Win32:VB-KQC [Trj] + slow PC + other issues? (Resolved)

armuk · Jun 27, 2009

Hello,

Only recently found out that had malware on my PC. I have Avast! Antivirus and usually just let it run in its default setting of 'Resident Protection', but recently decided to run a full-system scan.

It first came up with 2 instances of some 'WinLogin' virus (can't remember exactly what it was) and prompted for action, for which I (rather foolishly, in hindsight) chose 'Delete' rather than the recommended action of 'Move to Virus Vault'. I'm not sure what exactly it caused, but the PC and all my applications froze and I had to shut down. After turning back on, I noticed a drop in speed, so think in trying to delete it, I may have activated the trojan (?).

A further scan also came up with 3 cases of 'Win32:VB-KQC' which I moved to virus vault this time. However the PC slowness continued, so I suspect I may still have some malware on my system, unresolved or unknown to me.

My HJT log is below. Though the date says 14 Jun, it is the latest, as I have not since turned on the PC and have disconnected it from the Internet too. (This is from a friend's PC).

Any help/advice would be much appreciated. - Dan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:57 PM, on 6/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {546EF2E6-E29B-46C0-8FF7-04DAA301A4D8} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

--
End of file - 3922 bytes

katana · Jun 28, 2009

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

armuk · Jun 30, 2009

Many thanks for the response. The requested logs are below.

= RSIT =

INFO.TXT

info.txt logfile of random's system information tool 1.06 2009-06-29 10:56:04

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\WINDOWS\system32\WSBar.dll,VoilaBarUnInstall
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class

ISPLAY -clean
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office FrontPage 2003-->MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Speech API 3.0-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\spchapi.inf, Uninstall
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
ML-1510_700 Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC411126-8CDE-4B7C-950F-4197C931B0C8}\setup.exe"
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RTLSetup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics TouchPad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe

======Hosts File======

127.0.0.1 bkav.com.vn
127.0.0.1 www.bkav.com.vn
127.0.0.1 download.com.vn
127.0.0.1 www.download.com.vn
127.0.0.1 9down.com
127.0.0.1 www.9down.com
127.0.0.1 download.eset.com
127.0.0.1 www.download.com
127.0.0.1 download.f-secure.com
127.0.0.1 mirror02.gdata.de

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090428-0] (outdated)

======System event log======

Computer Name: DTS
Event Code: 7000
Message: The AOL Spyware Protection Service service failed to start due to the following error:
The system cannot find the path specified.

Record Number: 204232
Source Name: Service Control Manager
Time Written: 20080921222321.000000+120
Event Type: error
User:

Computer Name: DTS
Event Code: 7001
Message: The Infrared Monitor service depends on the IrDA Protocol service which failed to start because of the following error:
The system cannot find the file specified.

Record Number: 204231
Source Name: Service Control Manager
Time Written: 20080921222321.000000+120
Event Type: error
User:

Computer Name: DTS
Event Code: 7000
Message: The IrDA Protocol service failed to start due to the following error:
The system cannot find the file specified.

Record Number: 204230
Source Name: Service Control Manager
Time Written: 20080921222321.000000+120
Event Type: error
User:

Computer Name: DTS
Event Code: 877
Message: There was error [DATABASE OPEN FAILED] processing the driver database.

Record Number: 204226
Source Name: Application Popup
Time Written: 20080921222046.000000+120
Event Type: error
User:

Computer Name: DTS
Event Code: 877
Message: There was error [DATABASE NOT LOADED] processing the driver database.

Record Number: 204225
Source Name: Application Popup
Time Written: 20080921222046.000000+120
Event Type: error
User:

=====Application event log=====

Computer Name: DTS
Event Code: 1000
Message: Faulting application firefox.exe, version 1.8.20070.6982, faulting module npswf32.dll, version 9.0.16.0, fault address 0x000016ef.

Record Number: 17
Source Name: Application Error
Time Written: 20070902171901.000000+120
Event Type: error
User:

Computer Name: DTS
Event Code: 1517
Message: Windows saved user DTS\see registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 13
Source Name: Userenv
Time Written: 20070901170958.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: DTS
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 12
Source Name: Userenv
Time Written: 20070901170840.000000+120
Event Type: warning
User: DTS\see

Computer Name: DTS
Event Code: 1517
Message: Windows saved user DTS\see registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5
Source Name: Userenv
Time Written: 20070829115727.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: DTS
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 4
Source Name: Userenv
Time Written: 20070829115620.000000+120
Event Type: warning
User: DTS\see

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;;;
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0800
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

LOG.TXT

Logfile of random's system information tool 1.06 (written by random/random)
Run by see at 2009-06-29 10:55:11
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 3 GB (10%) free of 29 GB
Total RAM: 239 MB (29% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:58 AM, on 6/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\see\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\see.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {546EF2E6-E29B-46C0-8FF7-04DAA301A4D8} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

--
End of file - 3931 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2002-05-17 126976]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2002-05-17 540672]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2002-04-08 28672]
"ATIPTA"=C:\WINDOWS\system32\atiptaxx.exe [2002-04-08 286720]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Cpqset"=c:\compaq\cpqsetup\cpqset.exe [2002-05-09 172101]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=8

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2009-06-29 10:55:11 ----D---- C:\rsit

