View Full Version : Win32.TDSS.rtk
Otherjohn
2009-08-09, 14:06
I've tried removing this with assorted Spybot, AVG, and other programs yet it still comes back with every reboot.
Here is the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:44 AM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 8333 bytes
Bio-Hazard
2009-08-09, 15:30
Hello and Welcome to forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
I f you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
No Reply Within 4 Days Will Result In Your Topic Being Closed!!
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
http://img.photobucket.com/albums/v666/sUBs/dds_scr.gif
Download DDS and save it to your desktop from:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
STEP 2
Gmer
Please download Gmer (http://www.gmer.net/gmer.zip) by Gmer and save it to your desktop.
Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Note: Do not run any programs while Gmer is running.
Next Reply
Please reply with:
DDS.txt
Attach.txt
Gmer log
Otherjohn
2009-08-09, 15:50
DDS (Ver_09-07-30.01) - FAT32x86
Run by Karla at 9:39:55.90 on Sun 08/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1857 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Karla\Desktop\dds.pif
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [SkyTel] SkyTel.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Acer Empowering Technology.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Desktop Manager.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Find Fast.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-25 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-19 27784]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2009-3-19 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2009-3-19 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [2007-3-25 20480]
=============== Created Last 30 ================
2009-08-08 14:54 <DIR> --dsh--- C:\Recycled
2009-08-08 14:51 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 14:26 <DIR> --ds---- C:\ComboFix
2009-08-08 10:43 <DIR> --d----- c:\docume~1\karla\applic~1\Malwarebytes
2009-08-08 10:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 10:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 10:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 09:19 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-08 09:03 <DIR> a-dshr-- C:\cmdcons
2009-08-08 09:01 216,064 a------- c:\windows\PEV.exe
2009-08-08 09:01 161,792 a------- c:\windows\SWREG.exe
2009-08-08 09:01 98,816 a------- c:\windows\sed.exe
2009-07-13 07:59 <DIR> --d----- c:\windows\EQ09IR0AJS2BLU3C
==================== Find3M ====================
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:19 5,937,152 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-19 09:19 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-04 15:46 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 18:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-12 01:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2007-12-18 14:03 56,912 a------- c:\documents and settings\karla\g2mdlhlpx.exe
2008-08-28 23:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
============= FINISH: 9:40:58.84 ===============
Otherjohn
2009-08-09, 15:52
Thank you for you help. I meant to say thank you in the first post but I got a bit too focused on doing what I was told to do.
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-09 09:49:28
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
Code 8A8B7C10 ZwEnumerateKey
Code 8A565BD0 ZwFlushInstructionCache
Code 8A8A7A06 ZwSaveKey
Code 8A8A3306 ZwSaveKeyEx
Code 8A8A21D6 IofCallDriver
Code 8A5661AE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A8A21DB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A5661B3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A565BD4
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 4 Bytes JMP 8A8B7C14
PAGE ntkrnlpa.exe!ZwSaveKey 80625264 5 Bytes JMP 8A8A7A0A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062534A 5 Bytes JMP 8A8A330A
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2524] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F41B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2880] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\internet explorer\iexplore.exe[3280] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Bio-Hazard
2009-08-09, 16:45
Hello!
You are welcome.
Spybot-S&D Previous Reports
Go into Spybot
Click Mode
Click Advanced mode
Click Tools
Click View Reports
Click View Pervious reports
Look for the Fixes.yymmdd-hhmm.log file that was produced when you found and fixed the detection you are questioning
Open it
To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy.
Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread
ATF-Cleaner
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.
Malwarebytes' Anti-Malware
I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:
Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform full scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be prompted. Click OK, then click on Show Results
Checked (ticked) all items and click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Kaspersky Online Scan
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Spybot log
Malwarebytes Antimalware log
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
Otherjohn
2009-08-09, 17:04
Here is the Spybot log from the first time this problem was detected and fixed.
--- Report generated: 2009-08-07 09:54 ---
Win32.TDSS.rtk: [SBI $1473B578] File (File, fixed)
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Properties.size=0
Properties.md5=571F2EAA4A7488C33A786A7E56917FA7
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrbuhylhmn.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrxfenxvmc.dll
Properties.size=0
Properties.md5=F10EAE5B4D181BD1656EF67B8398CF93
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrapjdskvl.dat
Properties.size=0
Properties.md5=22C4193BBD3E986AB091555972CE4A22
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrnrndxrqt.dat
Properties.size=0
Properties.md5=D1F9B5AE88CAC902CBD9A958ACCA909D
Right Media: Tracking cookie (Internet Explorer: Karla) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-03-09 unins000.exe (51.49.0.0)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 SDShred.exe (1.0.2.5)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2009-07-28 advcheck.dll (1.6.3.17)
2004-11-29 Includes\LSP.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-22 Includes\Trojans.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-05 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2009-08-04 Includes\PUPSC.sbi (*)
2009-08-05 Includes\MalwareC.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-08-04 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-07-30 Includes\AdwareC.sbi (*)
2009-08-04 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
This is the log from my last try at this.
--- Report generated: 2009-08-08 19:45 ---
Win32.TDSS.rtk: [SBI $1473B578] File (File, fixed)
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Properties.size=0
Properties.md5=571F2EAA4A7488C33A786A7E56917FA7
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrbuhylhmn.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrxfenxvmc.dll
Properties.size=0
Properties.md5=F10EAE5B4D181BD1656EF67B8398CF93
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrornmbpxe.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrapjdskvl.dat
Properties.size=0
Properties.md5=22C4193BBD3E986AB091555972CE4A22
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrnrndxrqt.dat
Properties.size=0
Properties.md5=D1F9B5AE88CAC902CBD9A958ACCA909D
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-03-09 unins000.exe (51.49.0.0)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 SDShred.exe (1.0.2.5)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2009-07-28 advcheck.dll (1.6.3.17)
2004-11-29 Includes\LSP.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-22 Includes\Trojans.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-05 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2009-08-04 Includes\PUPSC.sbi (*)
2009-08-05 Includes\MalwareC.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-08-04 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-07-30 Includes\AdwareC.sbi (*)
2009-08-04 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
Otherjohn
2009-08-09, 17:36
I ran ATF-Cleaner and Malwarebytes. Malwarebytes didn't detect anything. Here is the log from that scan. I'm starting the Kaspersky scan now. I'll post those logs when it is done.
Malwarebytes' Anti-Malware 1.40
Database version: 2585
Windows 5.1.2600 Service Pack 3
8/9/2009 11:32:58 AM
mbam-log-2009-08-09 (11-32-58).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 240963
Time elapsed: 27 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Otherjohn
2009-08-09, 18:34
I tried the Kaspersky scanner but it won't load. I downloads the app but not the updates. During the update downloads the amount remaining keeps going up. It started at about 60000k and before it aborted it was 120000k.
I'll give it another try and see what happens.
Otherjohn
2009-08-09, 18:49
Kaspersky won't load. This is the message I get.
Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-bin-winnt-redist.jar
Downloading file: packages/kos-bin-winnt-engine.jar
Downloading file: packages/kos-bin-winnt.jar
Downloading file: packages/kos-extras.jar
Program has started.
Program database is being updated. Please wait...
Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired]
Bio-Hazard
2009-08-09, 19:11
Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.
Eset online scannner
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
ComboFix log (found at C:\Combofix.txt)
ESET Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
Otherjohn
2009-08-09, 21:57
Combofix log
ComboFix 09-08-08.04 - Karla 08/09/2009 14:37.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1915 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-09 18:35 . 2009-08-09 18:35 273672 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-09 18:11 . 2009-08-09 18:11 -------- d-----w- c:\program files\ESET
2009-08-08 21:00 . 2009-08-08 21:00 -------- d-----w- C:\rsit
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 11:59 . 2009-07-13 11:59 -------- d-----w- c:\windows\EQ09IR0AJS2BLU3C
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:09 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-08_13.15.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-09 18:37 . 2009-08-09 18:37 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
+ 2009-08-09 18:37 . 2009-08-09 18:37 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 14:42
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-09 14:43
ComboFix-quarantined-files.txt 2009-08-09 18:43
ComboFix2.txt 2009-08-08 18:36
ComboFix3.txt 2009-08-08 13:56
ComboFix4.txt 2009-08-08 13:20
Pre-Run: 18,847,760,384 bytes free
Post-Run: 18,984,632,320 bytes free
148 --- E O F --- 2009-07-28 23:04
eset log
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=72a085a9966fdc4b9341c822c2e1c363
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-09 06:31:47
# local_time=2009-08-09 02:31:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 66 100 19177370468750
# scanned=45904
# found=1
# cleaned=1
# scan_time=858
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=72a085a9966fdc4b9341c822c2e1c363
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-09 07:52:43
# local_time=2009-08-09 03:52:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 66 100 19225936093750
# scanned=115552
# found=0
# cleaned=0
# scan_time=3869
Otherjohn
2009-08-09, 21:58
New hijack this log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:38 PM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 8110 bytes
Otherjohn
2009-08-09, 22:01
Right now the computer seems to be running fine. I found the problem during a routine scan so I don't have any known problems that are easy to notice if they're fixed.
What is next?
Bio-Hazard
2009-08-10, 09:24
What is next?
Hello!
It is looking good. I need to see those Combofix logs before we can continue.
I would like to see any information that might be available from the other times Combofix has been run.
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:
C:\qoobox In that folder you will find the ComboFix log files.
ComboFix2.txt 2009-08-08 18:36
ComboFix3.txt 2009-08-08 13:56
ComboFix4.txt 2009-08-08 13:20
Please post the contents of each of those log files in your next reply.
Otherjohn
2009-08-10, 12:28
ComboFix 09-08-07.09 - Karla 08/08/2009 14:30.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1919 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 11:59 . 2009-07-13 11:59 -------- d-----w- c:\windows\EQ09IR0AJS2BLU3C
2009-07-10 11:51 . 2009-07-10 11:51 -------- d-sh--w- c:\documents and settings\Karla\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:09 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-08_13.15.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-08 18:29 . 2009-08-08 18:29 16384 c:\windows\Temp\Perflib_Perfdata_a4.dat
+ 2009-08-08 18:29 . 2009-08-08 18:29 16384 c:\windows\Temp\Perflib_Perfdata_60c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 14:35
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-08 14:35
ComboFix-quarantined-files.txt 2009-08-08 18:35
ComboFix2.txt 2009-08-08 13:56
ComboFix3.txt 2009-08-08 13:20
Pre-Run: 18,224,742,400 bytes free
Post-Run: 18,225,725,440 bytes free
141 --- E O F --- 2009-07-28 23:04
Otherjohn
2009-08-10, 12:29
ComboFix 09-08-07.09 - Karla 08/08/2009 9:49.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1919 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 11:59 . 2009-07-13 11:59 -------- d-----w- c:\windows\EQ09IR0AJS2BLU3C
2009-07-10 11:51 . 2009-07-10 11:51 -------- d-sh--w- c:\documents and settings\Karla\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:09 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-23 16:00 . 2009-05-23 16:00 180 ----a-w- c:\documents and settings\Karla\Application Data\asd.bat
2009-05-23 16:00 . 2009-05-23 16:00 180 ----a-w- c:\documents and settings\Karla\Application Data\asd.bat
.
