PDA

View Full Version : Random websites opening in tabs in Firefox. Possible remnant from removed w32.unruy!?



Corran
2010-09-21, 18:26
I got infected on the 17th. Thanks to Desktop Armor I caught it immediately and after quite a few steps I managed to remove it all, or so I thought...

Background: a file called dloa4.dll appeared in my system32 directory and according to VirusTotal is was w32.unruy!gen2 / backdoor.tidserv!gen5 (depending on the vendor).

It was a pretty nasty piece of work which managed to infect Desktop Armor (of all things). It placed a copy with the same .exe but with a space behind the name.

Anyway, I thought I removed it all. PrevX keeps saying cmenu.exe is still infected even though I uninstalled it and downloaded a new version from the original website (http://www.msfn.org/board/topic/47645-cmenu/). Before all this happenend PrevX never found any faults with cmenu.

So even though no other scanners (Malwarebytes' Anti-Malware, SUPERAntiSpyware, Symantec's online scan) can find anything I am getting tabs opened in Firefox without me doing anything.

It doesn't happen very often (less than once per hour) and I can't really find a common theme. I'm usually just reading a webpage and all of a sudden a new tab will open with a random website, which often gets replaced by a different one before even showing anything. One of the sites opened was a clickstill.org URL (which is an unsafe website according to Google).

I hope it's possible to find out what's causing this. My DDS log is below.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:04:35.75 on di 21-09-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3184 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Desktop Armor\DesktopArmor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Armor\DesktopArmor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\DL\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.babylon.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Desktop Armor] c:\program files\desktop armor\DesktopArmor.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mPolicies-system: ShellState = 2400000038080000000000000000000000000000010000000d0000000000000000000000
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260588341656
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260491978250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: cbXPhFUK - cbXPhFUK.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMcdBrp
IFEO: notepad.exe - c:\program files\notepad2\Notepad2.exe
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\administrator\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\administrator\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\administrator\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionNone", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrl", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionCtrlShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAlt", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.ActionAltCtrl", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationNone", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrl", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationCtrlShift", "1");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAlt", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltShift", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationShift", "2");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.LocationAltCtrl", "0");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.contextmenuoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.country2Search", 80);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hotkeySelectionToggles", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.searchoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.historyoption", true);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.history", "googlebar");
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.maxHistCnt", 10);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.savelastoption", false);
c:\program files\mozilla firefox\defaults\pref\googlebar.js - user_pref("googlebar.hidemenuoption", false);

============= SERVICES / DRIVERS ===============

R0 iastor75;iastor75;c:\windows\system32\drivers\iaStor75.sys [2007-7-27 304920]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-3-2 30320]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2007-8-7 131840]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2007-8-7 4608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-7-28 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 67656]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-9-18 73216]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-9-18 24400]
S1 c58da826;c58da826;c:\windows\system32\drivers\c58da826.sys --> c:\windows\system32\drivers\c58da826.sys [?]
S2 axjpawva;Microsoft IntelliPoint Filter Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 csiscanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-3-2 6405168]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 OODefragAgent;O&O Defrag Agent;c:\program files\oo software\defrag\oodag.exe [2010-9-10 2320712]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate1c9acbca60618c;Google Updateservice (gupdate1c9acbca60618c);c:\program files\google\update\GoogleUpdate.exe [2009-3-24 133104]
S4 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]

=============== Created Last 30 ================

2010-09-21 11:23:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-21 05:55:15 10208 ----a-w- c:\windows\system32\oodbs.lor
2010-09-20 12:55:24 42 ----a-w- c:\windows\oodjobd.INI
2010-09-20 12:48:01 0 d-----w- c:\program files\OO Software
2010-09-18 20:11:08 73216 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-09-18 20:11:07 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-09-17 04:54:55 685972 ----a-w- c:\windows\umcat_01.db
2010-09-12 12:50:01 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-11 14:20:47 0 d-----w- c:\docume~1\admini~1\applic~1\Chime
2010-09-11 14:20:41 0 d-----w- c:\program files\Microsoft XNA
2010-09-10 11:02:08 1556808 ----a-w- c:\windows\system32\ooscrsav.scr
2010-09-10 11:01:14 275272 ----a-w- c:\windows\system32\oodbs.exe
2010-09-10 10:59:50 535880 ----a-w- c:\windows\system32\oodssrs.dll
2010-09-10 10:59:26 9544 ----a-w- c:\windows\system32\oodbsrs.dll
2010-09-09 19:28:18 0 d-----w- c:\docume~1\admini~1\applic~1\Mumble
2010-09-09 19:28:08 0 d-----w- c:\program files\Mumble
2010-08-28 01:59:06 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-28 01:59:06 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-28 01:59:06 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-28 01:59:05 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-28 01:59:05 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-28 01:59:05 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-28 01:59:05 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-08-28 01:59:05 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll

==================== Find3M ====================

2010-09-21 11:23:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-20 01:09:39 234280 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-19 22:56:56 137976 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-09-18 20:11:08 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-09-17 04:25:27 10760 ----a-w- c:\windows\system32\drivers\PROCEXP90.SYS
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-26 17:47:34 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-26 17:47:32 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-09 14:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-07-09 14:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-07-09 14:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-09 14:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2010-07-09 14:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-07-09 14:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-07 11:46:46 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 15:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2008-08-19 08:17:32 8 --sh--r- c:\windows\system32\21847BA199.sys
2009-12-21 14:57:29 1994 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:05:53.06 ===============

Corran
2010-09-24, 07:34
The issue has been resolved.

tashi
2010-09-24, 09:37
Thank you for letting us know. :)