======List of files/folders modified in the last 1 months======

2009-06-29 10:54:42 ----D---- C:\WINDOWS\Prefetch
2009-06-14 20:30:13 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 19:11:09 ----D---- C:\WINDOWS\Temp
2009-06-05 13:51:02 ----A---- C:\WINDOWS\SchedLgU.Txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 Cnxtdiag;Cnxtdiag; C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys [2001-10-04 17776]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\fallback.sys [2001-10-04 308403]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\fsksnt.sys [2001-10-04 124189]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\k56nt.sys [2001-10-04 427215]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\faxnt.sys [2001-10-04 215195]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\tonesnt.sys [2001-10-04 59375]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\v124nt.sys [2001-10-04 539917]
R3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-04 231552]
R3 ALiIRDA;ALi Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\alifir.sys [2001-08-17 26624]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2002-04-08 418944]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 NZLMirror1;NZLMirror1; C:\WINDOWS\System32\DRIVERS\NZLMirror1.sys [2003-02-05 2998]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rtl8139;Realtek RTL8139/810X Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-06-03 45312]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2002-05-17 256304]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S1 ClntMgmt.sys;ClntMgmt.sys; C:\WINDOWS\System32\Drivers\ClntMgmt.sys []
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-03 42496]
S2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys []
S2 npkcrypt;npkcrypt; \??\C:\H - Back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.][.C4.retail.updated.5.sep.06_by_KrVoLoK\Lineage II C4\system\npkcrypt.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys []
S3 allegro;ESS Allegro Audio Driver (WDM); C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
S3 ATICDSDr;ATICDSDr; \??\C:\DOCUME~1\see\LOCALS~1\Temp\ATICDSDr.sys []
S3 atimpab;atimpab; C:\WINDOWS\System32\DRIVERS\atimpab.sys [2001-08-17 289664]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\Common Files\AOL\ACS\ATWPKT2.SYS []
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\basic2.sys [2001-10-04 76610]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2004-10-15 15295]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 DCamUSBSQTECH;Dual-Mode DSC(2770); C:\WINDOWS\System32\Drivers\SQcaptur.sys [2003-01-10 30921]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-03 606684]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PCANDIS5;PCANDIS5 Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS []
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\rksample.sys [2001-10-04 67222]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\System32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys []
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\system32\DRIVERS\usbcm.sys [2002-04-11 13335]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2001-10-04 585200]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2004-08-03 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-12 57344]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S2 AOLService;AOL Spyware Protection Service; C:\PROGRA~1\AOLSPY~1\\aolserv.exe []
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\atievxx.exe [2001-08-18 37376]
S2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2004-09-22 38912]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

= GMER =

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-01 00:37:30
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5ED86B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5ED8574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5ED8A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5ED814C]
SSDT sptd.sys ZwEnumerateKey [0xF975EA92]
SSDT sptd.sys ZwEnumerateValueKey [0xF975EE20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5ED864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5ED808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5ED80F0]
SSDT sptd.sys ZwQueryKey [0xF975EEF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5ED876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5ED872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5ED88AE]

INT 0x33 ? FBD8D044

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F947162C 5 Bytes JMP 8119C508
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F976D97E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F976D92A] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9788B4E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F976D97E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F9759AB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F9759BFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F9759B7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F975A728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F975A5FE] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F976CC5A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[656] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00510002
IAT C:\WINDOWS\system32\services.exe[656] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00510000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 812D71E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 811F11E8

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{B13570C5-4A3E-4B05-B09B-D8D1705E6F7B} FF9251E8
Device \Driver\usbohci \Device\USBPDO-0 8119B1E8
Device \Driver\usbohci \Device\USBPDO-1 8119B1E8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 813441E8
Device \Driver\Cdrom \Device\CdRom0 FFB94878
Device \Driver\atapi \Device\Ide\IdePort0 812D81E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 812D81E8
Device \Driver\atapi \Device\Ide\IdePort1 812D81E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 812D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume6 813441E8
Device \Driver\NetBT \Device\NetBt_Wins_Export FF9251E8
Device \Driver\USBSTOR \Device\00000092 FFA66980
Device \Driver\NetBT \Device\NetbiosSmb FF9251E8
Device \Driver\USBSTOR \Device\00000093 FFA66980

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 8119B1E8
Device \Driver\usbohci \Device\USBFDO-1 8119B1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FF8781E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector FF8781E8
Device \Driver\Ftdisk \Device\FtControl 813441E8
Device \FileSystem\Fastfat \Fat 811F11E8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs FFAB23C0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1102593953
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -956433337
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFC 0x52 0xF8 0xAF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFC 0x52 0xF8 0xAF ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 5E822A2777780AA116DC5889961C06A614E06BA6160D2A0F1D319B73472EBB5011F5A8967EAFA0C42993229878D70FAD
---- EOF - GMER 1.0.15 ----

katana · Jul 1, 2009

Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

MalwareBytes Log
Combofix Log
Kaspersky Log
How are things running now ?

armuk · Jul 6, 2009

Thanks for the advice. I followed it and all the logs are below.

Yes my PC does seem to be running quicker now, and I haven't had any strange occurrences, freezes/crashes, etc, so it does seem to be better now.

But one thing I'm a bit uncertain is that the Combofix log seems to say (I think) that MS Paint and Calculator in 'Accessories' are infected, but doesn't seem to have removed them. Would this be a concern and require any action?

= Malwarebytes' Anti-Malware =

Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 5.1.2600 Service Pack 2

7/5/2009 11:29:17 PM
mbam-log-2009-07-05 (23-29-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142176
Time elapsed: 52 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\swin32.sdwin32 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\swin32.sdwin32.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

= COMBOFIX =

ComboFix 09-07-05.01 - see 07/06/2009 1:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.137 [GMT 2:00]
Running from: c:\documents and settings\see\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\168daa7.msp
c:\windows\Installer\28bcfe.msi
c:\windows\kdcoms.dll
c:\windows\pi.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mspaint.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-05 19:17 . 2009-07-05 19:17 -------- d-----w- c:\windows\LastGood
2009-07-05 18:45 . 2009-07-05 18:45 -------- d-----w- c:\documents and settings\see\Application Data\Malwarebytes
2009-07-05 18:43 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 18:43 . 2009-07-05 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 18:42 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 18:42 . 2009-07-05 18:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 08:55 . 2009-06-29 08:56 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 18:30 . 2004-07-15 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 10:19 . 2009-04-14 10:20 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 540672]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 172101]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-08 28672]
"ATIPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"eabconfg.cpl"=c:\program files\Compaq\EAB\EabServr.exe /Start
"Cpqset"=c:\compaq\cpqsetup\cpqset.exe
"ATIModeChange"=Ati2mdxx.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9392:TCP"= 9392:TCP:9392 TCP
"9392:UDP"= 9392:UDP:9392 UDP
"15946:TCP"= 15946:TCP:15946 TCP
"15946:UDP"= 15946:UDP:15946 UDP
"14327:TCP"= 14327:TCP:14327 TCP
"14327:UDP"= 14327:UDP:14327 UDP
"55132:TCP"= 55132:TCP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2009 1:21 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2009 1:21 PM 20560]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [9/19/2002 4:30 AM 26624]
R3 NZLMirror1;NZLMirror1;c:\windows\system32\drivers\NZLMirror1.sys [2/5/2003 12:53 AM 2998]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\see\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\see\LOCALS~1\Temp\ATICDSDr.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ntl.com\register-tesco.qa.business
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://d:\content\include\msSecUcd.cab
FF - ProfilePath - c:\documents and settings\see\Application Data\Mozilla\Firefox\Profiles\tj470amp.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 01:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
[.C4.retail.updated.5.sep.06_by_KrVoLoK\Lineage II C4\system\npkcrypt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npkcrypt]
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="5E822A2777780AA116DC5889961C06A614E06BA61

Completion time: 2009-07-05 1:15
ComboFix-quarantined-files.txt 2009-07-05 23:15

Pre-Run: 3,825,254,400 bytes free
Post-Run: 3,829,518,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

130 --- E O F --- 2009-07-05 22:24

= KASPERSKY ONLINE SCANNER =

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 05, 2009 21:12:41
Records in database: 2430157
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 47282
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:10:13

No malware has been detected. The scan area is clean.