((((((((((((((((((((((((((((( SnapShot@2009-08-08_13.15.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-08 13:48 . 2009-08-08 13:49 16384 c:\windows\Temp\Perflib_Perfdata_510.dat
+ 2009-08-08 13:49 . 2009-08-08 13:49 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 09:55
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-08 9:56
ComboFix-quarantined-files.txt 2009-08-08 13:56
ComboFix2.txt 2009-08-08 13:20
Pre-Run: 18,166,841,344 bytes free
Post-Run: 18,168,184,832 bytes free
139 --- E O F --- 2009-07-28 23:04
Otherjohn
2009-08-10, 12:30
ComboFix 09-08-07.09 - Karla 08/08/2009 9:07.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1914 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\kb913800.exe
c:\windows\system32\xwreg32.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 11:59 . 2009-07-13 11:59 -------- d-----w- c:\windows\EQ09IR0AJS2BLU3C
2009-07-10 11:51 . 2009-07-10 11:51 -------- d-sh--w- c:\documents and settings\Karla\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:09 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-23 16:00 . 2009-05-23 16:00 180 ----a-w- c:\documents and settings\Karla\Application Data\asd.bat
2009-05-23 16:00 . 2009-05-23 16:00 180 ----a-w- c:\documents and settings\Karla\Application Data\asd.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 09:15
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1976)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-08 9:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-08 13:20
Pre-Run: 17,441,161,216 bytes free
Post-Run: 18,157,699,072 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
180 --- E O F --- 2009-07-28 23:04
Bio-Hazard
2009-08-10, 14:42
Run CFScript
Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
DirLook::
c:\windows\EQ09IR0AJS2BLU3C
File::
c:\documents and settings\Karla\Application Data\asd.bat
Registry::
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Refering to the picture below, drag CFScript into ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
A description of how your computer is behaving
Otherjohn
2009-08-10, 15:34
ComboFix 09-08-09.04 - Karla 08/10/2009 9:14.5.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1929 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Karla\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\Karla\Application Data\asd.bat"
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 00:32 . 2009-08-10 00:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 23:14 . 2009-08-09 23:15 -------- d-----w- c:\documents and settings\Karla\.idlerc
2009-08-09 18:11 . 2009-08-09 18:11 -------- d-----w- c:\program files\ESET
2009-08-08 21:00 . 2009-08-08 21:00 -------- d-----w- C:\rsit
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 11:59 . 2009-07-13 11:59 -------- d-----w- c:\windows\EQ09IR0AJS2BLU3C
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:01 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\EQ09IR0AJS2BLU3C ----
((((((((((((((((((((((((((((( SnapShot@2009-08-08_13.15.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 13:13 . 2009-08-10 13:13 16384 c:\windows\Temp\Perflib_Perfdata_4f0.dat
+ 2009-08-10 13:13 . 2009-08-10 13:13 16384 c:\windows\Temp\Perflib_Perfdata_19c.dat
+ 2008-07-30 01:10 . 2008-07-30 01:10 26112 c:\windows\system32\TsWpfWrp.exe
+ 2009-03-16 15:00 . 2008-07-06 12:06 89088 c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
+ 2008-07-29 23:59 . 2008-07-29 23:59 43544 c:\windows\system32\PresentationHostProxy.dll
+ 2006-06-01 20:51 . 2009-08-10 00:40 80032 c:\windows\system32\perfc009.dat
- 2007-10-24 05:47 . 2007-10-24 05:47 15360 c:\windows\system32\mui\0409\mscorees.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 15360 c:\windows\system32\mui\0409\mscorees.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 83968 c:\windows\system32\mscories.dll
+ 2008-07-29 23:24 . 2008-07-29 23:24 97800 c:\windows\system32\infocardapi.dll
+ 2008-07-29 23:24 . 2008-07-29 23:24 11264 c:\windows\system32\icardres.dll
+ 2008-07-30 01:10 . 2008-07-30 01:10 73720 c:\windows\system32\dxva2.dll
+ 2006-10-14 20:43 . 2008-07-06 12:06 89088 c:\windows\system32\dllcache\filterpipelineprintproc.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 96760 c:\windows\system32\dfshim.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 96760 c:\windows\system32\dfshim.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 70648 c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 91136 c:\windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 41984 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 40960 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft.Data.Entity.Build.Tasks.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 89080 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2052.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 92664 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1042.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 95224 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1041.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 89592 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1028.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 84480 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2052.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 94720 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1042.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 97792 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1041.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 84992 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1028.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 97280 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\DeleteTemp.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 95224 c:\windows\Microsoft.NET\Framework\v3.5\EdmGen.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 78856 c:\windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 41984 c:\windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 41992 c:\windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 41992 c:\windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe
+ 2008-07-30 01:10 . 2008-07-30 01:10 46104 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
+ 2008-07-29 23:59 . 2008-07-29 23:59 32768 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationCFFRasterizer.dll
- 2006-10-21 01:21 . 2006-10-21 01:21 32768 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationCFFRasterizer.dll
+ 2008-07-30 01:10 . 2008-07-30 01:10 71160 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PenIMC.dll
+ 2008-07-29 23:32 . 2008-07-29 23:32 17448 c:\windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\PerformanceCounterInstaller.exe
+ 2008-07-29 23:16 . 2008-07-29 23:16 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 73728 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.Install.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 20504 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceMonikerSupport.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 11280 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 37896 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 37896 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 81400 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
- 2007-10-24 05:47 . 2007-10-24 05:47 81400 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2008-07-25 15:17 . 2008-07-25 15:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 57392 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 57392 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 95232 c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 95232 c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 16896 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 16896 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 61952 c:\windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 61952 c:\windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 88584 c:\windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 24584 c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 24584 c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 31744 c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 31744 c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 19456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 19456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 18944 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 18944 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 77312 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 77312 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 94208 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 94208 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 46592 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 83456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 83456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 97792 c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 97792 c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 65032 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 65032 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 18936 c:\windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 18936 c:\windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 62968 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 35320 c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 35320 c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 69120 c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 69120 c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 27136 c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 27136 c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 80376 c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 80376 c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 89608 c:\windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 31560 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 34312 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 33288 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 24576 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 24576 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 84480 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 84480 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 33800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 17416 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 22024 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 22024 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 58880 c:\windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 98808 c:\windows\Microsoft.NET\Framework\v2.0.50727\alink.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 13824 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 13824 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 96768 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 16896 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 16896 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 16896 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 16896 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 82944 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 82944 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2008-07-30 01:07 . 2008-07-30 01:07 23040 c:\windows\Installer\9ebf6.msp
+ 2009-08-10 00:30 . 2009-08-10 00:30 88576 c:\windows\Installer\44dcf.msi
+ 2009-08-10 00:45 . 2009-08-10 00:45 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\a715aa442ef87ae99b3ade185599249d\UIAutomationProvider.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-08-10 00:46 . 2009-08-10 00:46 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\2d7408a0232f2e2efd0d7adf5dfa733a\PresentationFontCache.ni.exe
+ 2009-08-10 00:44 . 2009-08-10 00:44 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\c8fd2d9233f8ea3031fb16f697635231\PresentationCFFRasterizer.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-08-10 00:45 . 2009-08-10 00:45 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\ec83ec80653eb20ccc6ed42075c90aee\Microsoft.VisualC.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe
+ 2009-08-10 00:46 . 2009-08-10 00:46 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 94208 c:\windows\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 98304 c:\windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 40960 c:\windows\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 12288 c:\windows\assembly\GAC_MSIL\System.Windows.Presentation\3.5.0.0__b77a5c561934e089\System.Windows.Presentation.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 61440 c:\windows\assembly\GAC_MSIL\System.Web.Routing\3.5.0.0__31bf3856ad364e35\System.Web.Routing.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 32768 c:\windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 77824 c:\windows\assembly\GAC_MSIL\System.Web.Abstractions\3.5.0.0__31bf3856ad364e35\System.Web.Abstractions.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 73728 c:\windows\assembly\GAC_MSIL\System.ServiceModel.Install\3.0.0.0__b77a5c561934e089\System.ServiceModel.Install.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 53248 c:\windows\assembly\GAC_MSIL\System.Data.DataSetExtensions\3.5.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 57344 c:\windows\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\3.5.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 45056 c:\windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\System.AddIn.Contract.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 46104 c:\windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
- 2009-03-16 15:01 . 2009-03-16 15:01 32768 c:\windows\assembly\GAC_MSIL\PresentationCFFRasterizer\3.0.0.0__31bf3856ad364e35\PresentationCFFRasterizer.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 32768 c:\windows\assembly\GAC_MSIL\PresentationCFFRasterizer\3.0.0.0__31bf3856ad364e35\PresentationCFFRasterizer.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 41984 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\1.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 94208 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v3.5.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 5632 c:\windows\Microsoft.NET\Framework\v3.5\Sentinel.v3.5Client.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 7168 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 7168 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft_VsaVb.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 5632 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 5632 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualC.Dll
- 2007-10-24 05:47 . 2007-10-24 05:47 6656 c:\windows\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 6656 c:\windows\Microsoft.NET\Framework\v2.0.50727\IIEHost.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExecRemote.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 9728 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 9728 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 5120 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 5120 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
+ 2009-08-10 00:36 . 2009-08-10 00:36 5632 c:\windows\assembly\GAC_MSIL\Sentinel.v3.5Client\3.5.0.0__b03f5f7f11d50a3a\Sentinel.v3.5Client.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-15 02:24 . 2008-04-15 02:24 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2008-04-15 02:24 . 2008-04-15 02:24 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 01:23 . 2007-11-07 01:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 635904 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 558080 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
+ 2008-07-30 01:26 . 2008-07-30 01:26 301568 c:\windows\system32\XPSViewer\XPSViewer.exe
+ 2006-10-15 00:21 . 2008-07-06 12:06 575488 c:\windows\system32\xpsshhdr.dll
+ 2008-07-29 23:59 . 2008-07-29 23:59 161296 c:\windows\system32\UIAutomationCore.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 765440 c:\windows\system32\spool\XPSEP\i386\mxdwdrv.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 765440 c:\windows\system32\spool\XPSEP\i386\i386\mxdwdrv.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 748032 c:\windows\system32\spool\XPSEP\amd64\mxdwdrv.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 748032 c:\windows\system32\spool\XPSEP\amd64\amd64\mxdwdrv.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 147456 c:\windows\system32\spool\prtprocs\x64\filterpipelineprintproc.dll
