PDA

View Full Version : Backdoor.Win32.Sinowal.dkc -> system crashing on malware scans



mikkim
2009-06-29, 23:50
COMODO & WinPatrol constantly find & attempt to disable/quarantine this malware, without success. RUBotted reports "detected DNS query of malicious domain" 3 times over the past week.

WinPatrol says new shortcut added: C:\Documents and Settings\mik\Start Menu\Programs\Startup\uninstall.exe. COMODO says this file is "Backdoor.Win32.Sinowal.dkc".

Now while running malware sweeps using Spybot S&D, the system unexpectedly powers off after a few minutes, ie during the sweep. This happens in Safe mode also.

I had the same thing happen with a COMODO virus scan. Any assistance will be very much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:08 PM, on 6/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\YCIII\YankClip.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mp.siriuscanada.ca/sirius/ca/servlet/MediaPlayer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: uninstall.exe
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Mozy, Inc. - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 9301 bytes

shelf life
2009-07-01, 03:39
hi mikkim,

At a glance hjt log looks ok as far as malware goes. You could upload the file Comodo is flagging (C:\Documents and Settings\mik\Start Menu\Programs\Startup\uninstall.exe.) here. (http://www.virustotal.com/)
Browse for the file and click send to upload the file, when its down you can copy/paste the URL (http//) in your reply.
Cant say why Spybot is having problems. You are using comodo and AVG as your antivirus? If so only need one active AV on a machine.

mikkim
2009-07-02, 07:34
Thanks for the reply SL :)

Unfortunately virustotal.com wasn't able to grab that Comodo-flagged file uninstall.exe for analysis. 3 separate upload attempts resulted in the same message : " 0 bytes received. " [testing the connection with another file went fine]. The file is obviously a problem since it has no damn business in my Startup folder and resists being quarantined, moved or uploaded; it also blocks any context menu action (right-click), cannot be deleted directly or by "delete on boot" actions with Spybot or WinPatrol. Btw the file info from my Explorer status bar is : [Creation date info +] 412 KB.

I was able to get a response from the Menu bar with the file selected - something I hadn't tried before. Its Properties window looks just like an MS-DOS app. As with deleting, any attempted changes to properties resulted in an Access Denied alert once the Apply button was clicked. There are unusually long response times to every step, beginning with the click on the File tab of the menu bar.

As to AVG - I have uninstalled it, disabled every AVG service I can identify, and still the darn thing pops up. Searching now, I've found 2 files remaining which will not let me delete them:
- C:\WINDOWS\system32\avgrsstx.dll [current Winlogon Notify]
- C:\Program Files\AVG\AVG8\avgse.dll
They both check out ok with virustotal.com. I have set them to delete on boot with the GiPo@FileUtilities context-menu option as a clean-up measure.

I have run ComboFix a few times but can't find log reports other than the first one from a few months ago. I am running it from a root subdirectory.

RUBotted is reporting more malicious domain inquiries. This is happening on at least 3 of my home LAN PCs. I'm going a bit crazy with this. What should I do next?

-- History ---

My malware problem started last March 18 @ 3:08pm when my ISP ["Jolly" Rogers] shut down my cable modem without notice. When I called them about it I was referred to their "Security" dept and the horror truly began. The agent informed me that a DOS attack had originated from my IP and had "caught their server side on port 63869". He ID'd a TorPig malware assault and said I needed to be sure all PCs in my home LAN were clean before calling them back to reinstate service. Any repetition of the perceived DOS action would result in an immediate 7-day suspension of internet access.

Now I will say this about Rogers: their Wireless (cellphone) division is so horrendously incompetent it could easily qualify as the 8th level of Hell in Dante's Inferno. Their Home Phone (landline & internet-based telephony) division will cheerfully tell you the most incredible lies and constantly bollix as basic a thing as telephone service billing. Over a 6 month period, our phone service was suspended 3 (!) times without warning as they persistently misplaced our cheques (which were always mailed in on time, hoping to avoid such problems).

HOWEVER .. since 2001, Rogers High-Speed Internet tech support has been consistently and continually the best tech support ever! This 24-hour, very well informed, courteous, patient, well-mannered and helpful tech support has never let me down. Until, of course .. the "malware attack" incident mentioned. But that's because I was dealing with a new Dept: Security.