The selected area was scanned.

katana · Jul 6, 2009

Information

But one thing I'm a bit uncertain is that the Combofix log seems to say (I think) that MS Paint and Calculator in 'Accessories' are infected, but doesn't seem to have removed them.

I suspect that may be a false positive, but let's upload them and check to make sure.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

http://forums.spybot.info/showthread.php?p=321132#post321132
Suspect::[4]
c:\windows\system32\calc.exe
c:\windows\system32\mspaint.exe
c:\windows\system32\drivers\NZLMirror1.sys
Driver::
ATICDSDr

ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

armuk · Jul 6, 2009

Made the CFScript ans ran the Combofix as you advised; log is below.

It seems that MS Paint and Calculator were infected after all, strangely. So does this mean they have been deleted and/or I won't be able to use them (or shouldn't use them) anymore?

Thanks again for all your help so far, much appreciated.

ComboFix 09-07-05.04 - see 07/06/2009 20:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.84 [GMT 2:00]
Running from: c:\documents and settings\see\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\see\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\Suspect_calc.exe.vir
file zipped: c:\windows\system32\drivers\Suspect_NZLMirror1.sys.vir
file zipped: c:\windows\system32\Suspect_mspaint.exe.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mspaint.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ATICDSDr

((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-05 23:59 . 2009-07-05 23:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-05 23:57 . 2009-07-05 23:57 152576 ----a-w- c:\documents and settings\see\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-05 18:45 . 2009-07-05 18:45 -------- d-----w- c:\documents and settings\see\Application Data\Malwarebytes
2009-07-05 18:43 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 18:43 . 2009-07-05 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 18:42 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 18:42 . 2009-07-05 18:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 08:55 . 2009-06-29 08:56 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 23:58 . 2007-08-15 11:32 -------- d-----w- c:\program files\Java
2009-06-14 18:30 . 2004-07-15 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 15:44 . 2001-08-18 14:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2001-08-18 14:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2001-08-18 14:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-18 14:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 10:19 . 2009-04-14 10:20 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.

------- Sigcheck -------

[-] 2001-08-18 14:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2004-08-03 23:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-03 23:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2001-08-18 14:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-03 23:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[7] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\dllcache\user32.dll

[-] 2001-08-18 14:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2004-08-03 23:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[-] 2004-08-03 23:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[7] 2004-09-29 18:27 656896 2C07195588D69A067C2AFDAA31759295 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[7] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[7] 2005-05-02 20:57 658944 E1E18136F9DD3DF1AD9C82193A5898A6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[7] 2005-03-10 07:43 657920 C8663B488996E89A84C3D17C1D12B79E c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[7] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[7] 2005-07-03 02:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[7] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[7] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[7] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[7] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[7] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[7] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[7] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[7] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[7] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[7] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[7] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[7] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
[7] 2008-04-21 06:56 666624 2E7DE1BF9418B071799EB53DE8CC22F5 c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[7] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[7] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
[7] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[7] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$hf_mig$\KB956390\SP2QFE\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
[7] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[7] 2008-10-16 10:20 667648 93C9D0A216498EE14EB9B26119BB95EE c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[7] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[7] 2009-02-20 08:14 668160 1EA0E6DD74199209D60991FD46CE8643 c:\windows\$hf_mig$\KB963027\SP2QFE\wininet.dll
[7] 2009-02-20 08:10 666112 5B6A3EB7BB2F338BC2CB9F2FA4AAEA9E c:\windows\$hf_mig$\KB963027\SP3GDR\wininet.dll
[7] 2009-02-20 07:50 667648 711FEABED387B29FF7ED61BC6806A06C c:\windows\$hf_mig$\KB963027\SP3QFE\wininet.dll
[7] 2009-04-29 04:31 668160 9E36A148748C5DE4EA1F47B9B625F412 c:\windows\$hf_mig$\KB969897\SP2QFE\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\$hf_mig$\KB969897\SP3GDR\wininet.dll
[7] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[-] 2001-08-18 14:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2009-02-20 08:30 659456 F1DBF177AA0DB2150E626595D0EFF604 c:\windows\$NtUninstallKB969897$\wininet.dll
[-] 2004-08-03 23:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2007-04-18 12:31 658944 B7156CD97E739F3014BC4D61758F868A c:\windows\SoftwareDistribution\Download\493760be868721503b9abd615f71e312\sp2gdr\wininet.dll
[7] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\SoftwareDistribution\Download\493760be868721503b9abd615f71e312\sp2qfe\wininet.dll
[7] 2009-04-29 04:52 659456 9D6E5AEB8F237E03D5892951EB3D6A7E c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp2gdr\wininet.dll
[7] 2009-04-29 04:31 668160 9E36A148748C5DE4EA1F47B9B625F412 c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp2qfe\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp3gdr\wininet.dll
[7] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp3qfe\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
[7] 2009-04-29 04:52 659456 9D6E5AEB8F237E03D5892951EB3D6A7E c:\windows\system32\wininet.dll
[7] 2009-04-29 04:52 659456 9D6E5AEB8F237E03D5892951EB3D6A7E c:\windows\system32\dllcache\wininet.dll

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2001-08-18 14:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2004-08-03 22:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2001-08-18 14:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2004-08-03 23:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-03 23:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2001-08-18 14:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2004-08-03 22:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2004-08-03 22:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2004-08-03 22:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[7] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-07 17:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 14:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2001-08-18 14:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2001-08-18 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtUninstallQ317277$\ntkrnlpa.exe
[-] 2002-08-29 08:04 1947904 0E8EFB15746878A9B256E75267337233 c:\windows\$NtUninstallQ811493$\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2004-08-03 21:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[7] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-07 17:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 15:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2001-08-18 14:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2001-08-18 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtUninstallQ317277$\ntoskrnl.exe
[-] 2002-08-29 09:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\$NtUninstallQ811493$\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2004-08-03 22:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[7] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2001-08-18 14:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-03 23:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\system32\dllcache\explorer.exe