+ 2006-10-14 20:44 . 2008-07-06 10:50 597504 c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
- 2006-10-08 21:55 . 2007-05-15 08:08 761344 c:\windows\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-10-08 21:55 . 2008-03-13 04:52 761344 c:\windows\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-10-08 21:55 . 2008-07-06 12:06 744960 c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
- 2006-10-08 21:55 . 2008-04-14 00:12 373248 c:\windows\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-10-08 21:55 . 2008-07-06 12:06 373248 c:\windows\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-10-14 20:42 . 2008-07-06 12:06 198656 c:\windows\system32\spool\drivers\w32x86\3\mxdwdui.dll
+ 2006-10-14 20:43 . 2008-07-06 12:06 765440 c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
+ 2006-10-14 20:43 . 2008-07-06 12:06 117760 c:\windows\system32\prntvpt.dll
+ 2008-07-29 23:59 . 2008-07-29 23:59 781344 c:\windows\system32\PresentationNative_v0300.dll
+ 2008-07-30 00:35 . 2008-07-30 00:35 326160 c:\windows\system32\PresentationHost.exe
+ 2008-07-29 23:59 . 2008-07-29 23:59 105016 c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
+ 2006-06-01 20:51 . 2009-08-10 00:40 466982 c:\windows\system32\perfh009.dat
- 2007-10-24 05:47 . 2007-10-24 05:47 158720 c:\windows\system32\mscorier.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 158720 c:\windows\system32\mscorier.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 282112 c:\windows\system32\mscoree.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 282112 c:\windows\system32\mscoree.dll
+ 2008-07-29 23:24 . 2008-07-29 23:24 622080 c:\windows\system32\icardagt.exe
+ 2006-06-01 22:19 . 2009-08-10 00:59 473968 c:\windows\system32\FNTCACHE.DAT
- 2006-06-01 22:19 . 2009-06-20 04:06 473968 c:\windows\system32\FNTCACHE.DAT
+ 2008-07-30 01:10 . 2008-07-30 01:10 493048 c:\windows\system32\evr.dll
+ 2006-10-15 00:21 . 2008-07-06 12:06 575488 c:\windows\system32\dllcache\xpsshhdr.dll
+ 2006-10-14 20:44 . 2008-07-06 10:50 597504 c:\windows\system32\dllcache\printfilterpipelinesvc.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 196104 c:\windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe
+ 2008-07-30 03:40 . 2008-07-30 03:40 802816 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft.Build.Tasks.v3.5.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 984056 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapUI.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 107512 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 111096 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.3082.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 110072 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2070.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 106488 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1055.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 105976 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1053.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 107000 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1049.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 107512 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1046.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 109048 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1045.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 106488 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1044.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 108536 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1043.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 110072 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1040.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 111096 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1038.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 101368 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1037.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 112120 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1036.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 106488 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1035.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 113656 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1032.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 111608 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1031.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 108536 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1030.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 108536 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1029.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 102904 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1025.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 689152 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vsscenario.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 413184 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vsbasereqs.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 632320 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs70uimgr.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2008-07-29 22:47 . 2008-07-29 22:47 110080 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 131584 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.3082.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 131072 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2070.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 121344 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1055.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 121344 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1053.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 123904 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1049.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 122880 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1046.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 128512 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1045.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 121856 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1044.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 129024 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1043.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 128512 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1040.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 132096 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1038.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 111104 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1037.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 133120 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1036.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 122368 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1035.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 137728 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1032.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 130048 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1031.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 126464 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1030.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 125440 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1029.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 113152 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1025.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 269304 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
+ 2008-07-29 22:47 . 2008-07-29 22:47 177152 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\HtmlLite.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 276984 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\dlmgr.dll
+ 2008-07-30 03:15 . 2008-07-30 03:15 225490 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\baseline.dat
+ 2008-07-30 03:40 . 2008-07-30 03:40 233976 c:\windows\Microsoft.NET\Framework\v3.5\1033\vbc7ui.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 168448 c:\windows\Microsoft.NET\Framework\v3.5\1033\cscompui.dll
+ 2008-07-30 00:35 . 2008-07-30 00:35 864256 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationUI.dll
+ 2008-07-29 23:59 . 2008-07-29 23:59 132120 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 152576 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe
+ 2008-07-29 23:16 . 2008-07-29 23:16 966656 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 132096 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
+ 2008-07-29 23:16 . 2008-07-29 23:16 110592 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 156688 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
+ 2008-07-29 23:16 . 2008-07-29 23:16 163840 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.Dtc.dll
+ 2008-07-29 23:16 . 2008-07-29 23:16 397312 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll
+ 2008-07-29 23:24 . 2008-07-29 23:24 881664 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
+ 2008-07-29 23:16 . 2008-07-29 23:16 168968 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe
+ 2008-11-25 08:59 . 2008-11-25 08:59 436040 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 839680 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 839680 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Services.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 835584 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 261632 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Transactions.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 114688 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 114688 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.ServiceProcess.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 131072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 131072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 303104 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Runtime.Remoting.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Management.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 113664 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 113664 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Wrapper.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 626688 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 188416 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 188416 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 401408 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 401408 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 970752 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 745472 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 425984 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 425984 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.configuration.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 392184 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 118784 c:\windows\Microsoft.NET\Framework\v2.0.50727\shfusion.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 143360 c:\windows\Microsoft.NET\Framework\v2.0.50727\peverify.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 100856 c:\windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 230912 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvc.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 345600 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 114176 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorpe.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 364872 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 308224 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 308224 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 990032 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 659456 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 749568 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 749568 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 655360 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 655360 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 348160 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 348160 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Engine.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 230904 c:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 230904 c:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 798224 c:\windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 798224 c:\windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 575496 c:\windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2008-07-25 15:17 . 2008-07-25 15:17 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
+ 2008-07-25 15:16 . 2008-07-25 15:16 507904 c:\windows\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 507904 c:\windows\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 106496 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 147968 c:\windows\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 147968 c:\windows\Microsoft.NET\Framework\v2.0.50727\AdoNetDiag.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 218112 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 218112 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\Vsavb7rtUI.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 193016 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 193016 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\vbc7ui.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 145408 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 145408 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll
+ 2008-12-13 13:58 . 2008-12-13 13:58 754688 c:\windows\Installer\c1bf5.msp
+ 2009-08-10 00:36 . 2009-08-10 00:36 648192 c:\windows\Installer\c1bcf.msi
+ 2008-07-30 01:23 . 2008-07-30 01:23 250880 c:\windows\Installer\9ebff.msp
+ 2008-07-30 01:28 . 2008-07-30 01:28 278016 c:\windows\Installer\9ebfd.msp
+ 2008-07-29 23:40 . 2008-07-29 23:40 291840 c:\windows\Installer\9ebfb.msp
+ 2009-08-10 00:34 . 2009-08-10 00:35 137728 c:\windows\Installer\9ebf5.msi
+ 2008-07-29 21:35 . 2008-07-29 21:35 553472 c:\windows\Installer\44dd4.msp
+ 2008-07-29 21:33 . 2008-07-29 21:33 506368 c:\windows\Installer\44dd2.msp
+ 2008-07-29 21:37 . 2008-07-29 21:37 911360 c:\windows\Installer\44dd1.msp
+ 2009-08-10 00:52 . 2009-08-10 00:53 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe
+ 2009-08-10 00:50 . 2009-08-10 00:50 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\6a818099f0386e2356ae94f886a2196f\WindowsFormsIntegration.ni.dll
+ 2009-08-10 00:45 . 2009-08-10 00:45 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\a6d9503962d47c722231c1478f180695\UIAutomationTypes.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\5c028c3d8db6c0f0277673ea4a2d89fb\UIAutomationClient.ni.dll
+ 2009-08-10 11:41 . 2009-08-10 11:41 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:58 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:48 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\1c8df2da33222c048d683017f2095f04\System.Security.ni.dll
+ 2009-08-10 00:46 . 2009-08-10 00:46 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\2abd876a3c8a6b088fa6d8d39d901e3c\System.Runtime.Remoting.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\519d9c618341b136f9b963ffb7495308\System.Net.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\f48e3419fb2cb012fd160ae801600ae7\System.Messaging.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll
+ 2009-08-10 00:51 . 2009-08-10 00:51 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll
Otherjohn
2009-08-10, 15:35
+ 2009-08-10 00:51 . 2009-08-10 00:51 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\18bbe2b6717e7f1d1dd672526e9889ee\System.Drawing.Design.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c434a07332ce490711c27fd0edb7562f\System.DirectoryServices.Protocols.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll
+ 2009-08-10 00:56 . 2009-08-10 00:56 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\b82c00e2d24305ad6cb08556e3779b75\System.Configuration.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 232448 c:\windows\assembly\NativeImages_v2.0.50727_32\sysglobl\45067d0793a09d3431d26bfa55c5a76a\sysglobl.ni.dll
