Mom's machine has Issues.


  • This topic is locked
16 replies to this topic

#1 Mark Of Portland

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:01 AM

Posted 26 April 2011 - 08:26 PM

Google being redirected while using Firefox.

So I ran a scan with Spybot S&D and it came up with some detections. Some of them were removable, so they were removed. However, Spybot was not able to remove everything, so I did some reading and was brought to this forum. I read through some posts and figured I was at the point where I'm going to need a little direction, because I'm not the most skilled with virus removal, nor have I had any viruses on my machines for years, because I do not download music and movies (torrents), nor do I visit websites that might be harmful, as I'm mindful about going places I don't need to go!

Some visible issues: all of the folders and applications under 'Start > All Programs' are not visible. To see anything in the system drive "C:" I have to enable "show hidden files and folders", as all C: drive folders were marked in 'Properties' as "Hidden". Otherwise the only folder showing in "My Computer" is a "Windows Restore" folder. It also seems that Firefox is being redirected via a proxy that re-enables itself when the machine is rebooted.

Please help me get my mother's PC running right again so I can lock down her system so people can't do this to her machine again!

Thank you,
Mark

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 18:38:14.81 on Tue 04/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.429 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Application Data\dwm.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\conhost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:51636
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\owner\application data\dwm.exe
uWindows: Load=c:\docume~1\owner\locals~1\temp\csrss.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Alcmtr] ALCMTR.EXE
mRun: [conhost] c:\documents and settings\owner\application data\microsoft\conhost.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAAwADIANAA1ADMAMQA2ADIALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA"&"prod=90"&"ver=9.0.894
dRun: [Power2GoExpress] NA
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [lpc] rundll32.exe"c:\documents and settings\owner\application data\sun\vnv4.dll", RegisterDll
dRun: [rjuLpKAlCJjkc] c:\documents and settings\all users\application data\rjuLpKAlCJjkc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
TCP: {AE34EA11-B4B5-4E22-B31D-6029780491CF} = 68.87.69.150,68.87.85.102
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\e890xllq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51636
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 587096]
.
=============== Created Last 30 ================
.
2011-04-27 01:24:40 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-27 00:36:55 181248 ----a-w- c:\docume~1\owner\applic~1\dwm.exe
2011-04-23 14:30:04 -------- d-----w- c:\windows\system32\LogFiles
2011-04-06 18:15:58 -------- d-----w- C:\Windows Restore
2011-04-06 12:18:56 548864 ----a-w- c:\docume~1\alluse~1\applic~1\rjuLpKAlCJjkc.exe
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3100011A rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-16
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85546555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8554c7b0]; MOV EAX, [0x8554c82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8552EAB8]
3 CLASSPNP[0xF75C2FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007b[0x8557B4E8]
5 ACPI[0xF73D9620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x85530D98]
\Driver\atapi[0x85561338] -> IRP_MJ_CREATE -> 0x85546555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskST3100011A______________________________3.02____#5&34d4b32b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8554639B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:39:47.01 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2006 5:43:31 PM
System Uptime: 4/26/2011 5:45:59 PM (1 hours ago)
.
Motherboard: Intel Corporation | | D101GGC
Processor: Intel® Celeron® D CPU 3.20GHz | | 3200/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 89 GiB total, 71.653 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.712 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Easy Internet Keyboard
Device ID: ACPI\PNP0303\4&29C049B9&0
Manufacturer: Logitech
Name: Easy Internet Keyboard
PNP Device ID: ACPI\PNP0303\4&29C049B9&0
Service: i8042prt
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&29C049B9&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&29C049B9&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP1143: 12/19/2010 4:44:50 PM - System Checkpoint
RP1144: 12/21/2010 5:24:06 PM - System Checkpoint
RP1145: 12/22/2010 6:03:11 PM - System Checkpoint
RP1146: 12/25/2010 9:04:27 PM - System Checkpoint
RP1147: 12/27/2010 7:32:48 PM - System Checkpoint
RP1148: 12/29/2010 8:28:37 PM - System Checkpoint
RP1149: 12/31/2010 3:52:52 PM - System Checkpoint
RP1150: 1/3/2011 11:08:25 PM - System Checkpoint
RP1151: 1/7/2011 8:09:06 PM - System Checkpoint
RP1152: 1/10/2011 11:23:50 AM - System Checkpoint
RP1153: 1/12/2011 8:13:06 PM - System Checkpoint
RP1154: 1/17/2011 10:10:18 AM - System Checkpoint
RP1155: 1/18/2011 5:14:04 PM - System Checkpoint
RP1156: 1/23/2011 7:13:56 PM - System Checkpoint
RP1157: 1/25/2011 8:52:40 AM - System Checkpoint
RP1158: 1/26/2011 9:26:25 PM - System Checkpoint
RP1159: 2/11/2011 8:54:19 PM - System Checkpoint
RP1160: 2/14/2011 8:53:15 AM - System Checkpoint
RP1161: 2/15/2011 9:26:28 AM - System Checkpoint
RP1162: 2/18/2011 7:18:19 PM - System Checkpoint
RP1163: 2/22/2011 11:30:48 AM - System Checkpoint
RP1164: 2/27/2011 6:47:30 PM - System Checkpoint
RP1165: 3/2/2011 12:39:00 AM - System Checkpoint
RP1166: 3/6/2011 6:30:17 PM - System Checkpoint
RP1167: 3/7/2011 10:02:14 PM - System Checkpoint
RP1168: 3/10/2011 3:27:00 AM - System Checkpoint
RP1169: 3/11/2011 8:13:11 AM - System Checkpoint
RP1170: 3/13/2011 4:32:57 PM - System Checkpoint
RP1171: 3/16/2011 12:32:29 AM - Avg Update
RP1172: 3/16/2011 12:33:02 AM - Avg Update
RP1173: 3/17/2011 10:34:18 AM - System Checkpoint
RP1174: 3/18/2011 7:44:25 PM - System Checkpoint
RP1175: 3/22/2011 11:11:50 PM - System Checkpoint
RP1176: 4/4/2011 3:31:03 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
BufferChm
CameraDrivers
Canon iP1700 User Registration
Canon iP1800 series
Canon iP1800 series User Registration
Canon My Printer
Canon Utilities Easy-LayoutPrint
Canon Utilities Easy-PhotoPrint
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner (remove only)
Create and Print Greeting Cards 1.0
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
Easy-WebPrint
Eusing Free Registry Cleaner
High Definition Audio Driver Package - KB888111
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.5
HP Photosmart Cameras 4.5
HP Product Assistant
HP Software Update
HPSystemDiagnostics
InstantShare
Logitech iTouch Software
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Express 7.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.6.16)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PanoStandAlone
PhotoGallery
Power2Go 4.0
PowerDVD
QFolder
QuickTime
RealPlayer Basic
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Recovery Software Suite eMachines
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
ShareIns
Skins
SkinsHP1
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
4/26/2011 5:51:14 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/26/2011 5:47:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
4/26/2011 5:46:55 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
4/26/2011 5:46:55 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the file specified.
4/26/2011 5:46:52 PM, error: SRService [104] - The System Restore initialization process failed.
.
==== End Of File ===========================

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-26 19:10:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort4 ST3100011A rev.3.02
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pfwdqaow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5947000, 0x1C5D38, 0xE8000020]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[816] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[816] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\WINDOWS\System32\svchost.exe[816] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0206000A
.text C:\WINDOWS\System32\svchost.exe[816] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0207000A
.text C:\WINDOWS\System32\svchost.exe[816] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0208000A
.text C:\WINDOWS\System32\svchost.exe[816] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A
.text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BF000C
? C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dllunknown module: RASAPI32.dllunknown module: WINHTTP.dll
.tls C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe unknown last section [0x0042F000, 0x1F000, 0x40000040]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2100] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0133000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2100] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0134000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2100] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0132000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [SHELL32.dll!SHGetSpecialFolderPathA] 50FFFFFF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [AVIFIL32.dll!AVISaveOptions] 04C48300
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [AVIFIL32.dll!AVIMakeCompressedStream] 0FA85D39
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegCloseKey] 649D8B00
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegCreateKeyA] 8BFFFFFF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegSetValueA] 04468B33
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegQueryValueExW] 8DC44D8B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegOpenKeyExA] 50529855
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegOpenKeyExW] 8956CF03
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegQueryValueExA] FFFF748D
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegEnumKeyExA] 6C85C7FF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegCreateKeyExA] 01FFFFFF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegDeleteKeyA] E8000000
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ADVAPI32.dll!RegSetValueExA] 000001F0
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [SHLWAPI.dll!PathFileExistsA] 09249248
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [SHLWAPI.dll!PathFileExistsW] FA83D12B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [SHLWAPI.dll!StrStrIW] F9820F01
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!GetStockObject] 89044B89
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!CreateDIBSection] 488B0446
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!BitBlt] 1CEC8304
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!CreateCompatibleDC] CC8B0189
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!GetObjectA] FF60A589
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!CreateCompatibleBitmap] FF6AFFFF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!CreateDCA] 8D57FF33
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!DeleteObject] 0FBBB445
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!SetStretchBltMode] 89000000
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!DeleteDC] 79891459
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!PatBlt] 01C65010
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!SelectObject] 74F9E800
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!StretchBlt] 8D8DFFFE
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!SetDIBits] FFFFFF7C
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!GetDC] C483FFFF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!IsWindow] 8DF08B20
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!BringWindowToTop] D63BB455
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!PeekMessageA] 7D834F74
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!GetDesktopWindow] 0C7210C8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!InflateRect] 50B4458B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!DefWindowProcA] 0023FDE8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!CopyRect] 04C48300
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!RegisterClassA] 89C85D89
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!AttachThreadInput] 45C6C47D
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!TranslateMessage] 7E8300B4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!GetClientRect] 14731014
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!PostMessageA] 4010468B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!ReleaseDC] B44D8D50
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!SetRect] 51E85156
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!EnableWindow] 8300002A
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!SetParent] 07EB0CC4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!InvalidateRect] 5589168B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!EqualRect] 8B3E89B4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!wsprintfA] 45891046
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!SendMessageA] 144E8BC4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!FillRect] 89C84D89
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!DispatchMessageA] 7E89107E
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [USER32.dll!UnregisterClassA] FC45C614
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoCreateInstance] 8B0F7210
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoInitialize] FFFF7C95
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CreateItemMoniker] A7E852FF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!StgCreateDocfile] 83000023
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!GetRunningObjectTable] 9D8B04C4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoUninitialize] FFFFFF68
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoFreeUnusedLibraries] 4E8B338B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!StgOpenStorage] B4458D04
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoTaskMemAlloc] E8565150
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!StringFromGUID2] 00000114
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoSetProxyBlanket] BA044B8B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [ole32.dll!CoTaskMemFree] 09249248
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!WaitForMultipleObjectsEx] 41217201
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetModuleFileNameA] 89044B89
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!lstrlenA] 488B0446
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetVersionExA] 39018904
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CloseHandle] FFFF74BD
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetTempPathA] 8B1774FF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GlobalFree] FFFF7085
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!InterlockedDecrement] E9C933FF
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetSystemTime] FFFFFC74
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!MultiByteToWideChar] 44080C68
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CreateDirectoryA] 5AD8E800
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!DisableThreadLibraryCalls] 7D830001
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!SetFilePointer] 0C7210C8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetProcessId] 52B4558B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GlobalUnlock] 002345E8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GlobalLock] 04C48300
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!SetFileAttributesA] 7D83C933
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CreateFileA] 45C710AC
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetTickCount] 00000FC8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!WaitForSingleObject] C44D8900
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!VirtualFree] 00B445C6
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!Sleep] 458B0C72
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!EnumResourceTypesW] 23E85098
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!ReleaseMutex] 83000023
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!QueryPerformanceCounter] 858B04C4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetModuleFileNameW] 64F44D8B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetCurrentProcessId] 00000D89
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!InitializeCriticalSection] 5F590000
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!VirtualAlloc] 4D8B5B5E
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetTempFileNameA] E8CD33F0
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!InterlockedIncrement] 00003159
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetSystemTimeAsFileTime] C35DE58B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!DeviceIoControl] CCCCCCCC
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetCurrentThreadId] 018B0E8B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!ExitProcess] 0E8B0989
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!LocalFree] C7044989
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetVolumeInformationA] 00000446
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!DeleteFileA] 063B0000
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!LocalAlloc] 8B571374
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CreateMutexA] DBE85038
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CopyFileA] 83000022
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!CreateFileW] C78B04C4
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!ReadFile] EF753E3B
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetFileSize] 50068B5F
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!WideCharToMultiByte] 0022C9E8
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!GetFileAttributesA] CCC35900
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!FreeLibrary] CCCCCCCC

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP5T0L0-b 8554639B
Device \Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskST3100011A______________________________3.02____#5&34d4b32b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-26 18:46:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort4 ST3100011A rev.3.02
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pfwdqaow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP5T0L0-b 8554639B
Device \Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskST3100011A______________________________3.02____#5&34d4b32b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----


Edited by Mark Of Portland, 27 April 2011 - 03:07 PM.
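The GMER output above has three things worth reading off it mechanically: a csrss.exe whose entire import table is listed while it runs from the user's Temp folder rather than System32, the atapi driver's DriverStartIo pointing at the same address for every IDE port, and the "TDL4@MBR" / "rootkit-like behavior" lines for sector 0. The Python below is an added example for this thread, not code from the original post and not part of GMER: it parses GMER-style IAT, Device and Disk lines, flags a System32-only process name that runs from any other directory, reports every driver hook, notes when one hook address serves several device objects (DriverStartIo is a single field of the driver object, so the six IdePort lines are one hook, not six), and marks disk-sector rootkit findings. The list of system-only process names and the sample lines (a few copied from the log above, plus one constructed benign line with a space in its path and one abridged "device not found" line) are assumptions made for the example.

```python
"""Triage GMER log lines: masquerading processes, driver hooks, disk findings.
Added example for this thread; not the original post's code and not GMER's."""
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Core Windows processes that only legitimately run from System32.
# Assumed list for the example; extend as needed.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\winnt\\system32")

# IAT <process>[pid] @ <module> [<dll>!<export>] <value>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<val>[0-9A-Fa-f]+)$")
# Device \Driver\<name> -> <routine> <device object> <hook address>
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\Driver\\\S+)\s+->\s+(?P<routine>\S+)\s+"
    r"(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$")
# Disk \Device\HarddiskN\DRn <free text>
DISK_RE = re.compile(r"^Disk\s+(?P<device>\\Device\\\S+)\s+(?P<text>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "INFO"
    kind: str
    detail: str


def masquerades(proc_path: str) -> bool:
    """True when a System32-only process name runs from any other directory."""
    name = ntpath.basename(proc_path).lower()
    directory = ntpath.dirname(proc_path).lower().rstrip("\\")
    return name in SYSTEM_ONLY_NAMES and directory not in SYSTEM_DIRS


def triage(lines):
    """Return (findings, iat_counts); iat_counts maps each process path to the
    number of import-table entries GMER listed for it."""
    findings, iat_counts = [], Counter()
    flagged = set()
    hook_targets = defaultdict(list)  # hook address -> device objects using it

    for raw in lines:
        line = raw.strip()
        if m := IAT_RE.match(line):
            proc = m.group("proc")
            iat_counts[proc] += 1
            if proc not in flagged and masquerades(proc):
                flagged.add(proc)
                findings.append(Finding("HIGH", "masquerading-process",
                    f"{ntpath.basename(proc)} (pid {m.group('pid')}) running from "
                    f"{ntpath.dirname(proc)}"))
        elif m := DEVICE_RE.match(line):
            hook_targets[m.group("addr")].append(m.group("device"))
            findings.append(Finding("HIGH", "driver-hook",
                f"{m.group('driver')} {m.group('routine')} for "
                f"{m.group('device')} -> {m.group('addr')}"))
        elif m := DISK_RE.match(line):
            text = m.group("text")
            sev = "HIGH" if "rootkit" in text.lower() else "INFO"
            findings.append(Finding(sev, "disk-sector", f"{m.group('device')}: {text}"))
        # Anything else (section headers, "device not found", blanks) is ignored.

    # DriverStartIo is one field of the driver object, so one address reached
    # from every IDE port is a single hook, not one per port.
    for addr, devices in hook_targets.items():
        if len(devices) > 1:
            findings.append(Finding("INFO", "shared-hook-address",
                f"{addr} serves {len(devices)} device objects (one hook in the driver)"))
    return findings, dict(iat_counts)


def summarize(findings):
    """Count findings per (severity, kind) for a one-glance verdict."""
    return Counter((f.severity, f.kind) for f in findings)


# Sample input: lines copied from the GMER log above, plus one constructed
# benign IAT line (path with a space) and one abridged "device not found" line.
SAMPLE_LOG = r"""
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [GDI32.dll!BitBlt] 1CEC8304
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!DeviceIoControl] CCCCCCCC
IAT C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe[1596] @ C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe [KERNEL32.dll!FreeLibrary] CCCCCCCC
IAT C:\Program Files\Example\app.exe[2000] @ C:\Program Files\Example\app.exe [USER32.dll!GetDC] 7E3690E0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8554639B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP5T0L0-b 8554639B
Device \Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskST3100011A device not found
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
""".strip().splitlines()

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print("IAT entries per process:", counts)
```

Run it as-is to see the verdict on the sample; for a real case, pass the lines of the saved GMER log to `triage()`. The script only reads what GMER already reported: the path of the csrss.exe is the tell on its own, and the shared 8554639B target tells you the atapi hook is one redirection of DriverStartIo rather than six separate patches.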


#2 Mark Of Portland
  • Topic Starter
  • Members
  • 9 posts
  • Local time:05:01 AM

Posted 27 April 2011 - 11:56 AM

Please Help!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 27 April 2011 - 03:31 PM.


#3 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male
  • Local time:08:01 AM

Posted 29 April 2011 - 07:42 AM

Hello and welcome to the forum. :welcome:

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you continue to need our help, please take note of what I have posted below.

  • Please include a clear description of the problems you're having.
  • Please also refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please be patient while I analyze your logs, as you post them.
  • Note also that all of my fixes are checked by higher level forum members before posting.
  • After 5 days if your topic is not replied to, I will assume it has been abandoned and will close it.

I will return momentarily with your first instructions.

Thank you.

DR :thumbup2:

#4 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male
  • Local time:08:01 AM

Posted 30 April 2011 - 07:50 AM

OK Mark Of Portland: :clapping:

Before we start cleaning I need to inform you of what is on your computer and what it could do.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to clean it, let's start with the following.



Let's get rid of this Rootkit first. :thumbup2:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your Desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Thanks.

DR

#5 Mark Of Portland
  • Topic Starter
  • Members
  • 9 posts
  • Local time:05:01 AM

Posted 30 April 2011 - 01:42 PM

Thanks for the reply, been at work the last couple of days so sorry my reply has been slow. It seems that the browser has been 'search jacked'[?] and all the files were hidden on the system drive, "show hidden files" brought back the content (files) of "C:", but the files are still ghosted-clear from the virus hiding them. Any searches and I get redirected to a proxy. That's really all I can detail for you as I am not so understanding of what services have been compromised?

"I would counsel you to disconnect this PC from the Internet immediately."

Done

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Will advise user to do so!

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

I've advised the user on reformatting because of concern that the virus may not be completely removed; as the person uses the PC for financial reasons, the user is going to take your advice and reformat. Yet, before we do, I'm going to get a little virus removal practice, if this is OK with you?

Let's get rid of this Rootkit first. :thumbup2:

* Download TDSSKiller and save it to your Desktop.
* Extract its contents to your Desktop.
* Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
* If an infected file is detected, the default action will be Cure, click on Continue.
* If a suspicious file is detected, the default action will be Skip, click on Continue.
* It may ask you to reboot the computer to complete the process. Click on Reboot Now.
* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

In process... brb

Here's that log from TDSSKiller:

2011/04/30 11:39:55.0515 3500 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/30 11:39:55.0531 3500 ================================================================================
2011/04/30 11:39:55.0531 3500 SystemInfo:
2011/04/30 11:39:55.0531 3500
2011/04/30 11:39:55.0531 3500 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/30 11:39:55.0531 3500 Product type: Workstation
2011/04/30 11:39:55.0531 3500 ComputerName: YOUR-8A28764415
2011/04/30 11:39:55.0531 3500 UserName: Owner
2011/04/30 11:39:55.0531 3500 Windows directory: C:\WINDOWS
2011/04/30 11:39:55.0531 3500 System windows directory: C:\WINDOWS
2011/04/30 11:39:55.0531 3500 Processor architecture: Intel x86
2011/04/30 11:39:55.0531 3500 Number of processors: 1
2011/04/30 11:39:55.0531 3500 Page size: 0x1000
2011/04/30 11:39:55.0531 3500 Boot type: Normal boot
2011/04/30 11:39:55.0531 3500 ================================================================================
2011/04/30 11:39:55.0781 3500 Initialize success
2011/04/30 11:39:57.0875 3520 ================================================================================
2011/04/30 11:39:57.0875 3520 Scan started
2011/04/30 11:39:57.0875 3520 Mode: Manual;
2011/04/30 11:39:57.0875 3520 ================================================================================
2011/04/30 11:39:59.0140 3520 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/30 11:39:59.0375 3520 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/30 11:39:59.0562 3520 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/30 11:39:59.0703 3520 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/30 11:39:59.0921 3520 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/30 11:40:00.0125 3520 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/04/30 11:40:00.0343 3520 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/30 11:40:00.0812 3520 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/30 11:40:01.0343 3520 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/30 11:40:01.0546 3520 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/30 11:40:01.0703 3520 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/30 11:40:01.0875 3520 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/30 11:40:02.0046 3520 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/30 11:40:02.0234 3520 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/30 11:40:02.0453 3520 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/30 11:40:02.0656 3520 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/30 11:40:02.0875 3520 AR5211 (08e03e8ab837dc9dd2737930ecd19fbc) C:\WINDOWS\system32\DRIVERS\WG311T13.sys
2011/04/30 11:40:03.0078 3520 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/30 11:40:03.0281 3520 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/30 11:40:03.0484 3520 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/30 11:40:03.0703 3520 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/04/30 11:40:03.0921 3520 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/30 11:40:04.0125 3520 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/30 11:40:04.0625 3520 ati2mtag (e9375396f55b58c2042c7c9844d297e3) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/30 11:40:04.0843 3520 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/30 11:40:05.0046 3520 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/30 11:40:05.0234 3520 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/30 11:40:05.0453 3520 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/30 11:40:05.0656 3520 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/30 11:40:05.0875 3520 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/30 11:40:06.0078 3520 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/30 11:40:06.0265 3520 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/30 11:40:06.0484 3520 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/30 11:40:06.0859 3520 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/30 11:40:07.0078 3520 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/30 11:40:07.0296 3520 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/30 11:40:07.0531 3520 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/30 11:40:07.0750 3520 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/30 11:40:07.0968 3520 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/30 11:40:08.0171 3520 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/30 11:40:08.0375 3520 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/30 11:40:08.0593 3520 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/30 11:40:08.0812 3520 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/30 11:40:09.0015 3520 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/30 11:40:09.0250 3520 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/30 11:40:09.0484 3520 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/30 11:40:09.0671 3520 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/30 11:40:09.0875 3520 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/30 11:40:10.0062 3520 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/30 11:40:10.0390 3520 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/30 11:40:10.0625 3520 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/30 11:40:10.0828 3520 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/30 11:40:11.0015 3520 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/30 11:40:11.0234 3520 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/30 11:40:11.0453 3520 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/30 11:40:11.0687 3520 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/30 11:40:11.0906 3520 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/30 11:40:12.0093 3520 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/30 11:40:12.0296 3520 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/30 11:40:12.0531 3520 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/30 11:40:12.0750 3520 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/30 11:40:13.0093 3520 IntcAzAudAddService (2389f12f0ed506176b7c29c8144cea09) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/30 11:40:13.0312 3520 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/30 11:40:13.0515 3520 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/30 11:40:13.0734 3520 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/30 11:40:13.0906 3520 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/30 11:40:14.0109 3520 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/30 11:40:14.0312 3520 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/30 11:40:14.0515 3520 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/30 11:40:14.0750 3520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/30 11:40:14.0953 3520 itchfltr (f905a2e4a3a8db0f8c41d90cf830b4ca) C:\WINDOWS\system32\DRIVERS\itchfltr.sys
2011/04/30 11:40:15.0140 3520 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/30 11:40:15.0343 3520 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/30 11:40:15.0593 3520 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/30 11:40:15.0828 3520 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/30 11:40:16.0203 3520 LCcfltr (2b81de27d63a2de5876eac1bc34ece9b) C:\WINDOWS\system32\Drivers\LCcFltr.Sys
2011/04/30 11:40:16.0406 3520 LHidUsb (826aacb98a2ca5c51e982c748a60d645) C:\WINDOWS\system32\Drivers\LHidUsb.Sys
2011/04/30 11:40:16.0640 3520 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/30 11:40:16.0859 3520 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/30 11:40:17.0046 3520 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/30 11:40:17.0265 3520 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/30 11:40:17.0468 3520 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/30 11:40:17.0703 3520 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/30 11:40:17.0921 3520 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/30 11:40:18.0156 3520 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/30 11:40:18.0375 3520 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/30 11:40:18.0578 3520 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/30 11:40:18.0781 3520 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/30 11:40:18.0953 3520 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/30 11:40:19.0125 3520 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/30 11:40:19.0328 3520 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/30 11:40:19.0546 3520 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2011/04/30 11:40:19.0812 3520 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/30 11:40:20.0015 3520 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/30 11:40:20.0218 3520 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/30 11:40:20.0406 3520 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/30 11:40:20.0625 3520 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/30 11:40:20.0843 3520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/30 11:40:21.0000 3520 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/30 11:40:21.0203 3520 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/30 11:40:21.0421 3520 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/30 11:40:21.0671 3520 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/30 11:40:21.0953 3520 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/30 11:40:22.0187 3520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/30 11:40:22.0375 3520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/30 11:40:22.0593 3520 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/04/30 11:40:22.0859 3520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/30 11:40:23.0046 3520 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/30 11:40:23.0250 3520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/30 11:40:23.0468 3520 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/30 11:40:23.0843 3520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/30 11:40:24.0046 3520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/30 11:40:24.0890 3520 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/30 11:40:25.0109 3520 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/30 11:40:25.0343 3520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/30 11:40:25.0562 3520 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/30 11:40:25.0765 3520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/30 11:40:25.0984 3520 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/30 11:40:26.0171 3520 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/30 11:40:26.0375 3520 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/30 11:40:26.0593 3520 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/30 11:40:26.0781 3520 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/30 11:40:26.0984 3520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/30 11:40:27.0187 3520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/30 11:40:27.0406 3520 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/30 11:40:27.0625 3520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/30 11:40:27.0875 3520 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/30 11:40:28.0062 3520 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/30 11:40:28.0281 3520 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/30 11:40:28.0484 3520 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/30 11:40:28.0703 3520 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/30 11:40:29.0000 3520 RTL8023xp (7988bfe882bcd94199225b5c3482f1bd) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/04/30 11:40:29.0187 3520 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/30 11:40:29.0406 3520 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/30 11:40:29.0609 3520 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/30 11:40:29.0812 3520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/30 11:40:30.0046 3520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/30 11:40:30.0406 3520 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/30 11:40:30.0625 3520 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/30 11:40:30.0812 3520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/30 11:40:31.0046 3520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/30 11:40:31.0250 3520 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/30 11:40:31.0468 3520 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/30 11:40:31.0687 3520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/30 11:40:31.0890 3520 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/30 11:40:32.0078 3520 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/30 11:40:32.0281 3520 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/30 11:40:32.0500 3520 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/30 11:40:32.0703 3520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/30 11:40:32.0984 3520 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/30 11:40:33.0187 3520 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/30 11:40:33.0375 3520 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/30 11:40:33.0562 3520 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/30 11:40:33.0750 3520 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/30 11:40:33.0968 3520 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/30 11:40:34.0171 3520 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/30 11:40:34.0390 3520 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/30 11:40:34.0671 3520 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/30 11:40:34.0875 3520 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/30 11:40:35.0078 3520 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/30 11:40:35.0281 3520 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/30 11:40:35.0468 3520 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/30 11:40:35.0656 3520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/30 11:40:35.0843 3520 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/30 11:40:36.0046 3520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/30 11:40:36.0218 3520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/30 11:40:36.0421 3520 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/30 11:40:36.0656 3520 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/30 11:40:36.0859 3520 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/30 11:40:36.0875 3520 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/30 11:40:37.0109 3520 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/30 11:40:37.0281 3520 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/04/30 11:40:37.0640 3520 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/30 11:40:37.0937 3520 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/04/30 11:40:38.0015 3520 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/30 11:40:38.0015 3520 ================================================================================
2011/04/30 11:40:38.0015 3520 Scan finished
2011/04/30 11:40:38.0015 3520 ================================================================================
2011/04/30 11:40:38.0046 3512 Detected object count: 2
2011/04/30 11:41:09.0453 3512 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/30 11:41:10.0984 3512 Backup copy found, using it..
2011/04/30 11:41:10.0984 3512 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/04/30 11:41:10.0984 3512 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/04/30 11:41:11.0046 3512 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/30 11:41:11.0046 3512 \HardDisk0 - ok
2011/04/30 11:41:11.0046 3512 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/30 11:41:19.0859 3492 Deinitialize success


It did remove[?] 2 trojans; however, after rebooting and opening the browser, I noticed the redirect proxy was still assigned in my browser's options. However, I was not redirected to any nefarious sites like before when I would do a search! All of the files in "C:" are still ghosted from being hidden.

Thank you for helping me on this, what's next?

EDIT: Looked in the directory "C:\WINDOWS\system32\drivers\" and Volsnap.sys still exists!?

Edited by Mark Of Portland, 30 April 2011 - 02:20 PM.


#6 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:01 AM

Posted 01 May 2011 - 06:56 AM

OK, that is good so far. We will address the volsnap.sys file after running ComboFix.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". You might want to check out these two entries:
Wikipedia on Viewpoint Media Player
Clickz article of Viewpoint Media Player

I suggest you remove the program now. Click on Start>Control Panel>Add or Remove Programs and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


I see that you do not have an AV program installed. It looks as though AVG might have been installed at one time.

I want to also mention that AVG has been known to have issues with the running of ComboFix, so please do not install that one, for now.

AVIRA is a nice FREE Anti-Virus program, as is AVAST.

I would recommend you install one of these as soon as ComboFix has finished running.

If you prefer to purchase an AV program, your choices are much more varied.



Now Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable Security Programs

•Double click on ComboFix.exe & follow the prompts.


Posted Image

If running XP, click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Thanks.

DR

#7 Mark Of Portland

Mark Of Portland
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:01 AM

Posted 02 May 2011 - 06:02 PM

After running CF my archive files are no longer ghosted and my FF browser is no longer redirecting via a proxy. Here are the CF results:

ComboFix 11-05-01.02 - Owner 05/02/2011 3:17.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.561 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\rjuLpKAlCJjkc.exe
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\Application Data\dwm.exe
c:\documents and settings\Owner\Application Data\Microsoft\conhost.exe
c:\documents and settings\Owner\Application Data\Sun\vnv4.dll
c:\documents and settings\Owner\WINDOWS
C:\Windows Restore
c:\windows restore\Uninstall Windows Restore.lnk
c:\windows restore\Windows Restore.lnk
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-04-30 19:03 . 2011-05-02 10:21 -------- d-----w- c:\documents and settings\Administrator
2011-04-27 01:24 . 2011-04-27 01:24 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 14:30 . 2011-04-23 14:30 -------- d-----w- c:\windows\system32\LogFiles
2011-04-11 21:54 . 2011-04-11 21:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:51636
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {AE34EA11-B4B5-4E22-B31D-6029780491CF} = 68.87.69.150,68.87.85.102
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e890xllq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51636
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Logitech Utility - Logi_MwX.Exe
HKLM-Run-conhost - c:\documents and settings\Owner\Application Data\Microsoft\conhost.exe
HKU-Default-Run-lpc - rundll32.exec:\documents and settings\Owner\Application Data\Sun\vnv4.dll
HKU-Default-Run-rjuLpKAlCJjkc - c:\documents and settings\All Users\Application Data\rjuLpKAlCJjkc.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 03:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-02 03:34:17
ComboFix-quarantined-files.txt 2011-05-02 10:34
.
Pre-Run: 77,672,128,512 bytes free
Post-Run: 78,764,650,496 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - F316A14C3E968FEA9C1CEDA09AB42825


What's next?

Again, your help is very appreciated!
Mark-
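The ComboFix log above records the same loopback proxy in two places: the IE value `uInternet Settings,ProxyServer = http=127.0.0.1:51636` (ComboFix's shorthand for the HKCU `Internet Settings\ProxyServer` value) and the Firefox `prefs.js` entries `network.proxy.http` / `network.proxy.http_port` in the profile under `Application Data\Mozilla\Firefox\Profiles\`. It also shows `user.js` lines that switch off the mixed-content and insecure-form-submit warnings. The script below is an added example, not part of this thread and not ComboFix's or Firefox's own code; it parses constructed copies of those values (modelled on the log, not the real files) and reports the indicators a helper would look for. The loopback prefixes and the list of warning prefs it checks are its own assumptions.

```python
import re

# Constructed sample, modelled on the Firefox prefs.js / user.js values and the
# IE ProxyServer value that the ComboFix log above reports (not the real files).
SAMPLE_PREFS_JS = """
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 51636);
user_pref("network.proxy.type", 0);
"""
SAMPLE_USER_JS = """
user_pref("network.cookie.cookieBehavior", 0);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_submit_insecure", false);
"""
SAMPLE_IE_PROXY = "http=127.0.0.1:51636"

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')
LOOPBACK = ("127.", "localhost", "::1")          # assumption: what counts as "local"
WARNING_PREFS = ("security.warn_viewing_mixed", "security.warn_submit_insecure")


def parse_prefs(text):
    """Parse user_pref() lines into a dict, converting strings, booleans and ints."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def check_firefox(prefs):
    """Return indicator strings for a loopback proxy and for disabled security warnings."""
    findings = []
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if isinstance(host, str) and host.startswith(LOOPBACK) and port is not None:
        # network.proxy.type 1 = manual proxy (active); 0 = direct connection, so the
        # host/port are leftovers that stay inert until something flips the type back.
        state = "active" if prefs.get("network.proxy.type") == 1 else "inert"
        findings.append(f"loopback HTTP proxy {host}:{port} ({state})")
    for key in WARNING_PREFS:
        if prefs.get(key) is False:
            findings.append(f"security warning disabled: {key}")
    return findings


def check_ie_proxy(value):
    """Flag loopback entries in an IE ProxyServer value such as 'http=127.0.0.1:51636'."""
    findings = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")   # 'http=host:port' or bare 'host:port'
        host, sep, port = hostport.rpartition(":")
        if not sep:                                   # no port given
            host, port = hostport, ""
        if host.startswith(LOOPBACK):
            findings.append(f"loopback proxy for {scheme or 'all protocols'}: {host}:{port}")
    return findings


if __name__ == "__main__":
    ff = {**parse_prefs(SAMPLE_PREFS_JS), **parse_prefs(SAMPLE_USER_JS)}
    for finding in check_firefox(ff) + check_ie_proxy(SAMPLE_IE_PROXY):
        print(finding)
```

On the values in the log the Firefox proxy is reported as inert because `network.proxy.type` is 0, which matches the poster's observation that the redirect had stopped while the host and port were still present; the leftover entries are still worth removing, which is what the helper's CFScript does in the next post. A point-and-click check without the script: the IE value is visible under Internet Options > Connections > LAN settings, and the Firefox ones in about:config.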

#8 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:01 AM

Posted 03 May 2011 - 12:00 PM

Things are looking better! :thumbup2:

I see you still do not have an Anti-Virus. I hope you have installed one since running the scan. Hopefully it is not AVG, as we still need to run CF again.

Did you know also that your Firewall is disabled? You should enable it by going to Start>Control Panel>Security Center>Firewall and select to enable it.

Let's now:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

FCopy::
c:\windows\system32\dllcache\spoolsv.exe | c:\windows\system32\spoolsv.exe

Firefox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e890xllq.default\
FF - prefs.js: network.proxy.http_port - 51636

Save this as CFScript.txt, on your Desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks.

DR
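The `FCopy::` line in the script above restores the missing `spoolsv.exe` from the `dllcache` copy. As an added example (not from this thread, not ComboFix's own logic), the Python below parses the Sigcheck block from the earlier log and applies one way of choosing that source: take the newest file version, and among copies of that version prefer the `dllcache` copy (the cache Windows File Protection restores from), then `ServicePackFiles`. That preference order is the example's own assumption. It also lists versions that appear with more than one hash; in the log, 5.1.2600.6024 has one hash under `$hf_mig$\KB2347290\SP3QFE` (the hotfix QFE branch build) and a different one in `dllcache`, so a hash mismatch between those two is expected rather than a sign of tampering.

```python
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log above; the missing target was
# c:\windows\System32\spoolsv.exe.
SIGCHECK_BLOCK = r"""
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
"""

# [n] date . MD5 . size . . [version] . . path
SIG_RE = re.compile(
    r"^\[\d+\]\s+(\d{4}-\d{2}-\d{2}) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([\d.]+)\] \. \. (.+)$"
)


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts with a comparable version tuple."""
    entries = []
    for line in text.strip().splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        date, md5, size, version, path = m.groups()
        entries.append({
            "date": date,
            "md5": md5.upper(),
            "size": int(size),
            "version": tuple(int(p) for p in version.split(".")),
            "path": path,
        })
    return entries


def hash_conflicts(entries):
    """Versions that appear with more than one MD5 (e.g. GDR vs QFE builds)."""
    by_version = defaultdict(set)
    for e in entries:
        by_version[e["version"]].add(e["md5"])
    return sorted(v for v, hashes in by_version.items() if len(hashes) > 1)


def pick_restore_source(entries):
    """Newest version wins; among equals prefer dllcache, then ServicePackFiles (assumed order)."""
    newest = max(e["version"] for e in entries)
    candidates = [e for e in entries if e["version"] == newest]

    def rank(e):
        p = e["path"].lower()
        if "\\dllcache\\" in p:
            return 0
        if "\\servicepackfiles\\" in p:
            return 1
        return 2

    return min(candidates, key=rank)["path"]


if __name__ == "__main__":
    found = parse_sigcheck(SIGCHECK_BLOCK)
    print("restore from:", pick_restore_source(found))
    print("versions with more than one hash:", hash_conflicts(found))
```

The script only reasons over what Sigcheck printed; it does not check signatures itself. The confirmation that the copy landed is in the next log, where `c:\windows\system32\spoolsv.exe` appears in the Files Created section with the same 58880-byte size and 2010-08-17 timestamp as the `dllcache` source.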

#9 Mark Of Portland

Mark Of Portland
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:01 AM

Posted 03 May 2011 - 01:29 PM

I see you still do not have an Anti-Virus.

I don't have the infected PC connected to the net; I've been getting all downloads through a VM via a USB on my main PC. This way I'm not using the USB stick on my main OS. I then transfer the USB content to the infected PC. After you and your colleagues say we are finished, and before I allow it back on the net, I will get one of the recommended AV suites. If it is a must that I get an AV right now for getting you logs/readings, then I'll do that!

Did you know also that your Firewall is disabled?

Yes

Let's now:

BRB...

ComboFix 11-05-02.04 - Owner 05/03/2011 12:13:18.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.611 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-03 18:57 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2011-05-03 18:57 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
2011-04-30 19:03 . 2011-05-02 10:21 -------- d-----w- c:\documents and settings\Administrator
2011-04-27 01:24 . 2011-04-27 01:24 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 14:30 . 2011-04-23 14:30 -------- d-----w- c:\windows\system32\LogFiles
2011-04-11 21:54 . 2011-04-11 21:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-26 18:01 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-26 16:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-26 16:12 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-26 16:11 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-26 16:12 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-26 16:12 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-11-20 21:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-26 16:11 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-26 16:12 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-26 16:11 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-26 16:11 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-02_10.29.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 16:12 . 2011-05-03 18:38 71642 c:\windows\system32\perfc009.dat
+ 2004-08-26 16:12 . 2011-02-22 23:06 66560 c:\windows\system32\mshtmled.dll
- 2004-08-26 16:12 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
+ 2007-08-14 02:54 . 2011-02-22 23:06 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 02:54 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-26 16:11 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-26 16:11 . 2011-02-22 23:06 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-26 16:11 . 2009-04-20 17:17 45568 c:\windows\system32\dnsrslvr.dll
- 2004-08-26 16:11 . 2008-04-14 00:11 45568 c:\windows\system32\dnsrslvr.dll
+ 2009-11-20 22:58 . 2011-02-22 23:06 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2011-05-03 18:38 . 2011-05-03 18:38 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2007-10-27 21:49 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
+ 2007-08-14 02:54 . 2011-02-22 23:06 11080704 c:\windows\system32\ieframe.dll
- 2007-08-14 02:54 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
- 2007-11-23 19:41 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2007-11-23 19:41 . 2011-02-22 23:06 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-02-24 16:38 . 2011-02-24 16:38 10984448 c:\windows\Installer\3decd.msp
+ 2011-02-12 03:47 . 2011-02-12 03:47 12028928 c:\windows\Installer\3dea7.msp
+ 2011-05-03 18:42 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2497640-IE8\ieframe.dll
+ 2011-05-03 18:45 . 2011-05-03 18:45 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ed2bf0d86229128c194a872f70fe15ee\System.Windows.Forms.ni.dll
+ 2011-05-03 18:44 . 2011-05-03 18:44 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\5aeadb9ff9a86f49130de5976a9f1744\System.Design.ni.dll
+ 2011-05-03 18:42 . 2011-05-03 18:42 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\1a5d89d569e2e12842daf4d87c57361a\PresentationFramework.ni.dll
+ 2011-05-03 18:41 . 2011-05-03 18:41 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\46c57d845e55232a89e98101075cd455\PresentationCore.ni.dll
+ 2011-05-03 18:39 . 2011-05-03 18:39 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62d5f089dd51f18472a7caf1593d9f6b\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:51636
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {AE34EA11-B4B5-4E22-B31D-6029780491CF} = 68.87.69.150,68.87.85.102
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AtiExtEvent - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 12:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(772)
c:\windows\system32\WININET.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-05-03 12:19:43
ComboFix-quarantined-files.txt 2011-05-03 19:19
ComboFix2.txt 2011-05-02 10:34
.
Pre-Run: 78,673,567,744 bytes free
Post-Run: 78,674,395,136 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 723DAD137013E4D65D24A68408F137E3




#10 rigacci

Posted 03 May 2011 - 06:05 PM

OK Mark of Portland:

Things look pretty good. :thumbup2:

These next instructions may require that you connect to the internet in order to download these programs/updates. It might be a good time to choose an anti-virus.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Please go to Start>Run and type in Notepad and then hit OK.

Copy and paste the following into Notepad:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
"ProxyEnable"=dword:00000000

Click File, click Save As, and then type Proxy.reg.
In the Save As Type Box, click All files.

In the Save in box, click Desktop and then click Save
On the File Menu, click Exit
Double-click the Proxy.reg file and allow it to merge the data.



You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

    Please download the latest version from:
    http://get.adobe.com/reader/download/

    And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


    You may also try the free Foxit PDF reader if you prefer:
    http://www.foxitsoftware.com/pdf/reader/


    Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • This page should check your installed version and determine if you need an update.
  • Look for "JDK 6 Update 25 (JDK or JRE)" (may not be necessary if it does it automatically).
  • Click the "Download JRE".
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Let's clean out your temp folders and files.
  • Download TFC to your Desktop
  • Close any open windows and then Double-click on TFC to allow it to run.
  • Make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.



I'd like you to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


And please tell me how your computer is running at the moment.

Thanks.

DR
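
The Supplementary Scan lines in the ComboFix log above are where this hijack shows itself: a per-user ProxyServer pointing at 127.0.0.1 on a high port (every web request the browser makes goes through whatever process listens there, which is how search results get rewritten), and a start page on a domain nobody chose. The script below is an added triage example, not part of this thread, of ComboFix, or of the helper's fix: it parses those lines and flags the two indicators. The sample lines are copied from the posted log, and the EXPECTED_HOSTS allow-list of vendor-default home/search hosts is my assumption, not something ComboFix provides.

```python
"""Triage of the browser-hijack indicators ComboFix prints under "Supplementary Scan".

Added example, not part of the thread or of ComboFix.  SAMPLE is copied from
the log posted above; EXPECTED_HOSTS is an assumed allow-list of vendor
default home/search hosts and is not something ComboFix supplies.
"""
import ipaddress
from urllib.parse import urlparse

# Lines lifted from the posted log's "Supplementary Scan" section (constructed sample).
# ComboFix prefixes per-user (HKCU) entries with 'u' and machine-wide (HKLM) ones with 'm',
# and defangs URL schemes as 'hxxp'.
SAMPLE = """\
uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:51636
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {AE34EA11-B4B5-4E22-B31D-6029780491CF} = 68.87.69.150,68.87.85.102
"""

# Registered domains a vendor-default home page or search URL is expected to live on (assumption).
EXPECTED_HOSTS = {"google.com", "yahoo.com", "msn.com", "bing.com", "live.com", "microsoft.com"}


def parse(text):
    """Yield (key, value) pairs; ComboFix separates them with ' = '."""
    for line in text.splitlines():
        if " = " in line:
            key, _, value = line.partition(" = ")
            yield key.strip(), value.strip()


def registered_domain(host):
    """'us.rd.yahoo.com' -> 'yahoo.com' (good enough for the vendor hosts above)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def proxy_entries(value):
    """Split an IE ProxyServer value into [(scheme, host, port)].

    Accepts both the per-protocol form 'http=127.0.0.1:51636;https=...' and a
    bare 'host:port' that applies to every protocol (scheme '*')."""
    out = []
    for entry in filter(None, value.split(";")):
        scheme, hostport = ("*", entry) if "=" not in entry else entry.split("=", 1)
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        out.append((scheme, host.strip("[]"), int(port) if port.isdigit() else None))
    return out


def is_loopback(host):
    """True for 'localhost' or any address in the loopback range."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a DNS name other than localhost
        return False


def analyze(text):
    """Return [(severity, key, message)] for the indicators worth a human look."""
    findings = []
    for key, value in parse(text):
        if key.endswith("ProxyServer"):
            for scheme, host, port in proxy_entries(value):
                if is_loopback(host):
                    findings.append(("high", key,
                        f"{scheme} traffic is routed through a proxy on this machine (port {port}); "
                        f"whatever listens there sits in the middle of every web request"))
        elif "Start Page" in key or "Search" in key:
            host = urlparse(value.replace("hxxp", "http", 1)).hostname or ""
            if host and registered_domain(host) not in EXPECTED_HOSTS:
                findings.append(("high", key, f"points at {host}, which is not a vendor default"))
        elif key.startswith("TCP:"):
            findings.append(("info", key, f"DNS servers configured on this adapter: {value}"))
    return findings


if __name__ == "__main__":
    for severity, key, message in analyze(SAMPLE):
        print(f"[{severity:4}] {key}: {message}")
```

A loopback proxy is not proof of malware on its own: some anti-virus web shields and filtering products insert one legitimately, so before merging the Proxy.reg above, confirm which process owns the listening port (TCPView, or netstat -ano followed by tasklist /FI "PID eq <pid>"). The .reg file only clears the HKCU value; the original post says the proxy re-enables itself after a reboot, so if the value comes back after the fix, something on the machine is still writing it and the cleanup is not finished.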

#11 Mark Of Portland (Topic Starter)

Posted 04 May 2011 - 11:31 AM

I no longer see the proxy trying to load when I load the browser. I do not get redirected during searches. The machine is still a little slow, but I think that might be the age of the architecture. My CPU is no longer running at 90% continuously.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinPalevo1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinPalevo3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rjuLpKAlCJjkc.exe.vir a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\dwm.exe.vir a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\vnv4.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CO worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0149529.exe a variant of Win32/Kryptik.MIA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0151628.exe a variant of Win32/Kryptik.MNO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0152613.exe a variant of Win32/Kryptik.MPX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153888.exe a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153890.exe a variant of Win32/Kryptik.MNO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153898.exe a variant of Win32/Kryptik.NBX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154069.exe a variant of Win32/Kryptik.NBX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154210.exe Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154258.exe a variant of Win32/Kryptik.MPX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154259.exe a variant of Win32/Kryptik.NCW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154287.exe a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154288.exe a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154289.exe a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154290.dll a variant of Win32/AutoRun.Spy.Ambler.CO worm cleaned by deleting - quarantined


What next?

Your help is much appreciated,
Mark-
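
The ESET list above, grouped by where each hit was actually found, as an added triage example that is not part of the thread or of ESET's output. The sample is the 22 lines posted above; the folder rules in classify() are my assumptions about where Spybot S&D and ComboFix keep their quarantines and where Windows XP keeps restore points.

```python
"""Triage of an ESET Online Scanner result list by where each detection lived.

Added example, not part of the thread or of ESET.  SAMPLE is the list posted
above; the folder rules in classify() are assumptions about where the tools
used in this thread keep their quarantines."""
import re
from collections import Counter

# The 22 result lines posted above (constructed sample; raw string, so backslashes are literal).
SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinPalevo1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinPalevo3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rjuLpKAlCJjkc.exe.vir a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\dwm.exe.vir a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\vnv4.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CO worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0149529.exe a variant of Win32/Kryptik.MIA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0151628.exe a variant of Win32/Kryptik.MNO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0152613.exe a variant of Win32/Kryptik.MPX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153888.exe a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153890.exe a variant of Win32/Kryptik.MNO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0153898.exe a variant of Win32/Kryptik.NBX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154069.exe a variant of Win32/Kryptik.NBX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154210.exe Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154258.exe a variant of Win32/Kryptik.MPX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154259.exe a variant of Win32/Kryptik.NCW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154287.exe a variant of Win32/Kryptik.MIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154288.exe a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154289.exe a variant of Win32/Kryptik.NFX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1176\A0154290.dll a variant of Win32/AutoRun.Spy.Ambler.CO worm cleaned by deleting - quarantined
"""

# <path> [probably ][a variant of ]<Platform/Name.Variant> [<kind>] <action>
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:probably )?(?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9_.-]+)"
    r"(?:\s+(?P<kind>trojan|worm|virus|application|adware|backdoor))?"
    r"\s+(?P<action>.+)$"
)


def classify(path):
    """Map a path to the container it was found in; 'live' means the running file system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "spybot quarantine"
    return "live"


def parse_eset(text):
    """Turn the result lines into dicts; raise on a line the pattern does not understand."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line}")
        hits.append({
            "path": m["path"],
            "name": m["name"],
            "family": m["name"].split(".")[0],   # Win32/Kryptik.MIS -> Win32/Kryptik
            "kind": m["kind"] or "unknown",
            "action": m["action"],
            "where": classify(m["path"]),
        })
    return hits


def summarize(hits):
    """Counts by location and family, plus the hits that still need attention."""
    return {
        "by_location": Counter(h["where"] for h in hits),
        "by_family": Counter(h["family"] for h in hits),
        # Live files, or hits ESET could not quarantine, mean the machine is not clean yet.
        "live": [h["path"] for h in hits if h["where"] == "live"],
        "not_quarantined": [h["path"] for h in hits if "quarantined" not in h["action"]],
    }


if __name__ == "__main__":
    s = summarize(parse_eset(SAMPLE))
    for where, n in s["by_location"].most_common():
        print(f"{n:3} in {where}")
    print("live files needing attention:", s["live"] or "none")
```

Run against the posted list, all 22 hits sit in a quarantine container (4 in Spybot's Recovery folder, 4 in ComboFix's C:\Qoobox) or in a single System Restore point (14), none is on the live file system, and every one was quarantined. That is the picture behind the helper's later remark that the leftover files are not a problem: a detection inside a restore point is inert until someone restores that point, which is why the cleanup steps later in the thread cycle System Restore off and on, and ComboFix /uninstall removes C:\Qoobox. Anything the script lists under "live" or "not_quarantined" would be the opposite situation and would call for another round of scanning rather than cleanup.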

#12 Mark Of Portland (Topic Starter)

Posted 06 May 2011 - 02:32 PM

I've found some garbage in my C: drive, things like AUDIT_INSTALL_IN_PROGRESS, IPH.PH and net_save.dna. Then C:\Qoobox\Quarantine has files in it. What should be done with all these files?

Thanks,
Mark



#13 rigacci

Posted 06 May 2011 - 02:35 PM
Sorry for the delay Mark. I will get back to you asap.

Those files are not any problem. We are very close to finishing I believe.

Thanks.

DR

#14 rigacci

Posted 07 May 2011 - 06:51 AM

Sorry for the delay Mark of Portland. I got wrapped up in a couple of emergencies.

So now it is time to do some Cleanup.


  • Turn System Restore off
  • On the Desktop, right click on the My Computer icon.
  • Left Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart
  • Turn System Restore on
  • On the Desktop, right click on the My Computer icon.
  • Click Properties.
  • Click the System Restore tab.
  • Uncheck *Turn off System Restore*.
  • Click Apply, and then click OK.
Note: only do this once, and not on a regular basis



Click START then RUN.
Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.


=======Next==========

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the Posted Image icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.




Please read the following, in order to prevent reinfecting your PC:

1. Install and update the following programs regularly:
  • an outbound firewall
    A comprehensive tutorial and a list of possible firewalls can be found here.
  • an AntiVirus Software
    It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • an Anti-Spyware program
    Malwarebytes' Anti-Malware
    is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident shield and do not nag if you purchase the paid versions.
  • Spyware Blaster
    A tutorial for Spywareblaster can be found here. The commercial version provides automatic updating.
  • MVPs hosts file
    A tutorial for MVPs hosts file can be found here. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
2. Keep Windows (and your other Microsoft software) up to date!
This is EXTREMELY important. Holes are often found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

3. Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure.

4. Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead.

I hope this experience has been insightful and that you stay clean.

Thanks.

DR


#15 Mark Of Portland (Topic Starter)

Posted 07 May 2011 - 04:51 PM

The above has been done. What next?

Thank you for all your help! If I notice anything odd, I'll post up about it in the form of a question. I've installed Avast and am now looking for an outbound firewall per your suggestions. I'm using TCPView and cannot find any redirects via proxies, as was the issue before.

Again, your help has been much appreciated, and this will make a fine addition to a Mother's Day present.

Thank you,
Mark-