[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2001-08-18 14:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2004-08-03 23:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\system32\dllcache\services.exe

[-] 2001-08-18 14:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2004-08-03 23:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
[-] 2004-08-03 23:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2001-08-18 14:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2004-08-03 23:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-03 23:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2001-08-18 14:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-03 23:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2004-08-03 23:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
[7] 2008-10-16 12:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 12:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2001-08-18 14:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2004-08-03 23:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2004-08-03 23:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2001-08-18 14:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2001-08-18 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtUninstallQ311889$\termsrv.dll
[-] 2004-08-03 23:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2004-08-03 23:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[7] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[7] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2001-08-18 14:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2004-08-03 23:56 983552 888190E31455FAD793312F8D087146EB c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll

[-] 2001-08-18 14:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2004-08-03 23:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2004-08-03 23:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2001-08-18 14:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2004-08-03 23:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[-] 2004-08-03 23:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2001-08-18 14:00 1562112 9E415EFDF50F26BCBC97C80F4E6C30CC c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2004-08-03 23:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2004-08-03 23:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2001-08-18 14:00 23424 9C30CD464D87102497FD7C32910E6253 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2004-08-03 21:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys
[-] 2004-08-03 21:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-05_23.09.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 18:25 . 2009-07-06 18:25 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2009-07-06 18:25 . 2009-07-06 18:25 16384 c:\windows\Temp\Perflib_Perfdata_568.dat
+ 2009-07-06 15:28 . 2009-07-06 15:28 16384 c:\windows\Temp\Perflib_Perfdata_544.dat
+ 2001-08-18 14:00 . 2009-04-29 04:52 39424 c:\windows\system32\pngfilt.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 39424 c:\windows\system32\pngfilt.dll
+ 2009-07-06 15:25 . 2009-07-06 15:25 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2001-08-18 14:00 . 2009-02-20 08:30 16384 c:\windows\system32\jsproxy.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 16384 c:\windows\system32\jsproxy.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 96256 c:\windows\system32\inseng.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 96256 c:\windows\system32\inseng.dll
+ 2004-08-04 07:56 . 2009-04-29 04:52 55808 c:\windows\system32\extmgr.dll
- 2004-08-04 07:56 . 2009-02-20 08:30 55808 c:\windows\system32\extmgr.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 16384 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 96256 c:\windows\system32\dllcache\inseng.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 96256 c:\windows\system32\dllcache\inseng.dll
+ 2009-02-20 08:30 . 2009-04-29 04:52 81920 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 08:30 . 2009-02-20 08:30 81920 c:\windows\system32\dllcache\ieencode.dll
- 2006-09-07 08:55 . 2009-02-19 09:58 18432 c:\windows\system32\dllcache\iedw.exe
+ 2006-09-07 08:55 . 2009-04-27 09:17 18432 c:\windows\system32\dllcache\iedw.exe
- 2006-09-07 08:55 . 2009-02-20 08:30 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2006-09-07 08:55 . 2009-04-29 04:52 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2007-02-10 11:29 . 2009-07-06 14:25 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-02-10 11:29 . 2009-05-02 14:42 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-02-10 11:29 . 2009-07-06 14:25 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-02-10 11:29 . 2009-05-02 14:42 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-02-10 11:29 . 2009-05-02 14:42 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-02-10 11:29 . 2009-07-06 14:25 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-02-10 11:29 . 2009-07-06 14:25 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-02-10 11:29 . 2009-05-02 14:42 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 18:05 . 2007-03-22 18:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
- 2007-02-10 11:29 . 2009-05-02 14:42 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-02-10 11:29 . 2009-07-06 14:25 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-05-17 00:25 . 2009-02-19 09:47 351744 c:\windows\system32\xpsp3res.dll
+ 2005-05-17 00:25 . 2009-04-27 09:18 351744 c:\windows\system32\xpsp3res.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 616448 c:\windows\system32\urlmon.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 616448 c:\windows\system32\urlmon.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 474112 c:\windows\system32\shlwapi.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 474112 c:\windows\system32\shlwapi.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 532480 c:\windows\system32\mstime.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 532480 c:\windows\system32\mstime.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 146432 c:\windows\system32\msrating.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 146432 c:\windows\system32\msrating.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 449024 c:\windows\system32\mshtmled.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 449024 c:\windows\system32\mshtmled.dll
+ 2009-02-03 02:15 . 2009-02-03 02:15 240544 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-05 23:59 . 2009-07-05 23:58 148888 c:\windows\system32\javaws.exe
+ 2009-07-05 23:59 . 2009-07-05 23:58 144792 c:\windows\system32\javaw.exe
+ 2009-07-05 23:59 . 2009-07-05 23:58 144792 c:\windows\system32\java.exe
+ 2001-08-18 14:00 . 2009-04-29 04:52 251392 c:\windows\system32\iepeers.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 251392 c:\windows\system32\iepeers.dll
+ 2001-09-17 04:21 . 2009-07-06 14:38 319544 c:\windows\system32\FNTCACHE.DAT
- 2001-09-17 04:21 . 2009-04-11 11:43 319544 c:\windows\system32\FNTCACHE.DAT
- 2001-08-18 14:00 . 2009-02-20 08:30 205312 c:\windows\system32\dxtrans.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 205312 c:\windows\system32\dxtrans.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 357888 c:\windows\system32\dxtmsft.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 357888 c:\windows\system32\dxtmsft.dll
+ 2006-07-25 20:33 . 2009-04-29 04:52 616448 c:\windows\system32\dllcache\urlmon.dll
- 2006-07-25 20:33 . 2009-02-20 08:30 616448 c:\windows\system32\dllcache\urlmon.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2007-10-11 10:10 . 2007-07-09 13:09 584192 c:\windows\system32\dllcache\rpcrt4.dll
+ 2007-10-11 10:10 . 2009-04-15 15:11 584192 c:\windows\system32\dllcache\rpcrt4.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 532480 c:\windows\system32\dllcache\mstime.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 532480 c:\windows\system32\dllcache\mstime.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 146432 c:\windows\system32\dllcache\msrating.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 146432 c:\windows\system32\dllcache\msrating.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 449024 c:\windows\system32\dllcache\mshtmled.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-05-07 15:44 . 2009-05-07 15:44 344064 c:\windows\system32\dllcache\localspl.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 251392 c:\windows\system32\dllcache\iepeers.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 357888 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 151040 c:\windows\system32\dllcache\cdfview.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 151040 c:\windows\system32\dllcache\cdfview.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 151040 c:\windows\system32\cdfview.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 151040 c:\windows\system32\cdfview.dll
+ 2009-07-05 23:58 . 2009-07-05 23:58 536576 c:\windows\Installer\12b260f.msi
- 2008-05-14 16:00 . 2009-05-02 14:42 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-02-10 11:29 . 2009-05-02 14:42 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-02-10 11:29 . 2009-07-06 14:25 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-05-14 16:00 . 2009-05-02 14:42 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-05-14 16:00 . 2009-07-06 14:25 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2001-08-18 14:00 . 2009-03-02 23:52 1495552 c:\windows\system32\shdocvw.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 1495552 c:\windows\system32\shdocvw.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 3060736 c:\windows\system32\mshtml.dll
+ 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2007-03-08 13:47 . 2009-04-17 09:58 1846656 c:\windows\system32\dllcache\win32k.sys
+ 2006-06-23 11:02 . 2009-04-29 04:52 1495552 c:\windows\system32\dllcache\shdocvw.dll
- 2006-06-23 11:02 . 2009-03-02 23:52 1495552 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-07-28 11:28 . 2009-04-29 04:52 3060736 c:\windows\system32\dllcache\mshtml.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 1054208 c:\windows\system32\dllcache\danim.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 1054208 c:\windows\system32\dllcache\danim.dll
- 2006-06-23 11:02 . 2009-02-20 08:30 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2006-06-23 11:02 . 2009-04-29 04:52 1023488 c:\windows\system32\dllcache\browseui.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 1054208 c:\windows\system32\danim.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 1054208 c:\windows\system32\danim.dll
+ 2001-08-18 14:00 . 2009-04-29 04:52 1023488 c:\windows\system32\browseui.dll
- 2001-08-18 14:00 . 2009-02-20 08:30 1023488 c:\windows\system32\browseui.dll
+ 2009-05-01 13:49 . 2009-05-01 13:49 4328960 c:\windows\Installer\431fe3a.msp
+ 2009-05-12 11:01 . 2009-05-12 11:01 6818816 c:\windows\Installer\431fe24.msp
+ 2009-05-28 10:32 . 2009-05-28 10:32 5518848 c:\windows\Installer\431fe0f.msp
+ 2009-04-23 15:57 . 2009-04-23 15:57 7672832 c:\windows\Installer\431fdfb.msp
+ 2005-05-11 19:22 . 2009-06-01 07:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 540672]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 172101]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-08 28672]
"ATIPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"eabconfg.cpl"=c:\program files\Compaq\EAB\EabServr.exe /Start
"Cpqset"=c:\compaq\cpqsetup\cpqset.exe
"ATIModeChange"=Ati2mdxx.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55132:TCP"= 55132:TCP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2009 1:21 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2009 1:21 PM 20560]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [9/19/2002 4:30 AM 26624]
R3 NZLMirror1;NZLMirror1;c:\windows\system32\drivers\NZLMirror1.sys [2/5/2003 12:53 AM 2998]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ntl.com\register-tesco.qa.business
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://d:\content\include\msSecUcd.cab
FF - ProfilePath - c:\documents and settings\see\Application Data\Mozilla\Firefox\Profiles\tj470amp.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autoplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
[.C4.retail.updated.5.sep.06_by_KrVoLoK\Lineage II C4\system\npkcrypt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npkcrypt]
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="5E822A2777780AA116DC5889961C06A614E06BA616>Deleted to preserve page size<"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\brss01a.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-06 20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 18:38
ComboFix2.txt 2009-07-05 23:15