+ 2009-08-10 00:52 . 2009-08-10 00:52 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe
+ 2009-08-10 00:52 . 2009-08-10 00:52 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll
+ 2009-08-10 00:52 . 2009-08-10 00:52 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe
+ 2009-08-10 00:49 . 2009-08-10 00:49 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f475294d8c7dc2dd4febeef27bc0417e\PresentationFramework.Classic.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8003abaf6bcf70f7eb620d06837e897b\PresentationFramework.Luna.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\59a67874d8d8475faa5be1d993083d12\PresentationFramework.Aero.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2c980c9a5051d723c6ec2a78a3d0e2b3\PresentationFramework.Royale.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe
+ 2009-08-10 00:52 . 2009-08-10 00:52 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll
+ 2009-08-10 00:52 . 2009-08-10 00:52 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe
+ 2009-08-10 00:53 . 2009-08-10 00:53 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\b5b2feadc3943e3976daebc0bcd2b5e2\AspNetMMCExt.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 363520 c:\windows\assembly\NativeImages_v2.0.50727_32\AdWindowsWrapper\2835810a367595918f70294a56f1cfb0\AdWindowsWrapper.ni.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 385024 c:\windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\UIAutomationClientsideProviders.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 167936 c:\windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\UIAutomationClient.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 139264 c:\windows\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 507904 c:\windows\assembly\GAC_MSIL\System.WorkflowServices\3.5.0.0__31bf3856ad364e35\System.WorkflowServices.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 540672 c:\windows\assembly\GAC_MSIL\System.Workflow.Runtime\3.0.0.0__31bf3856ad364e35\System.Workflow.Runtime.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 335872 c:\windows\assembly\GAC_MSIL\System.Web.Extensions.Design\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.Design.dll
+ 2009-08-10 00:42 . 2009-08-10 00:42 139264 c:\windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 131072 c:\windows\assembly\GAC_MSIL\System.Web.Entity.Design\3.5.0.0__b77a5c561934e089\System.Web.Entity.Design.dll
+ 2009-08-10 00:42 . 2009-08-10 00:42 229376 c:\windows\assembly\GAC_MSIL\System.Web.DynamicData\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 688128 c:\windows\assembly\GAC_MSIL\System.Speech\3.0.0.0__31bf3856ad364e35\System.Speech.dll
- 2009-03-16 15:01 . 2009-03-16 15:01 688128 c:\windows\assembly\GAC_MSIL\System.Speech\3.0.0.0__31bf3856ad364e35\System.Speech.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 569344 c:\windows\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 966656 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 233472 c:\windows\assembly\GAC_MSIL\System.Net\3.5.0.0__b03f5f7f11d50a3a\System.Net.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 143360 c:\windows\assembly\GAC_MSIL\System.Management.Instrumentation\3.5.0.0__b77a5c561934e089\System.Management.Instrumentation.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 131072 c:\windows\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
- 2009-03-16 15:00 . 2009-03-16 15:00 131072 c:\windows\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 430080 c:\windows\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll
- 2009-03-16 15:00 . 2009-03-16 15:00 126976 c:\windows\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 126976 c:\windows\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 286720 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-08-10 00:42 . 2009-08-10 00:42 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 114688 c:\windows\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\System.Data.Services.Design.dll
+ 2009-08-10 00:42 . 2009-08-10 00:42 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 684032 c:\windows\assembly\GAC_MSIL\System.Data.Linq\3.5.0.0__b77a5c561934e089\System.Data.Linq.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 229376 c:\windows\assembly\GAC_MSIL\System.Data.Entity.Design\3.5.0.0__b77a5c561934e089\System.Data.Entity.Design.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 667648 c:\windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 163840 c:\windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 110592 c:\windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 528384 c:\windows\assembly\GAC_MSIL\ReachFramework\3.0.0.0__31bf3856ad364e35\ReachFramework.dll
- 2009-03-16 15:01 . 2009-03-16 15:01 528384 c:\windows\assembly\GAC_MSIL\ReachFramework\3.0.0.0__31bf3856ad364e35\ReachFramework.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 864256 c:\windows\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\PresentationUI.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 163840 c:\windows\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35\PresentationFramework.Royale.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 397312 c:\windows\assembly\GAC_MSIL\PresentationFramework.Luna\3.0.0.0__31bf3856ad364e35\PresentationFramework.Luna.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 139264 c:\windows\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 196608 c:\windows\assembly\GAC_MSIL\PresentationFramework.Aero\3.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 598016 c:\windows\assembly\GAC_MSIL\PresentationBuildTasks\3.0.0.0__31bf3856ad364e35\PresentationBuildTasks.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 397312 c:\windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 802816 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v3.5.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 733184 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 106496 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v3.5.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 368640 c:\windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2008-04-15 02:24 . 2008-04-15 02:24 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 163840 c:\windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
+ 2006-10-15 00:22 . 2008-07-06 12:06 1676288 c:\windows\system32\XpsSvcs.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 1676288 c:\windows\system32\spool\XPSEP\i386\xpssvcs.dll
+ 2009-03-16 15:00 . 2008-07-06 12:06 1676288 c:\windows\system32\spool\XPSEP\i386\i386\xpssvcs.dll
+ 2009-03-16 15:00 . 2008-07-06 21:36 2936832 c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
+ 2009-03-16 15:00 . 2008-07-06 21:36 2936832 c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
+ 2006-10-15 00:22 . 2008-07-06 12:06 1676288 c:\windows\system32\spool\drivers\w32x86\3\XpsSvcs.dll
+ 2006-10-15 00:22 . 2008-07-06 12:06 1676288 c:\windows\system32\dllcache\XpsSvcs.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 1720824 c:\windows\Microsoft.NET\Framework\v3.5\vbc.exe
+ 2008-07-29 22:47 . 2008-07-29 22:47 1054208 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 1364992 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\SITSetup.dll
+ 2008-07-29 22:47 . 2008-07-29 22:47 1064448 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\gencomp.dll
+ 2008-07-30 03:40 . 2008-07-30 03:40 1548280 c:\windows\Microsoft.NET\Framework\v3.5\csc.exe
+ 2008-12-05 23:35 . 2008-12-05 23:35 1736528 c:\windows\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll
+ 2008-12-06 00:12 . 2008-12-06 00:12 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 1344000 c:\windows\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
- 2007-10-24 05:47 . 2007-10-24 05:47 1344000 c:\windows\Microsoft.NET\Framework\v2.0.50727\VsaVb7rt.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 1172472 c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 2007-10-24 05:47 . 2007-10-24 05:47 1172472 c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
+ 2008-11-25 08:59 . 2008-11-25 08:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 3149824 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 5062656 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2008-07-25 15:17 . 2008-07-25 15:17 2933248 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 5813576 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2008-11-25 08:59 . 2008-11-25 08:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2008-07-25 15:16 . 2008-07-25 15:16 1163768 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscomp.dll
+ 2008-12-13 13:57 . 2008-12-13 13:57 8397824 c:\windows\Installer\c1bde.msp
+ 2008-07-29 23:26 . 2008-07-29 23:26 1043456 c:\windows\Installer\9ebfe.msp
+ 2008-07-30 00:37 . 2008-07-30 00:37 2679808 c:\windows\Installer\9ebfc.msp
+ 2008-07-30 01:15 . 2008-07-30 01:15 3697664 c:\windows\Installer\9ebfa.msp
+ 2008-07-29 23:34 . 2008-07-29 23:34 1448448 c:\windows\Installer\9ebf9.msp
+ 2008-07-30 00:22 . 2008-07-30 00:22 4137984 c:\windows\Installer\9ebf8.msp
+ 2008-07-29 23:18 . 2008-07-29 23:18 3376640 c:\windows\Installer\9ebf7.msp
+ 2008-07-29 21:45 . 2008-07-29 21:45 2543616 c:\windows\Installer\44dd8.msp
+ 2008-07-29 21:29 . 2008-07-29 21:29 2926080 c:\windows\Installer\44dd7.msp
+ 2008-07-29 21:41 . 2008-07-29 21:41 6487040 c:\windows\Installer\44dd6.msp
+ 2008-07-29 21:39 . 2008-07-29 21:39 3403264 c:\windows\Installer\44dd5.msp
+ 2008-07-29 21:43 . 2008-07-29 21:43 1013248 c:\windows\Installer\44dd3.msp
+ 2008-07-29 21:31 . 2008-07-29 21:31 6083072 c:\windows\Installer\44dd0.msp
+ 2009-08-10 00:45 . 2009-08-10 00:45 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\14cd5f4b61d35f9b76327d6be9853755\WindowsBase.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\f3c7957351aec85f526a3350c9718b1e\UIAutomationClientsideProviders.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\80978a322d7dd39f0a71be1251ae395a\System.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\773a9786013451d3baaeff003dc4230f\System.Xml.ni.dll
+ 2009-08-10 11:41 . 2009-08-10 11:41 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ac1750e78d79520dcf19195772eff1b6\System.WorkflowServices.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d265da36954fcb4cb7ad5adc693ea0f2\System.Workflow.Runtime.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b57bb002a655920cbfa2bee29d1e22b7\System.Web.Services.ni.dll
+ 2009-08-10 11:40 . 2009-08-10 11:40 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll
+ 2009-08-10 11:39 . 2009-08-10 11:40 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\63cf639b6e0a3c25c1643c85016e7422\System.Speech.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll
+ 2009-08-10 00:51 . 2009-08-10 00:51 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\034c91b133dee73d452652c52767b5ea\System.Runtime.Serialization.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\646ab52eef343380aa002c220dc31e13\System.Printing.ni.dll
+ 2009-08-10 00:51 . 2009-08-10 00:51 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c2de8479e54852f56996f79bc93acb13\System.IdentityModel.ni.dll
+ 2009-08-10 00:45 . 2009-08-10 00:46 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3da96ee075bab9202626ae44c18d226c\System.Drawing.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\543aced762f6b0c3f8e037955941afc6\System.DirectoryServices.ni.dll
+ 2009-08-10 00:45 . 2009-08-10 00:45 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\a6b58624486714fa71e5e35186850ff0\System.Deployment.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\c70731047b0022638b3f9fb158948a03\System.Data.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\826b09ab0d0e36f4d631b4cd335df511\System.Data.SqlXml.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\283ecfbaa6a6fab76c8b544a4a89d5ce\System.Data.OracleClient.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\0bbec79460b1137df5313f9baf7b246f\System.Data.Linq.ni.dll
+ 2009-08-10 00:56 . 2009-08-10 00:56 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6479f975b105808a8d9e7a7fdc762551\System.Data.Entity.ni.dll
+ 2009-08-10 00:49 . 2009-08-10 00:49 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\47d87251e93256c635eb73403b8db33e\System.Core.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\4bfb3048bf200a6a8592d1b4ba861a7f\ReachFramework.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\6bafb1a2a73794ddb9761cb321c9e7e2\PresentationUI.ni.dll
+ 2009-08-10 00:44 . 2009-08-10 00:44 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\e634bc4c4a00635a0a254febab0e2e2c\PresentationBuildTasks.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
+ 2009-08-10 00:52 . 2009-08-10 00:52 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\6b2f62f5e981913fce1d223f645d9ddf\Microsoft.Transactions.Bridge.ni.dll
+ 2009-08-10 00:57 . 2009-08-10 00:57 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\6cfe582681724965fb817e8ece5f0909\Microsoft.Build.Engine.ni.dll
+ 2009-08-10 00:54 . 2009-08-10 00:54 1861632 c:\windows\assembly\NativeImages_v2.0.50727_32\AdWindows\1acadc337eeeaf0961ab36aeea9c503b\AdWindows.ni.dll
+ 2009-08-10 00:53 . 2009-08-10 00:53 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\acmgdinternal\2ba815bdf2c8d7a673bfcf149e3c017d\acmgdinternal.ni.dll
+ 2009-08-10 00:53 . 2009-08-10 00:53 2417152 c:\windows\assembly\NativeImages_v2.0.50727_32\acmgd\5c49b8849105b6ce946d4d7de0bb89e7\acmgd.ni.dll
+ 2009-08-10 00:53 . 2009-08-10 00:53 1418240 c:\windows\assembly\NativeImages_v2.0.50727_32\AcLayer\57432e1ef06c771c51cb0e643c9fc663\AcLayer.ni.dll
+ 2009-08-10 00:53 . 2009-08-10 00:53 7633920 c:\windows\assembly\NativeImages_v2.0.50727_32\acdbmgd\5117915effb240eb2f5930e524defca3\acdbmgd.ni.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 1245184 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 1630208 c:\windows\assembly\GAC_MSIL\System.Workflow.ComponentModel\3.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 1138688 c:\windows\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-08-10 00:42 . 2009-08-10 00:42 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2009-08-10 00:41 . 2009-08-10 00:41 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-08-10 00:36 . 2009-08-10 00:36 2879488 c:\windows\assembly\GAC_MSIL\System.Data.Entity\3.5.0.0__b77a5c561934e089\System.Data.Entity.dll
+ 2009-08-10 00:41 . 2009-08-10 00:41 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-08-10 00:34 . 2009-08-10 00:34 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2009-08-10 00:40 . 2009-08-10 00:40 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-12-13 14:21 . 2008-12-13 14:21 10473472 c:\windows\Installer\c1be9.msp
+ 2009-08-10 00:46 . 2009-08-10 00:46 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\63406259e94d5c0ff5b79401dfe113ce\System.Windows.Forms.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
+ 2009-08-10 00:52 . 2009-08-10 00:52 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\4146033013edebd7e0cb604e504ebfee\System.ServiceModel.ni.dll
+ 2009-08-10 00:48 . 2009-08-10 00:48 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8ee220bc3cce4f7bbd7818946519ed7f\System.Design.ni.dll
+ 2009-08-10 00:47 . 2009-08-10 00:47 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96e710f47c601cba3f2348a8d11ddede\PresentationFramework.ni.dll
+ 2009-08-10 00:45 . 2009-08-10 00:45 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\956375d487cbef36165b3250030e3574\PresentationCore.ni.dll
+ 2009-08-10 00:43 . 2009-08-10 00:43 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6d667f19d687361886990f3ca0f49816\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 09:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-10 9:22
ComboFix-quarantined-files.txt 2009-08-10 13:22
ComboFix2.txt 2009-08-09 18:43
ComboFix3.txt 2009-08-08 18:36
ComboFix4.txt 2009-08-08 13:56
ComboFix5.txt 2009-08-10 13:11
Pre-Run: 20,308,688,896 bytes free
Post-Run: 20,368,523,264 bytes free
812 --- E O F --- 2009-08-10 00:42
Otherjohn
2009-08-10, 15:36
The latest hijack this log. The computer seems to be running normally. I have not noticed any slowdowns, redirects or any other signs of trouble.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:35 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 7920 bytes
Bio-Hazard
2009-08-10, 16:11
Remove HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.