Rogers Security: the Goon Squad
--------------------------------
While frantically suspending all normal life activities to comb my available IT resources to solve the immediate problem asap, I spoke with 3 different Security agents over the course of the next 2 days. Each one used very different language about the problem and the 3rd agent revealed to me that:

a) Agent 1 & 2 should not have said that they knew what the problem was, because their actual data was very general;
b) the description of the malware attack was based on what it "looked like to the operator" and definitely not anything like a positive ID;
c) Rogers Security have absolutely no resources, ability or responsibility to help an infected client.

So - while Rogers techs will go out of their way to help you solve connection problems or to set up your email at any hour of the day or night -- if you happen to get a malicious GIF in said email you are completely on your own. There will be no advice, no tech support, no indication from Security of what to do next ... nothing. "Call Best Buy," Goon Squad Agent #2 said. "They might be able to answer your questions."
-------------------------------------------------

My brother, a busy systems analyst, suggested Comodo AV and a few other utilities including RUBotted & ComboFix. This helped initially but apparently my LAN is still infected.

If upgrading from freeware is necessary I'm ok with that, but choices are not clear. I hate spending $$ on stuff that doesn't work. Suggestions are welcome. And of course freeware that works is always nice!

Thanks for your assistance.

shelf life
2009-07-03, 22:46
hi,

ok lets get a better look for any malware that may (still) be on board.
We will start with combofix. There is a guide to read first. Read through the guide, download combofix to your desktop, disable antivirus etc as explained in the guide, double click the icon and follow the prompts. Post the log in your reply:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

mikkim
2009-07-07, 09:44
ComboFix 09-07-05.01 - mik 07/06/2009 1:38.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1282 [GMT -4:00]
Running from: c:\documents and settings\mik\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\11d80bde.msi