Pre-Run: 3,432,767,488 bytes free
Post-Run: 3,349,020,672 bytes free

496 --- E O F --- 2009-07-06 14:27

katana · Jul 6, 2009

armuk said:
It seems that MS Paint and Calculator were infected after all, strangely.

We don't know yet, the upload didn't work.

Have you performed any other scans between the two Combofix runs ?
There appear to have been a lot of files changed to older versions.

Please Submit a file

Please open LINK >>> THIS PAGE <<<LINK in a new window.

In the box marked Link to topic where this file was requested: please put this text

Code:

http://forums.spybot.info/showthread.php?p=321221#post321221

Click the Browse button and navigate to C:\Qoobox\Quarantine\
There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denote Date and time stamp )
Select this file and click Open

In the Largest box please put

Code:

File Requested By Katana
Failed Submit

Finally click SendFile

armuk · Jul 7, 2009

I've submitted the file as you instructed.

katana said:
Have you performed any other scans between the two Combofix runs ?
There appear to have been a lot of files changed to older versions.

No, I didn't run any other scans between the two. However, I did update Java and Mozilla Firefox to the latest stable versions (after reading about the security improvements in newer versions). Was this ill-advised?

Also, when I did the 2nd Combofix scan (with CRScript.txt) it said that "a new version of Combofix is ready, would you like to update", to which I said 'OK'.

Apart from that, no other changes.

On a separate note, when I turned on the PC today, it ran VERY slow (i.e. applications took a long time to open, ran very slowly, etc). Not sure if this was just because I didn't allow enough time for it to boot-up fully (considering that my PC is fairly old and having launched Firefox pretty much as soon as the Desktop appeared without waiting for it to perhaps finish booting up), or a separate, new problem. I'm hoping it's not the latter.

:

katana · Jul 7, 2009

On a separate note, when I turned on the PC today, it ran VERY slow ~ Not sure if this was just because I didn't allow enough time for it to boot-up fully
or a separate, new problem. I'm hoping it's not the latter.

I have no idea what is wrong yet, your logs are very strange at the moment.
Those two files are very odd indeed ..... they aren't the ones that Microsoft released ?????

----------------------------------------------------------------------------------------
Step 1

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:dir
:filefind
calc.exe
mspaint.exe
:comment
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

----------------------------------------------------------------------------------------
Step 2

Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below

Please visit this webpage for instructions on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

SystemLook log
Combofix log

armuk · Jul 8, 2009

katana said:
Those two files are very odd indeed ..... they aren't the ones that Microsoft released ?????

No they aren't the originals that came with the system - I accidentally deleted the originals and so installed/replaced them with replacement 'Paint' and 'Calculator' applications I found on some tech forum (not exactly sure where), a couple of years ago.

Just thought I'd clarify that before I posted the logs.

armuk · Jul 8, 2009

And here are the logs as requested.

