc.dll
.
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 04:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2005-08-04 01:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-08-04 01:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-10 12:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
[-] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\$hf_mig$\KB2393802\SP3QFE\ntkrnlpa.exe
[-] 2010-12-09 . 9ED77E2307F6EC6F174C063C15AA3B8C . 2027008 . . [5.1.2600.6055] . . c:\windows\ERDNT\cache\ntkrnlpa.exe
[-] 2010-12-09 . 9ED77E2307F6EC6F174C063C15AA3B8C . 2027008 . . [5.1.2600.6055] . . c:\windows\system32\ntkrnlpa.exe
[-] 2010-12-09 . 84FF488E249DBD2050EB39EA81C6F5C2 . 2069376 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2010-12-09 . 84FF488E249DBD2050EB39EA81C6F5C2 . 2069376 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2010-04-28 . 756362706DE8BC92F11E197C98A73844 . 2066944 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntkrnlpa.exe
[-] 2010-04-27 . 49E936E1398D1A536E84CD5D068F0F09 . 2024448 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntkrnlpa.exe
[-] 2010-02-16 . E8B8801DE921912EBDEEFC76662F7EAD . 2024448 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe
[-] 2010-02-16 . DED8B5A89B085284634502E9D75AC78C . 2066944 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
[-] 2009-12-09 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe
[-] 2009-12-08 . 089F1E207B067A4DDEB2EEC37BBB1AA7 . 2023936 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntkrnlpa.exe
[-] 2009-08-05 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[-] 2009-08-04 . 32B1A971183EC22DD91EEDA61C499E7C . 2023936 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165$\ntkrnlpa.exe
[-] 2009-02-06 . 65D4220799E6FC2CB079070A6393CC0E . 2023936 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-04-14 . 7F653A89F6E89E3AE0D49830EECE35D4 . 2023936 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
.
[-] 2008-04-14 12:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ERDNT\cache\ntmssvc.dll
[-] 2008-04-14 12:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-04-14 12:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\dllcache\ntmssvc.dll
.
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
.
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ERDNT\cache\dsound.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dllcache\dsound.dll
.
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\ERDNT\cache\d3d9.dll
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\d3d9.dll
.
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\ERDNT\cache\ddraw.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\ddraw.dll
.
[-] 2008-04-14 12:42 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\olepro32.dll
[-] 2008-04-14 12:42 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
[-] 2008-04-14 12:42 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\olepro32.dll
.
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\perfctrs.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\perfctrs.dll
.
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\version.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\version.dll
.
[-] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\$hf_mig$\KB2393802\SP3QFE\ntoskrnl.exe
[-] 2010-12-09 . 60E16152D847D7A7B7D3DA4C4B8E2120 . 2148864 . . [5.1.2600.6055] . . c:\windows\ERDNT\cache\ntoskrnl.exe
[-] 2010-12-09 . 60E16152D847D7A7B7D3DA4C4B8E2120 . 2148864 . . [5.1.2600.6055] . . c:\windows\system32\ntoskrnl.exe
[-] 2010-12-09 . 64C1ADF6DF629F340C5A439FE0EF8ED1 . 2192768 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2010-12-09 . 64C1ADF6DF629F340C5A439FE0EF8ED1 . 2192768 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2010-04-27 . 466A3E1239F4A9428797730E81A7A865 . 2146304 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntoskrnl.exe
[-] 2010-04-27 . A2ABBEC40CDB57454645D06B7EBD22F5 . 2190080 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe
[-] 2010-02-16 . 048DB3459FAB4CA741DCC84E1F374D65 . 2146304 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe
[-] 2010-02-16 . E1F653A542449D54FA2D27463D99B6B6 . 2190080 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
[-] 2009-12-09 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe
[-] 2009-12-08 . 9696C553F994340CD6AA5C5A724C3A19 . 2145280 . . [5.1.2600.5913] . . c:\windows\$NtUninstallKB979683$\ntoskrnl.exe
[-] 2009-08-04 . 78FCC97CD878D4CF5B5D2158A5A7CF92 . 2145280 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB977165$\ntoskrnl.exe