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-04 07:23 . 2009-07-05 04:06 -------- d-----w- C:\MJ
2009-06-29 19:59 . 2009-06-29 19:59 -------- d-----w- c:\program files\ERUNT
2009-06-29 17:32 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-29 17:32 . 2004-08-04 02:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2009-06-29 17:07 . 2009-06-29 17:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-28 03:59 . 2009-06-28 03:59 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-27 19:12 . 2009-04-22 01:34 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-24 22:30 . 2009-06-24 22:30 -------- d-----w- c:\program files\iPod
2009-06-24 22:30 . 2009-06-24 22:30 -------- d-----w- c:\program files\iTunes
2009-06-24 22:24 . 2009-06-24 22:25 -------- d-----w- c:\program files\QuickTime
2009-06-24 22:15 . 2009-06-24 22:15 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 07:04 . 2009-06-19 07:04 949 ----a-w- c:\windows\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 06:08 . 2008-01-19 09:25 -------- d-----w- c:\documents and settings\mik\Application Data\dvdcss
2009-06-29 20:05 . 2009-03-20 05:33 -------- d-----w- c:\program files\Trend Micro
2009-06-29 17:08 . 2007-12-22 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 16:58 . 2008-03-01 22:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 16:57 . 2008-06-21 18:38 -------- d-----w- c:\program files\SpywareBlaster
2009-06-25 03:15 . 2007-12-26 08:00 -------- d-----w- c:\documents and settings\mik\Application Data\Apple Computer
2009-06-24 22:35 . 2008-06-14 16:49 -------- d-----w- c:\program files\Safari
2009-06-24 22:30 . 2009-01-22 00:52 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 02:27 . 2007-12-21 20:22 -------- d-----w- c:\documents and settings\mik\Application Data\FileZilla
2009-06-17 18:12 . 2008-09-02 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-27 09:19 . 2008-12-11 23:43 -------- d-----w- c:\program files\MozyPro
2009-05-26 00:16 . 2009-05-26 00:16 -------- d-----w- c:\program files\OCZ Technology
2009-05-25 23:24 . 2009-05-25 23:24 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-05-25 23:24 . 2009-05-25 23:24 -------- d-----w- c:\program files\GiPo@Utilities
2009-05-25 06:11 . 2007-12-20 17:25 -------- d-----w- c:\program files\HDD Recovery Pro
2009-05-25 04:54 . 2009-05-25 04:54 -------- d-----w- c:\program files\FLVPlayer
2009-05-25 01:59 . 2009-05-25 01:59 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-05-19 16:34 . 2009-03-20 05:39 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-19 16:34 . 2009-03-20 05:39 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-19 16:34 . 2009-03-20 05:39 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-19 16:34 . 2009-03-20 05:39 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-08 20:11 . 2009-05-08 20:11 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-08 20:10 . 2009-05-08 20:10 -------- d-----w- c:\program files\Stardock
2009-05-07 15:44 . 2006-02-28 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 04:11 . 2008-06-22 19:50 44556 ---ha-w- c:\windows\system32\mlfcache.dat
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 00:21 . 2007-12-20 04:32 56384 ----a-w- c:\documents and settings\mik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 04:10 . 2009-04-20 04:10 0 ------w- c:\documents and settings\mik\ntuser.tmp
2009-04-17 09:58 . 2006-02-28 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2006-02-28 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2008-11-21 01:15 . 2008-11-21 01:15 2788800 ------w- c:\program files\FLV PlayerFCSetup.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-06-28_04.20.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 18:31 . 2009-06-29 18:31 16384 c:\windows\Temp\Perflib_Perfdata_784.dat
+ 2009-06-29 18:31 . 2009-06-29 18:31 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
- 2006-02-28 12:00 . 2009-06-23 06:51 59120 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-06-29 18:35 59120 c:\windows\system32\perfc009.dat
+ 2008-09-02 16:43 . 2008-09-02 16:43 48128 c:\windows\Installer\a40e3c6f.msi
+ 2008-11-11 22:56 . 2008-11-11 22:56 20992 c:\windows\Installer\7f2dcd4b.msi
+ 2008-11-11 22:56 . 2008-11-11 22:56 24576 c:\windows\Installer\7f2dcd44.msi
+ 2007-12-27 19:26 . 2007-12-27 19:26 88064 c:\windows\Installer\2e0c77e.msi