Show All Files And Folders Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Apply to confirm.
Click OK.
Can you go to this folder:
c:\windows\EQ09IR0AJS2BLU3C
Could you tell me what is inside?
Otherjohn
2009-08-10, 16:29
The folder appears to be empty.
Bio-Hazard
2009-08-10, 16:47
Delete the folder.
Do you have any problems.
Can you post one more HijackThis log for me to see.
Otherjohn
2009-08-10, 16:52
The folder deleted without resistance. here is the new hijack this log. I did notice that the "R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) " that I fixed earlier is back.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:42 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 7965 bytes
Bio-Hazard
2009-08-10, 17:13
Hello!
It is a orphan entry, so it doesnt do anything.
Your log now appears to be clean. Congratulations!
You can get rid of the tools we used:
DDS - (You can just delete the exe file from your desktop)
ATF cleaner - (You can just delete the exe file from your desktop)
Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
Please advise if this step is missed for any reason as it performs some important actions.
OTC
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.
Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.
Recommended Programs
I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/) or Google Chrome (http://www.google.com/chrome)
Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).
Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy surfing and stay clean!
Bio-Hazard
Otherjohn
2009-08-10, 22:47
I did the uninstalls and started updating my virus & spyware scanners. AVG came up clean. Malwarebytes came up clean. Spybot detected the same group of infected files plus one. Either this is a false positive of someone, somewhere really deserves to have his compter inserted rectally. Sideways.
Here is a fresh hijack this log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:42 PM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Python24\Doc\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\RunOnce: [SpybotDeletingA481] command.com /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4484] cmd.exe /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1570] command.com /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1358] cmd.exe /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3970] command.com /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC788] cmd.exe /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2246] command.com /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4202] cmd.exe /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5567] command.com /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7403] cmd.exe /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4648] command.com /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8970] cmd.exe /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5495] command.com /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC924] cmd.exe /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Python24\Doc\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1578] command.com /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8031] cmd.exe /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8775] command.com /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7493] cmd.exe /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5696] command.com /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4815] cmd.exe /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2929] command.com /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2988] cmd.exe /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3710] command.com /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7612] cmd.exe /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7014] command.com /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD930] cmd.exe /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1334] command.com /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2141] cmd.exe /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 11886 bytes
Here is the latest log from Spybot.
--- Report generated: 2009-08-10 16:36 ---
Win32.TDSS.rtk: [SBI $1473B578] File (File, fixed)
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Properties.size=0
Properties.md5=571F2EAA4A7488C33A786A7E56917FA7
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrbuhylhmn.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrxfenxvmc.dll
Properties.size=0
Properties.md5=F10EAE5B4D181BD1656EF67B8398CF93
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrornmbpxe.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrjwmeoxta.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrapjdskvl.dat
Properties.size=0
Properties.md5=22C4193BBD3E986AB091555972CE4A22
Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrnrndxrqt.dat
Properties.size=0
Properties.md5=D1F9B5AE88CAC902CBD9A958ACCA909D
Right Media: Tracking cookie (Internet Explorer: Karla) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-03-09 unins000.exe (51.49.0.0)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 SDShred.exe (1.0.2.5)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2009-07-28 advcheck.dll (1.6.3.17)
2004-11-29 Includes\LSP.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-22 Includes\Trojans.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-05 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2009-08-04 Includes\PUPSC.sbi (*)
2009-08-05 Includes\MalwareC.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-08-04 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-07-30 Includes\AdwareC.sbi (*)
2009-08-04 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
Otherjohn
2009-08-10, 23:57
Just to be clear, all of my angry comments are directed toward the people who write and distribute malware and such. Not you or any of the other helpers on this forum.
Bio-Hazard
2009-08-11, 07:05
Hello!
Well lets what is going on.
I would like you to uninstall Spybot and then reboot. After reboot run combofix.
Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
ComboFix log (found at C:\Combofix.txt)
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
Otherjohn
2009-08-11, 13:18
I uninstaled spybot and reboted. I tried to run combofix and got the blue screen of death. The system rebooted itself before I could copy any if the bsod info. Do you want me to try combofix again?
In the meantime here is a fresh hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:54 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 8681 bytes
Otherjohn
2009-08-11, 13:57
Just found a third copy of spybot lurking about. This one apears to be 1.0.0.6
It didn't show in the add/remove programs control panel so I don't know that it was actually installed or just not deleted after updating to a newer version.
I have deleted this one as well. You want a fresh hjt log?
Bio-Hazard
2009-08-11, 23:51
SysProt Antirootkit
Download SysProt Antirootkit from HERE (http://sites.google.com/site/sysprotantirootkit/) (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive.
Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Lets see if there is any Combofix logs present, if there isn't. Dont worry about it, just let me know.
Post Combofix log
Click Start > Run > type notepad C:\combofix.txt > OK
When Notepad opens, click Edit > Select all then Edit > Copy
Reply to this post and press Ctrl+V to paste the log in your reply.
Note: Please let me know if you get an error, and what is says, after typing the command in the Run box.
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:
C:\qoobox In that folder you will find the ComboFix log files.
Please post the contents of each of those log files in your next reply.
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:
C:\QooBox\LastRun
If there are any log files in that folder, please post them in your next reply as well.
Thank you.
Otherjohn
2009-08-12, 00:12
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\smss.exe
PID: 472
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\csrss.exe
PID: 528
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\winlogon.exe
PID: 564
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SERVICES.EXE
PID: 608
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\LSASS.EXE
PID: 620
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 772
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 788
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 868
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 940
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 988
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1092
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\spoolsv.exe
PID: 1436
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 1604
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1128
Hidden: No
Window Visible: No
Name: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PID: 1304
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1592
Hidden: No
Window Visible: No
Name: C:\Program Files\AVG\AVG8\avgwdsvc.exe
PID: 1624
Hidden: No
Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1524
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehRecvr.exe
PID: 1812
Hidden: No
Window Visible: No
Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1668
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehSched.exe
PID: 120
Hidden: No
Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 400
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 540
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1268
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1284
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\searchindexer.exe
PID: 980
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 2220
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\dllhost.exe
PID: 2668
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wscntfy.exe
PID: 2792
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wbem\wmiapsrv.exe
PID: 2800
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\alg.exe
PID: 2912
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 252
Hidden: No
Window Visible: No
Name: C:\WINDOWS\Explorer.EXE
PID: 1380
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\notepad.exe
PID: 3452
Hidden: No
Window Visible: Yes
Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 960
Hidden: No
Window Visible: No
Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3352
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\ctfmon.exe
PID: 3540
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProt.exe
PID: 3156
Hidden: No
Window Visible: Yes
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\geyekrtivmlkya.sys
Service Name: geyekrttvogrql
Module Base: ---
Module End: ---
Hidden: Yes
Module Name: \??\C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: AEDDC000
Module End: AEDE7000
Hidden: No
Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BACBC000
Module End: BACBF000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BACC0000
Module End: BACC4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BADAC000
Module End: BADAE000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BADAE000
Module End: BADB0000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BADB0000
Module End: BADB2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BADB2000
Module End: BADB4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BADB4000
Module End: BADB6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA72B000
Module End: BA74A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BADB6000
Module End: BADB8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: BA705000
Module End: BA72B000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BACC4000
Module End: BACC7000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BAE71000
Module End: BAE72000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\UBHelper.sys
Service Name: UBHelper
Module Base: BACC8000
Module End: BACCC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BACCC000
Module End: BACD0000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: BA6ED000
Module End: BA705000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA6D5000
Module End: BA6ED000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BACD0000
Module End: BACD4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BAB38000
Module End: BAB3D000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BACD4000
Module End: BACD8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA8F8000
Module End: BA906000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BACD8000
Module End: BACDC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA908000
Module End: BA911000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BACDC000
Module End: BACDF000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BAB40000
Module End: BAB47000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BACE0000
Module End: BACE4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BAB48000
Module End: BAB4D000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BAB50000
Module End: BAB55000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BACE4000
Module End: BACE8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA918000
Module End: BA922000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA928000
Module End: BA936000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BAB58000
Module End: BAB60000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BAB60000
Module End: BAB67000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BAB68000
Module End: BAB70000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BAB70000
Module End: BAB76000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BAB78000
Module End: BAB7E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BADB8000
Module End: BADBA000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA938000
Module End: BA941000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: BA6BC000
Module End: BA6D5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BAB80000
Module End: BAB85000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA948000
Module End: BA952000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA958000
Module End: BA964000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA968000
Module End: BA974000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BAB88000
Module End: BAB8F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BADBA000
Module End: BADBC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BAB90000
Module End: BAB97000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BACE8000
Module End: BACEC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: BA690000
Module End: BA6BC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA978000
Module End: BA981000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA988000
Module End: BA995000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA670000
Module End: BA690000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA65E000
Module End: BA670000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA998000
Module End: BA9A1000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Fastfat.sys
Service Name: Fastfat
Module Base: BA63A000
Module End: BA65E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA623000
Module End: BA63A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA5F6000
Module End: BA623000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: BA9A8000
Module End: BA9B2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA5DC000
Module End: BA5F6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA9C8000
Module End: BA9D3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA9D8000
Module End: BA9E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA9E8000
Module End: BA9F3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA9F8000
