Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] No internet connectivity after virus removal

Started by Terrik , Oct 24 2009 08:55 PM

  • This topic is locked This topic is locked
30 replies to this topic

#1 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 24 October 2009 - 08:55 PM

Hello all! I had a nasty infection on my laptop the other day, but either I didn't remove the infections correctly, or something else is going on. I started to get alerts from Avast about infections and after taking care of them, I decided to run a boot scan. After removing the infections, I decided to take further precautions and ran a Trendmicro virus scan which found further infections. However I started to notice my computer would no longer fully boot up to windows..I usually got as far as seeing my desktop background (sans windows start bar and sans icons)--- or if it did boot up , the windows taskbar would be perpetually frozen. My only option was to restart in safe mode and try other things. In both normal and safe mode, I could not connect to the internet. Under some advice, I downloaded Malawarebytes on another computer and transferred it to my laptop, ran a scan, removed yet more infections and rebooted. Once the reboot finished, my desktop background was disabled and replaced by "Active Desktop Recovery". Clicking on "Restore my Active Desktop" gives me an Internet Explorer script error. I also tried running Winsock XP fix, but it didn't seem to have any effect either. Finally I downloaded HijackThis! and ran a scan. Below is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:14, on 10/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thefreevpn.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:8081;local;<local>
R3 - URLSearchHook: Yahoo! ??? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {02478D37-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9AA6B2B3-9DC2-40E7-B784-3DCBC7E950DC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {B70A1A54-6DFB-4AD8-9A62-2C00A3CC5BB4} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! ??? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ????? - {7B434A2A-9E4C-48F2-8373-5801F316A4D5} - C:\Program Files\Yodao\Toolbar\ydtbv1.01\YodaoToolbar.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &使用超级旋风下载 - C:\Program Files\Tencent\QQDownload\geturl.htm
O8 - Extra context menu item: &使用超级旋风下载全部链接 - C:\Program Files\Tencent\QQDownload\getAllurl.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: QQ - C:\Program Files\Tencent\TM2008\Bin\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.7.109.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.c...121/aliedit.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1230754739000
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc....afeControls.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://gorgutz:4343...root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://gorgutz:4343.../AtxConsole.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.c...dateInstall.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworl...age/skcinst.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11369 bytes

    Advertisements

Register to Remove

#2 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 27 October 2009 - 07:36 PM

Hi Terrik,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Let's give this a try:

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 27 October 2009 - 08:41 PM

I'll download the rooter program and transfer it to my laptop when I get home. I can run a malawarebytes scan but I wont be able to update the program from my laptop since I have zero connectivity to the internet on the laptop. I'll run the program as is when installed and post the log. Thanks again

#4 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 27 October 2009 - 08:47 PM

Terrik, Sounds good. I'll take what I get until we can get you back online.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#5 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 28 October 2009 - 05:23 AM

Here's the Rooter log: Rooter.exe (v1.0.2) by Eric_71 . SeDebugPrivilege granted successfully ... . Windows XP Home Edition (5.1.2600) Service Pack 2 [32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel . [wscsvc] (Security Center) RUNNING (state:4) [SharedAccess] RUNNING (state:4) Windows Firewall -> Disabled ! . Internet Explorer 7.0.5730.13 . C:\ [Fixed-NTFS] .. ( Total:109 Go - Free:2 Go ) D:\ [CD_Rom] F:\ [Removable] . Scan : 18:05.55 Path : C:\Documents and Settings\Steve\Desktop\Rooter.exe User : Steve ( Administrator -> YES ) . ----------------------\\ Processes . Locked [System Process] (0) ______ System (4) ______ \SystemRoot\System32\smss.exe (1264) ______ \??\C:\WINDOWS\system32\csrss.exe (1340) ______ \??\C:\WINDOWS\system32\winlogon.exe (1372) ______ C:\WINDOWS\system32\services.exe (1416) ______ C:\WINDOWS\system32\lsass.exe (1428) ______ C:\WINDOWS\system32\svchost.exe (1588) ______ C:\WINDOWS\system32\svchost.exe (1668) ______ C:\WINDOWS\System32\svchost.exe (1812) ______ C:\WINDOWS\system32\svchost.exe (2000) Locked vsmon.exe (256) ______ C:\WINDOWS\Explorer.EXE (1076) ______ C:\WINDOWS\System32\WLTRYSVC.EXE (1728) ______ C:\WINDOWS\System32\bcmwltry.exe (1740) ______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1748) ______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1764) ______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (1896) ______ C:\WINDOWS\system32\spoolsv.exe (436) ______ C:\WINDOWS\system32\svchost.exe (840) ______ C:\Program Files\Dell Network Assistant\hnm_svc.exe (888) ______ C:\Program Files\Hotspot Shield\bin\openvpnas.exe (924) ______ C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe (952) ______ C:\WINDOWS\system32\svchost.exe (1008) ______ C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe (1152) ______ C:\Program Files\Canon\CAL\CALMAIN.exe (2052) ______ C:\WINDOWS\system32\wbem\unsecapp.exe (2476) ______ C:\WINDOWS\System32\alg.exe (2756) ______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2844) ______ C:\Program Files\Hotspot Shield\bin\openvpntray.exe (3492) ______ C:\WINDOWS\system32\ctfmon.exe (3680) ______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (3764) ______ C:\Program Files\Dell\QuickSet\Quickset.exe (3980) ______ C:\WINDOWS\system32\wuauclt.exe (3040) ______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (3360) ______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (3896) ______ C:\WINDOWS\notepad.exe (3988) ______ C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE (3784) ______ C:\WINDOWS\system32\wscntfy.exe (3640) ______ C:\Program Files\RamBooster 2.0\Rambooster.exe (2840) ______ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (3596) ______ C:\WINDOWS\hh.exe (3188) ______ C:\Documents and Settings\Steve\Desktop\Rooter.exe (1160) . ----------------------\\ Device\Harddisk0\ . \Device\Harddisk0 [Sectors : 63 x 512 Bytes] . \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:90445824) \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:90478080 | Length:117259591680) \Device\Harddisk0\Partition0 (Start_Offset:117350069760 | Length:2681441280) \Device\Harddisk0\Partition3 (Start_Offset:117350102016 | Length:2681409024) . ----------------------\\ Scheduled Tasks . C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job C:\WINDOWS\Tasks\desktop.ini C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006Core.job C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006UA.job C:\WINDOWS\Tasks\SA.DAT . ----------------------\\ Registry . . ----------------------\\ Files & Folders . ----------------------\\ Scan completed at 18:07.37 . C:\Rooter$\Rooter_2.txt - (28/10/2009 | 18:07.37) And here's the Malabytes log: Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 2 10/28/2009 7:19:43 PM mbam-log-2009-10-28 (19-19-28).txt Scan type: Full Scan (C:\|) Objects scanned: 270497 Time elapsed: 1 hour(s), 21 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP762\A0225418.EXE (Malware.Packer.Morphine) -> No action taken. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP762\A0225419.dll (Trojan.BHO) -> No action taken.

#6 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 28 October 2009 - 08:18 AM

Terrik,

Did you click Remove Selected?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#7 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 28 October 2009 - 05:13 PM

Ah, no, it seems I forgot to but I just did and got the new log...but first let me post the log from a scan on the 25th, keeping in mind that from the 24th until present I have been unable to connect online. Log from the 25th: Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 2 10/25/2009 1:04:02 AM mbam-log-2009-10-25 (01-04-02).txt Scan type: Full Scan (C:\|) Objects scanned: 45553 Time elapsed: 13 minute(s), 22 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009e9f-ddd7-aa59-aa7d-aa4b7d6be000} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{00009e9f-ddd7-aa59-aa7d-aa4b7d6be000} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00009e9f-ddd7-aa59-aa7d-aa4b7d6be000} (Spyware.Passwords) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appilft_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\mscorewr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. And this is the newest log from the most recent scan: Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 5.1.2600 Service Pack 2 10/29/2009 7:00:09 AM mbam-log-2009-10-29 (07-00-09).txt Scan type: Full Scan (C:\|) Objects scanned: 270497 Time elapsed: 1 hour(s), 21 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP762\A0225418.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP762\A0225419.dll (Trojan.BHO) -> Quarantined and deleted successfully. I restarted the computer after finishing the scan but there doesnt seem to be any change in the condition of the computer.