- 2006-02-28 12:00 . 2009-06-23 06:51 393264 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-06-29 18:35 393264 c:\windows\system32\perfh009.dat
+ 2007-12-27 06:00 . 2007-12-27 06:00 100352 c:\windows\Installer\fa13559.msi
+ 2008-04-04 01:58 . 2008-04-04 01:58 264704 c:\windows\Installer\e7abfec2.msi
+ 2008-04-04 01:58 . 2008-04-04 01:58 475648 c:\windows\Installer\e7abfebb.msi
+ 2007-12-21 21:58 . 2007-12-21 21:58 804352 c:\windows\Installer\c6938e.msi
+ 2007-12-21 21:55 . 2007-12-21 21:55 467456 c:\windows\Installer\c69386.msi
+ 2008-09-04 00:59 . 2008-09-04 00:59 267776 c:\windows\Installer\aafba1bb.msi
+ 2008-09-02 16:44 . 2008-09-02 16:44 501248 c:\windows\Installer\a40e3c8d.msi
+ 2008-09-02 16:44 . 2008-09-02 16:44 506880 c:\windows\Installer\a40e3c86.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 516608 c:\windows\Installer\a40e3c7e.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 513024 c:\windows\Installer\a40e3c76.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 501248 c:\windows\Installer\a40e3c50.msi
+ 2007-12-22 02:39 . 2007-12-22 02:39 282624 c:\windows\Installer\a1dc0.msi
+ 2007-12-28 19:00 . 2007-12-28 19:00 386560 c:\windows\Installer\7ee5d88.msi
+ 2008-03-09 05:23 . 2008-03-09 05:23 692224 c:\windows\Installer\6283404f.msi
+ 2007-12-28 19:46 . 2007-12-28 19:46 431104 c:\windows\Installer\51579.msi
+ 2009-03-09 20:22 . 2009-03-09 20:22 140288 c:\windows\Installer\4d434e93.msi
+ 2009-02-09 04:50 . 2009-02-09 04:50 876544 c:\windows\Installer\49ad7f88.msi
+ 2009-05-25 23:24 . 2009-05-25 23:24 658432 c:\windows\Installer\48c08a0.msi
+ 2007-12-22 22:54 . 2007-12-22 22:54 892416 c:\windows\Installer\462ce8c.msi
+ 2008-01-11 01:36 . 2008-01-11 01:36 470528 c:\windows\Installer\4430050b.msi
+ 2009-02-22 20:05 . 2009-02-22 20:05 972800 c:\windows\Installer\3692e7ab.msi
+ 2009-02-22 20:02 . 2009-02-22 20:02 432640 c:\windows\Installer\3692e77e.msi
+ 2007-10-15 03:44 . 2007-10-15 03:44 324608 c:\windows\Installer\2f70c91b.msp
+ 2007-10-15 03:46 . 2007-10-15 03:46 324608 c:\windows\Installer\2f70c913.msp
+ 2009-03-02 22:39 . 2009-03-02 22:39 562176 c:\windows\Installer\29b40e39.msi
+ 2009-03-17 03:10 . 2009-03-17 03:10 506368 c:\windows\Installer\25800aca.msi
+ 2009-04-24 04:09 . 2009-04-24 04:09 513536 c:\windows\Installer\23aa1d8.msi
+ 2008-06-18 23:43 . 2008-06-18 23:43 337408 c:\windows\Installer\232cef83.msi
+ 2007-12-20 04:24 . 2007-12-20 04:24 264704 c:\windows\Installer\1c6eb.msi
+ 2008-06-27 02:14 . 2008-06-27 02:14 532992 c:\windows\Installer\1b594fa8.msi
+ 2007-12-22 02:14 . 2007-12-22 02:14 990720 c:\windows\Installer\1a5b80c.msi
+ 2007-12-22 01:20 . 2007-12-22 01:20 282624 c:\windows\Installer\181c1db.msi
+ 2008-06-05 21:55 . 2008-06-05 21:55 805376 c:\windows\Installer\1587ff6f.msi
+ 2009-04-05 23:51 . 2009-04-05 23:51 834560 c:\windows\Installer\103b960a.msi
+ 2009-06-29 20:00 . 2005-10-20 16:02 163328 c:\windows\ERDNT\6-29-2009\ERDNT.EXE
+ 2006-02-28 12:00 . 2006-02-28 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2008-04-04 01:58 . 2008-04-04 01:58 1446400 c:\windows\Installer\e7abfec9.msi
+ 2008-04-04 01:58 . 2008-04-04 01:58 1069568 c:\windows\Installer\e7abfeb4.msi
+ 2008-09-02 16:46 . 2008-09-02 16:46 9613312 c:\windows\Installer\a40e3cb9.msi
+ 2008-09-02 16:44 . 2008-09-02 16:44 1652736 c:\windows\Installer\a40e3c94.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 1640960 c:\windows\Installer\a40e3c65.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 1640960 c:\windows\Installer\a40e3c5e.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 1713152 c:\windows\Installer\a40e3c57.msi
+ 2008-09-02 16:43 . 2008-09-02 16:43 2397184 c:\windows\Installer\a40e3c49.msi
+ 2008-11-15 20:09 . 2008-11-15 20:09 1549312 c:\windows\Installer\9331139f.msi
+ 2008-11-15 05:34 . 2008-11-15 05:34 1405952 c:\windows\Installer\9010d38a.msi
+ 2009-04-29 20:50 . 2009-04-29 20:50 1659392 c:\windows\Installer\87d54f8.msi
+ 2009-06-24 22:35 . 2009-06-24 22:35 2478080 c:\windows\Installer\87a913b.msi
+ 2009-06-24 22:31 . 2009-06-24 22:31 4074496 c:\windows\Installer\87a9068.msi
+ 2009-06-24 22:25 . 2009-06-24 22:25 8992256 c:\windows\Installer\87a8d30.msi
+ 2009-06-24 22:19 . 2009-06-24 22:19 3295232 c:\windows\Installer\87a8a99.msi
+ 2007-12-28 19:18 . 2007-12-28 19:18 4006400 c:\windows\Installer\7ff6d16.msi
+ 2008-11-11 22:55 . 2008-11-11 22:55 1780736 c:\windows\Installer\7f2dcd3d.msi