[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 0CBA44D0938D57F334C0862424148B70 . 2145280 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2008-04-14 . 40F8880122A030A7E9E1FEDEA833B33D . 2145280 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
.
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll
.
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\w32time.dll
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll
[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\w32time.dll
.
[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wiaservc.dll
[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wiaservc.dll
.
[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\midimap.dll
[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\midimap.dll
.
[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\rasadhlp.dll
[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll
[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\rasadhlp.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-04-23_21.48.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-29 00:16 . 2011-04-29 00:16 16384 c:\windows\temp\Perflib_Perfdata_570.dat
+ 2011-04-28 21:43 . 2011-04-28 21:43 16384 c:\windows\temp\Perflib_Perfdata_334.dat
+ 2004-08-10 12:00 . 2011-04-28 17:38 83304 c:\windows\system32\perfc009.dat
+ 2011-04-28 22:56 . 2011-04-28 22:56 21504 c:\windows\Installer\43bae3.msi
+ 2004-08-10 12:00 . 2011-04-28 17:38 471442 c:\windows\system32\perfh009.dat
+ 2011-04-26 01:51 . 2011-04-26 01:51 235168 c:\windows\system32\Macromed\Flash\FlashUtil10p_Plugin.exe
+ 2011-04-25 14:40 . 2011-04-25 14:40 811520 c:\windows\Installer\14268c.msi
+ 2011-04-25 14:43 . 2011-04-25 14:43 380928 c:\windows\Installer\{353FE16B-30FE-469A-BF55-B978F4218003}\iTunesIco.exe
- 2010-01-27 01:07 . 2011-03-28 14:49 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-01-27 01:07 . 2011-04-26 01:51 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-04-25 14:43 . 2011-04-25 14:43 6523904 c:\windows\Installer\143097.msi
+ 2011-04-25 14:40 . 2011-04-25 14:40 1984000 c:\windows\Installer\1426b2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-07-14 24576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
c:\documents and settings\AJ\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2011-4-8 3510160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 19:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamSpeak 3 Client\\ts3client_win32.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2009 2:45 PM 108289]
R3 ct20xflt;ct20xflt;c:\windows\system32\drivers\ct20xflt.sys [7/14/2009 3:53 AM 1811224]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/1/2009 6:35 PM 198168]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/1/2009 6:35 PM 1353240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/1/2009 6:35 PM 73752]
R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [12/1/2009 6:35 PM 1227800]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [12/3/2009 7:10 PM 347648]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:50 PM 135664]
S3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys --> c:\windows\system32\DRIVERS\chdrvr01.sys [?]
S3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\DRIVERS\chdrvr03.sys --> c:\windows\system32\DRIVERS\chdrvr03.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/1/2009 6:34 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/1/2009 6:35 PM 198168]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/1/2009 6:35 PM 1353240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/1/2009 6:35 PM 73752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:50 PM 135664]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 4:49 PM 34384]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:50]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
Trusted Zone: microsoft.com\*.update
Trusted Zone: techinline.net
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\jfrk7i11.default\
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 18:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_44183.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-28 18:19:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-29 00:19
ComboFix2.txt 2011-04-24 19:38
.
Pre-Run: 953,662,038,016 bytes free
Post-Run: 953,782,841,344 bytes free
.
- - End Of File - - C1529B35DBF63559106B7F4CF8EE4415

Edited by ajviper, 28 April 2011 - 07:26 PM.


#15 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:08:20 PM

Posted 29 April 2011 - 05:07 AM

Please double-click on ComboFix.exe to run ComboFix once again and post the content of C:\ComboFix.txt in your reply. Remember to disable Antivir.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click [image]