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 28 October 2009 - 05:25 PM

Terrik,

One more program to transfer. You won't be able to install the Recovery Console without internet access so just go ahead and continue with the scan.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#9 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 28 October 2009 - 06:15 PM

Here's the combofix log

ComboFix 09-10-27.08 - Steve 10/29/2009 7:43.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1480 [GMT 8:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091023-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Steve\LOCALS~1\Temp\0.EXE
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM.cfg
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM0.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM1.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM2.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM3.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM4.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM5.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM6.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM7.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM8.che
c:\documents and settings\Steve\Local Settings\Temporary Internet Files\SKBGM9.che
c:\program files\StormII
c:\program files\StormII\codec\264be.dll
c:\program files\StormII\codec\264dmmx.dll
c:\program files\StormII\codec\264dsse.dll
c:\program files\StormII\codec\264dsse2.dll
c:\program files\StormII\codec\264dsse3.dll
c:\program files\StormII\codec\aasc32.dll
c:\program files\StormII\codec\ac3filter.ax
c:\program files\StormII\codec\acelpdec.ax
c:\program files\StormII\codec\asusasv1.dll
c:\program files\StormII\codec\asusasv2.dll
c:\program files\StormII\codec\ativcr2.dll
c:\program files\StormII\codec\avcodec.dll
c:\program files\StormII\codec\avformat.dll
c:\program files\StormII\codec\avidavicodec.dll
c:\program files\StormII\codec\AviSplitter.ax
c:\program files\StormII\codec\avutil.dll
c:\program files\StormII\codec\bass.dll
c:\program files\StormII\codec\bass_aac.dll
c:\program files\StormII\codec\bass_alac.dll
c:\program files\StormII\codec\bass_ape.dll
c:\program files\StormII\codec\bass_flac.dll
c:\program files\StormII\codec\bass_mpc.dll
c:\program files\StormII\codec\bass_tta.dll
c:\program files\StormII\codec\bass_wv.dll
c:\program files\StormII\codec\binkw32.dll
c:\program files\StormII\codec\BSPVDEC.dll
c:\program files\StormII\codec\bsrsrc.ax
c:\program files\StormII\codec\BsrVideoDec.ax
c:\program files\StormII\codec\bw10.dll
c:\program files\StormII\codec\cddareader.ax
c:\program files\StormII\codec\cdxareader.ax
c:\program files\StormII\codec\ChpSrcFilter.ax
c:\program files\StormII\codec\CinemasterAudio.DLL
c:\program files\StormII\codec\cl264dec.ax
c:\program files\StormII\codec\CLNavX.ax
c:\program files\StormII\codec\CLRVIDDC.DLL
c:\program files\StormII\codec\clrviddd.dll
c:\program files\StormII\codec\CLVc1Dec.ax
c:\program files\StormII\codec\CLVSD.ax
c:\program files\StormII\codec\clvsdx.ax
c:\program files\StormII\codec\coreavc.ax
c:\program files\StormII\codec\CUVCcodc.dll
c:\program files\StormII\codec\DCBassSource.ax
c:\program files\StormII\codec\DECVW_32.DLL
c:\program files\StormII\codec\divxdec.ax
c:\program files\StormII\codec\DmoDec.dll
c:\program files\StormII\codec\DSMSplitter.ax
c:\program files\StormII\codec\empgdmx.ax
c:\program files\StormII\codec\ff_kernelDeint.dll
c:\program files\StormII\codec\ff_liba52.dll
c:\program files\StormII\codec\ff_libavcodec.dll
c:\program files\StormII\codec\ff_libdts.dll
c:\program files\StormII\codec\ff_libfaad2.dll
c:\program files\StormII\codec\ff_libmad.dll
c:\program files\StormII\codec\ff_libmpeg2.dll
c:\program files\StormII\codec\ff_libmplayer.dll
c:\program files\StormII\codec\ff_realaac.dll
c:\program files\StormII\codec\ff_samplerate.dll
c:\program files\StormII\codec\ff_theora.dll
c:\program files\StormII\codec\ff_TomsMoComp.dll
c:\program files\StormII\codec\ff_tremor.dll
c:\program files\StormII\codec\ff_unrar.dll
c:\program files\StormII\codec\ff_wmv9.dll
c:\program files\StormII\codec\ff_xvidcore.dll
c:\program files\StormII\codec\ffdshow.ax
c:\program files\StormII\codec\ffdshow.ax.manifest
c:\program files\StormII\codec\ffmpeg.dll
c:\program files\StormII\codec\ffsource.ax
c:\program files\StormII\codec\Flash.ocx
c:\program files\StormII\codec\FLT_ffdshow.dll
c:\program files\StormII\codec\FLVSplitter.ax
c:\program files\StormII\codec\frapsvid.dll
c:\program files\StormII\codec\G722ADEC.dll
c:\program files\StormII\codec\GeoCodec.dll
c:\program files\StormII\codec\H264VDEC.dll
c:\program files\StormII\codec\HBGKDec.ax
c:\program files\StormII\codec\HBGKSrc.ax
c:\program files\StormII\codec\HikAudioDec.ax
c:\program files\StormII\codec\HikFileSource.ax
c:\program files\StormII\codec\HikFileSplitter.ax
c:\program files\StormII\codec\HIKM4DEC.dll
c:\program files\StormII\codec\HikVideoDec.ax
c:\program files\StormII\codec\i263_32.drv
c:\program files\StormII\codec\icmw_32.dll
c:\program files\StormII\codec\iconv.dll
c:\program files\StormII\codec\kdh4.dll
c:\program files\StormII\codec\kdm4.dll
c:\program files\StormII\codec\keys.dat
c:\program files\StormII\codec\l3codecx.ax
c:\program files\StormII\codec\LCodcCMP.dll
c:\program files\StormII\codec\libavcodec.dll
c:\program files\StormII\codec\libmpeg2_ff.dll
c:\program files\StormII\codec\libmplayer.dll
c:\program files\StormII\codec\LMVRGBxf.dll
c:\program files\StormII\codec\LMVYUVxf.dll
c:\program files\StormII\codec\lsvxdec.dll
c:\program files\StormII\codec\mfplat.dll
c:\program files\StormII\codec\mkunicode.dll
c:\program files\StormII\codec\mkx.dll
c:\program files\StormII\codec\mkzlib.dll
c:\program files\StormII\codec\mmamrdmx.ax
c:\program files\StormII\codec\Mp3Decdll.dll
c:\program files\StormII\codec\MP3DMOD.DLL
c:\program files\StormII\codec\mp4.dll
c:\program files\StormII\codec\mp43dmod.dll
c:\program files\StormII\codec\mp4sdmod.dll
c:\program files\StormII\codec\MP4Splitter.ax
c:\program files\StormII\codec\MpaDecFilter.ax
c:\program files\StormII\codec\MpaSplitter.ax
c:\program files\StormII\codec\mpcvideodec.ax
c:\program files\StormII\codec\Mpeg2DecFilter.ax
c:\program files\StormII\codec\mpeg2dmx.ax
c:\program files\StormII\codec\MpegSplitter.ax
c:\program files\StormII\codec\mpg2splt.ax
c:\program files\StormII\codec\mpg4dmod.dll
c:\program files\StormII\codec\msdmo.dll
c:\program files\StormII\codec\msms001.vwp
c:\program files\StormII\codec\msvcp71.dll
c:\program files\StormII\codec\msvcr71.dll
c:\program files\StormII\codec\MZP4_DEC.DLL
c:\program files\StormII\codec\NDParser.ax
c:\program files\StormII\codec\NeMP4Splitter.ax
c:\program files\StormII\codec\nvviddec.ax
c:\program files\StormII\codec\OggSplitter.ax
c:\program files\StormII\codec\Plugins\nppl3260.dll
c:\program files\StormII\codec\Plugins\nppl3260.xpt
c:\program files\StormII\codec\Plugins\npqtplugin.dll
c:\program files\StormII\codec\Plugins\nprpjplug.dll
c:\program files\StormII\codec\Plugins\nsIQTScriptablePlugin.xpt
c:\program files\StormII\codec\Plugins\nsJSRealPlayerPlugin.xpt
c:\program files\StormII\codec\Plugins\QuickTimePlugin.class
c:\program files\StormII\codec\PmpSplt.ax
c:\program files\StormII\codec\pncrt.dll
c:\program files\StormII\codec\pndx5016.dll
c:\program files\StormII\codec\pndx5032.dll
c:\program files\StormII\codec\pthreadVC2.dll
c:\program files\StormII\codec\pvmjpg21.dll
c:\program files\StormII\codec\PVWV220.DLL
c:\program files\StormII\codec\qasf.dll
c:\program files\StormII\codec\QTSystem\CFCharacterSetBitmaps.bitmap
c:\program files\StormII\codec\QTSystem\CoreVideo.qtx
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\CoreVideo.qtr
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\en.lproj\CoreVideoLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.qts
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.qtxs
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.qtx