+ 2007-12-20 21:47 . 2007-12-20 21:47 1010688 c:\windows\Installer\75bfa0.msi
+ 2009-05-27 09:19 . 2009-05-27 09:19 1220096 c:\windows\Installer\736d08d.msi
+ 2009-05-04 11:46 . 2009-05-04 11:46 8299008 c:\windows\Installer\643a08.msp
+ 2008-05-16 18:42 . 2008-05-16 18:42 4537344 c:\windows\Installer\5d1fcb7f.msi
+ 2006-09-13 16:28 . 2006-09-13 16:28 3345408 c:\windows\Installer\452dacd.msp
+ 2006-04-18 17:48 . 2006-04-18 17:48 1629184 c:\windows\Installer\452dac3.msp
+ 2008-08-14 01:04 . 2008-08-14 01:04 1948672 c:\windows\Installer\3edaeb67.msi
+ 2008-01-10 00:26 . 2008-01-10 00:26 7200768 c:\windows\Installer\3ec92e39.msi
+ 2008-11-26 16:01 . 2008-11-26 16:01 3667456 c:\windows\Installer\3692e790.msp
+ 2008-10-20 15:18 . 2008-10-20 15:18 6474240 c:\windows\Installer\3692e775.msp
+ 2009-02-25 23:08 . 2009-02-25 23:08 8311808 c:\windows\Installer\32ba84.msp
+ 2008-02-15 12:54 . 2008-02-15 12:54 9736192 c:\windows\Installer\2f70c9a4.msp
+ 2008-04-11 22:48 . 2008-04-11 22:48 6774272 c:\windows\Installer\2f70c930.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 5749760 c:\windows\Installer\2f70c8eb.msp
+ 2008-05-21 04:45 . 2008-05-21 04:45 5246976 c:\windows\Installer\2f70c83a.msp
+ 2008-08-18 16:37 . 2008-08-18 16:37 3561984 c:\windows\Installer\2f70c823.msp
+ 2008-04-18 18:56 . 2008-04-18 18:56 6215680 c:\windows\Installer\2f70c80c.msp
+ 2007-06-01 19:54 . 2007-06-01 19:54 9626624 c:\windows\Installer\2f70c7f8.msp
+ 2008-10-18 05:40 . 2008-10-18 05:40 1098752 c:\windows\Installer\2f0d93bc.msi
+ 2007-12-27 06:06 . 2007-12-27 06:06 7117824 c:\windows\Installer\2ec81.msi
+ 2008-06-08 22:03 . 2008-06-08 22:03 2109440 c:\windows\Installer\25018a19.msi
+ 2009-04-24 04:09 . 2009-04-24 04:09 1198592 c:\windows\Installer\23aa1d0.msi
+ 2007-12-28 20:12 . 2007-12-28 20:12 4624384 c:\windows\Installer\1457d8.msi
+ 2009-05-25 23:23 . 2009-05-25 23:23 1486848 c:\windows\Downloaded Installations\Gibinsoft Installations\fileutil.msi
+ 2008-03-09 05:23 . 2008-03-09 05:23 9393048 c:\windows\Downloaded Installations\{4BBBC0B6-6420-4B02-BB53-78318DC7E5BA}\Free Natural Text to Speech Reader 2007.msi
+ 2005-09-23 11:48 . 2005-09-23 11:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2009-02-25 23:05 . 2009-02-25 23:05 11840000 c:\windows\Installer\57a325e.msp
+ 2009-02-25 23:07 . 2009-02-25 23:07 11646464 c:\windows\Installer\57a324a.msp
+ 2008-10-20 15:22 . 2008-10-20 15:22 11758592 c:\windows\Installer\3692e7e9.msp
+ 2008-10-20 15:21 . 2008-10-20 15:21 11937280 c:\windows\Installer\3692e7d6.msp
+ 2008-10-20 15:16 . 2008-10-20 15:16 13211648 c:\windows\Installer\3692e7c3.msp
+ 2008-09-24 17:05 . 2008-09-24 17:05 16381440 c:\windows\Installer\3692e7a2.msp
+ 2009-02-22 07:48 . 2009-02-22 07:48 84289536 c:\windows\Installer\33e6302c.msi
+ 2008-07-03 15:36 . 2008-07-03 15:36 11937792 c:\windows\Installer\2f70c992.msp
+ 2008-08-11 15:51 . 2008-08-11 15:51 15916544 c:\windows\Installer\2f70c97e.msp
+ 2008-04-11 22:07 . 2008-04-11 22:07 13257728 c:\windows\Installer\2f70c96b.msp
+ 2008-07-03 15:37 . 2008-07-03 15:37 11759104 c:\windows\Installer\2f70c956.msp
+ 2008-08-11 15:49 . 2008-08-11 15:49 22457344 c:\windows\Installer\2f70c943.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 12743168 c:\windows\Installer\2f70c8fe.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 21981184 c:\windows\Installer\2f70c8c7.msp
+ 2008-07-30 03:20 . 2008-07-30 03:20 11767296 c:\windows\Installer\2df957fb.msp
+ 2008-07-30 03:18 . 2008-07-30 03:18 11933184 c:\windows\Installer\2df957e8.msp
+ 2008-05-02 05:01 . 2008-05-02 05:01 44360704 c:\windows\Installer\1217e424.msi
+ 2008-05-02 03:55 . 2008-05-02 03:55 34032128 c:\windows\Installer\11d80bd7.msi
+ 2007-10-15 03:43 . 2007-10-15 03:43 229852160 c:\windows\Installer\2f70c8be.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-05-15 17:02 2833208 ----a-w- c:\program files\MozyPro\mozyproshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-05-15 17:02 2833208 ----a-w- c:\program files\MozyPro\mozyproshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-05-15 17:02 2833208 ----a-w- c:\program files\MozyPro\mozyproshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-09 270128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-03-20 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-16 1794320]
"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-12 16264192]