Module End: BAA03000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: BAA08000
Module End: BAA16000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: BAD68000
Module End: BAD6B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: BA345000
Module End: BA4CC000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: BA331000
Module End: BA345000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: BAC00000
Module End: BAC05000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: BA30D000
Module End: BA331000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC08000
Module End: BAC10000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BAA18000
Module End: BAA23000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BAA28000
Module End: BAA38000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BAA38000
Module End: BAA47000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: BA2EA000
Module End: BA30D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Service Name: NTIDrvr
Module Base: BADBC000
Module End: BADBE000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BAC10000
Module End: BAC15000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: BA2C2000
Module End: BA2EA000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAA48000
Module End: BAA55000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
Service Name: DKbFltr
Module Base: BAC18000
Module End: BAC1D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BAC20000
Module End: BAC26000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: BA292000
Module End: BA2C2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADBE000
Module End: BADC0000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC28000
Module End: BAC2E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BAD70000
Module End: BAD74000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: BA21A000
Module End: BA292000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
Service Name: EMSCR
Module Base: BAA58000
Module End: BAA67000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: BA206000
Module End: BA21A000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
Service Name: ESMCR
Module Base: BA1F3000
Module End: BA206000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
Service Name: ESDCR
Module Base: BAA68000
Module End: BAA72000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAF18000
Module End: BAF19000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: BADC0000
Module End: BADC2000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BAC30000
Module End: BAC38000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Service Name: irda
Module Base: BAC38000
Module End: BAC3D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BAC40000
Module End: BAC45000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BAA78000
Module End: BAA85000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BAD78000
Module End: BAD7B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: BA1DC000
Module End: BA1F3000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BAA88000
Module End: BAA93000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BAA98000
Module End: BAAA4000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: BA12B000
Module End: BA13C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BAAA8000
Module End: BAAB1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC48000
Module End: BAC4D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC50000
Module End: BAC55000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Service Name: RimVSerPort
Module Base: BAC58000
Module End: BAC5F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: BA0FB000
Module End: BA12B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BAAB8000
Module End: BAAC2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADC2000
Module End: BADC4000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: BA075000
Module End: BA0D3000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BAD8C000
Module End: BAD90000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BAAC8000
Module End: BAAD2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BAAF8000
Module End: BAB07000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: B1B71000
Module End: B1FAC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B1B4D000
Module End: B1B71000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BAB08000
Module End: BAB17000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Service Name: HSXHWAZL
Module Base: B1B13000
Module End: B1B4D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Service Name: HSF_DPV
Module Base: B1A1C000
Module End: B1B13000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Service Name: winachsf
Module Base: B1965000
Module End: B1A1C000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: BA500000
Module End: BA503000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BADC6000
Module End: BADC8000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAF6B000
Module End: BAF6C000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BADC8000
Module End: BADCA000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAC80000
Module End: BAC87000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BAC88000
Module End: BAC8E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BADCA000
Module End: BADCC000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BADCC000
Module End: BADCE000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\BisonCam.sys
Service Name: Cam5603D
Module Base: B1750000
Module End: B1815000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\STREAM.SYS
Service Name: ---
Module Base: BA5BC000
Module End: BA5C9000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BAC90000
Module End: BAC95000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BAC98000
Module End: BACA0000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BA4F8000
Module End: BA4FB000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B173D000
Module End: B1750000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B16E4000
Module End: B173D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B1694000
Module End: B16BC000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B166E000
Module End: B1694000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B164C000
Module End: B166E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA5AC000
Module End: BA5B5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA59C000
Module End: BA5A5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B1621000
Module End: B164C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B15B1000
Module End: B1621000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA57C000
Module End: BA587000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: BACA0000
Module End: BACA6000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: B1560000
Module End: B15B1000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA55C000
Module End: BA56C000
Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B1507000
Module End: B151F000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BADCE000
Module End: BADD0000
Hidden: Yes
Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: BA0E7000
Module End: BA0EA000
Hidden: No
Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BACA8000
Module End: BACAD000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAFF0000
Module End: BAFF1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\irda.sys
Service Name: ---
Module Base: AF199000
Module End: AF1AF000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AF2DF000
Module End: AF2E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AEF54000
Module End: AEF69000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AF119000
Module End: AF128000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: AECCF000
Module End: AECFC000
Hidden: No
Module Name: \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Service Name: DritekPortIO
Module Base: AF01D000
Module End: AF021000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: AEA5E000
Module End: AEA9F000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\int15.sys
Service Name: int15
Module Base: AEA25000
Module End: AEA36000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: AE983000
Module End: AE9D5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: AEA3A000
Module End: AEA3E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: AF159000
Module End: AF163000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\tvicport.sys
Service Name: tvicport
Module Base: AE9F5000
Module End: AE9F8000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\zntport.sys
Service Name: zntport
Module Base: BAF05000
Module End: BAF06000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: BAE3E000
Module End: BAE40000
Hidden: Yes
Module Name: \??\C:\DOCUME~1\Karla\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: B189D000
Module End: B18A5000
Hidden: Yes
Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: AE2F0000
Module End: AE31B000
Hidden: No
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8062534A
Jump To: 8A5630F2
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 80625264
Jump To: 8A56B67A
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 805B6812
Jump To: 8A8A8694
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80623FF0
Jump To: 8A5630BC
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804EF236
Jump To: 8A6FBAF3
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804EF1A6
Jump To: 8A56B6B3
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: COMPUTADORA.SERENITY:2869
Remote Address: 192.168.0.1:1307
Type: TCP
Process: System
State: CLOSE_WAIT
Local Address: COMPUTADORA.SERENITY:1113
Remote Address: 192.168.0.1:5678
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: ESTABLISHED
Local Address: COMPUTADORA.SERENITY:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: COMPUTADORA:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING
Local Address: COMPUTADORA:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING
Local Address: COMPUTADORA:5152
Remote Address: LOCALHOST:1092
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT
Local Address: COMPUTADORA:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: COMPUTADORA:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\alg.exe
State: LISTENING
Local Address: COMPUTADORA:9999
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
State: LISTENING
Local Address: COMPUTADORA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING
Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: COMPUTADORA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING
Local Address: COMPUTADORA.SERENITY:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA.SERENITY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA.SERENITY:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: COMPUTADORA.SERENITY:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: COMPUTADORA.SERENITY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:1046
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: COMPUTADORA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:63057
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA
Local Address: COMPUTADORA:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA
Local Address: COMPUTADORA:1027
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\spoolsv.exe
State: NA
Local Address: COMPUTADORA:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA
Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Status: Hidden
Object: C:\WINDOWS\system32\geyekrbuhylhmn.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrapjdskvl.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrxfenxvmc.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrnrndxrqt.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrornmbpxe.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrjwmeoxta.dll
Status: Hidden
Object: C:\Documents and Settings\Karla\Local Settings\Temp\geyekr000
Status: Hidden
Otherjohn
2009-08-12, 00:14
ComboFix 09-08-10.06 - Karla 08/11/2009 17:54.6.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1912 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.
2009-08-10 00:32 . 2009-08-10 00:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 23:14 . 2009-08-09 23:15 -------- d-----w- c:\documents and settings\Karla\.idlerc
2009-08-09 18:11 . 2009-08-09 18:11 -------- d-----w- c:\program files\ESET
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\Karla\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:01 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
Notify-cscdll - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 18:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-11 18:02
ComboFix-quarantined-files.txt 2009-08-11 22:02
Pre-Run: 21,429,616,640 bytes free
Post-Run: 21,599,191,040 bytes free
144 --- E O F --- 2009-08-10 23:04
Otherjohn
2009-08-12, 11:55
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Status: Hidden
Object: C:\WINDOWS\system32\geyekrbuhylhmn.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrapjdskvl.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrxfenxvmc.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrnrndxrqt.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrornmbpxe.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrjwmeoxta.dll
Status: Hidden
Object: C:\Documents and Settings\Karla\Local Settings\Temp\geyekr000
Status: Hidden
These are the files that spybot kept flagging as the win32.tdss.rtk trojan. Sysprot and spybot have been the only utilities that have been able to find these files. I cannot see them browsing through the folders. Even with show hidden and system files options set. I can not see them browsing usinging the dos command prompt.
Bio-Hazard
2009-08-12, 12:16
Hello!
It is rootkit know as TDDS and combofix should have taken care of it. I am going to do script for you to when i get back home today.
In the meanwhile you can do this: delete the copy of Combofix and re download it and before you ave it. Save it as otherjohn.exe.
Otherjohn
2009-08-14, 23:49
Is that script ready? The wife is ready for me to just wipe the drive and start over so she can have her computer back.
Bio-Hazard
2009-08-15, 08:49
Hello!
Sorry for the delay. I had few family life problems. I do apologize for the delay. Make sure you have combofix on the desktop before you continue.
Run CFScript
Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
File::
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
C:\WINDOWS\system32\geyekrbuhylhmn.dll
C:\WINDOWS\system32\geyekrapjdskvl.dat
C:\WINDOWS\system32\geyekrxfenxvmc.dll
C:\WINDOWS\system32\geyekrnrndxrqt.dat
C:\WINDOWS\system32\geyekrornmbpxe.dll
C:\WINDOWS\system32\geyekrjwmeoxta.dll
Rootkit::
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
C:\WINDOWS\system32\geyekrbuhylhmn.dll
C:\WINDOWS\system32\geyekrapjdskvl.dat
C:\WINDOWS\system32\geyekrxfenxvmc.dll
C:\WINDOWS\system32\geyekrnrndxrqt.dat
C:\WINDOWS\system32\geyekrornmbpxe.dll
C:\WINDOWS\system32\geyekrjwmeoxta.dll
Driver::
geyekrttvogrql
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Refering to the picture below, drag CFScript into ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
A description of how your computer is behaving
Otherjohn
2009-08-15, 15:42
New combofix log
ComboFix 09-08-10.06 - Karla 08/15/2009 9:20.8.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.2023 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\otherjohn.exe
Command switches used :: c:\documents and settings\Karla\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\geyekrtivmlkya.sys"
"c:\windows\system32\geyekrapjdskvl.dat"
"c:\windows\system32\geyekrbuhylhmn.dll"
"c:\windows\system32\geyekrjwmeoxta.dll"
"c:\windows\system32\geyekrnrndxrqt.dat"
"c:\windows\system32\geyekrornmbpxe.dll"
"c:\windows\system32\geyekrxfenxvmc.dll"
.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.