= SYSTEM LOOK =

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:04 on 08/07/2009 by see (Administrator - Elevation successful)

========== dir ==========

========== filefind ==========

Searching for "calc.exe"
C:\WINDOWS\system32\calc.exe --a--- 227840 bytes [16:17 12/09/2007] [10:00 02/10/2002] 44F63F70962CB24306716235C80DB26B
C:\WINDOWS\system32\dllcache\calc.exe --a--c 114688 bytes [12:00 18/08/2001] [12:00 18/08/2001] 829E4805B0E12B383EE09ABDC9E2DC3C

Searching for "mspaint.exe"
C:\WINDOWS\$NtServicePackUninstall$\mspaint.exe -----c 339968 bytes [06:11 06/09/2006] [14:00 18/08/2001] 6AC7DB999F986465046D8B2A73DF9C06
C:\WINDOWS\ServicePackFiles\i386\mspaint.exe ------ 343040 bytes [06:47 06/09/2006] [23:56 03/08/2004] 57ADB09ED3617B042D155449490A9F76
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\mspaint.exe --a--- 343040 bytes [11:34 21/09/2008] [00:12 14/04/2008] 949BC05CEF66BCD68EB23F08EB4C2DFF
C:\WINDOWS\system32\mspaint.exe --a--- 437248 bytes [16:17 12/09/2007] [18:06 07/10/2002] 7835A680EC87C3067101DD3AE22B0593

-=End Of File=-

_________________________________________________________________
_________________________________________________________________

= COMBOFIX =

ComboFix 09-07-07.A4 - see 07/08/2009 12:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.47 [GMT 2:00]
Running from: c:\documents and settings\see\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090707-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\mspaint.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-05 23:59 . 2009-07-05 23:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-05 23:57 . 2009-07-05 23:57 152576 ----a-w- c:\documents and settings\see\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-05 18:45 . 2009-07-05 18:45 -------- d-----w- c:\documents and settings\see\Application Data\Malwarebytes
2009-07-05 18:43 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 18:43 . 2009-07-05 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 18:42 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 18:42 . 2009-07-05 18:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 08:55 . 2009-06-29 08:56 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 23:58 . 2007-08-15 11:32 -------- d-----w- c:\program files\Java
2009-06-14 18:30 . 2004-07-15 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 15:44 . 2001-08-18 14:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2001-08-18 14:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2001-08-18 14:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-18 14:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 10:19 . 2009-04-14 10:20 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.

------- Sigcheck -------

[-] 2001-08-18 14:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2004-08-03 23:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-03 23:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[-] 2001-08-18 14:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2004-08-03 23:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ws2_32.dll
[-] 2004-08-03 23:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2001-08-18 14:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2004-08-03 23:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-03 23:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2001-08-18 14:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2004-08-03 22:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2004-08-03 22:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2004-08-03 22:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2001-08-18 14:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2004-08-03 23:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
[-] 2004-08-03 23:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2001-08-18 14:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2004-08-03 23:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-03 23:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[-] 2001-08-18 14:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2004-08-03 23:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2004-08-03 23:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2001-08-18 14:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2001-08-18 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtUninstallQ311889$\termsrv.dll
[-] 2004-08-03 23:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2004-08-03 23:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[-] 2001-08-18 14:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2004-08-03 23:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2004-08-03 23:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2001-08-18 14:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2004-08-03 23:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imm32.dll
[-] 2004-08-03 23:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2001-08-18 14:00 1562112 9E415EFDF50F26BCBC97C80F4E6C30CC c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2004-08-03 23:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
[-] 2004-08-03 23:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll

[-] 2001-08-18 14:00 23424 9C30CD464D87102497FD7C32910E6253 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2004-08-03 21:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys
[-] 2004-08-03 21:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-07-06_18.28.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-08 09:50 . 2009-07-08 09:50 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
+ 2009-07-08 09:50 . 2009-07-08 09:50 16384 c:\windows\Temp\Perflib_Perfdata_1b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 540672]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 172101]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-08 28672]
"ATIPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"eabconfg.cpl"=c:\program files\Compaq\EAB\EabServr.exe /Start
"Cpqset"=c:\compaq\cpqsetup\cpqset.exe
"ATIModeChange"=Ati2mdxx.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55132:TCP"= 55132:TCP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2009 1:21 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2009 1:21 PM 20560]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [9/19/2002 4:30 AM 26624]
R3 NZLMirror1;NZLMirror1;c:\windows\system32\drivers\NZLMirror1.sys [2/5/2003 12:53 AM 2998]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ntl.com\register-tesco.qa.business
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://d:\content\include\msSecUcd.cab
FF - ProfilePath - c:\documents and settings\see\Application Data\Mozilla\Firefox\Profiles\tj470amp.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 12:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
[.C4.retail.updated.5.sep.06_by_KrVoLoK\Lineage II C4\system\npkcrypt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npkcrypt]
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="5E822A2777780AA116DC5889961C06A614E06BA6160 <removed

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\docume~1\see\LOCALS~1\Temp\catchme.dll
.
Completion time: 2009-07-08 12:27
ComboFix-quarantined-files.txt 2009-07-08 10:26
ComboFix2.txt 2009-07-06 18:38
ComboFix3.txt 2009-07-05 23:15

Pre-Run: 3,299,086,336 bytes free
Post-Run: 3,280,519,168 bytes free

229 --- E O F --- 2009-07-06 14:27

_________________________________________________________________
_________________________________________________________________

= HIJACKTHIS =

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:53 PM, on 7/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {546EF2E6-E29B-46C0-8FF7-04DAA301A4D8} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4343 bytes

katana · Jul 8, 2009

armuk said:
No they aren't the originals that came with the system

The choice is yours, I can replace them with one of the other copies or leave them as they are.
Combofix is flagging them because they aren't Microsoft files.

Now, as for the other files that have been replaced.....

Please can you update to SP3 and then run Combofix again.
I suspect that will clear up a lot of problems.

armuk · Jul 8, 2009

katana said:
The choice is yours, I can replace them with one of the other copies or leave them as they are.

Yes that would be very much appreciated if you could; I only installed these replacements because I couldn't find the proper Microsoft ones.

I also installed SP3 as advised.

However, the new Combofix log is very large - about 658000 characters - and far exceeds the post limit here of 64000 characters. Should I just break it down and post in multiple posts (though I think it would take about 11 posts to fit it all in) or is there some alternative method that I should use?

katana · Jul 8, 2009

armuk said:
However, the new Combofix log is very large - about 658000 characters

Good point, I forgot about that :lol:

please run Combofix once more, the new log should be more realistic.

armuk · Jul 9, 2009

I see, yes this one is of a more reasonable size.