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\QuickTime3GPP.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\en.lproj\QuickTimeEssentialsLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\en.lproj\QuickTimeH264Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\QuickTimeH264.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\en.lproj\QuickTimeInternetExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\QuickTimeInternetExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\en.lproj\QuickTimeMPEG4Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\QuickTimeMPEG4.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.Resources\en.lproj\QuickTimeMusicLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.Resources\QuickTimeMusic.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
c:\program files\StormII\codec\QuickTime.qts
c:\program files\StormII\codec\QuickTimeVR.qtx
c:\program files\StormII\codec\RadGtSplitter.ax
c:\program files\StormII\codec\Real\Codecs\14_43260.dll
c:\program files\StormII\codec\Real\Codecs\28_83260.dll
c:\program files\StormII\codec\Real\Codecs\atrc.dll
c:\program files\StormII\codec\Real\Codecs\cook.dll
c:\program files\StormII\codec\Real\Codecs\ddnt3260.dll
c:\program files\StormII\codec\Real\Codecs\dnet3260.dll
c:\program files\StormII\codec\Real\Codecs\drv1.dll
c:\program files\StormII\codec\Real\Codecs\drv2.dll
c:\program files\StormII\codec\Real\Codecs\drvc.dll
c:\program files\StormII\codec\Real\Codecs\hxltcolor.dll
c:\program files\StormII\codec\Real\Codecs\raac.dll
c:\program files\StormII\codec\Real\Codecs\ralf.dll
c:\program files\StormII\codec\Real\Codecs\rv10.dll
c:\program files\StormII\codec\Real\Codecs\rv20.dll
c:\program files\StormII\codec\Real\Codecs\rv30.dll
c:\program files\StormII\codec\Real\Codecs\rv40.dll
c:\program files\StormII\codec\Real\Codecs\sipr.dll
c:\program files\StormII\codec\Real\Common\objb3201.dll
c:\program files\StormII\codec\Real\Common\pnen3260.dll
c:\program files\StormII\codec\Real\Common\pngu3267.dll
c:\program files\StormII\codec\Real\Common\pnrs3260.dll
c:\program files\StormII\codec\Real\Common\rppr3260.dll
c:\program files\StormII\codec\Real\Common\security.dll
c:\program files\StormII\codec\Real\Plugins\audplin.dll
c:\program files\StormII\codec\Real\Plugins\authmgr.dll
c:\program files\StormII\codec\Real\Plugins\clbascauth.dll
c:\program files\StormII\codec\Real\Plugins\clntxres.dll
c:\program files\StormII\codec\Real\Plugins\ExtResources\coreres.xrs
c:\program files\StormII\codec\Real\Plugins\fpsechnd.dll
c:\program files\StormII\codec\Real\Plugins\httpfsys.dll
c:\program files\StormII\codec\Real\Plugins\hxsdp.dll
c:\program files\StormII\codec\Real\Plugins\hxxml.dll
c:\program files\StormII\codec\Real\Plugins\imgrender.dll
c:\program files\StormII\codec\Real\Plugins\memfsys.dll
c:\program files\StormII\codec\Real\Plugins\mp3fformat.dll
c:\program files\StormII\codec\Real\Plugins\mp3render.dll
c:\program files\StormII\codec\Real\Plugins\mp4arender.dll
c:\program files\StormII\codec\Real\Plugins\ntlmauth.dll
c:\program files\StormII\codec\Real\Plugins\oggfformat.dll
c:\program files\StormII\codec\Real\Plugins\pacplin.dll
c:\program files\StormII\codec\Real\Plugins\plusplin.dll
c:\program files\StormII\codec\Real\Plugins\pxcb3210.dll
c:\program files\StormII\codec\Real\Plugins\ramfformat.dll
c:\program files\StormII\codec\Real\Plugins\ramrender.dll
c:\program files\StormII\codec\Real\Plugins\rarender.dll
c:\program files\StormII\codec\Real\Plugins\rmfformat.dll
c:\program files\StormII\codec\Real\Plugins\rmxfpln.dll
c:\program files\StormII\codec\Real\Plugins\rmxrend.dll
c:\program files\StormII\codec\Real\Plugins\rn5auth.dll
c:\program files\StormII\codec\Real\Plugins\rtfformat.dll
c:\program files\StormII\codec\Real\Plugins\rtrender.dll
c:\program files\StormII\codec\Real\Plugins\rvrender.dll
c:\program files\StormII\codec\Real\Plugins\sdpplin.dll
c:\program files\StormII\codec\Real\Plugins\security.dll
c:\program files\StormII\codec\Real\Plugins\smlfformat.dll
c:\program files\StormII\codec\Real\Plugins\smlrender.dll
c:\program files\StormII\codec\Real\Plugins\smmrender.dll
c:\program files\StormII\codec\Real\Plugins\smplfsys.dll
c:\program files\StormII\codec\Real\Plugins\stubdrm.dll
c:\program files\StormII\codec\Real\Plugins\tfilesys.dll
c:\program files\StormII\codec\Real\Plugins\vidplin.dll
c:\program files\StormII\codec\Real\Plugins\vidsite.dll
c:\program files\StormII\codec\Real\Plugins\vorbisrend.dll
c:\program files\StormII\codec\Real\Plugins\vsrlocal.dll
c:\program files\StormII\codec\Real\rpplugins\cn\embed_cn.dll
c:\program files\StormII\codec\Real\rpplugins\cn\rpclsvc_cn.dll
c:\program files\StormII\codec\Real\rpplugins\embd3260.dll
c:\program files\StormII\codec\Real\rpplugins\rpcl3260.dll
c:\program files\StormII\codec\Real\rpplugins\rput3260.dll
c:\program files\StormII\codec\RLMPCDec.ax
c:\program files\StormII\codec\rmoc3260.dll
c:\program files\StormII\codec\RMSplt.ax
c:\program files\StormII\codec\Sc726dec.ax
c:\program files\StormII\codec\scmpack.dll
c:\program files\StormII\codec\scsource.ax
c:\program files\StormII\codec\smackw32.dll
c:\program files\StormII\codec\SonicLicenseManager9.dll
c:\program files\StormII\codec\splitter.ax
c:\program files\StormII\codec\TomsMoComp_ff.dll
c:\program files\StormII\codec\ts.dll
c:\program files\StormII\codec\tsccvid.dll
c:\program files\StormII\codec\TTL2Dec.dll
c:\program files\StormII\codec\v2k2_dec.dll
c:\program files\StormII\codec\v2kdspde.dll
c:\program files\StormII\codec\vc1dc.dll
c:\program files\StormII\codec\vc1dmmx.dll
c:\program files\StormII\codec\vc1dsse.dll
c:\program files\StormII\codec\vc1dsse2.dll
c:\program files\StormII\codec\vc1wp.ax
c:\program files\StormII\codec\VDODEC32.dll
c:\program files\StormII\codec\vdowave.drv
c:\program files\StormII\codec\VgmAudio.ax
c:\program files\StormII\codec\vgmbgr.ax
c:\program files\StormII\codec\VgmSplt.ax
c:\program files\StormII\codec\vgmv2k2.ax
c:\program files\StormII\codec\Vid1Dec.dll
c:\program files\StormII\codec\vmnc.dll
c:\program files\StormII\codec\voxmsdec.ax
c:\program files\StormII\codec\vp6vfw.dll
c:\program files\StormII\codec\vp7vfw.dll
c:\program files\StormII\codec\vssver2.scc
c:\program files\StormII\codec\WMADMOD.dll
c:\program files\StormII\codec\wmpasf.dll
c:\program files\StormII\codec\wmsdmod.dll
c:\program files\StormII\codec\WMVDECOD.dll
c:\program files\StormII\codec\wmvdmod.dll
c:\program files\StormII\codec\xvid.ax
c:\program files\StormII\codec\xvidcore.dll
c:\program files\StormII\codec\yv12vfw.dll
c:\program files\StormII\current.ecs
c:\program files\StormII\jscript.dll
c:\program files\StormII\keys.dat
c:\program files\StormII\media\def\def.flv
c:\program files\StormII\media\def\def.ini
c:\program files\StormII\media\empty.swf
c:\program files\StormII\media\media4in1.swf
c:\program files\StormII\media\mediabp.swf
c:\program files\StormII\media\others.xml
c:\program files\StormII\media\others.xml.ini
c:\program files\StormII\media\toff.ini
c:\program files\StormII\media\video_material_list.xml
c:\program files\StormII\media\video_material_list.xml.ini
c:\program files\StormII\media\video_style_list.xml
c:\program files\StormII\media\video_style_list.xml.ini
c:\program files\StormII\Media2.dll
c:\program files\StormII\mee.db
c:\program files\StormII\MovieInfo.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\msscript.ocx
c:\program files\StormII\msvcp60.dll
c:\program files\StormII\rndrmgr.dll
c:\program files\StormII\score.dll
c:\program files\StormII\sexpert.dll
c:\program files\StormII\Skin\????.zip
c:\program files\StormII\Skin\??1??.zip
c:\program files\StormII\Skin\??2??.zip
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\sprobe.dll
c:\program files\StormII\Storm.exe
c:\program files\StormII\stormliv.exe
c:\program files\StormII\stormply.exe
c:\program files\StormII\StormRes.dll
c:\program files\StormII\subdecoder.dll
c:\program files\StormII\uninst.exe
c:\windows\struct~.ini
c:\windows\system32\BDGuardS.DAT
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ccosm
-------\Service_ccosm