2009-08-15 13:29 . 2009-08-15 13:29 -------- d-sh--w- C:\FOUND.007
2009-08-15 02:31 . 2009-08-15 02:31 -------- d-----w- c:\windows\system32\NtmsData
2009-08-15 01:41 . 2009-08-15 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 19:32 . 2009-08-14 19:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2009-08-12 09:40 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 00:32 . 2009-08-10 00:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 23:14 . 2009-08-09 23:15 -------- d-----w- c:\documents and settings\Karla\.idlerc
2009-08-09 02:58 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrjwmeoxta.dll
2009-08-08 23:04 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrornmbpxe.dll
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\Karla\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-21 01:22 . 2009-07-21 01:22 91 ------w- c:\windows\system32\geyekrnrndxrqt.dat
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-21 01:12 . 2009-08-15 13:24 17408 ----a-w- c:\windows\system32\geyekrxfenxvmc.dll
2009-07-21 01:11 . 2009-07-21 01:22 1384 ------w- c:\windows\system32\geyekrapjdskvl.dat
2009-07-21 01:11 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrbuhylhmn.dll
2009-07-21 01:11 . 2009-08-15 13:24 66048 ----a-w- c:\windows\system32\drivers\geyekrtivmlkya.sys
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 03:02 . 2006-06-01 21:59 118896 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 00:15 . 2009-08-15 00:15 251 ----a-w- c:\program files\wt3d.ini
2009-08-05 09:01 . 2004-08-11 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-17 19:01 . 2004-08-11 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 00:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 00:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 00:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 00:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 00:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-11 00:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 00:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-11 00:00 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-11 00:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 00:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-11 00:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-11 00:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-11 00:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-13_22.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 13:30 . 2009-08-15 13:30 16384 c:\windows\temp\Perflib_Perfdata_a2c.dat
+ 2008-01-15 22:43 . 2008-11-10 15:41 67472 c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 67472 c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2006-06-01 20:51 . 2009-08-15 00:20 76342 c:\windows\system32\perfc009.dat
+ 2008-01-15 22:43 . 2008-11-10 15:41 32656 c:\windows\system32\msonpmon.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
- 2008-01-15 22:44 . 2009-08-12 23:05 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-07-24 14:50 . 2006-07-24 14:50 47920 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\VBAME.DLL
+ 2006-07-24 14:50 . 2006-07-24 14:50 92976 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\MSADDNDR.DLL
+ 2008-01-15 22:41 . 2008-01-15 22:41 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\WORDPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12080 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\VBIDEPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 64288 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\VBIDEPIA.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 15672 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE
+ 2006-10-26 23:49 . 2006-10-26 23:49 34104 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\SETLANG.EXE
+ 2006-10-27 00:12 . 2006-10-27 00:12 40424 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\REFIEBAR.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12112 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\PPTPOL.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 46936 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OSETUPPS.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 18760 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OPHPROXY.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 16728 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OMUOPTINPS.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 23392 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OISCTRL.DLL
+ 2006-10-27 19:11 . 2006-10-27 19:11 54680 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFRHD.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 11544 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFICEPL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12104 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTAGPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 20280 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTAGPIA.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 43832 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSSH.DLL
+ 2006-10-27 19:26 . 2006-10-27 19:26 35152 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOSTYLE.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 67408 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPUI.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 32592 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPMON.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 66368 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOMSE.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 67896 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOHTMED.EXE
+ 2006-10-27 19:01 . 2006-10-27 19:01 76088 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOHEV.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 19768 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSMH.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 48424 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSE7.EXE
+ 2006-10-27 00:12 . 2006-10-27 00:12 89400 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\METCONV.DLL
+ 2006-10-27 01:41 . 2006-10-27 01:41 66368 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\INLAUNCH.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\GRAPHPOL.DLL
+ 2008-01-15 22:39 . 2008-01-15 22:39 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\EXCELPOL.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 53576 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\AUTHZAX.DLL
+ 2006-10-27 01:18 . 2006-10-27 01:18 94016 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\ACCOLK.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 10576 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11112 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11136 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11152 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11144 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 63336 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 19320 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 864144 c:\windows\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 864144 c:\windows\system32\spool\drivers\w32x86\3\msonpdrv.dll
+ 2006-06-01 20:51 . 2009-08-15 00:20 458654 c:\windows\system32\perfh009.dat
+ 2006-06-01 22:19 . 2009-08-15 03:00 391184 c:\windows\system32\FNTCACHE.DAT
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 19:23 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\bf155.msp
- 2008-01-15 22:44 . 2009-08-12 23:05 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-08-15 02:55 . 2009-08-15 02:55 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2009-06-20 03:56 . 2009-06-20 03:56 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-06-07 23:51 . 2007-06-07 23:51 125320 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\SSGEN.DLL
+ 2007-06-07 23:51 . 2007-06-07 23:51 465800 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL
+ 2006-10-27 00:49 . 2006-10-27 00:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\WRD12CVR.DLL
+ 2006-10-27 01:07 . 2006-10-27 01:07 368968 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\PPSLAX.DLL
+ 2006-10-20 12:37 . 2006-10-20 12:37 637744 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OGALEGIT.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 416544 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFICE.DLL
+ 2006-10-26 23:55 . 2006-10-26 23:55 145688 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTORE.EXE
+ 2006-10-26 18:47 . 2006-10-26 18:47 727840 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSPROOF6.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 864080 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPDRV.DLL
+ 2006-10-26 17:58 . 2006-10-26 17:58 290576 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSCDM.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 460616 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MODHELP.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 178488 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\IETAG.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 150320 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\GRAPHPIA.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 106824 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\DSSM.EXE
+ 2009-08-15 02:57 . 2009-08-15 02:57 609160 c:\windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Client.Internal.Host\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 118176 c:\windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 423784 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 870256 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 149352 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2008-11-21 03:06 . 2008-11-21 03:06 1194848 c:\windows\system32\FM20.DLL
+ 2009-04-04 21:10 . 2009-04-04 21:10 1282560 c:\windows\Installer\bf14a.msp
+ 2009-04-04 21:10 . 2009-04-04 21:10 7888384 c:\windows\Installer\bf142.msp
+ 2009-04-04 21:10 . 2009-04-04 21:10 9926144 c:\windows\Installer\bf138.msp
+ 2009-04-04 14:14 . 2009-04-04 14:14 1094656 c:\windows\Installer\bef65.msp
+ 2008-01-15 22:44 . 2009-08-15 02:58 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-10-26 18:47 . 2006-10-26 18:47 1512304 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\NLSD0000.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 1276720 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\EXCELPIA.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 1279848 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-04-04 21:09 . 2009-04-04 21:09 15190016 c:\windows\Installer\bef86.msp
+ 2009-04-04 15:36 . 2009-04-04 15:36 21390848 c:\windows\Installer\bef66.msp
+ 2009-04-04 21:08 . 2009-04-04 21:08 343058432 c:\windows\Installer\bf12d.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 09:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
"imagepath"="\systemroot\system32\drivers\geyekrtivmlkya.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\geyekrtivmlkya.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-15 9:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-15 13:34
ComboFix2.txt 2009-08-13 22:16
ComboFix3.txt 2009-08-11 22:02
Pre-Run: 30,040,981,504 bytes free
Post-Run: 30,144,987,136 bytes free
315 --- E O F --- 2009-08-12 23:06
Otherjohn
2009-08-15, 15:44
New HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:21 AM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
--
End of file - 6501 bytes
Otherjohn
2009-08-15, 15:52
Thanks for you help. I hope your real life problems were easier to fix then this piece of malware has been.
The system is running mostly normal. The restore from backup utilities won't load anymore. I don't know if that was the virus or something that got hosed while trying to remove it.
I noticed that you had combofix send a sample of the infected file out for analysis. Who exactly gets the file and which utility will be updated to kill it in the future? It is a bit unnerving that at least three different antivirus programs failed to detect this thing.
Otherjohn
2009-08-15, 16:07
Sysprot is still finding something. Here is the log. I'm ready to format and start over.