c:\documents and settings\mik\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
uninstall.exe [2009-7-6 421888]
uninstall.PIF [2009-7-1 2855]
Yankee Clipper III.lnk - c:\program files\YCIII\YankClip.exe [2007-12-21 1368064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-28 113664]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-5-15 2871608]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2007-12-21 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 11:12 10520 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Games\\Spark Unlimited\\Legendary\\Binaries\\Legendary.exe"=
"c:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56983:TCP"= 56983:TCP:Pando Media Booster
"56983:UDP"= 56983:UDP:Pando Media Booster

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2008 7:44 PM 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2008 7:44 PM 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/20/2009 1:39 AM 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/20/2009 1:39 AM 24096]
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [12/11/2008 7:43 PM 53752]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\downloadsc\XP Mount\VCdRom.sys [12/19/2001 12:45 PM 8576]
R2 mozyprobackup;MozyPro Backup Service;c:\program files\MozyPro\mozyprobackup.exe [1/30/2009 3:00 PM 78136]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/20/2009 1:33 AM 582992]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/20/2009 1:33 AM 206608]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 12:54 AM 10664]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/20/2009 1:33 AM 206608]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AMFILTER
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mp.siriuscanada.ca/sirius/ca/servlet/MediaPlayer
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: trendmicro.com\housecall65
FF - ProfilePath - c:\documents and settings\mik\Application Data\Mozilla\Firefox\Profiles\45xnypdu.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/mik/My%20Documents/Mike/HTML/my_homepage.html
FF - plugin: c:\documents and settings\mik\Application Data\Mozilla\Firefox\Profiles\45xnypdu.default\extensions\genipublisher@geni.com\platform\WINNT_x86-msvc\plugins\npgenipublisher.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 01:48
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-583907252-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8891BC8-1C13-584C-CA8D-844CD12F58DE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-583907252-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:70,78,2c,62,d2,dd,38,38,6f,1d,28,85,64,a6,49,6a,00,3d,d9,24,ec,
c8,0b,be,5b,71,84,4e,bb,47,d4,44,1f,45,a5,d9,97,78,40,76,36,ff,d5,05,c3,06,\
"rkeysecu"=hex:df,7e,8b,9b,f7,ac,dd,4c,29,88,3c,99,44,6d,22,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\cssdll32.dll

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\cssdll32.dll
c:\windows\system32\guard32.dll
.
Completion time: 2009-07-06 1:55
ComboFix-quarantined-files.txt 2009-07-06 05:55
ComboFix2.txt 2009-06-28 04:28
ComboFix2009-03.20.txt 2009-03-20 05:19

Pre-Run: 179,298,463,744 bytes free
Post-Run: 179,606,159,360 bytes free

326 --- E O F --- 2009-06-17 18:12

shelf life
2009-07-11, 04:25
hi,

sorry for the delay. the good new is based on the logs, I dont see any malware in them.
We can get one more tool to use, its still in beta, if it gives any problems just delete it from your desktop.

Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

tashi
2009-07-15, 17:47
mikkim do you still need help?