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 09:36 . 2009-10-28 10:07 -------- d-----w- C:\Rooter$
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 16:27 . 2009-10-24 16:27 -------- d-----w- C:\Regbackup
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users
2009-10-23 11:11 . 2009-10-23 11:11 215552 ----a-w- c:\windows\system32\dllcache\termsrv.dll
2009-10-11 14:25 . 2009-10-25 01:58 -------- d-----w- c:\program files\FreeVPN
2009-10-04 09:03 . 2009-10-04 09:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-04 08:59 . 2009-10-04 09:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-01 00:11 . 2009-10-01 00:14 -------- d-----w- c:\program files\PhotoScape
2009-09-29 12:05 . 2009-09-29 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Youdao

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 00:00 . 2008-11-26 22:32 81360928 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-28 23:59 . 2008-10-06 03:36 -------- d-----w- c:\documents and settings\Steve\Application Data\SogouPY
2009-10-28 23:57 . 2008-10-08 23:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SogouPY
2009-10-28 23:57 . 2008-11-26 22:32 957584 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-28 23:40 . 2008-11-16 00:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SogouPY
2009-10-26 10:58 . 2008-12-24 16:18 -------- d-----w- c:\program files\RamBooster 2.0
2009-10-25 13:09 . 2007-09-21 23:54 84272 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 02:25 . 2007-09-24 16:38 -------- d-----w- c:\program files\Trend Micro
2009-10-25 02:16 . 2009-08-18 23:58 1730176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 02:09 . 2007-09-08 08:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-25 01:36 . 2007-10-21 02:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-24 11:31 . 2007-09-23 14:10 -------- d-----w- c:\program files\BitComet
2009-10-24 08:33 . 2009-08-19 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-10-23 15:46 . 2007-09-22 02:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2009-10-23 11:11 . 2004-08-10 17:51 577536 ----a-w- c:\windows\system32\user32.DLL
2009-10-23 11:11 . 2004-08-10 18:01 215552 ----a-w- c:\windows\system32\termsrv.dll
2009-10-20 00:03 . 2009-05-03 13:08 -------- d-----w- c:\documents and settings\Steve\Application Data\mIRC
2009-10-18 22:50 . 2009-05-03 13:08 -------- d-----w- c:\program files\mIRC
2009-10-10 11:20 . 2007-09-08 08:03 256289 ----a-w- c:\windows\system32\nvModes.dat
2009-10-04 09:22 . 2008-03-10 14:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-04 04:52 . 2009-08-02 04:57 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-10-02 01:52 . 2008-06-17 06:31 -------- d-----w- c:\program files\Warcraft III
2009-10-01 17:18 . 2009-07-20 03:29 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-09-28 06:36 . 2009-02-08 21:31 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-20 04:42 . 2009-08-18 13:00 -------- d-----w- c:\documents and settings\Steve\Application Data\Hamachi
2009-09-18 13:03 . 2009-09-18 13:03 -------- d-----w- c:\program files\Hotspot Shield
2009-09-18 12:57 . 2009-09-18 12:52 -------- d-----w- c:\documents and settings\Steve\Application Data\GTunnel
2009-09-18 12:50 . 2009-09-18 12:50 -------- d-----w- c:\documents and settings\Steve\Application Data\GPass
2009-09-16 07:37 . 2007-10-03 14:09 -------- d-----w- c:\program files\Steam
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 20:04 . 2009-07-02 02:34 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-11 09:33 . 2009-09-11 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 09:29 . 2009-09-11 09:29 -------- d-----w- c:\program files\NOS
2009-09-05 01:55 . 2007-09-29 13:27 -------- d-----w- c:\program files\Java
2009-09-02 12:36 . 2009-09-02 12:36 -------- d-----w- c:\program files\Hamachi
2009-09-02 12:36 . 2007-10-27 01:41 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-25 13:01 . 2007-11-24 02:55 39 -c--a-w- c:\windows\popcinfot.dat
2009-08-17 16:10 . 2008-09-28 07:41 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-09-28 07:41 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-09-28 07:41 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-09-28 07:41 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-09-28 07:41 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-09-28 07:42 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-09-28 07:42 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-09-28 07:42 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-09-28 07:42 97480 ----a-w- c:\windows\system32\AvastSS.scr
2008-04-25 08:20 . 2008-04-25 08:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2009-10-24 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\dllcache\user32.dll
[-] 2009-10-23 . !HASH: COULD NOT OPEN FILE !!!!! . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.DLL
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[7] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\dllcache\termsrv.dll
[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-09-18 13:03 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^QQ????????.lnk]
backup=c:\windows\pss\QQ????????.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^腾讯QQ.lnk]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^??QQ.lnk]
backup=c:\windows\pss\??QQ.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff0a052c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyWay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"vsmon"=2 (0x2)
"SeaPort"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"HssTrayService"=3 (0x3)
"GoogleDesktopManager-022208-143751"=3 (0x3)
"ccosm"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\TM2008\\Bin\\TM.exe"=
"c:\\Program Files\\Steam\\steamapps\\terrikus\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\Steve\\Desktop\\other stuff to transfer\\THE FOLDER TO END ALL FOLDERS\\Warcraft III\\lancraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\??????\\TV.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\Common Files\\uusee\\UUSeeMediaCenter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\xiaonei\\xntalk.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPStream.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"24544:TCP"= 24544:TCP:BitComet 24544 TCP
"24544:UDP"= 24544:UDP:BitComet 24544 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:35 AM 64160]
R1 ADProt;ADProt;c:\windows\system32\drivers\AdProt.sys [10/4/2007 8:28 PM 41472]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/28/2008 3:41 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/28/2008 3:41 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/19/2009 5:34 AM 1028432]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/17/2008 6:12 AM 102400]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [7/14/2008 10:42 PM 6656]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/11/2004 1:51 AM 14336]
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [3/10/2004 8:48 AM 108032]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/2/2009 12:57 PM 36928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/26/2008 3:33 PM 11520]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/8/2007 4:25 PM 29744]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/19/2009 6:39 PM 90352]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/24/2008 6:22 AM 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:35]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thefreevpn.com/home.php
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = 127.0.0.1:8081;local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Yodao?? - c:\program files\Yodao\Toolbar\ydtbv1.01\YodaoToolbar.dll/158.htm
IE: &使用超级旋风下载 - c:\program files\Tencent\QQDownload\geturl.htm
IE: &使用超级旋风下载全部链接 - c:\program files\Tencent\QQDownload\getAllurl.htm
IE: &????????
IE: &????????????
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: QQ - c:\program files\Tencent\TM2008\Bin\AddEmotion.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: ??UUSee?? - c:\program files\uusee\geturltodown.htm
IE: ??UUSee???? - c:\program files\uusee\geturltoplay.htm
IE: ??? Microsoft Office Excel(&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: ???QQ??
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://gorgutz:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} - hxxps://gorgutz:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\2hrpxots.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\2hrpxots.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\2hrpxots.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npBitCometAgent.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npcyworld.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppl3260.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprjplug.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprpjplug.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcyworld.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{9AA6B2B3-9DC2-40E7-B784-3DCBC7E950DC} - (no file)
AddRemove-QQ2007正式版 - c:\program files\Tencent\QQ\uninst.exe
AddRemove-storm2 - c:\program files\StormII\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 07:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a03504\onefile.dld 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廬
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廻Q钀]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]
"Data"=hex:04,16,00,17,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*X]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*鵞bs^餝]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,82,00,00,00,01,00,00,00,01,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*X]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*鵞bs^餝]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,32,4b,32,
21,a8,08,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\)Y絧R*M*5u茐銐xhV]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1340)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\combofix\CF18760.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 8:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 00:08
ComboFix2.txt 2008-07-23 12:24