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\smss.exe
PID: 468
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\csrss.exe
PID: 532
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\winlogon.exe
PID: 560
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SERVICES.EXE
PID: 604
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\LSASS.EXE
PID: 616
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 792
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 804
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 864
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 936
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 988
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1072
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\spoolsv.exe
PID: 1368
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 1536
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 436
Hidden: No
Window Visible: No
Name: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PID: 756
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 920
Hidden: No
Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1084
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehRecvr.exe
PID: 1220
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\ehSched.exe
PID: 1312
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 1548
Hidden: No
Window Visible: No
Name: C:\WINDOWS\RTHDCPL.EXE
PID: 1636
Hidden: No
Window Visible: No
Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 1908
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1936
Hidden: No
Window Visible: No
Name: C:\Program Files\Launch Manager\LManager.exe
PID: 1948
Hidden: No
Window Visible: No
Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 1992
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1980
Hidden: No
Window Visible: No
Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 184
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\searchindexer.exe
PID: 196
Hidden: No
Window Visible: No
Name: C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PID: 216
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 1116
Hidden: No
Window Visible: No
Name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PID: 1600
Hidden: No
Window Visible: No
Name: C:\Program Files\Microsoft Office\Office\OSA.EXE
PID: 2188
Hidden: No
Window Visible: No
Name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 2248
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wscntfy.exe
PID: 2588
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wbem\wmiprvse.exe
PID: 2604
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wbem\wmiprvse.exe
PID: 2784
Hidden: No
Window Visible: No
Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2956
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\alg.exe
PID: 3228
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\wbem\unsecapp.exe
PID: 3236
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 4016
Hidden: No
Window Visible: No
Name: C:\WINDOWS\EXPLORER.EXE
PID: 2760
Hidden: No
Window Visible: No
Name: C:\WINDOWS\System32\ctfmon.exe
PID: 2508
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProt.exe
PID: 3880
Hidden: No
Window Visible: Yes
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Service Name: geyekrttvogrql
Module Base: ---
Module End: ---
Hidden: Yes
Module Name: \??\C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: AE3C4000
Module End: AE3CF000
Hidden: No
Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BACBC000
Module End: BACBF000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BACC0000
Module End: BACC4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BADAC000
Module End: BADAE000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BADAE000
Module End: BADB0000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BADB0000
Module End: BADB2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BADB2000
Module End: BADB4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BADB4000
Module End: BADB6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA72B000
Module End: BA74A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BADB6000
Module End: BADB8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: BA705000
Module End: BA72B000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BACC4000
Module End: BACC7000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BAE71000
Module End: BAE72000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\UBHelper.sys
Service Name: UBHelper
Module Base: BACC8000
Module End: BACCC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BACCC000
Module End: BACD0000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: BA6ED000
Module End: BA705000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA6D5000
Module End: BA6ED000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BACD0000
Module End: BACD4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BAB38000
Module End: BAB3D000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BACD4000
Module End: BACD8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA8F8000
Module End: BA906000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BACD8000
Module End: BACDC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA908000
Module End: BA911000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BACDC000
Module End: BACDF000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BAB40000
Module End: BAB47000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BACE0000
Module End: BACE4000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BAB48000
Module End: BAB4D000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BAB50000
Module End: BAB55000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BACE4000
Module End: BACE8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA918000
Module End: BA922000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA928000
Module End: BA936000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BAB58000
Module End: BAB60000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BAB60000
Module End: BAB67000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BAB68000
Module End: BAB70000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BAB70000
Module End: BAB76000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BAB78000
Module End: BAB7E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BADB8000
Module End: BADBA000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA938000
Module End: BA941000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: BA6BC000
Module End: BA6D5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BAB80000
Module End: BAB85000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA948000
Module End: BA952000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA958000
Module End: BA964000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA968000
Module End: BA974000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BAB88000
Module End: BAB8F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BADBA000
Module End: BADBC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BAB90000
Module End: BAB97000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BACE8000
Module End: BACEC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: BA690000
Module End: BA6BC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA978000
Module End: BA981000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA988000
Module End: BA995000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA670000
Module End: BA690000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA65E000
Module End: BA670000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA998000
Module End: BA9A1000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Fastfat.sys
Service Name: Fastfat
Module Base: BA63A000
Module End: BA65E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA623000
Module End: BA63A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA5F6000
Module End: BA623000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: BA9A8000
Module End: BA9B2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA5DC000
Module End: BA5F6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA9C8000
Module End: BA9D3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA9D8000
Module End: BA9E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA9E8000
Module End: BA9F3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA9F8000
Module End: BAA03000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: BAA08000
Module End: BAA16000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: BAD68000
Module End: BAD6B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: BA345000
Module End: BA4CC000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: BA331000
Module End: BA345000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: BAC00000
Module End: BAC05000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: BA30D000
Module End: BA331000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC08000
Module End: BAC10000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BAA18000
Module End: BAA23000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BAA28000
Module End: BAA38000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BAA38000
Module End: BAA47000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: BA2EA000
Module End: BA30D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Service Name: NTIDrvr
Module Base: BADBC000
Module End: BADBE000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BAC10000
Module End: BAC15000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: BA2C2000
Module End: BA2EA000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAA48000
Module End: BAA55000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
Service Name: DKbFltr
Module Base: BAC18000
Module End: BAC1D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BAC20000
Module End: BAC26000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: BA292000
Module End: BA2C2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADBE000
Module End: BADC0000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC28000
Module End: BAC2E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BAD70000
Module End: BAD74000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: BA21A000
Module End: BA292000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
Service Name: EMSCR
Module Base: BAA58000
Module End: BAA67000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: BA206000
Module End: BA21A000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
Service Name: ESMCR
Module Base: BA1F3000
Module End: BA206000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
Service Name: ESDCR
Module Base: BAA68000
Module End: BAA72000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAF18000
Module End: BAF19000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: BADC0000
Module End: BADC2000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BAC30000
Module End: BAC38000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Service Name: irda
Module Base: BAC38000
Module End: BAC3D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BAC40000
Module End: BAC45000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BAA78000
Module End: BAA85000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BAD78000
Module End: BAD7B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: BA1DC000
Module End: BA1F3000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BAA88000
Module End: BAA93000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BAA98000
Module End: BAAA4000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: BA12B000
Module End: BA13C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BAAA8000
Module End: BAAB1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC48000
Module End: BAC4D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC50000
Module End: BAC55000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Service Name: RimVSerPort
Module Base: BAC58000
Module End: BAC5F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: BA0FB000
Module End: BA12B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BAAB8000
Module End: BAAC2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADC2000
Module End: BADC4000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: BA075000
Module End: BA0D3000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BAD8C000
Module End: BAD90000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BAAC8000
Module End: BAAD2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BAAF8000
Module End: BAB07000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: B1B71000
Module End: B1FAC000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B1B4D000
Module End: B1B71000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BAB08000
Module End: BAB17000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Service Name: HSXHWAZL
Module Base: B1B13000
Module End: B1B4D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Service Name: HSF_DPV
Module Base: B1A1C000
Module End: B1B13000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Service Name: winachsf
Module Base: B1965000
Module End: B1A1C000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: BA500000
Module End: BA503000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BADC6000
Module End: BADC8000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAF6B000
Module End: BAF6C000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BADC8000
Module End: BADCA000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAC80000
Module End: BAC87000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BAC88000
Module End: BAC8E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BADCA000
Module End: BADCC000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BADCC000
Module End: BADCE000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BAC90000
Module End: BAC95000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BAC98000
Module End: BACA0000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BA4F8000
Module End: BA4FB000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B182A000
Module End: B183D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B17D1000
Module End: B182A000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B1781000
Module End: B17A9000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B175B000
Module End: B1781000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA5BC000
Module End: BA5C5000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B1739000
Module End: B175B000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA5AC000
Module End: BA5B5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B170E000
Module End: B1739000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B169E000
Module End: B170E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA58C000
Module End: BA597000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\BisonCam.sys
Service Name: Cam5603D
Module Base: B15D9000
Module End: B169E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\STREAM.SYS
Service Name: ---
Module Base: BA56C000
Module End: BA579000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA55C000
Module End: BA56C000
Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B1580000
Module End: B1598000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BADCE000
Module End: BADD0000
Hidden: Yes
Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: BA0EF000
Module End: BA0F2000
Hidden: No
Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BACA0000
Module End: BACA5000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAE84000
Module End: BAE85000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\irda.sys
Service Name: ---
Module Base: AF212000
Module End: AF228000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AF35C000
Module End: AF360000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AEFF5000
Module End: AF00A000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AF14A000
Module End: AF159000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: AED70000
Module End: AED9D000
Hidden: No
Module Name: \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Service Name: DritekPortIO
Module Base: AEDCD000
Module End: AEDD1000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: AEB77000
Module End: AEBB8000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\int15.sys
Service Name: int15
Module Base: AEB3E000
Module End: AEB4F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: AED54000
Module End: AED58000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: AEAEC000
Module End: AEB3E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: AECB8000
Module End: AECC2000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\tvicport.sys
Service Name: tvicport
Module Base: AEB4F000
Module End: AEB52000
Hidden: No
Module Name: \??\C:\WINDOWS\system32\drivers\zntport.sys
Service Name: zntport
Module Base: BAF0C000
Module End: BAF0D000
Hidden: No
Module Name: \??\C:\otherjohn\catchme.sys
Service Name: catchme
Module Base: B18AD000
Module End: B18B5000
Hidden: Yes
Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: BAE0A000
Module End: BAE0C000
Hidden: Yes
Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: ADFD1000
Module End: ADFFC000
Hidden: No
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: COMPUTADORA.SERENITY:2869
Remote Address: 192.168.0.1:1092
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: CLOSE_WAIT
Local Address: COMPUTADORA.SERENITY:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: COMPUTADORA:27015
Remote Address: LOCALHOST:1029
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED
Local Address: COMPUTADORA:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING
Local Address: COMPUTADORA:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING
Local Address: COMPUTADORA:1032
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\alg.exe
State: LISTENING
Local Address: COMPUTADORA:1029
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED
Local Address: COMPUTADORA:9999
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
State: LISTENING
Local Address: COMPUTADORA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING
Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: COMPUTADORA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING
Local Address: COMPUTADORA.SERENITY:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA.SERENITY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA.SERENITY:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: COMPUTADORA.SERENITY:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: COMPUTADORA.SERENITY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:1038
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA
Local Address: COMPUTADORA:56324
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA
Local Address: COMPUTADORA:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA
Local Address: COMPUTADORA:1030
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\spoolsv.exe
State: NA
Local Address: COMPUTADORA:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: COMPUTADORA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA
Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
No hidden files/folders found
Bio-Hazard
2009-08-15, 20:52
Hello!
Thanks for you help. I hope your real life problems were easier to fix then this piece of malware has been.You are welcome. I am truly sorry for the delay. Yes it was easily solved.
The system is running mostly normal. The restore from backup utilities won't load anymore. I don't know if that was the virus or something that got hosed while trying to remove it.That could be the case.
I noticed that you had combofix send a sample of the infected file out for analysis. Who exactly gets the file and which utility will be updated to kill it in the future? It is a bit unnerving that at least three different antivirus programs failed to detect this thing.Thes files will go to the author of Combofix so he can add them to Combofix. Some files also be shared with antivirus companies. Well no antivirus program is 100% secure unfornately.
I'm ready to format and start over.If you want to do this i fully understand. Sometimes it is best way. let me know what you want to do?
Run CFScript
Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
File::
C:\FOUND.007
c:\windows\system32\geyekrjwmeoxta.dll
c:\windows\system32\geyekrornmbpxe.dll
c:\windows\system32\geyekrnrndxrqt.dat
c:\windows\system32\geyekrxfenxvmc.dll
c:\windows\system32\geyekrapjdskvl.dat
c:\windows\system32\geyekrbuhylhmn.dll
c:\windows\system32\drivers\geyekrtivmlkya.sys
Driver::
geyekrttvogrql
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Refering to the picture below, drag CFScript into ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
Otherjohn
2009-08-16, 02:11
I decided to go with the format and reinstall of Windows. This thing has been too resistant to treatment for me not to always be wondering if we got it all.
I've done the format (not the quick format) and used the restore disks to get it back to the original factory condition. Now I'm working
on the windows updates to get all the service packs and security patches in place.
Thank you for your help. I hope the samples from the last combofix run are enough to crack that thing and get the fixes built in to all the anti malware programs out there.
Can you recommend a good package of security programs to prevent this from happening again? The AVG/ Spybot combo I was using wasn't up to the task.
John
Bio-Hazard
2009-08-16, 22:02
Re-format and Reinstall
I'll respect you decision to do a Re-format and Reinstall.
Please make sure that you know what to do before beginning the operation.
Here are a few links that propably help:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)
Then there are a couple of things you should do immediately after installing Windows and before surfing the net.
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
Set correct settings for files
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under Hidden files and folders if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check Display content of system folders
If necessary Uncheck Hide file extensions for known file types.
Click OK
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Here are few FREE alternatives:
Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html)- Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
AVG Anti-Virus Free Edition (http://free.avg.com/223204) - Free edition of the AVG anti-virus program for Windows.
Install and use a firewall with outbound protection
The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
NOTE: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Here are few FREE alternatives:
Online-Armor Free (http://www.tallemu.com/downloads.html)
PC Tools Firewall Plus (http://www.pctools.com/firewall/download/) (If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so, unless you want it.)
Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm) (Free version after 30 days.)
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE (http://surfthenetsafely.com/ieseczone8.htm)
Recommended Programs
I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)
Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints >Malware Complaints< (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy surfing and stay clean!
Bio-Hazard
Otherjohn
2009-08-17, 13:38
Thanks again for your help.
Bio-Hazard
2009-08-17, 15:05
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.