Virus Rootkit.Win32.TDSS.d [Solved/Closed]

Posted Mar 31, 2010 at 04:23 PM - Latest reply: moderator, Sep 14, 2010 at 04:32 PM

My Kaspersky antivirus found this virus and tried twice to remove it; it restarted the computer twice, but still no change and the virus is still here. By the way, I read about that virus and someone posted about a tool from Kaspersky, a "rescue disk" or something; I have that tool but don't know what I have to do.

I read about that virus on the wiki and I am pretty scared about what it can do to my system. Please help me, thanks.

31 replies

Best answer
Moderator - Mar 31, 2010 at 04:45 PM
Hello,

With all due respect, you certainly do not need the Kaspersky rescue disk or anything of that nature.

A rootkit is much more malign than Kaspersky.

1. Please download ComboFix to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before you run ComboFix, please:

2. Close all open windows, including this one.

3. Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

4. Disconnect your modem.

5. Double click on the Combofix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

6. Agree with the disclaimer and the creation of the recovery.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

At the end of the scan a log will be saved in: C:\ComboFix.txt

Tell me how your system is performing.

Please do give me your feedback.

Thank you

Ambucias

Original poster - Apr 1, 2010 at 02:54 AM
ComboFix 10-03-29.04 - Administrator 01.04.2010 9:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.1023.703 [GMT 2:00]
Running from: c:\documents and settings\Administrator.ORG-3E4926DA8B3\My Documents\Preuzimanja\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DIRECT.TMP
c:\documents and settings\Administrator.KORISNIK-69A197\real.txt
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Desktopicon
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Desktopicon\eBay.ico
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Desktopicon\uninst.exe
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Temporary Internet Files\4rD8UCrg.jpg
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Temporary Internet Files\5oSOpa8.jpg
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Temporary Internet Files\jp8xc2.jpg
c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Temporary Internet Files\p8uUw.jpg
c:\documents and settings\Administrator\Application Data\Install.dat
c:\documents and settings\All Users.WINDOWS.\documents\settings
C:\install.exe
c:\recycler\S-1-5-21-1935655697-963894560-839522115-500
c:\recycler\S-1-5-21-1960408961-527237240-725345543-500
c:\recycler\Sysprint
C:\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-03-31 19:50 . 2010-03-31 19:50 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-03-31 19:46 . 2010-03-31 20:00 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-31 19:46 . 2010-03-31 20:00 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-31 19:44 . 2010-04-01 07:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2010-03-31 19:44 . 2010-03-31 19:44 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-31 19:42 . 2010-03-31 19:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2010-03-31 12:14 . 2010-03-31 12:14 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Malwarebytes
2010-03-31 12:13 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 12:13 . 2010-03-31 12:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-03-31 12:13 . 2010-03-29 13:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 12:13 . 2010-03-31 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 11:55 . 2010-03-31 11:55 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Application Data\Conduit
2010-03-31 11:55 . 2010-03-31 12:39 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Application Data\ToggleEN
2010-03-31 11:55 . 2010-03-31 11:55 -------- d-----w- c:\program files\Conduit
2010-03-31 11:55 . 2010-03-31 19:06 -------- d-----w- c:\program files\ToggleEN
2010-03-30 17:37 . 2010-03-31 11:56 195584 --sha-w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Application Data\3771543548.dll
2010-03-30 16:41 . 2010-03-30 16:41 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\GrabPro
2010-03-27 14:34 . 2010-03-27 14:35 -------- d-----w- c:\program files\Unlocker
2010-03-18 07:51 . 2010-03-18 07:51 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Apple
2010-03-11 10:26 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-10 09:58 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 07:38 . 2009-12-16 18:49 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Skype
2010-03-31 20:02 . 2010-03-31 20:02 932368 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-03-31 20:02 . 2010-03-31 20:02 678416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-03-31 20:02 . 2010-03-31 20:02 604688 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-03-31 20:02 . 2010-03-31 20:02 1096208 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-03-31 20:02 . 2010-03-31 20:02 522768 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-03-31 20:00 . 2009-05-24 13:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-03-31 20:00 . 2010-03-31 20:00 80400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-03-31 20:00 . 2010-03-31 20:00 80400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-03-31 20:00 . 2010-03-31 20:00 296976 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2010-03-31 20:00 . 2010-03-31 20:00 264720 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-03-31 20:00 . 2010-03-31 20:00 128016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-03-31 20:00 . 2010-03-31 20:00 59920 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-03-31 20:00 . 2010-03-31 20:00 264720 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-03-31 20:00 . 2010-03-31 20:00 109072 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-03-31 20:00 . 2010-03-31 20:00 296976 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2010-03-31 20:00 . 2010-03-31 20:00 128016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-03-31 12:39 . 2009-09-05 15:40 -------- d-----w- c:\program files\Orbitdownloader
2010-03-31 11:40 . 2009-09-05 15:40 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Orbit
2010-03-29 13:23 . 2010-02-11 19:44 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Apple Computer
2010-03-11 08:40 . 2009-08-10 10:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-03-10 11:06 . 2009-11-09 13:45 -------- d-----w- c:\program files\Help
2010-02-12 23:02 . 2009-12-16 18:50 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\skypePM
2010-02-11 19:47 . 2010-02-11 19:47 77060 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-11 19:43 . 2010-02-11 19:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-11 19:43 . 2009-02-04 18:28 -------- d-----w- c:\program files\iTunes
2010-02-11 19:42 . 2009-02-04 18:28 -------- d-----w- c:\program files\iPod
2010-02-11 19:42 . 2010-02-11 19:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-02-11 19:41 . 2009-02-04 18:26 -------- d-----w- c:\program files\Bonjour
2010-02-11 19:40 . 2007-04-21 12:17 -------- d-----w- c:\program files\QuickTime
2010-02-11 19:35 . 2010-02-11 19:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-02-11 19:35 . 2008-05-10 19:00 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 21:51 . 2010-02-08 21:51 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Arario
2010-02-08 21:45 . 2010-02-08 21:45 -------- d-----w- c:\program files\Arario
2010-02-06 19:32 . 2009-12-16 18:32 -------- d-----w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\GSC 2.00
2010-01-22 18:51 . 2010-01-22 18:51 72488 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-20 10:13 . 2010-03-31 11:56 52224 ----a-w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\FFExternalAlert.dll
2010-01-20 10:13 . 2010-03-31 11:56 101376 ----a-w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\RadioWMPCore.dll
2010-01-07 00:38 . 2010-01-07 00:38 2367488 ----a-w- c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Arario\crossfire\AraGameLauncher2.exe
2010-01-05 09:57 . 2007-03-21 10:10 841216 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2007-03-21 10:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2007-03-21 10:11 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-09 13:46 . 2009-11-09 13:46 89 ----a-w- c:\program files\identity.ini
2005-03-09 02:24 . 2005-03-09 02:24 8624248 ----a-w- c:\program files\acad.exe
2005-03-05 15:48 . 2005-03-05 15:48 795768 ----a-w- c:\program files\acadficn.dll
2005-03-05 15:18 . 2005-03-05 15:18 3068024 ----a-w- c:\program files\axdb16.dll
2005-03-05 15:18 . 2005-03-05 15:18 22648 ----a-w- c:\program files\acurlutl16.dll
2005-03-05 15:08 . 2005-03-05 15:08 140408 ----a-w- c:\program files\tmptbl.dll
2005-03-05 15:08 . 2005-03-05 15:08 861304 ----a-w- c:\program files\sqleng.dll
2005-03-05 15:08 . 2005-03-05 15:08 590968 ----a-w- c:\program files\sqldata.dll
2005-03-05 15:08 . 2005-03-05 15:08 492664 ----a-w- c:\program files\csp16.dll
2005-03-05 15:08 . 2005-03-05 15:08 1176696 ----a-w- c:\program files\ase.arx
2005-03-05 15:08 . 2005-03-05 15:08 132216 ----a-w- c:\program files\aclbed.dll
2005-03-05 14:59 . 2005-03-05 14:59 119928 ----a-w- c:\program files\WSCommCntrUI1Res.dll
2005-03-05 14:59 . 2005-03-05 14:59 18552 ----a-w- c:\program files\WSCommCntrAcConRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 8824 ----a-w- c:\program files\whohasRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 233592 ----a-w- c:\program files\vlmsg.dll
2005-03-05 14:59 . 2005-03-05 14:59 36984 ----a-w- c:\program files\vldlg.dll
2005-03-05 14:59 . 2005-03-05 14:59 488568 ----a-w- c:\program files\vlaboutRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 686712 ----a-w- c:\program files\vl.arx
2005-03-05 14:59 . 2005-03-05 14:59 33912 ----a-w- c:\program files\unitsRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 25720 ----a-w- c:\program files\textfindRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 8824 ----a-w- c:\program files\texteditRes.dll
2005-03-05 14:59 . 2005-03-05 14:59 238712 ----a-w- c:\program files\styshwizRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 164984 ----a-w- c:\program files\pc3EditRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 8312 ----a-w- c:\program files\passwordUIRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 38008 ----a-w- c:\program files\LaytransRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 24184 ----a-w- c:\program files\HPSETUPRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 9336 ----a-w- c:\program files\hideRes.dll
2005-03-05 14:57 . 2005-03-05 14:57 1139832 ----a-w- c:\program files\heidi8.dll
2005-03-05 14:57 . 2005-03-05 14:57 25208 ----a-w- c:\program files\hcreg8Res.dll
2005-03-05 14:57 . 2005-03-05 14:57 87160 ----a-w- c:\program files\GsTest.arx
2005-03-05 14:57 . 2005-03-05 14:57 113272 ----a-w- c:\program files\gridres.dll
2005-03-05 14:56 . 2005-03-05 14:56 22648 ----a-w- c:\program files\fontcapres.dll
2005-03-05 14:56 . 2005-03-05 14:56 47736 ----a-w- c:\program files\erren.dll
2005-03-05 14:56 . 2005-03-05 14:56 47736 ----a-w- c:\program files\errenu.dll
2005-03-05 14:56 . 2005-03-05 14:56 18040 ----a-w- c:\program files\EregRes.dll
2005-03-05 14:56 . 2005-03-05 14:56 345208 ----a-w- c:\program files\DwgCheckStandardsRes.dll
2005-03-05 14:56 . 2005-03-05 14:56 201848 ----a-w- c:\program files\dwgaidsRes.dll
2005-03-05 14:56 . 2005-03-05 14:56 22648 ----a-w- c:\program files\dswhipRes.dll
2005-03-05 14:56 . 2005-03-05 14:56 175736 ----a-w- c:\program files\dlint8.dll
2005-03-05 14:56 . 2005-03-05 14:56 10360 ----a-w- c:\program files\coreerr.dll
2005-03-05 14:56 . 2005-03-05 14:56 31864 ----a-w- c:\program files\colorRes.dll
2005-03-05 14:56 . 2005-03-05 14:56 22136 ----a-w- c:\program files\BzPSLang.dll
2005-03-05 14:56 . 2005-03-05 14:56 38008 ----a-w- c:\program files\BattmanRes.dll
2005-03-05 14:54 . 2005-03-05 14:54 42104 ----a-w- c:\program files\AcVpPlaceRes.dll
2005-03-05 14:53 . 2005-03-05 14:53 197752 ----a-w- c:\program files\AcSignAppRes.dll
2005-03-05 14:52 . 2005-03-05 14:52 91256 ----a-w- c:\program files\acmtedRes.dll
2005-03-05 14:51 . 2005-03-05 14:51 25720 ----a-w- c:\program files\AcEAtteditRes.dll
2005-03-05 14:50 . 2005-03-05 14:50 7800 ----a-w- c:\program files\AcDblClkEditRes.dll
2005-03-05 14:27 . 2005-03-05 14:27 140408 ----a-w- c:\program files\WSCommCntrUI1.dll
2005-03-05 14:27 . 2005-03-05 14:27 74872 ----a-w- c:\program files\WSCommCntrAcCon.arx
2005-03-05 14:27 . 2005-03-05 14:27 30840 ----a-w- c:\program files\whohas.arx
2005-03-05 14:27 . 2005-03-05 14:27 27256 ----a-w- c:\program files\vlres.dll
2005-03-05 14:27 . 2005-03-05 14:27 73848 ----a-w- c:\program files\vlreac.dll
2005-03-05 14:27 . 2005-03-05 14:27 1145976 ----a-w- c:\program files\vllib.dll
2005-03-05 14:26 . 2005-03-05 14:26 326264 ----a-w- c:\program files\vlide.dll
2005-03-05 14:26 . 2005-03-05 14:26 118392 ----a-w- c:\program files\vlcom.dll
2005-03-05 14:26 . 2005-03-05 14:26 24696 ----a-w- c:\program files\vlabout.dll
2005-03-05 14:26 . 2005-03-05 14:26 46712 ----a-w- c:\program files\userdata.dll
2009-11-18 07:50 . 2009-11-17 21:57 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2009-12-31 09:53 2349080 ----a-w- c:\program files\ToggleEN\tbTogg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 13:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-08-06 279944]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 1552384]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2010-01-05 124928]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15.12.2008 20:41 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13.5.2009 17:46 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16.5.2009 20:59 19472]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [31.10.2006 11:10 35840]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva310;XDva310;\??\c:\windows\system32\XDva310.sys --> c:\windows\system32\XDva310.sys [?]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 XDva321;XDva321;\??\c:\windows\system32\XDva321.sys --> c:\windows\system32\XDva321.sys [?]
S3 XDva323;XDva323;\??\c:\windows\system32\XDva323.sys --> c:\windows\system32\XDva323.sys [?]
S3 XDva327;XDva327;\??\c:\windows\system32\XDva327.sys --> c:\windows\system32\XDva327.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva342;XDva342;\??\c:\windows\system32\XDva342.sys --> c:\windows\system32\XDva342.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2077543
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {C301D356-0E81-4062-AA3C-638C18ACCEF3} = 195.29.150.3,195.29.150.4
TCP: {FB2A725C-E94C-472F-A11B-BCB8D329DBA0} = 195.29.150.3,195.29.150.4
FF - ProfilePath - c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ToggleEN Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.hr
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&q=
FF - component: c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Mozilla\Firefox\Profiles\k5t0mzjz.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\RadioWMPCore.dll
FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Administrator.ORG-3E4926DA8B3\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\NexonEU\NGM\npNxGameeu.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-muuux - c:\documents and settings\Administrator.ORG-3E4926DA8B3\muuux.exe
AddRemove-eBay Icon - c:\documents and settings\Administrator.ORG-3E4926DA8B3\Application Data\Desktopicon\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 09:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2700)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-01 09:47:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 07:47

Pre-Run: 28.622.643.200 bytes free
Post-Run: 29.768.261.632 bytes free

- - End Of File - - 644B849D8C26EB6A962A0077234AEA5D
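A small triage helper for ComboFix logs in the format posted above, added here as an example (it is not ComboFix's or the thread's own code). SAMPLE_LOG is a constructed excerpt that mirrors a few lines of the posted log, and the severity rules are heuristics chosen for this example: the in-place driver infection ComboFix reported (TDSS/TDL3 is known to patch a legitimate driver such as atapi.sys), hidden+system files with all-digit names in the user profile, and orphaned Run values.

```python
"""Triage helper for a ComboFix log in the format posted in this thread.
Added example, not ComboFix's own code; SAMPLE_LOG is a constructed excerpt
and the severity rules are heuristics chosen for this example."""
import re
from dataclasses import dataclass

# ComboFix section banners: "(((( name ))))", "---- name ----", "- - - - name - - - -".
SECTION_RES = [
    re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$"),
    re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$"),
    re.compile(r"^(?:- ){3,}(.+?)(?: -){3,}$"),
]
# File entry: "created . modified size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(\d+|-+) ([-a-z]{8}) (.+)$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
ORPHAN_RUN_RE = re.compile(r"^(HKCU|HKLM)-Run-(.+?) - (.+)$")

# Constructed excerpt mirroring lines of the posted log (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.
2010-03-31 19:50 . 2010-03-31 19:50 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-03-31 19:44 . 2010-03-31 19:44 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-30 17:37 . 2010-03-31 11:56 195584 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\3771543548.dll
2010-03-11 10:26 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-muuux - c:\documents and settings\Administrator\muuux.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    section: str    # log section the line came from
    detail: str     # path or registry value
    why: str        # one-line reason for the analyst


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]} using its banner lines."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        match = next((rx.match(line) for rx in SECTION_RES if rx.match(line)), None)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return findings worth an analyst's attention, in log order."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            if m := INFECTED_RE.match(line):
                findings.append(Finding("high", section, m.group(1),
                    "a system driver was patched in place; TDSS/TDL3 persists by "
                    "infecting a legitimate driver such as atapi.sys"))
            elif m := FILE_RE.match(line):
                attrs, path = m.group(4), m.group(5)
                if attrs.startswith("d") or not ("h" in attrs and "s" in attrs):
                    continue  # directories and ordinary files are not interesting here
                base = path.rsplit("\\", 1)[-1]
                if re.fullmatch(r"\d+\.dll", base, re.I) and "documents and settings" in path.lower():
                    findings.append(Finding("high", section, path,
                        "hidden+system DLL with an all-digit name under a user profile"))
                else:
                    findings.append(Finding("review", section, path,
                        "hidden+system file; confirm it belongs to installed software"))
            elif m := ORPHAN_RUN_RE.match(line):
                findings.append(Finding("high", section, m.group(3),
                    f"{m.group(1)} Run value '{m.group(2)}' pointed at a file that no "
                    "longer exists; typical leftover of a removed dropper"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}\n         {f.why}")
```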
Reply - Jun 19, 2010 at 03:41 PM
Many thanks for this, my friend! Your advice has saved me at least the cost of a £30 re-install!

Worked fine, thanks, but for those with Kaspersky you will still see it (the virus) as a threat until you 'Disinfect' (POSSIBLE NOW).

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 16:51 . 2010-06-19 16:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-19 16:37 . 2010-06-19 16:37 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-17 20:11 . 2010-06-17 20:12 -------- d-----w- c:\program files\CleanUp!
2010-06-17 19:43 . 2010-06-17 19:54 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-16 14:36 . 2010-06-16 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-06-15 22:11 . 2010-06-17 21:10 -------- d-----w- c:\windows\Downloaded Program Files
2010-06-15 15:22 . 2010-06-15 17:28 -------- d-----w- c:\program files\Pothos
2010-06-12 14:14 . 2006-03-04 17:47 262144 ----a-w- c:\program files\unst0_0.exe
2010-06-12 13:40 . 2010-06-12 14:24 -------- d-----w- c:\program files\Uninstall Plus v4.1
2010-06-12 04:12 . 2003-06-25 15:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-06-12 03:58 . 2010-06-12 03:58 -------- d-----w- c:\windows\CD95F661A5C444F5A6AAECDD91C240BD.TMP
2010-06-11 14:50 . 2010-06-11 14:50 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-11 14:50 . 2010-06-16 16:40 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-06-11 14:45 . 2010-06-16 16:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-06-11 14:43 . 2010-06-11 14:43 -------- d-----w- c:\program files\Common Files\Skype
2010-06-11 14:43 . 2010-06-11 14:45 -------- d-----w- c:\program files\Skype
2010-06-11 14:31 . 2010-06-11 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-11 12:54 . 2004-01-10 19:56 122880 ----a-w- c:\windows\system32\pdfmont.dll
2010-06-10 03:21 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-05 11:49 . 2010-06-05 12:08 -------- d-----w- c:\program files\YouTube Downloader
2010-06-04 22:47 . 2009-07-21 13:02 105088 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-06-04 22:47 . 2009-07-21 13:02 105088 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-06-04 22:47 . 2009-07-21 13:02 105088 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-06-04 22:47 . 2009-07-21 08:15 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-06-04 22:47 . 2009-04-27 13:00 9728 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-06-04 22:47 . 2008-11-06 07:49 13824 ----a-w- c:\windows\system32\drivers\ZTEusbccid.sys
2010-06-04 22:47 . 2010-06-04 22:47 -------- d-----w- c:\windows\massfilter
2010-06-04 00:47 . 2010-06-04 00:47 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-06-03 18:40 . 2010-06-03 18:40 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\klbg.sys
2010-06-03 18:40 . 2010-06-03 18:40 213520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\XP\klif.sys
2010-06-03 18:40 . 2010-06-03 18:40 21256 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\vkbd.dll
2010-06-03 18:40 . 2010-06-03 18:40 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\updater.dll
2010-06-03 18:40 . 2010-06-03 18:40 83208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\mzvkbd.dll
2010-06-03 18:40 . 2010-06-03 18:40 62728 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\ievkbd.dll
2010-06-03 18:40 . 2010-06-03 18:40 43784 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\fssync.dll
2010-06-03 18:40 . 2010-06-03 18:40 365832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\ckahum.dll
2010-06-03 18:40 . 2010-06-03 18:40 201992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\avp.exe
2010-06-03 17:51 . 2010-06-03 18:40 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-03 17:51 . 2010-06-03 18:40 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-03 17:50 . 2010-06-19 18:20 360480 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-03 17:50 . 2010-06-19 18:20 1602080 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-03 17:50 . 2010-06-03 17:50 -------- d-----w- c:\program files\Kaspersky Lab
2010-06-03 17:50 . 2010-06-19 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 18:22 . 2010-03-13 20:09 -------- d-----w- c:\program files\Audio Sliders
2010-06-19 18:20 . 2010-06-03 17:50 2312 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-19 18:20 . 2010-06-03 17:50 13568 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-15 15:55 . 2010-03-13 19:38 -------- d-----w- c:\program files\Microsoft Works
2010-06-15 15:55 . 2010-04-18 21:02 -------- d-----w- c:\program files\'Full Speed' Internet Booster + Performance Tests
2010-06-12 14:15 . 2010-06-12 14:14 283 ----a-w- c:\program files\Program Files.ini
2010-06-12 13:45 . 2010-03-14 00:57 -------- d-----w- c:\program files\QuickTime
2010-06-08 10:13 . 2010-03-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-04 22:47 . 2010-03-13 19:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 11:47 . 2010-03-13 23:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 18:41 . 2008-01-29 17:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2010-06-03 18:29 . 2010-03-14 04:01 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-05-06 10:41 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-07-16 20:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-25 19:00 . 2010-04-25 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2010-04-25 18:34 . 2010-04-25 18:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Birdstep Technology
2010-04-25 18:13 . 2010-03-13 19:21 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-20 05:30 . 2003-07-16 20:24 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-26 14:29 . 2010-03-26 14:30 720896 ----a-w- c:\windows\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Audio Sliders Launch"="c:\program files\Audio Sliders\volume.exe" [2006-04-06 231424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-06-03 201992]
"O2Start"="c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe" [2010-01-04 2998272]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-27 9728]
R3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [2009-08-25 33664]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2010-06-03 33808]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e783f9f6-7093-11df-983d-fce4bd0c3a8b}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://mobilebroadbandaccess.o2.co.uk/?DMPN=07955811215&NetworkID=23410&NetworkDescriptor=O2-UK
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-06-19 19:37:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 18:36

Pre-Run: 74,102,267,904 bytes free
Post-Run: 74,051,350,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - DE09D30335FD3D266D288E6504FEB24C
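A ComboFix log like the one above is long, and the entries that matter for triage (drivers registered in the registry with no file on disk, cached AutoRun commands for mounted drives, orphaned Run values, a disabled firewall, the catchme hidden-file count) are scattered across several sections. The script below is an added example, not part of this thread or of ComboFix, that walks one of these logs and lists those entries with a severity. The line shapes it matches are assumptions inferred from the logs posted here, not ComboFix's documented format, and the sample input is constructed from lines modelled on them; the `svchelper` Run value is made up to exercise the user-writable-path check.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in ComboFix's log format, modelled on lines from the logs
# posted in this thread (drivers with no file on disk, the E:\AutoRun.exe
# mount point, the mstwain32.exe orphan, the firewall and Security Center
# keys). The "svchelper" Run value is made up to exercise the user-writable
# path check; it does not appear in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"svchelper"="c:\documents and settings\Owner\Local Settings\Temp\svchelper.exe" [2010-08-20 13160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-27 9728]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e783f9f6-7093-11df-983d-fce4bd0c3a8b}]
\Shell\AutoRun\command - E:\AutoRun.exe

- - - - ORPHANS REMOVED - - - -
HKCU-Run-mstwain32.exe - c:\documents and settings\Administrator\Application Data\Microsoft\mstwain32.exe

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
hidden files: 0
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


# Line shapes assumed from the posted logs (not ComboFix's documented grammar).
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
ORPHAN_RE = re.compile(r"^HKCU-Run-(\S+) - (.+)$")
HIDDEN_RE = re.compile(r"^hidden files: (\d+)$")

# Locations a limited user can write to. Installers put binaries under
# Program Files or system32, so an autostart living here deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "%appdata%")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_combofix(text: str) -> list:
    """Walk a ComboFix log once and collect the entries a responder should review."""
    findings = []
    key = ""  # registry key most recently opened with [...]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = RUN_RE.match(line)
        if m and key.endswith("\\run"):
            name, path = m.group(1), m.group(2)
            if in_user_writable(path):
                findings.append(Finding("medium", f"Run value '{name}' starts a binary from a user-writable path: {path}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, path, meta = m.groups()
            if meta == "?":  # ComboFix prints [?] when the registered file is not on disk
                findings.append(Finding("medium", f"service {name} ({state}) has no file on disk: {path.split(' --> ')[-1]}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("medium", f"cached AutoRun command for a mounted drive: {m.group(1)}"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            sev = "high" if in_user_writable(m.group(2)) else "info"
            findings.append(Finding(sev, f"orphan Run value {m.group(1)} removed; it pointed at {m.group(2)}"))
            continue
        if "firewallpolicy" in key and line.startswith('"EnableFirewall"= 0'):
            profile = key.rsplit("\\", 1)[-1]
            findings.append(Finding("high", f"Windows Firewall disabled in the {profile}"))
            continue
        if "security center\\monitoring" in key and line.startswith('"DisableMonitoring"=dword:00000001'):
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding("info", f"Security Center monitoring off for {product}: normal when a third-party AV owns it, so confirm that AV is actually running"))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            n = int(m.group(1))
            findings.append(Finding("high" if n else "info", f"catchme reported {n} hidden files"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 4, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}")
    print(summarize(triage_combofix(SAMPLE_LOG)))
```

Run it against a saved ComboFix.txt by passing the file's contents to `triage_combofix`. The DisableMonitoring entry is deliberately rated only "info": Kaspersky and other third-party suites set it when they take over Security Center reporting, so on its own it is not a sign of tampering, whereas a disabled firewall profile or a driver entry whose file is gone is worth explaining before the machine is declared clean.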
Moderator, posts: 55840, registered Monday February 1, 2010, last seen November 20, 2018 - Jun 19, 2010 at 04:00 PM
Thank you for your feedback, I am happy to have saved you all those pounds.

Now... pay to the next.

Farewell
(1 thanks)
It is working for me. Great, thanks a LOT guys.
Posts: 21, registered Sunday May 9, 2010, last seen May 11, 2010 - May 9, 2010 at 04:58 AM (0 thanks)
If you don't have computer tools, go to Accessories and then go to System Tools and select System Restore... you need to choose what date if you are going to delete... make sure you have a backup of your files.
Moderator, posts: 55840, registered Monday February 1, 2010, last seen November 20, 2018 - May 17, 2010 at 04:34 PM (0 thanks)
Hello BigJohn,

Today is your lucky day, I just happened to stop by and saw your message.

This rootkit has taken a habit of replacing legitimate files with others which I will not name, for we want to maintain some decorum.

1. Boot in safe mode with networking.

2. Open a command prompt and then run:
3. Type sfc /scannow
4. Press OK
5. See now if you can download and run ComboFix; you can also try:

http://download.norman.no/public/Norman_TDSS_Cleaner.exe

Norman is a swell guy.

Good luck Big John and let me know.
- Aug 22, 2010 at 03:30 PM (0 thanks)
I have been having 5 different computers attacking various parts of my computer, but Norton has been blocking the attempts... I noticed from the reports that Norton gave me that my Firefox was the cause. Most of them were Tidserv requests that Norton had blocked.

After doing some research I noticed that usually a rootkit is behind the attacks. I acquired the ComboFix that you have on this thread, ran it as you instructed, and it didn't take long. It restarted once, and now it starts as fast as I remember, and so does the web page change on email.

Here is the report:



ComboFix 10-08-21.04 - Administrator 08/22/2010 0:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1421 [GMT -7:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\st325602.dll

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-21 06:52 . 2010-08-21 06:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-08-21 06:52 . 2010-08-21 06:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-08-21 02:09 . 2010-08-21 02:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-20 09:08 . 2010-05-06 04:01 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-08-20 05:50 . 2010-08-20 08:35 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-08-03 19:28 . 2010-08-03 19:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 19:28 . 2010-08-22 07:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-08-03 19:21 . 2010-08-22 07:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-08-03 19:19 . 2010-08-03 19:19 -------- d-----w- c:\program files\Common Files\Skype
2010-08-03 19:19 . 2010-08-03 19:20 -------- d-----r- c:\program files\Skype
2010-08-03 19:19 . 2010-08-03 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-01 09:32 . 2001-08-17 19:49 22848 -c--a-w- c:\windows\system32\dllcache\lwusbhid.sys
2010-08-01 09:32 . 2001-08-17 19:49 22848 ----a-w- c:\windows\system32\drivers\LwUsbHid.sys
2010-07-30 22:12 . 2010-07-30 22:12 77312 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
2010-07-30 01:32 . 2010-07-30 01:32 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-30 01:32 . 2010-07-30 01:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-30 01:32 . 2010-07-30 01:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-30 01:32 . 2010-07-30 01:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-30 01:32 . 2010-07-30 01:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-30 01:32 . 2010-07-30 01:32 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-30 01:32 . 2010-07-30 01:32 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-30 01:32 . 2010-07-30 01:32 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-30 01:31 . 2010-07-30 01:31 -------- d-----w- c:\program files\Common Files\xing shared
2010-07-30 01:26 . 2010-07-30 01:26 493064 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\setup\AU_setup16.exe
2010-07-23 22:35 . 2010-07-23 22:36 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 07:27 . 2009-07-10 04:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\WTablet
2010-08-22 07:27 . 2007-06-14 06:13 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-08-22 07:27 . 2007-06-14 06:14 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-08-22 07:25 . 2009-07-31 11:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2010-08-22 06:52 . 2009-07-31 11:00 -------- d-----w- c:\program files\DNA
2010-08-22 06:09 . 2009-07-12 14:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-08-22 06:08 . 2007-06-14 06:13 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-08-22 03:57 . 2007-06-14 06:21 99609 ----a-w- c:\windows\system32\nvModes.dat
2010-08-21 04:44 . 2010-05-18 16:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 08:35 . 2006-03-01 20:37 57752 ------w- c:\windows\system32\rpcnet.exe
2010-08-20 07:39 . 2009-07-10 05:03 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-20 05:48 . 2010-02-15 06:52 -------- d-----w- c:\program files\Gabest
2010-08-20 05:36 . 2006-10-03 23:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-20 05:04 . 2009-07-10 05:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-11 10:05 . 2009-07-10 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-01 09:30 . 2009-09-23 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-30 22:13 . 2010-07-20 13:18 -------- d-----w- c:\program files\SystemRequirementsLab
2010-07-30 22:12 . 2010-07-20 13:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2010-07-30 01:32 . 2010-03-26 09:58 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-30 01:32 . 2009-12-27 01:56 -------- d-----w- c:\program files\Common Files\Real
2010-07-30 01:31 . 2009-12-27 01:56 -------- d-----w- c:\program files\Real
2010-07-20 13:18 . 2010-07-20 13:18 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-07-20 13:18 . 2010-07-20 13:18 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-07-20 13:18 . 2010-07-20 13:18 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-07-20 13:18 . 2010-07-20 13:18 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-07-08 11:21 . 2010-07-08 11:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\TS3Client
2010-06-14 14:30 . 2006-07-10 22:07 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-01 16:52 . 2010-06-01 16:52 503808 -c--a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53048264-n\msvcp71.dll
2010-06-01 16:52 . 2010-06-01 16:52 348160 -c--a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53048264-n\msvcr71.dll
2010-06-01 16:52 . 2010-06-01 16:52 499712 -c--a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53048264-n\jmc.dll
2010-06-01 16:52 . 2010-06-01 16:52 61440 -c--a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40723265-n\decora-sse.dll
2010-06-01 16:52 . 2010-06-01 16:52 12800 -c--a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40723265-n\decora-d3d.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-30 202256]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-15 21:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 10:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-30 01:30 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:4\\Program Files\\uTorrent\\uTorrent.exe"=
"C:4\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:4\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\MW4MERCS.ICD"=
"f:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\mw4\\MW4.exe"=
"f:\\Program Files\\Microsoft Games\\Mechwarrior Mercenaries\\mw4\\mw4x\\MW4x.EXE"=
"f:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"f:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"f:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45676:TCP"= 45676:TCP:Coh
"56311:TCP"= 56311:TCP:Pando Media Booster
"56311:UDP"= 56311:UDP:Pando Media Booster

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [10/3/2006 4:12 PM 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [10/3/2006 4:12 PM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [10/3/2006 4:12 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [10/3/2006 4:12 PM 17664]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\symds.sys [5/24/2010 4:14 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\symefa.sys [5/24/2010 4:14 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [8/9/2010 6:11 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\cchpx86.sys [5/24/2010 4:14 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\ironx86.sys [5/24/2010 4:14 PM 116784]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [5/24/2010 4:14 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 4:52 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100820.001\IDSXpx86.sys [8/20/2010 6:53 PM 331640]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva287;XDva287;\??\c:\windows\system32\XDva287.sys --> c:\windows\system32\XDva287.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
S3 XDva319;XDva319;\??\c:\windows\system32\XDva319.sys --> c:\windows\system32\XDva319.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3054480091-1899633457-2647154202-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

2010-08-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3054480091-1899633457-2647154202-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {0343EC7D-6B21-4DF9-B721-DBB1B69DCC40} = 68.105.28.12,68.105.28.11
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zfcuyq7a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://red.clientapps.yahoo.com/customize/links/msgr8/*http://www.yahoo.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-mstwain32.exe - c:\documents and settings\Administrator\Application Data\Microsoft\mstwain32.exe
AddRemove-PCSX2 0.9 R3 - c:\program files\PCSX2 0.9 R3\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 00:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3054480091-1899633457-2647154202-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,70,89,cc,b2,14,2c,43,be,fe,0a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,70,89,cc,b2,14,2c,43,be,fe,0a,\

[HKEY_USERS\S-1-5-21-3054480091-1899633457-2647154202-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3054480091-1899633457-2647154202-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7d,69,3d,12,c6,30,d7,4f,08,fc,97,6c,12,79,c5,f4,8b,65,6f,c2,d9,a3,03,
cf,e5,32,97,f8,e7,bf,3b,81,a5,b5,fb,01,eb,de,e0,c0,f9,f0,f8,be,a1,e5,32,02,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:7f,bf,b6,c7,fc,95,ab,96,53,32,dc,9c,47,48,40,ae,61,c7,ed,06,03,
52,0b,b7,9a,3a,0c,c6,c5,72,51,3d,fe,62,0c,4c,1e,85,37,4c,35,b3,95,9d,50,f2,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð*€|ÿÿÿÿ.*€|ù*A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:7f,bf,b6,c7,fc,95,ab,96,53,32,dc,9c,47,48,40,ae,61,c7,ed,06,03,
52,0b,b7,9a,3a,0c,c6,c5,72,51,3d,fe,62,0c,4c,1e,85,37,4c,35,b3,95,9d,50,f2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1408)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-22 00:47:12
ComboFix-quarantined-files.txt 2010-08-22 07:47

Pre-Run: 5,668,724,736 bytes free
Post-Run: 15,509,078,016 bytes free

- - End Of File - - 1EFC78935FC0E5230EB60503063747D9
Posts
55840
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
November 20, 2018
- Aug 22, 2010 at 04:25 PM
0
Thank you
Hello,

It looks as if the rootkit has been destroyed. Great!

Regards
0
Thank you
Hello,
I was having similar problems, and I followed the procedure.

This is the log file, and I'm interested in whether everything is fixed:

ComboFix 10-09-13.02 - XP Pro 14.09.2010 14:39:48.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.502.226 [GMT 2:00]
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\windows\system32\drivers\Setup.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 12:47 . 2009-06-13 19:19 -------- d-----w- c:\documents and settings\XP Pro\Application Data\uTorrent
2010-09-14 12:38 . 2007-01-03 10:35 -------- d-----w- c:\documents and settings\XP Pro\Application Data\Skype
2010-09-14 10:14 . 2009-12-02 19:51 0 ----a-w- c:\documents and settings\XP Pro\Local Settings\Application Data\prvlcl.dat
2010-09-14 07:27 . 2010-01-21 18:29 -------- d-----w- c:\documents and settings\XP Pro\Application Data\skypePM
2010-09-14 07:24 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-08-24 20:47 . 2009-11-03 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-16 21:18 . 2010-04-09 16:51 -------- d-----w- c:\documents and settings\XP Pro\Application Data\vlc
2010-08-16 20:26 . 2009-04-21 18:18 -------- d-----w- c:\documents and settings\XP Pro\Application Data\dvdcss
2010-08-01 19:57 . 2010-08-01 19:57 -------- d-----w- c:\documents and settings\XP Pro\Application Data\AVG9
2010-07-30 20:04 . 2010-01-17 16:00 112 ----a-w- c:\documents and settings\All Users\Application Data\Ov6uC3jr3.dat
2010-07-16 16:59 . 2010-01-20 10:29 50354 ----a-w- c:\documents and settings\XP Pro\Application Data\Facebook\uninstall.exe
2009-01-05 14:26 . 2008-12-19 07:51 56 -csha-r- c:\windows\system32\F54C4E5511.sys
2010-05-13 05:51 . 2008-12-18 10:01 15960 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
[code]<pre>
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Realtek\InstallShield\AzMixerSel .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
</pre>[/code]

------- Sigcheck -------

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msgsvc.dll

[-] 2004-08-10 23:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-10 23:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-10 23:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\MsPMSNSv.dll
[-] 2004-08-10 23:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\dllcache\ntmssvc.dll
[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll

[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dllcache\dsound.dll
[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dsound.dll

[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\d3d9.dll
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\d3d9.dll

[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\ddraw.dll
[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ddraw.dll

[-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
[-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\olepro32.dll
[-] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\olepro32.dll

[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\perfctrs.dll
[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\perfctrs.dll

[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\version.dll
[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\version.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-23_09.36.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-01 22:46 . 2006-12-01 22:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2010-03-28 19:25 . 2004-06-10 14:34 53693 c:\windows\UNDPX2A.sys
+ 2010-06-13 20:17 . 2004-07-07 14:02 22272 c:\windows\udtablet\AIPTEKTP.SYS
+ 2010-06-13 20:17 . 2003-11-14 08:45 36864 c:\windows\udtablet\AIPTEKTP.EXE
+ 2010-06-13 18:43 . 2005-09-21 13:37 69632 c:\windows\system32\WINTAB32.DLL
+ 2010-06-13 18:43 . 2001-05-23 09:58 36864 c:\windows\system32\UTBLFILT.DLL
- 2008-04-14 12:00 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 12:00 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2010-06-13 18:43 . 2005-06-17 17:09 61440 c:\windows\system32\TBLMOUSE.EXE
+ 2010-06-13 18:43 . 2005-09-21 13:54 61440 c:\windows\system32\Tblfunc.dll
+ 2010-05-04 17:53 . 2008-06-15 08:01 60273 c:\windows\system32\pthreadGC2.dll
- 2004-08-04 12:00 . 2009-12-10 08:19 75834 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-09-14 12:32 75834 c:\windows\system32\perfc009.dat
+ 2006-11-07 20:03 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-07 20:03 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2010-06-13 18:43 . 2004-01-20 07:00 49152 c:\windows\system32\Funckey.dll
+ 2010-05-04 17:53 . 2008-12-17 23:22 57344 c:\windows\system32\ff_vfw.dll
+ 2001-05-23 13:42 . 2001-05-23 13:42 12084 c:\windows\system32\drivers\UTBLFILT.sys
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0816\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0804\_setup.dll
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\040C\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0404\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0013\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11776 c:\windows\system32\drivers\SETUPDIR\0011\_setup.dll
+ 2001-08-21 13:18 . 2001-08-21 13:18 11776 c:\windows\system32\drivers\SETUPDIR\0010\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11776 c:\windows\system32\drivers\SETUPDIR\000A\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0009\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11776 c:\windows\system32\drivers\SETUPDIR\0008\_SETUP.DLL
+ 2001-08-21 13:18 . 2001-08-21 13:18 11264 c:\windows\system32\drivers\SETUPDIR\0007\_SETUP.DLL
+ 2001-08-17 13:48 . 2001-08-17 12:48 12160 c:\windows\system32\drivers\mouhid.sys
- 2001-08-17 13:48 . 2008-04-14 12:00 12160 c:\windows\system32\drivers\mouhid.sys
+ 2008-04-14 00:09 . 2008-04-13 23:09 23040 c:\windows\system32\drivers\mouclass.sys
- 2008-04-14 00:09 . 2008-04-14 12:00 23040 c:\windows\system32\drivers\mouclass.sys
+ 2010-02-22 19:05 . 2010-04-29 14:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-02-22 19:05 . 2010-01-07 15:07 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-22 19:05 . 2010-04-29 14:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2008-04-14 12:00 . 2008-04-13 22:15 10368 c:\windows\system32\drivers\hidusb.sys
- 2008-04-14 12:00 . 2008-04-14 12:00 10368 c:\windows\system32\drivers\hidusb.sys
+ 2008-04-14 12:00 . 2008-04-13 22:15 24960 c:\windows\system32\drivers\hidparse.sys
- 2008-04-14 12:00 . 2008-04-14 12:00 24960 c:\windows\system32\drivers\hidparse.sys
- 2008-04-14 12:00 . 2008-04-14 12:00 36864 c:\windows\system32\drivers\hidclass.sys
+ 2008-04-14 12:00 . 2008-04-13 22:15 36864 c:\windows\system32\drivers\hidclass.sys
+ 2001-04-10 12:43 . 2001-04-10 12:43 49152 c:\windows\system32\drivers\FINDUSB.EXE
+ 2009-11-03 08:59 . 2010-03-05 09:50 52872 c:\windows\system32\drivers\avgrkx86.sys
+ 2009-09-29 09:29 . 2010-06-01 07:42 29584 c:\windows\system32\drivers\avgmfx86.sys
+ 2010-06-13 20:17 . 2004-07-07 14:02 22272 c:\windows\system32\drivers\aiptektp.sys
+ 2010-01-13 20:00 . 2009-10-22 12:54 37392 c:\windows\system32\drivers\62469752.sys
+ 2009-06-12 08:42 . 2010-02-25 06:24 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-12 08:42 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-08-13 11:57 . 2010-02-25 06:24 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-08-13 11:57 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 12:00 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2008-04-14 12:00 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2010-01-22 11:23 . 2010-01-22 11:23 12536 c:\windows\system32\avgrsstx.dll
+ 2010-06-13 20:17 . 2005-06-17 16:51 49152 c:\windows\system32\ATWinLog.dll
+ 2010-06-13 20:17 . 2005-07-20 10:12 90112 c:\windows\RmTablet.exe
+ 2010-01-15 16:23 . 2010-01-15 16:23 21504 c:\windows\Installer\38b77.msi
- 2007-05-26 11:39 . 2010-02-11 09:30 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-25 07:18 . 2008-10-25 07:18 72568 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\ONFILTER.DLL
+ 2008-10-25 07:18 . 2008-10-25 07:18 98696 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\ONENOTEM.EXE
+ 2010-04-11 23:08 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 19527 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCall.6B092422_27B2_4C55_9A09_5BDE522CA8C6.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 19527 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCall.6B092422_27B2_4C55_9A09_5BDE522CA8C6.dll
+ 2010-04-19 04:12 . 2008-04-14 12:00 84480 c:\windows\$NtUninstallKB979309$\cabview.dll
+ 2010-02-25 09:00 . 2009-10-28 15:07 46080 c:\windows\$NtUninstallKB979306$\tzchange.exe
+ 2010-02-25 09:00 . 2010-01-23 10:40 16896 c:\windows\$NtUninstallKB979306$\spuninst\tzchange.dll
+ 2010-04-19 04:13 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB981332-IE8\update\spcustom.dll
+ 2010-04-19 04:13 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB981332-IE8\spmsg.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 26488 c:\windows\$hf_mig$\KB980232\update\spcustom.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 17272 c:\windows\$hf_mig$\KB980232\spmsg.dll
+ 2010-04-11 23:09 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB980182-IE8\update\spcustom.dll
+ 2010-04-11 23:09 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB980182-IE8\spmsg.dll
+ 2010-04-11 08:32 . 2010-02-25 06:19 12800 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\xpshims.dll
+ 2010-04-11 08:33 . 2010-02-25 06:19 55296 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\msfeedsbs.dll
+ 2010-04-11 08:34 . 2010-02-25 06:19 25600 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\jsproxy.dll
+ 2010-04-29 07:06 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB979683\update\spcustom.dll
+ 2010-04-28 16:53 . 2010-03-05 14:54 16896 c:\windows\$hf_mig$\KB979683\update\mpsyschk.dll
+ 2010-04-29 07:06 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB979683\spmsg.dll
+ 2010-04-19 04:12 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB979309\update\spcustom.dll
+ 2010-04-19 04:12 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB979309\spmsg.dll
+ 2010-01-13 13:48 . 2010-01-13 13:48 86016 c:\windows\$hf_mig$\KB979309\SP3QFE\cabview.dll
+ 2010-04-30 08:29 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB978601\update\spcustom.dll
+ 2010-04-30 08:29 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB978601\spmsg.dll
+ 2010-04-29 06:55 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB978338\update\spcustom.dll
+ 2010-04-29 06:55 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB978338\spmsg.dll
+ 2010-04-30 08:29 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB977816\update\spcustom.dll
+ 2010-04-30 08:29 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB977816\spmsg.dll
+ 2010-02-25 09:01 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB976662-IE8\update\spcustom.dll
+ 2010-02-25 09:01 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB976662-IE8\spmsg.dll
+ 2010-03-18 21:57 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB975561\update\spcustom.dll
+ 2010-03-18 21:57 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB975561\spmsg.dll
+ 2001-08-21 13:18 . 2001-08-21 13:18 4525 c:\windows\system32\drivers\LANG.DAT
+ 2001-08-21 13:18 . 2001-08-21 13:18 8704 c:\windows\system32\drivers\_ISDEL.EXE
+ 2010-03-28 19:25 . 2004-06-10 14:31 135168 c:\windows\UNDPX2A.exe
+ 2008-04-14 12:00 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 916480 c:\windows\system32\wininet.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 916480 c:\windows\system32\wininet.dll
+ 2008-04-14 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 02:33 420352 c:\windows\system32\vbscript.dll
+ 2004-10-26 22:11 . 2008-06-15 08:01 258352 c:\windows\system32\unicows.dll
+ 2004-08-04 12:00 . 2010-09-14 12:32 453424 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-12-10 08:19 453424 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
- 2008-04-14 12:00 . 2009-03-08 02:32 611840 c:\windows\system32\mstime.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
+ 2006-11-07 20:03 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
- 2006-11-07 20:03 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2010-07-29 10:15 . 2010-07-29 10:15 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2008-04-14 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-14 12:00 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 12:00 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 12:00 . 2010-02-11 12:02 226880 c:\windows\system32\drivers\tcpip6.sys
+ 2008-04-14 12:00 . 2010-02-24 13:11 455680 c:\windows\system32\drivers\mrxsmb.sys
+ 2009-09-29 09:29 . 2010-01-22 11:23 243024 c:\windows\system32\drivers\avgtdix.sys
+ 2009-09-29 09:29 . 2010-01-22 11:23 216400 c:\windows\system32\drivers\avgldx86.sys
+ 2010-01-13 20:00 . 2009-09-25 16:59 128016 c:\windows\system32\drivers\62469751.sys
+ 2010-01-13 20:00 . 2009-10-09 22:31 315408 c:\windows\system32\drivers\6246975.sys
+ 2008-04-14 12:00 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
- 2008-04-14 12:00 . 2009-03-08 02:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-04-14 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-04-14 12:00 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2008-04-14 12:00 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
- 2008-04-14 12:00 . 2009-03-08 02:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-08-13 11:57 . 2010-02-25 06:24 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-08-13 11:57 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-02-09 14:18 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-04-14 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-06-12 08:42 . 2010-02-25 06:24 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-14 12:00 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-14 12:00 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-04-14 12:00 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2010-06-01 07:19 . 2007-05-16 14:45 443752 c:\windows\system32\d3dx10_34.dll
+ 2010-06-13 20:17 . 2005-07-27 14:55 290816 c:\windows\system32\atwtusbL.exe
+ 2010-06-13 18:43 . 2005-09-21 16:08 290816 c:\windows\system32\ATWTUSB.EXE
+ 2008-04-14 12:00 . 2010-02-12 04:33 100864 c:\windows\system32\6to4svc.dll
+ 2010-01-21 18:27 . 2010-01-21 18:27 700416 c:\windows\Installer\be02e6e.msi
+ 2010-06-01 07:17 . 2010-06-01 07:17 331264 c:\windows\Installer\75be56c.msi
+ 2010-01-21 18:27 . 2010-01-21 18:27 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2007-05-26 11:39 . 2010-02-11 09:30 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2007-05-26 11:39 . 2010-04-30 08:31 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-25 06:52 . 2008-10-25 06:52 664968 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\ONBTTNOL.DLL
+ 2008-10-25 06:52 . 2008-10-25 06:52 604056 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\ONBTTNIE.DLL
+ 2010-04-19 04:13 . 2009-03-08 02:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-04-19 04:13 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-04-19 04:13 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-04-11 23:08 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-04-11 23:08 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-04-11 23:08 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-04-11 23:08 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-04-11 23:08 . 2009-03-08 02:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-04-11 23:08 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-04-11 23:08 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-02-25 09:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-25 09:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-25 09:01 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2009-02-09 14:18 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
- 2008-12-08 23:11 . 2008-12-08 23:11 111353 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla8.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111353 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla8.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111364 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla4.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111364 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla4.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111491 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla34.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111491 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla34.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 738304 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla33.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 738304 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla33.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111063 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla32.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111063 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla32.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111705 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla31.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111705 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla31.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 632832 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla30.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 632832 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla30.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111789 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla29.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111789 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla29.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111255 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla27.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111255 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla27.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111910 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla26.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111910 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla26.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111883 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla23.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111883 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla23.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 633856 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla14.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 633856 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla14.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 111943 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.dll
- 2008-12-08 23:11 . 2008-12-08 23:11 111943 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 126538 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.6B092422_27B2_4C55_9A09_5BDE522CA8C6.exe
- 2008-12-08 23:11 . 2008-12-08 23:11 126538 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.6B092422_27B2_4C55_9A09_5BDE522CA8C6.exe
- 2008-12-08 23:11 . 2008-12-08 23:11 126538 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.6B092422_27B2_4C55_9A09_5BDE522CA8C6.dll
+ 2010-05-12 21:52 . 2010-05-12 21:52 126538 c:\windows\DFD4A822111845CA8222B7C8E3480370.TMP\WiseCustomCalla.6B092422_27B2_4C55_9A09_5BDE522CA8C6.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 382840 c:\windows\$NtUninstallKB980232$\spuninst\updspapi.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 231288 c:\windows\$NtUninstallKB980232$\spuninst\spuninst.exe
+ 2010-04-29 07:05 . 2009-12-04 18:22 455424 c:\windows\$NtUninstallKB980232$\mrxsmb.sys
+ 2010-04-29 07:06 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979683$\spuninst\updspapi.dll
+ 2010-04-29 07:06 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB979683$\spuninst\spuninst.exe
+ 2010-04-19 04:12 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979309$\spuninst\updspapi.dll
+ 2010-04-19 04:12 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB979309$\spuninst\spuninst.exe
+ 2010-02-25 09:00 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979306$\spuninst\updspapi.dll
+ 2010-02-25 09:00 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB979306$\spuninst\spuninst.exe
+ 2010-04-30 08:29 . 2008-04-14 12:00 176640 c:\windows\$NtUninstallKB978601$\wintrust.dll
+ 2010-04-30 08:29 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB978601$\spuninst\updspapi.dll
+ 2010-04-30 08:29 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB978601$\spuninst\spuninst.exe
+ 2010-04-29 06:55 . 2008-06-20 11:08 225856 c:\windows\$NtUninstallKB978338$\tcpip6.sys
+ 2010-04-29 06:55 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB978338$\spuninst\updspapi.dll
+ 2010-04-29 06:55 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB978338$\spuninst\spuninst.exe
+ 2010-04-29 06:55 . 2008-04-14 12:00 100352 c:\windows\$NtUninstallKB978338$\6to4svc.dll
+ 2010-04-30 08:29 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB977816$\spuninst\updspapi.dll
+ 2010-04-30 08:29 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB977816$\spuninst\spuninst.exe
+ 2010-03-18 21:57 . 2009-05-26 16:10 382840 c:\windows\$NtUninstallKB975561$\spuninst\updspapi.dll
+ 2010-03-18 21:57 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB975561$\spuninst\spuninst.exe
+ 2010-04-19 04:13 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB981332-IE8\update\updspapi.dll
+ 2010-04-19 04:13 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB981332-IE8\update\update.exe
+ 2010-04-19 04:13 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB981332-IE8\spuninst.exe
+ 2010-04-18 05:50 . 2010-03-10 06:18 420352 c:\windows\$hf_mig$\KB981332-IE8\SP3QFE\vbscript.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 382840 c:\windows\$hf_mig$\KB980232\update\updspapi.dll
+ 2010-04-29 07:05 . 2009-05-26 09:01 755576 c:\windows\$hf_mig$\KB980232\update\update.exe
+ 2010-04-29 07:05 . 2009-05-26 09:01 231288 c:\windows\$hf_mig$\KB980232\spuninst.exe
+ 2010-04-28 16:52 . 2010-02-24 11:57 457216 c:\windows\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys
+ 2010-04-11 23:09 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB980182-IE8\update\updspapi.dll
+ 2010-04-11 23:09 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB980182-IE8\update\update.exe
+ 2010-04-11 23:09 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB980182-IE8\spuninst.exe
+ 2010-04-11 08:32 . 2010-02-25 06:19 919040 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll
+ 2010-04-11 08:32 . 2010-02-25 06:19 206848
Moderator - Sep 14, 2010 at 04:32 PM
Hello Denchibald,

This was an impressive clean-up!

Everything looks just fine from this side.

Farewell.
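The hash listing in the log above pairs each live system file (system32, system32\drivers) with the copies Windows keeps for itself (dllcache, SoftwareDistribution\Download, $hf_mig$ and similar) and prints an MD5 for each. The check a responder actually wants from that listing is whether any live driver or DLL carries a different hash from a reference copy that reports the same version string and size, because that is what a binary patched in place looks like. The script below is an added example written for this page; it is not ComboFix code and not anything the poster ran. The regex is derived from the line format visible in the log, the list of directories treated as reference copies is my assumption, and the two atapi.sys lines in the sample are constructed with placeholder hashes so that the mismatch case fires.

```python
import re
from collections import defaultdict

# Pattern for the file-hash lines in the log, e.g.
#   [-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
# The date may carry HH:MM; the bracketed version is treated as optional.
HASH_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"(?:\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+)?"
    r"(?P<path>[A-Za-z]:\\\S.*?)\s*$"
)

# Assumption: these directories hold Windows' own reference copies of a file.
REFERENCE_DIRS = (
    "\\dllcache\\",
    "\\softwaredistribution\\download\\",
    "\\driver cache\\",
    "\\$hf_mig$\\",
    "\\$ntuninstall",
)


def parse_hash_listing(text):
    """Return one dict per recognised hash line; every other line is ignored."""
    entries = []
    for raw in text.splitlines():
        m = HASH_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"])
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_reference_copy(path):
    return any(marker in path for marker in REFERENCE_DIRS)


def find_suspect_files(entries):
    """Compare each live copy with reference copies of the same file that
    report the same version string.  Same version and size but a different
    MD5 is the signature of a file patched in place.
    Returns (mismatches, unverified): mismatches are tuples
    (live_path, live_md5, ref_path, ref_md5, same_size); unverified lists
    live files that have no comparable reference copy in the listing."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    mismatches, unverified = [], []
    for name, group in sorted(by_name.items()):
        live = [e for e in group if not is_reference_copy(e["path"])]
        refs = [e for e in group if is_reference_copy(e["path"])]
        for l in live:
            comparable = [r for r in refs if r["version"] == l["version"]]
            if not comparable:
                unverified.append(l["path"])
                continue
            for r in comparable:
                if r["md5"] != l["md5"]:
                    mismatches.append(
                        (l["path"], l["md5"], r["path"], r["md5"], r["size"] == l["size"])
                    )
    return mismatches, unverified


def report(text):
    mismatches, unverified = find_suspect_files(parse_hash_listing(text))
    for live, lmd5, ref, rmd5, same_size in mismatches:
        note = "  (same size: patched in place?)" if same_size else ""
        print(f"MISMATCH   {live}\n   live {lmd5}\n   ref  {rmd5}  {ref}{note}")
    for p in unverified:
        print(f"UNVERIFIED {p}  (no reference copy with the same version)")
    return mismatches, unverified


# Constructed sample: the first six lines follow the format of the log above;
# the two atapi.sys lines are made up, with placeholder hashes, to show a live
# driver whose MD5 no longer matches its dllcache copy of the same version.
SAMPLE_LOG = r"""
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
[-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
[-] 2008-04-14 12:00 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2008-04-14 . 00000000000000000000000000000001 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-14 . 0000000000000000000000000000000F . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
"""

if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Comparing only against reference copies with an identical version string keeps hotfix leftovers such as the older $hf_mig$ aec.sys from showing up as false mismatches; a live file with no comparable reference copy is reported separately as unverified rather than as clean, since the listing simply cannot vouch for it.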
Moderator - Apr 1, 2010 at 04:53 AM
Hello,

Thank you for the log.

It looks as if you had infected drivers which have now been cleaned.

How is your system performing now?

Any more problems?
Moderator - Apr 27, 2010 at 04:20 PM
Hello Somebody

Well thank you ever so much for your feedback, I am glad everything is working for you.

Regards
Is there a ComboFix for Windows 2k3?
It works for me on Parallels on Mac. Thanks:

ComboFix 10-05-08.02 - Administrator 05/09/2010 1:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1027.775 [GMT -4:00]
Running from: \\.psf\Home\Desktop\ComboFix.exe
AV: Parallels Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Parallels Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\prl_boot.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 05:25 . 2010-05-09 05:25 -------- d-----w- C:\XDelBox
2010-05-09 02:43 . 2010-05-09 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2010-05-09 02:22 . 2010-05-09 02:36 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-09 02:22 . 2010-05-09 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-09 02:22 . 2010-05-09 02:22 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-09 02:13 . 2010-05-09 02:13 -------- d-----w- c:\program files\Enigma Software Group
2010-05-09 02:12 . 2010-05-09 02:26 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-05-09 02:12 . 2010-05-09 02:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-09 01:55 . 2010-03-22 14:43 178000 ----a-w- C:\TDSSKiller.exe
2010-05-09 01:28 . 2010-05-09 01:28 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Adobe Acrobat Pro (Mac).exe
2010-05-09 01:28 . 2010-05-09 01:28 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Acrobat Distiller (Mac).exe
2010-04-24 00:23 . 2010-04-24 00:23 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-273ced5e-n\msvcp71.dll
2010-04-24 00:23 . 2010-04-24 00:23 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-273ced5e-n\jmc.dll
2010-04-24 00:23 . 2010-04-24 00:23 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-273ced5e-n\msvcr71.dll
2010-04-24 00:23 . 2010-04-24 00:23 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a51653e-n\decora-sse.dll
2010-04-24 00:23 . 2010-04-24 00:23 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a51653e-n\decora-d3d.dll
2010-04-24 00:22 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 16:49 . 2010-05-09 05:28 5612576 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-23 16:49 . 2010-05-09 05:28 253984 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-23 16:49 . 2010-05-08 21:34 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-23 16:49 . 2010-05-08 21:34 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-23 16:48 . 2010-05-09 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Parallels
2010-04-20 15:43 . 2010-04-20 15:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Backup (Mac).exe
2010-04-14 20:56 . 2010-04-14 21:51 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 05:28 . 2010-04-23 16:49 47024 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-09 05:28 . 2010-04-23 16:49 1948 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-09 05:14 . 2009-08-07 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-05-09 05:03 . 2009-10-18 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\NBC Direct
2010-05-09 05:03 . 2009-10-18 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NBC Direct
2010-05-09 05:03 . 2009-10-18 04:17 -------- d---a-w- c:\program files\NBC Direct
2010-05-09 04:51 . 2009-10-18 04:17 -------- d-----w- c:\program files\Pando Networks
2010-05-09 02:46 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-24 00:23 . 2009-08-14 17:39 -------- d-----w- c:\program files\Common Files\Java
2010-04-24 00:22 . 2009-08-14 17:39 -------- d-----w- c:\program files\Java
2010-04-23 16:48 . 2009-07-13 15:29 -------- d-----w- c:\program files\Parallels
2010-04-08 16:43 . 2009-08-07 02:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-28 20:55 . 2010-03-28 20:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-28 20:55 . 2010-03-28 20:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 05:39 . 2010-02-04 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-28 05:38 . 2010-02-04 03:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Device Central (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Adobe Bridge CS4 (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\ExtendScript Toolkit (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Adobe Extension Manager CS4 (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Toast Titanium (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Streamer (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Mac2Tivo (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Get Backup 2 RE (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\DiscCatalogMaker RE (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Disc Cover 2 RE (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\CD Spin Doctor (Mac).exe
2010-03-25 00:43 . 2010-03-25 00:43 228864 ----a-w- c:\documents and settings\Administrator\Application Data\Parallels\Shared Applications\Adobe Photoshop CS4 (Mac).exe
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\program files\OriginLab
2010-03-20 15:23 . 2009-11-04 19:12 -------- d-----w- c:\program files\Common Files\Stardock
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 17:08 . 2009-07-13 15:29 24392 ----a-w- c:\windows\system32\drivers\prl_vamp.sys
2010-03-05 17:08 . 2009-07-13 15:29 153928 ----a-w- c:\windows\system32\prl_vadd.dll
2010-03-05 17:08 . 2010-01-26 16:48 15816 ----a-w- c:\windows\system32\drivers\prl_time.sys
2010-03-05 17:08 . 2009-07-13 15:29 23240 ----a-w- c:\windows\system32\drivers\prl_tg.sys
2010-03-05 17:08 . 2009-05-05 17:46 30024 ----a-w- c:\windows\system32\drivers\prl_pv32.sys
2010-03-05 17:08 . 2009-07-13 15:29 15688 ----a-w- c:\windows\system32\drivers\prl_mouf.sys
2010-03-05 17:08 . 2010-03-20 15:21 15176 ----a-w- c:\windows\system32\drivers\prl_memdev.sys
2010-03-05 17:08 . 2009-05-05 23:22 148552 ----a-w- c:\windows\system32\drivers\prl_fs.sys
2010-03-05 17:08 . 2009-07-13 15:29 18120 ----a-w- c:\windows\system32\drivers\prl_eth5.sys
2010-03-05 17:08 . 2010-03-05 17:08 33864 ----a-w- c:\windows\system32\drivers\prl_boot.sys
2010-03-05 17:01 . 2009-05-05 23:17 100864 ----a-w- c:\windows\system32\prl_np.dll
2010-03-05 17:01 . 2009-07-13 15:29 176640 ----a-w- c:\windows\system32\prl_gl.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\PrlToolsShellExt]
@="{456C7CE2-DAAA-4333-A715-898D4671BBD4}"
[HKEY_CLASSES_ROOT\CLSID\{456C7CE2-DAAA-4333-A715-898D4671BBD4}]
2010-03-05 17:08 318280 ----a-w- c:\program files\Parallels\Parallels Tools\ShellExtentions\PrlToolsShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Parallels Shared Internet Applications"="c:\program files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" [2010-03-05 131912]
"Parallels Tools Center"="c:\program files\Parallels\Parallels Tools\prl_cc.exe" [2010-03-05 200520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-06 5937984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 13:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Invitrogen\\Vector NTI Advance 11\\Vector NTI 10.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Invitrogen\\Vector NTI Advance 11\\AnalysesMonitor.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 32784]
R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [5/5/2009 1:46 PM 30024]
R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [7/13/2009 11:29 AM 23240]
R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [3/5/2010 1:08 PM 33864]
R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [5/5/2009 7:22 PM 148552]
R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\Services\coherence.exe [3/5/2010 1:09 PM 27976]
R2 Parallels Tools Service;Parallels Tools Service;c:\program files\Parallels\Parallels Tools\Services\prl_tools_service.exe [3/5/2010 1:08 PM 202568]
R2 prl_memdev;Parallels Memdev Driver;c:\program files\Parallels\Parallels Tools\Drivers\prl_memdev\prl_memdev.sys [3/5/2010 1:08 PM 15176]
R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [1/26/2010 12:48 PM 15816]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [7/13/2009 11:29 AM 18120]
R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [7/13/2009 11:29 AM 15688]
R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [7/13/2009 11:29 AM 24392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 7:50 PM 135664]
S3 STVqx5;Digital Blue QX5(tm) Microscope;c:\windows\system32\drivers\STVqx5.sys [3/9/2010 9:41 PM 64512]
S3 STVqx5m;Digital Blue QX5(tm) Microscopem;c:\windows\system32\drivers\STVqx5m.sys [3/9/2010 9:41 PM 6144]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 23:50]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &??? ?- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 11\Ncbi.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-winhyo32 - winhyo32.dll
Notify-winjqa32 - winjqa32.dll
SafeBoot-klmdb.sys
AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\Administrator\Local Settings\Application Data\{EE3F443B-183B-4764-9F63-0CB18736ED34}\NBCDirectInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 01:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0xBAB50C00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcf28
\Driver\ACPI -> ACPI.sys @ 0xba85fcb8
\Driver\atapi -> atapi.sys @ 0xba7f1852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Parallels Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba6fdbb0
PacketIndicateHandler -> NDIS.sys @ 0xba70aa21
SendHandler -> NDIS.sys @ 0xba6e887b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1788223648-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,2f,cd,58,1c,d1,b2,49,ba,10,4a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,2f,cd,58,1c,d1,b2,49,ba,10,4a,\

[HKEY_USERS\S-1-5-21-507921405-1788223648-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\Stardock\MyColors\fastload.dll

- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\WININET.dll
c:\program files\Parallels\Parallels Tools\ShellExtentions\PrlToolsShellExt.dll
c:\windows\System32\prl_np.dll
c:\windows\system32\ieframe.dll
c:\program files\Parallels\Parallels Tools\ShellIntHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Parallels\Parallels Internet Security 2009\avp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Parallels\Parallels Tools\Services\prl_tools.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-05-09 01:41:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-09 05:41

Pre-Run: 18,703,437,824 bytes free
Post-Run: 19,060,555,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 324131CA5C571F05DB34113A266CE520
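The log above is read by hand in this thread (the "Other Deletions" block, the Security Center keys, the R0/R1 service list and the ORPHANS REMOVED section are the parts the moderator reacts to). The script below is an added example for this page, not ComboFix's own code and not something either poster ran: it parses those sections out of a ComboFix log and lists the items an analyst checks first. The sample input is constructed from lines of the log posted above; the "win<letters>32.dll" name heuristic for orphaned Winlogon Notify DLLs and the wording of the flags are assumptions of this example, not rules ComboFix applies.

```python
"""Triage the sections of a ComboFix log (added example, not ComboFix's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, trimmed.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Infected copy of c:\windows\system32\drivers\prl_boot.sys was found and disinfected
Restored copy from - Kitty had a snack :p
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 32784]
R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [3/5/2010 1:08 PM 33864]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 7:50 PM 135664]
- - - - ORPHANS REMOVED - - - -
Notify-winhyo32 - winhyo32.dll
Notify-winjqa32 - winjqa32.dll
SafeBoot-klmdb.sys
"""

# One pattern per line shape ComboFix emits in the sections read here.
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and (?P<action>\w+)$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>.+?) (?P<size>\d+)\]$"
)
NOTIFY_RE = re.compile(r"^Notify-(?P<key>\S+) - (?P<dll>\S+)$")
OVERRIDE_RE = re.compile(
    r'^"(?P<value>AntiVirusOverride|FirewallOverride|UpdatesOverride|DisableMonitoring)"'
    r"=dword:(?P<hex>[0-9A-Fa-f]{8})$"
)
# Assumed heuristic: short random-looking win*32.dll names like the two orphans above.
SUSPECT_DLL_RE = re.compile(r"^win[a-z]{3,5}32\.dll$", re.IGNORECASE)


@dataclass
class Triage:
    disinfected: list = field(default_factory=list)    # paths ComboFix replaced
    services: list = field(default_factory=list)       # (start type, name, path, size)
    overrides: list = field(default_factory=list)      # (Security Center value, int)
    orphan_notify: list = field(default_factory=list)  # (Notify key, dll)
    flags: list = field(default_factory=list)          # short notes for the analyst


def parse_combofix(text: str) -> Triage:
    """Walk the log once and bucket the lines an analyst wants to see."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            t.disinfected.append(m["path"])
        elif m := SERVICE_RE.match(line):
            t.services.append((m["start"], m["name"], m["path"], int(m["size"])))
        elif m := NOTIFY_RE.match(line):
            t.orphan_notify.append((m["key"], m["dll"]))
            if SUSPECT_DLL_RE.match(m["dll"]):
                t.flags.append(f"orphan Winlogon Notify entry with random-looking DLL: {m['dll']}")
        elif m := OVERRIDE_RE.match(line):
            val = int(m["hex"], 16)
            t.overrides.append((m["value"], val))
            if val:
                # AV suites set these legitimately; the point is to confirm the AV runs.
                t.flags.append(f"Security Center {m['value']}={val}: status alerts suppressed, "
                               "confirm the AV is actually running")
    # A disinfected driver still registered as a boot/system service loads on
    # every start, so the restored copy is worth verifying by hash against the vendor's.
    for name in still_loaded(t):
        t.flags.append(f"disinfected image still loads as service {name}; verify the restored copy")
    return t


def still_loaded(t: Triage) -> list:
    """Service names whose image ComboFix reported as disinfected."""
    paths = {p.lower() for p in t.disinfected}
    return [name for _start, name, path, _size in t.services if path.lower() in paths]


if __name__ == "__main__":
    for note in parse_combofix(SAMPLE_LOG).flags:
        print("-", note)
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; on the sample it reports the two orphaned Notify DLLs, the two Security Center overrides, and that the disinfected prl_boot.sys is still registered as the R1 service prl_boot.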
Moderator (55840 posts) - May 9, 2010 at 04:35 AM
Hello Iftach79,

Your log looks great! Thank you for your feedback. Now that your system is clean, do me a favor: turn off your System Restore for 45 seconds, turn it back on and create a new restore point, a safe place to return to in case of a problem.

Regards
Member (1 post) - May 17, 2010 at 03:42 PM
Hi Ambucias (or anyone else who can help). I have the Rootkit.Win32.TDSS.d virus even though Kaspersky has been running. I am a bit stumped, as the virus has cut off my internet connectivity, won't allow Kaspersky to remove it (it makes it ignore it every time), and I cannot even format the drive as none are visible in the Disk Management page.

Any suggestions? I have a work laptop which I have downloaded the files to but it is locked down to copy files off so is no use. I can't even mail them over to the infected desktop.
Not working to fix my Rootkit.Win32.TDSS.a :( It's still there and even Kaspersky 2010 is unable to treat it.
Moderator (55840 posts) - Apr 30, 2010 at 05:34 AM
Hello Submit

I assume you used ComboFix and it was not successful.

Please download:

http://www.esagelab.com/files/tdss_remover_latest.rar

On your desktop, create a new folder and decompress the downloaded file into that folder.

Launch the programme by double-clicking "Remover.exe". If the infection is detected, the hidden items will then be shown.

Check them off and click on repair/delete selected.

A message will appear asking you to reboot to finish the clean-up; type Y.

Let me know how this worked for you. There are other means to remove the virus.

Regards