= COMBOFIX =

ComboFix 09-07-08.06 - see 07/09/2009 11:50.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.239.108 [GMT 2:00]
Running from: c:\documents and settings\see\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090708-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 09:27 . 2009-07-09 09:27 -------- d-----w- c:\windows\LastGood
2009-07-08 19:52 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-08 19:50 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-08 19:50 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-08 19:48 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-08 18:59 . 2009-07-08 18:59 -------- d-----w- c:\windows\system32\scripting
2009-07-08 18:58 . 2009-07-08 18:58 -------- d-----w- c:\windows\l2schemas
2009-07-08 18:58 . 2009-07-08 18:58 -------- d-----w- c:\windows\system32\en
2009-07-05 23:59 . 2009-07-05 23:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-05 23:57 . 2009-07-05 23:57 152576 ----a-w- c:\documents and settings\see\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-05 18:45 . 2009-07-05 18:45 -------- d-----w- c:\documents and settings\see\Application Data\Malwarebytes
2009-07-05 18:43 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 18:43 . 2009-07-05 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 18:42 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 18:42 . 2009-07-05 18:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 08:55 . 2009-06-29 08:56 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 19:08 . 2006-08-31 20:47 77945 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-07-05 23:58 . 2007-08-15 11:32 -------- d-----w- c:\program files\Java
2009-06-14 18:30 . 2004-07-15 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 15:32 . 2001-08-18 14:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2001-08-18 14:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-18 14:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2001-08-18 14:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 10:19 . 2009-04-14 10:20 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-07-08_20.15.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 09:08 . 2009-07-09 09:08 16384 c:\windows\Temp\Perflib_Perfdata_718.dat
+ 2009-07-09 09:07 . 2009-07-09 09:07 16384 c:\windows\Temp\Perflib_Perfdata_510.dat
+ 2004-11-04 17:02 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2004-11-04 17:02 . 2007-08-10 19:46 26488 c:\windows\system32\spupdsvc.exe
+ 2002-09-19 03:36 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2002-09-19 03:36 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2001-08-18 14:00 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2001-08-18 14:00 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
- 2001-08-18 14:00 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe
+ 2001-09-17 04:10 . 2009-07-09 09:14 41234 c:\windows\system32\perfc009.dat
- 2001-09-17 04:10 . 2009-07-08 19:43 41234 c:\windows\system32\perfc009.dat
+ 2004-07-09 17:24 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
- 2004-07-09 17:24 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
+ 2001-08-18 14:00 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
+ 2001-08-18 14:00 . 2008-08-28 07:46 74752 c:\windows\system32\msw3prt.dll
+ 2006-08-31 20:43 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2006-08-31 20:43 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2001-08-18 14:00 . 2008-06-24 16:43 74240 c:\windows\system32\mscms.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
- 2001-08-18 14:00 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe
+ 2001-08-18 14:00 . 2009-02-06 10:39 35328 c:\windows\system32\dllcache\sc.exe
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2008-08-28 07:46 . 2008-08-28 07:46 74752 c:\windows\system32\dllcache\msw3prt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2008-06-24 16:43 . 2008-06-24 16:43 74240 c:\windows\system32\dllcache\mscms.dll
+ 2009-04-29 04:46 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
- 2004-07-18 12:37 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
+ 2004-07-18 12:37 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
+ 2001-08-18 14:00 . 2008-08-28 07:46 104960 c:\windows\system32\win32spl.dll
+ 2006-08-31 20:43 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2006-08-31 20:43 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2006-08-31 20:43 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2001-08-18 14:00 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2001-08-18 14:00 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2001-08-18 14:00 . 2008-12-05 06:54 144896 c:\windows\system32\schannel.dll
+ 2001-08-18 14:00 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
- 2001-09-17 04:10 . 2009-07-08 19:43 313606 c:\windows\system32\perfh009.dat
+ 2001-09-17 04:10 . 2009-07-09 09:14 313606 c:\windows\system32\perfh009.dat
+ 2001-08-18 14:00 . 2009-03-06 14:22 284160 c:\windows\system32\pdh.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 284160 c:\windows\system32\pdh.dll
+ 2001-08-18 14:00 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 337408 c:\windows\system32\netapi32.dll
+ 2001-08-18 14:00 . 2008-10-15 16:34 337408 c:\windows\system32\netapi32.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 245248 c:\windows\system32\mswsock.dll
+ 2001-08-18 14:00 . 2008-06-20 17:46 245248 c:\windows\system32\mswsock.dll
- 2004-07-09 17:24 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-07-09 17:24 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-07-09 17:24 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
- 2004-07-09 17:24 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2004-07-09 17:24 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2001-08-18 14:00 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
+ 2001-08-18 14:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2001-08-18 14:00 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
- 2004-06-07 18:19 . 2008-04-14 00:11 691712 c:\windows\system32\inetcomm.dll
+ 2004-06-07 18:19 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2001-08-18 14:00 . 2008-10-23 12:36 286720 c:\windows\system32\gdi32.dll
+ 2001-09-17 04:21 . 2009-07-09 09:07 319544 c:\windows\system32\FNTCACHE.DAT
- 2001-09-17 04:21 . 2009-07-08 19:31 319544 c:\windows\system32\FNTCACHE.DAT
+ 2001-08-18 14:00 . 2008-07-07 20:26 253952 c:\windows\system32\es.dll
+ 2001-08-18 14:00 . 2008-06-20 11:08 225856 c:\windows\system32\drivers\tcpip6.sys
+ 2001-08-18 14:00 . 2008-06-20 11:51 361600 c:\windows\system32\drivers\tcpip.sys
+ 2001-08-18 14:00 . 2008-12-11 10:57 333952 c:\windows\system32\drivers\srv.sys
+ 2001-08-18 14:00 . 2008-05-08 14:02 203136 c:\windows\system32\drivers\rmcast.sys