Pre-Run: 2,961,055,744 bytes free
Post-Run: 3,155,738,624 bytes free

- - End Of File - - 14F352521E442D2373F63BBABDEF81D2

#10 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 28 October 2009 - 07:13 PM

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    rootkit::
c:\windows\TEMP\_av_proI.tm~a03504\onefile.dld
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Press the GO button in the bottom of the window.
  • Exit/Close Dial-A-Fix

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

    Advertisements

Register to Remove

#11 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 29 October 2009 - 03:47 AM

Here's another combofix log

ComboFix 09-10-27.08 - Steve 10/29/2009 12:40.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1523 [GMT 8:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 09:36 . 2009-10-28 10:07 -------- d-----w- C:\Rooter$
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 16:27 . 2009-10-24 16:27 -------- d-----w- C:\Regbackup
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users
2009-10-23 11:11 . 2009-10-23 11:11 215552 ----a-w- c:\windows\system32\dllcache\termsrv.dll
2009-10-11 14:25 . 2009-10-25 01:58 -------- d-----w- c:\program files\FreeVPN
2009-10-04 09:03 . 2009-10-04 09:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-04 08:59 . 2009-10-04 09:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-01 00:11 . 2009-10-01 00:14 -------- d-----w- c:\program files\PhotoScape
2009-09-29 12:05 . 2009-09-29 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Youdao

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:52 . 2008-11-26 22:32 81494048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 04:50 . 2008-10-06 03:36 -------- d-----w- c:\documents and settings\Steve\Application Data\SogouPY
2009-10-29 04:48 . 2008-11-26 22:32 959144 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-29 03:46 . 2007-10-21 02:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-29 03:30 . 2008-10-08 23:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SogouPY
2009-10-29 03:28 . 2008-11-16 00:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SogouPY
2009-10-26 10:58 . 2008-12-24 16:18 -------- d-----w- c:\program files\RamBooster 2.0
2009-10-25 13:09 . 2007-09-21 23:54 84272 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 02:25 . 2007-09-24 16:38 -------- d-----w- c:\program files\Trend Micro
2009-10-25 02:16 . 2009-08-18 23:58 1730176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 02:09 . 2007-09-08 08:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-24 11:31 . 2007-09-23 14:10 -------- d-----w- c:\program files\BitComet
2009-10-24 08:33 . 2009-08-19 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-10-23 15:46 . 2007-09-22 02:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2009-10-23 11:11 . 2004-08-10 17:51 577536 ----a-w- c:\windows\system32\user32.DLL
2009-10-23 11:11 . 2004-08-10 18:01 215552 ----a-w- c:\windows\system32\termsrv.dll
2009-10-20 00:03 . 2009-05-03 13:08 -------- d-----w- c:\documents and settings\Steve\Application Data\mIRC
2009-10-18 22:50 . 2009-05-03 13:08 -------- d-----w- c:\program files\mIRC
2009-10-10 11:20 . 2007-09-08 08:03 256289 ----a-w- c:\windows\system32\nvModes.dat
2009-10-04 09:22 . 2008-03-10 14:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-04 04:52 . 2009-08-02 04:57 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-10-02 01:52 . 2008-06-17 06:31 -------- d-----w- c:\program files\Warcraft III
2009-10-01 17:18 . 2009-07-20 03:29 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-09-28 06:36 . 2009-02-08 21:31 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-20 04:42 . 2009-08-18 13:00 -------- d-----w- c:\documents and settings\Steve\Application Data\Hamachi
2009-09-18 13:03 . 2009-09-18 13:03 -------- d-----w- c:\program files\Hotspot Shield
2009-09-18 12:57 . 2009-09-18 12:52 -------- d-----w- c:\documents and settings\Steve\Application Data\GTunnel
2009-09-18 12:50 . 2009-09-18 12:50 -------- d-----w- c:\documents and settings\Steve\Application Data\GPass
2009-09-16 07:37 . 2007-10-03 14:09 -------- d-----w- c:\program files\Steam
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 20:04 . 2009-07-02 02:34 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-11 09:33 . 2009-09-11 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 09:29 . 2009-09-11 09:29 -------- d-----w- c:\program files\NOS
2009-09-05 01:55 . 2007-09-29 13:27 -------- d-----w- c:\program files\Java
2009-09-02 12:36 . 2009-09-02 12:36 -------- d-----w- c:\program files\Hamachi
2009-09-02 12:36 . 2007-10-27 01:41 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-25 13:01 . 2007-11-24 02:55 39 -c--a-w- c:\windows\popcinfot.dat
2008-04-25 08:20 . 2008-04-25 08:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2009-10-24 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\dllcache\user32.dll
[-] 2009-10-23 . B6403839F2FA482994A0F9E9AAEF1327 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.DLL
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[7] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\dllcache\termsrv.dll
[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-09-18 13:03 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^QQ????????.lnk]
backup=c:\windows\pss\QQ????????.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^腾讯QQ.lnk]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^??QQ.lnk]
backup=c:\windows\pss\??QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"vsmon"=2 (0x2)
"SeaPort"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"HssTrayService"=3 (0x3)
"GoogleDesktopManager-022208-143751"=3 (0x3)
"ccosm"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\TM2008\\Bin\\TM.exe"=
"c:\\Program Files\\Steam\\steamapps\\terrikus\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\Steve\\Desktop\\other stuff to transfer\\THE FOLDER TO END ALL FOLDERS\\Warcraft III\\lancraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\??????\\TV.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\Common Files\\uusee\\UUSeeMediaCenter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\xiaonei\\xntalk.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPStream.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"24544:TCP"= 24544:TCP:BitComet 24544 TCP
"24544:UDP"= 24544:UDP:BitComet 24544 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:35 AM 64160]
R1 ADProt;ADProt;c:\windows\system32\drivers\AdProt.sys [10/4/2007 8:28 PM 41472]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/19/2009 5:34 AM 1028432]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/17/2008 6:12 AM 102400]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [7/14/2008 10:42 PM 6656]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/11/2004 1:51 AM 14336]
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [3/10/2004 8:48 AM 108032]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/2/2009 12:57 PM 36928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/26/2008 3:33 PM 11520]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/8/2007 4:25 PM 29744]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/19/2009 6:39 PM 90352]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/24/2008 6:22 AM 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:35]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thefreevpn.com/home.php
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = 127.0.0.1:8081;local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Yodao?? - c:\program files\Yodao\Toolbar\ydtbv1.01\YodaoToolbar.dll/158.htm
IE: &使用超级旋风下载 - c:\program files\Tencent\QQDownload\geturl.htm
IE: &使用超级旋风下载全部链接 - c:\program files\Tencent\QQDownload\getAllurl.htm
IE: &????????
IE: &????????????
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: QQ - c:\program files\Tencent\TM2008\Bin\AddEmotion.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: ??UUSee?? - c:\program files\uusee\geturltodown.htm
IE: ??UUSee???? - c:\program files\uusee\geturltoplay.htm
IE: ??? Microsoft Office Excel(&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: ???QQ??
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://gorgutz:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} - hxxps://gorgutz:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 12:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廬
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廻Q钀]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]
"Data"=hex:04,16,00,17,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*X]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*鵞bs^餝]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,82,00,00,00,01,00,00,00,01,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*X]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*鵞bs^餝]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,32,4b,32,
21,a8,08,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\)Y絧R*M*5u茐銐xhV]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll

- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\combofix\CF5198.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 12:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 04:58
ComboFix2.txt 2009-10-29 04:04
ComboFix3.txt 2009-10-29 00:08
ComboFix4.txt 2008-07-23 12:24

Pre-Run: 3,094,208,512 bytes free
Post-Run: 3,035,893,760 bytes free

- - End Of File - - 598551D10F8EA3F6399A7C37379E8DDA



as for Dial-a-fix...it seems to be stuck at "Stopping CRYPTSVC"...it's been sitting on that for at least 30 minutes now without proceeding further.

#12 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 29 October 2009 - 07:44 AM

Terrik,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\user32.dll | c:\windows\system32\user32.DLL
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#13 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 29 October 2009 - 05:34 PM

Here ‘s the log:

ComboFix 09-10-27.08 - Steve 10/30/2009 7:17.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1491 [GMT 8:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\user32.dll --> c:\windows\system32\user32.DLL
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 09:36 . 2009-10-28 10:07 -------- d-----w- C:\Rooter$
2009-10-25 00:26 . 2009-10-25 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:49 . 2009-10-24 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-24 16:49 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 16:27 . 2009-10-24 16:27 -------- d-----w- C:\Regbackup
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
2009-10-24 15:12 . 2009-10-24 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users
2009-10-23 11:11 . 2009-10-23 11:11 215552 ----a-w- c:\windows\system32\dllcache\termsrv.dll
2009-10-11 14:25 . 2009-10-25 01:58 -------- d-----w- c:\program files\FreeVPN
2009-10-04 09:03 . 2009-10-04 09:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-04 08:59 . 2009-10-04 09:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-01 00:11 . 2009-10-01 00:14 -------- d-----w- c:\program files\PhotoScape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 23:25 . 2008-10-06 03:36 -------- d-----w- c:\documents and settings\Steve\Application Data\SogouPY
2009-10-29 23:25 . 2008-11-26 22:32 81569824 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 23:13 . 2008-10-08 23:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SogouPY
2009-10-29 04:48 . 2008-11-26 22:32 959144 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-29 03:46 . 2007-10-21 02:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-29 03:28 . 2008-11-16 00:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SogouPY
2009-10-26 10:58 . 2008-12-24 16:18 -------- d-----w- c:\program files\RamBooster 2.0
2009-10-25 13:09 . 2007-09-21 23:54 84272 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 02:25 . 2007-09-24 16:38 -------- d-----w- c:\program files\Trend Micro
2009-10-25 02:16 . 2009-08-18 23:58 1730176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 02:09 . 2007-09-08 08:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-24 14:50 . 2004-08-10 17:51 577536 ----a-w- c:\windows\system32\user32.DLL
2009-10-24 11:31 . 2007-09-23 14:10 -------- d-----w- c:\program files\BitComet
2009-10-24 08:33 . 2009-08-19 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-10-23 15:46 . 2007-09-22 02:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2009-10-23 11:11 . 2004-08-10 18:01 215552 ----a-w- c:\windows\system32\termsrv.dll
2009-10-20 00:03 . 2009-05-03 13:08 -------- d-----w- c:\documents and settings\Steve\Application Data\mIRC
2009-10-18 22:50 . 2009-05-03 13:08 -------- d-----w- c:\program files\mIRC
2009-10-10 11:20 . 2007-09-08 08:03 256289 ----a-w- c:\windows\system32\nvModes.dat
2009-10-04 09:22 . 2008-03-10 14:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-04 04:52 . 2009-08-02 04:57 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-10-02 01:52 . 2008-06-17 06:31 -------- d-----w- c:\program files\Warcraft III
2009-10-01 17:18 . 2009-07-20 03:29 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-09-29 12:05 . 2009-09-29 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Youdao
2009-09-28 06:36 . 2009-02-08 21:31 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-20 04:42 . 2009-08-18 13:00 -------- d-----w- c:\documents and settings\Steve\Application Data\Hamachi
2009-09-18 13:03 . 2009-09-18 13:03 -------- d-----w- c:\program files\Hotspot Shield
2009-09-18 12:57 . 2009-09-18 12:52 -------- d-----w- c:\documents and settings\Steve\Application Data\GTunnel
2009-09-18 12:50 . 2009-09-18 12:50 -------- d-----w- c:\documents and settings\Steve\Application Data\GPass
2009-09-16 07:37 . 2007-10-03 14:09 -------- d-----w- c:\program files\Steam
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 20:04 . 2009-07-02 02:34 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-11 09:33 . 2009-09-11 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 09:29 . 2009-09-11 09:29 -------- d-----w- c:\program files\NOS
2009-09-05 01:55 . 2007-09-29 13:27 -------- d-----w- c:\program files\Java
2009-09-02 12:36 . 2009-09-02 12:36 -------- d-----w- c:\program files\Hamachi
2009-09-02 12:36 . 2007-10-27 01:41 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-25 13:01 . 2007-11-24 02:55 39 -c--a-w- c:\windows\popcinfot.dat
2008-04-25 08:20 . 2008-04-25 08:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\erdnt\cache\beep.sys
[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\kbdclass.sys
[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\erdnt\cache\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\system32\drivers\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\erdnt\cache\null.sys
[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\erdnt\cache\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\erdnt\cache\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\erdnt\cache\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB894391$\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\erdnt\cache\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\erdnt\cache\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\erdnt\cache\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\erdnt\cache\es.dll
[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[-] 2004-08-04 10:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\erdnt\cache\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\erdnt\cache\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll

[-] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3gdr\mshtml.dll
[-] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3qfe\mshtml.dll
[-] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\erdnt\cache\mshtml.dll
[-] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\system32\mshtml.dll
[-] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-04-29 . C6FD770D518FB024245A0EE217D72BC1 . 3598336 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2009-02-21 . 1BB754AB47B327DE8DBF2FA18C36357C . 3596800 . . [7.00.6000.21015] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[-] 2009-02-20 . C7C3E41CC2F6EB4A629FE2184136C098 . 3595264 . . [7.00.6000.16825] . . c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 . 121EC39A64D64205A88C2C45B034B455 . 3593216 . . [7.00.6000.16788] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-12-13 . C79FAD61CD4A26ED5AA8C16D991C6FBD . 3594752 . . [7.00.6000.20973] . . c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2008-12-12 . 6D1D493622EA050DBAABD0C4C1DFADB5 . 3067392 . . [6.00.2900.3492] . . c:\windows\$hf_mig$\KB960714\SP2QFE\mshtml.dll
[-] 2008-12-12 . B6DAA74E2ED36C71B502945589A683AE . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . C828AA1C5469E72251F3D367005E589F . 3067904 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
[-] 2008-10-17 . EACAEDEF6FA2A969DE5B36190D45396F . 3593216 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-10-17 . EACAEDEF6FA2A969DE5B36190D45396F . 3593216 . . [7.00.6000.16762] . . c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2GDR\mshtml.dll
[-] 2008-10-16 . B74F31A4BD83797D7A083F922169287D . 3595264 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-10-16 . B74F31A4BD83797D7A083F922169287D . 3595264 . . [7.00.6000.20935] . . c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2QFE\mshtml.dll
[-] 2008-10-16 . CC5A2205D37AE67CE23AB7FD3E1FDACA . 3067904 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[-] 2008-10-16 . CC5A2205D37AE67CE23AB7FD3E1FDACA . 3067904 . . [6.00.2900.5694] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\mshtml.dll
[-] 2008-10-16 . 9C2C058E341E6B627789EF88D3B98445 . 3059712 . . [6.00.2900.3462] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\mshtml.dll
[-] 2008-10-16 . C99D8B48FC245D98E1A2BAB6594458C9 . 3067392 . . [6.00.2900.3462] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\mshtml.dll
[-] 2008-10-16 . B846C2DE341CF32B42AD297437233742 . 3067904 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
[-] 2008-10-16 . B846C2DE341CF32B42AD297437233742 . 3067904 . . [6.00.2900.5694] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\mshtml.dll
[-] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\mshtml.dll
[-] 2008-04-21 . 083B967E6B0B2BB539CE6B08D45D631F . 3066880 . . [6.00.2900.3354] . . c:\windows\ie7\mshtml.dll
[-] 2008-04-21 . FE406DE0651C9E8201DCB0460609D739 . 3066880 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[-] 2008-04-21 . 46A61BA430110F00DD990D058AA3D054 . 3067392 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mshtml.dll
[-] 2008-02-16 . 701A6798DDF875CAA3A5099EE75FD57F . 3066880 . . [6.00.2900.3314] . . c:\windows\$NtUninstallKB950759$\mshtml.dll
[-] 2007-12-07 . 8A4DD074DEC1B0C063C8493ABF654CBC . 3066368 . . [6.00.2900.3268] . . c:\windows\$NtUninstallKB947864$\mshtml.dll
[-] 2007-10-30 . 79314A0A6B0DA78AFE491FF2D8B117BA . 3065856 . . [6.00.2900.3243] . . c:\windows\$NtUninstallKB944533$\mshtml.dll
[-] 2007-08-22 . 885E3BF99EA4B2213901EBC35B34CF12 . 3064832 . . [6.00.2900.3199] . . c:\windows\$NtUninstallKB942615$\mshtml.dll
[-] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2007-06-15 . 53F3FD772C010622346C39284C4A863B . 3064320 . . [6.00.2900.3157] . . c:\windows\$NtUninstallKB939653$\mshtml.dll
[-] 2007-05-04 . 00ADCB32832A10ED9419493BCEA97526 . 3064320 . . [6.00.2900.3132] . . c:\windows\$hf_mig$\KB933566\SP2QFE\mshtml.dll
[-] 2007-05-04 . 00ADCB32832A10ED9419493BCEA97526 . 3064320 . . [6.00.2900.3132] . . c:\windows\$NtUninstallKB937143$\mshtml.dll
[-] 2007-05-04 . 4D92717B5BBCE85F1254BAD23B0D357C . 3058688 . . [6.00.2900.3132] . . c:\windows\$NtUninstallKB933566$\mshtml.dll
[-] 2006-02-01 . 51C91AC189321A320FC4BC90B56255A3 . 3073024 . . [6.00.2900.2838] . . c:\windows\$hf_mig$\KB912945\SP2QFE\mshtml.dll

[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\asms\70\msft\windows\mswincrt\msvcrt.dll
[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\erdnt\cache\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\erdnt\cache\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\7e2110c803604799bad6cc14ba892658\backup\sp2qfe\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll

[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-02-06 . 19A791C5DFE59AA9BB1461C4957004F6 . 2142720 . . [5.1.2600.3520] . . c:\windows\erdnt\cache\ntoskrnl.exe
[-] 2009-02-06 . 19A791C5DFE59AA9BB1461C4957004F6 . 2142720 . . [5.1.2600.3520] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 . 60794EA12961B7341AD54C731B50AE15 . 2142720 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
[-] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . E6679C3023B17D8B78946BC5DF53FA20 . 2137600 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2007-02-28 . 1220FAF071DEA8653EE21DE7DCDA8BFD . 2136064 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\erdnt\cache\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\erdnt\cache\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2009-10-24 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.DLL
[-] 2009-10-24 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2009-06-29 . 4C6B4138165A4C53FE8A5B1D809526C3 . 828928 . . [7.00.6000.21073] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3qfe\wininet.dll
[-] 2009-06-29 . A39B7BA7AB9B1CC2A0009F59772DB83C . 827392 . . [7.00.6000.16876] . . c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3gdr\wininet.dll
[-] 2009-04-29 . 8E2D471157B0DF329D8D0EA5D83B0DDB . 827392 . . [7.00.6000.16850] . . c:\windows\erdnt\cache\wininet.dll
[-] 2009-04-29 . 8E2D471157B0DF329D8D0EA5D83B0DDB . 827392 . . [7.00.6000.16850] . . c:\windows\system32\wininet.dll
[-] 2009-04-29 . 8E2D471157B0DF329D8D0EA5D83B0DDB . 827392 . . [7.00.6000.16850] . . c:\windows\system32\dllcache\wininet.dll
[-] 2009-04-29 . 62CCA075F44015147B8971DAFFBCFF76 . 828928 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-03-03 . 28775945CCD53DEE280EF58DEA1A94C4 . 826368 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2009-03-03 . C8667854873938CA13C986F16B0CD183 . 828416 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2008-10-16 . 6741EAF7B7F110E803A6E38F6E5FA6B0 . 826368 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-10-16 . 6741EAF7B7F110E803A6E38F6E5FA6B0 . 826368 . . [7.00.6000.16762] . . c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2GDR\wininet.dll
[-] 2008-10-16 . 0D5B75171FF51775B630A431B6C667E8 . 827904 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 . 0D5B75171FF51775B630A431B6C667E8 . 827904 . . [7.00.6000.20935] . . c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2QFE\wininet.dll
[-] 2008-10-16 . 6F1E4BFD78C4E0D05FF3725D59B72925 . 659456 . . [6.00.2900.3462] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\wininet.dll
[-] 2008-10-16 . 93C9D0A216498EE14EB9B26119BB95EE . 667648 . . [6.00.2900.3462] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\wininet.dll
[-] 2008-10-16 . E8FCE58A470999350F64C591557F9E42 . 667136 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-10-16 . E8FCE58A470999350F64C591557F9E42 . 667136 . . [6.00.2900.5694] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\wininet.dll
[-] 2008-10-16 . 1576318BF08D28CC61D1278114AD8D5B . 666112 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[-] 2008-10-16 . 1576318BF08D28CC61D1278114AD8D5B . 666112 . . [6.00.2900.5694] . . c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[-] 2008-04-21 . 2E7DE1BF9418B071799EB53DE8CC22F5 . 666624 . . [6.00.2900.3354] . . c:\windows\ie7\wininet.dll
[-] 2008-04-21 . 2B0C24AA747A93A28987B6D65A4A74BC . 666112 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[-] 2008-04-21 . 26F240C250E5B4B395CB4B178BA75437 . 666624 . . [6.00.2900.5583] . . c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
[-] 2008-02-16 . BB1EACD6AB47E78EBCA02EB781550D55 . 666112 . . [6.00.2900.3314] . . c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2007-12-07 . 085A7C37F9C6EDE1BA870B7DBEC06399 . 666112 . . [6.00.2900.3268] . . c:\windows\$NtUninstallKB947864$\wininet.dll
[-] 2007-10-11 . 80D660A49E0D118144423099B2A9F5DA . 666112 . . [6.00.2900.3231] . . c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2007-08-22 . A1BC17EB3758D73C3938B2318820F5B4 . 665600 . . [6.00.2900.3199] . . c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2007-06-26 . E1A3DD68B5380B360A7310A64D9BB188 . 665600 . . [6.00.2900.3164] . . c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-04-18 . 4261BA03AFD659DE04F0A17DFBDD454D . 665600 . . [6.00.2900.3121] . . c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-04-18 . 4261BA03AFD659DE04F0A17DFBDD454D . 665600 . . [6.00.2900.3121] . . c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-04-18 . B7156CD97E739F3014BC4D61758F868A . 658944 . . [6.00.2900.3121] . . c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2006-01-09 . DDE9597A3311748C1519444E2BC147BD . 662016 . . [6.00.2900.2823] . . c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\erdnt\cache\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\erdnt\cache\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll

[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\dllcache\termsrv.dll
[-] 2009-10-23 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\erdnt\cache\acpiec.sys
[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\Driver Cache\i386\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\erdnt\cache\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\dllcache\aec.sys
[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
[-] 2004-08-04 03:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\AGP440.SYS
[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\erdnt\cache\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\erdnt\cache\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll

[-] 2006-10-18 13:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\erdnt\cache\mspmsnsv.dll
[-] 2006-10-18 13:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-18 13:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-11 05:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-11 05:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 . 243223E3FB74B68DFFBB41989F33DFB3 . 2020864 . . [5.1.2600.3520] . . c:\windows\erdnt\cache\ntkrnlpa.exe
[-] 2009-02-06 . 243223E3FB74B68DFFBB41989F33DFB3 . 2020864 . . [5.1.2600.3520] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 . 501FDE895F35DF1DAE49FD54BBF9D396 . 2020864 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[-] 2007-02-28 . 2DFB215E291E3D9B1CF9A6739B3BF16C . 2017280 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2007-02-28 . A58AC1C6199EF34228ABEE7FC057AE09 . 2015744 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntmssvc.dll
[-] 2004-08-04 10:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\erdnt\cache\ntmssvc.dll
[-] 2004-08-04 10:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\erdnt\cache\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\dllcache\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-09-18 13:03 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^QQ????????.lnk]
backup=c:\windows\pss\QQ????????.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^腾讯QQ.lnk]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^??QQ.lnk]
backup=c:\windows\pss\??QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"vsmon"=2 (0x2)
"SeaPort"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"HssTrayService"=3 (0x3)
"GoogleDesktopManager-022208-143751"=3 (0x3)
"ccosm"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\TM2008\\Bin\\TM.exe"=
"c:\\Program Files\\Steam\\steamapps\\terrikus\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\Steve\\Desktop\\other stuff to transfer\\THE FOLDER TO END ALL FOLDERS\\Warcraft III\\lancraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\??????\\TV.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\Common Files\\uusee\\UUSeeMediaCenter.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\xiaonei\\xntalk.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPStream.exe"=
"c:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Microsoft\\CD Burning\\New Folder\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"24544:TCP"= 24544:TCP:BitComet 24544 TCP
"24544:UDP"= 24544:UDP:BitComet 24544 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 3:35 AM 64160]
R1 ADProt;ADProt;c:\windows\system32\drivers\AdProt.sys [10/4/2007 8:28 PM 41472]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/19/2009 5:34 AM 1028432]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/17/2008 6:12 AM 102400]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [7/14/2008 10:42 PM 6656]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/11/2004 1:51 AM 14336]
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [3/10/2004 8:48 AM 108032]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/2/2009 12:57 PM 36928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/26/2008 3:33 PM 11520]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/8/2007 4:25 PM 29744]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/19/2009 6:39 PM 90352]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/24/2008 6:22 AM 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MSISERVER
*NewlyCreated* - WUAUSERV
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:35]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-727198811-1646750839-1009239276-1006UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-05 02:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thefreevpn.com/home.php
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = 127.0.0.1:8081;local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Yodao?? - c:\program files\Yodao\Toolbar\ydtbv1.01\YodaoToolbar.dll/158.htm
IE: &使用超级旋风下载 - c:\program files\Tencent\QQDownload\geturl.htm
IE: &使用超级旋风下载全部链接 - c:\program files\Tencent\QQDownload\getAllurl.htm
IE: &????????
IE: &????????????
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: QQ - c:\program files\Tencent\TM2008\Bin\AddEmotion.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: ??UUSee?? - c:\program files\uusee\geturltodown.htm
IE: ??UUSee???? - c:\program files\uusee\geturltoplay.htm
IE: ??? Microsoft Office Excel(&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: ???QQ??
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://gorgutz:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} - hxxps://gorgutz:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 07:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廬
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\&*O(u厤薳螛 N}廻Q钀]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]
"Data"=hex:04,16,00,17,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:a7,01,00,00,0b,01,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*X]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*鵞bs^餝]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-727198811-1646750839-1009239276-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,82,00,00,00,01,00,00,00,01,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*X]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*鵞bs^餝]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,32,4b,32,
21,a8,08,c8,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\)Y絧R*M*5u茐銐xhV]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll

- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\SOGOUPY.IME
c:\program files\SogouInput\4.2.3.2810\Resource.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Yodao\DeskDict\TextExtractor2.dll
.
Completion time: 2009-10-29 7:29
ComboFix-quarantined-files.txt 2009-10-29 23:29
ComboFix2.txt 2009-10-29 04:58
ComboFix3.txt 2009-10-29 04:04
ComboFix4.txt 2009-10-29 00:08
ComboFix5.txt 2009-10-29 23:15

Pre-Run: 3,139,612,672 bytes free
Post-Run: 3,115,880,448 bytes free

- - End Of File - - BEAC8CC970A1128B347237AD3A61312A

#14 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 29 October 2009 - 05:59 PM

Terrik,

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.blee.../Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents as a reply to this topic.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#15 Terrik

Terrik

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 29 October 2009 - 06:51 PM

Win32KDiag log Running from: C:\Documents and Settings\Steve\Desktop\Win32kDiag.exe Log file at : C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Finished! Exehelper log exeHelper by Raktor Build 20091021 Run at 08:04:10 on 10/30/09 Now searching... Checking for numerical processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished--

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·