+ 2001-08-18 14:00 . 2008-10-24 11:21 455296 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-04 06:10 . 2008-06-13 11:05 272128 c:\windows\system32\drivers\bthport.sys
+ 2001-08-18 14:00 . 2008-08-14 10:04 138496 c:\windows\system32\drivers\afd.sys
- 2001-08-18 14:00 . 2008-04-14 00:11 147968 c:\windows\system32\dnsapi.dll
+ 2001-08-18 14:00 . 2008-06-20 17:46 147968 c:\windows\system32\dnsapi.dll
+ 2009-07-08 19:51 . 2009-02-06 10:10 227840 c:\windows\system32\dllcache\wmiprvse.exe
+ 2009-07-08 19:51 . 2009-02-09 12:10 453120 c:\windows\system32\dllcache\wmiprvsd.dll
+ 2008-04-21 06:44 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2008-08-28 07:46 . 2008-08-28 07:46 104960 c:\windows\system32\dllcache\win32spl.dll
+ 2009-04-29 04:46 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-20 11:08 . 2008-06-20 11:08 225856 c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2009-07-08 19:51 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\services.exe
+ 2008-12-05 06:54 . 2008-12-05 06:54 144896 c:\windows\system32\dllcache\schannel.dll
+ 2009-07-08 19:51 . 2009-02-09 12:10 401408 c:\windows\system32\dllcache\rpcss.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2009-07-08 19:51 . 2008-05-08 14:02 203136 c:\windows\system32\dllcache\rmcast.sys
+ 2009-07-08 19:51 . 2009-03-06 14:22 284160 c:\windows\system32\dllcache\pdh.dll
+ 2009-07-08 19:51 . 2009-02-09 12:10 714752 c:\windows\system32\dllcache\ntdll.dll
+ 2008-06-20 17:46 . 2008-06-20 17:46 245248 c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2008-09-21 17:04 . 2008-05-01 14:33 331776 c:\windows\system32\dllcache\msadce.dll
- 2008-09-21 17:04 . 2008-05-01 14:30 331776 c:\windows\system32\dllcache\msadce.dll
+ 2009-07-08 19:51 . 2008-10-24 11:21 455296 c:\windows\system32\dllcache\mrxsmb.sys
+ 2009-07-08 19:51 . 2009-02-09 12:10 729088 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2008-10-23 12:36 . 2008-10-23 12:36 286720 c:\windows\system32\dllcache\gdi32.dll
+ 2009-07-08 19:51 . 2009-02-09 12:10 473600 c:\windows\system32\dllcache\fastprox.dll
+ 2008-07-07 20:26 . 2008-07-07 20:26 253952 c:\windows\system32\dllcache\es.dll
+ 2008-06-20 17:46 . 2008-06-20 17:46 147968 c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 11:40 . 2008-08-14 10:04 138496 c:\windows\system32\dllcache\afd.sys
+ 2009-07-08 19:51 . 2009-02-09 12:10 617472 c:\windows\system32\dllcache\advapi32.dll
+ 2001-08-18 14:00 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
- 2001-08-18 14:00 . 2008-04-14 00:11 617472 c:\windows\system32\advapi32.dll
+ 2009-07-08 19:51 . 2008-10-24 11:21 455296 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-07-08 19:52 . 2008-06-13 11:05 272128 c:\windows\Driver Cache\i386\bthport.sys
+ 2009-07-08 19:51 . 2008-04-15 17:47 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 8461312 c:\windows\system32\shell32.dll
+ 2001-08-18 14:00 . 2008-06-17 19:02 8461312 c:\windows\system32\shell32.dll
- 2001-08-18 14:00 . 2008-04-14 00:12 1499136 c:\windows\system32\shdocvw.dll
+ 2001-08-18 14:00 . 2009-04-29 04:46 1499136 c:\windows\system32\shdocvw.dll
- 2004-07-29 14:39 . 2008-04-14 00:12 1288192 c:\windows\system32\quartz.dll
+ 2004-07-29 14:39 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
+ 2001-08-18 14:00 . 2009-02-06 11:08 2189056 c:\windows\system32\ntoskrnl.exe
+ 2001-08-17 13:48 . 2009-02-07 17:02 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2001-08-18 14:00 . 2009-04-29 04:46 3068928 c:\windows\system32\mshtml.dll
+ 2009-04-17 12:26 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-17 19:02 . 2008-06-17 19:02 8461312 c:\windows\system32\dllcache\shell32.dll
+ 2009-04-29 04:46 . 2009-04-29 04:46 1499136 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-12-20 22:14 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-08 19:51 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-07-08 19:51 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-02-07 17:02 . 2009-02-07 17:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-07-08 19:51 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-04-21 06:44 . 2009-04-29 04:46 3068928 c:\windows\system32\dllcache\mshtml.dll
+ 2009-07-08 19:51 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-07-08 19:51 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-07 17:02 . 2009-02-07 17:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-07-08 19:51 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 540672]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 172101]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-08 28672]
"ATIPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"eabconfg.cpl"=c:\program files\Compaq\EAB\EabServr.exe /Start
"Cpqset"=c:\compaq\cpqsetup\cpqset.exe
"ATIModeChange"=Ati2mdxx.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55132:TCP"= 55132:TCP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2009 1:21 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2009 1:21 PM 20560]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [9/19/2002 4:30 AM 26624]
R3 NZLMirror1;NZLMirror1;c:\windows\system32\drivers\NZLMirror1.sys [2/5/2003 12:53 AM 2998]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ntl.com\register-tesco.qa.business
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file://d:\content\include\msSecUcd.cab
FF - ProfilePath - c:\documents and settings\see\Application Data\Mozilla\Firefox\Profiles\tj470amp.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
[.C4.retail.updated.5.sep.06_by_KrVoLoK\Lineage II C4\system\npkcrypt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npkcrypt]
"ImagePath"="\??\c:\h - back-ups\Other Stuff\L2\Lineage 2 C4\Lineage.]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="5E822A2777780AA116DC5889961C06A61>removed"
.
Completion time: 2009-07-09 12:05
ComboFix-quarantined-files.txt 2009-07-09 10:05
ComboFix2.txt 2009-07-08 20:31
ComboFix3.txt 2009-07-08 10:27
ComboFix4.txt 2009-07-06 18:38
ComboFix5.txt 2009-07-09 09:48

Pre-Run: 1,866,117,120 bytes free
Post-Run: 1,853,628,416 bytes free

306 --- E O F --- 2009-07-08 21:39

katana · Jul 9, 2009

Excellent

That's cleared all the problems.

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.

Uninstall Combofix

This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

armuk · Jul 10, 2009

Yes it does seem to be running fine now and much better than before.

Thank you very much for all the help you've provided Katana, I appreciate it very much; and very kind of you also.

The advice in your last post was also very useful and informative.

Thanks once again,
Dan

Win32:VB-KQC [Trj] + slow PC + other issues? (Resolved)

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member

katana

Security Expert-Emeritus

armuk

New member